Re: ASCII NUL in NAS-Filter-Rule

2011-04-20 Thread Guy Fraser

Just a guess, but it sounds like a "string array" to me.

char **string_array ;

Look up malloc and related functions to designate space for additions to the array.

This is NOT how you do it but this is the general idea :

string_array[0] = "filter entry 1" ;
string_array[1] = "filter entry 2" ;

An "automated" way of "creating" a string array is to use a delimited string: use index or rindex to find the delimiter, then replace the delimiter with '\0'.


If you have experience programming in C, you should know how to find all the functions required to carry this out.


On 2011-Apr-20, at 06:38, Ruslan Pustovoytov wrote:



Is my question about sending ASCII NUL in a string attribute wrong, or has nobody run into this situation?



Hi All

My NAS box can use the attribute NAS-Filter-Rule from the RADIUS server to construct filter rules per subscriber "on the fly".
According to RFC 4849 this attribute should contain ASCII NUL (0x00) as a delimiter between individual filter rules and at the end of the rules.
FreeRADIUS defines this attribute as a string and I do not know how to create a valid string with a NUL character.
I changed the attribute type to octets and successfully added the NUL character, but the whole string was converted to hex as well and the attribute was not readable.

How can I send a NUL character without changing the attribute type?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787

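The RFC 4849 encoding the question describes, as an added example (not code from the thread or from FreeRADIUS): rules are NUL-separated with a NUL after the last one, the NUL-delimited blob is cut into 253-octet attribute values because a RADIUS attribute's one-octet Length also covers Type and Length, and the receiving NAS concatenates all NAS-Filter-Rule values (Type 92) before splitting on NUL. The rule texts are constructed sample input.

```python
import struct

NAS_FILTER_RULE = 92   # attribute Type assigned to NAS-Filter-Rule by RFC 4849
MAX_ATTR_VALUE = 253   # RFC 2865: Length is one octet and covers Type+Length, so value <= 253

# Constructed sample rules in the IPFilterRule syntax the attribute carries.
RULES = [
    "permit in ip from 10.0.0.0/8 to any",
    "deny in ip from any to any",
]

def pack_filter_rules(rules):
    """Server side: join the rules with NUL and terminate the last one with NUL,
    which is how the poster reads RFC 4849. A rule itself can never contain NUL."""
    for rule in rules:
        if not rule or "\x00" in rule:
            raise ValueError("filter rules must be non-empty and NUL-free")
    return "".join(rule + "\x00" for rule in rules).encode("ascii")

def split_into_attributes(blob, limit=MAX_ATTR_VALUE):
    """Cut the NUL-delimited blob into attribute-sized values. A rule may be
    split across two attributes; the NAS concatenates values before parsing."""
    return [blob[i:i + limit] for i in range(0, len(blob), limit)]

def encode_tlvs(values):
    """RFC 2865 Type/Length/Value framing, one attribute per value."""
    return b"".join(struct.pack("BB", NAS_FILTER_RULE, len(v) + 2) + v for v in values)

def decode_tlvs(data):
    """Walk a run of attributes and return the NAS-Filter-Rule values in packet
    order, rejecting truncated or zero-length attributes."""
    values, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        if attr_type == NAS_FILTER_RULE:
            values.append(data[off + 2:off + length])
        off += length
    return values

def unpack_filter_rules(values):
    """NAS side: concatenate all NAS-Filter-Rule values, then split on NUL.
    The terminating NUL of the last rule is required; empty rules are rejected."""
    blob = b"".join(values)
    if not blob.endswith(b"\x00"):
        raise ValueError("filter rules are not NUL-terminated")
    parts = blob[:-1].split(b"\x00")
    if b"" in parts:
        raise ValueError("empty rule between delimiters")
    return [p.decode("ascii") for p in parts]

def roundtrip(rules):
    """Server encodes, NAS decodes. Returns (attribute count, recovered rules)."""
    values = split_into_attributes(pack_filter_rules(rules))
    wire = encode_tlvs(values)
    return len(values), unpack_filter_rules(decode_tlvs(wire))

if __name__ == "__main__":
    print(pack_filter_rules(RULES))
    # 10 rules of 41 octets each need two NAS-Filter-Rule attributes.
    print(roundtrip(["permit in tcp from 10.0.%d.0/24 to any 80" % i for i in range(10)]))
```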


Re: SQL results going ... wrong

2011-04-14 Thread Guy Fraser

What character set encodings are you using for the database?

I suspect the database is set to UTF8 and the default character encoding on the system where you are developing FreeRadius is different.

You can check the MySQL like this :

mysql> show variables like 'character_%' ;
+--------------------------+----------------------------------+
| Variable_name            | Value                            |
+--------------------------+----------------------------------+
| character_set_client     | latin1                           |
| character_set_connection | latin1                           |
| character_set_database   | latin1                           |
| character_set_filesystem | binary                           |
| character_set_results    | latin1                           |
| character_set_server     | latin1                           |
| character_set_system     | utf8                             |
| character_sets_dir       | /usr/local/share/mysql/charsets/ |
+--------------------------+----------------------------------+
8 rows in set (0.00 sec)


On 2011-Apr-14, at 08:06, Stefan Winter wrote:


Hi,

I'm just implementing a new virtual server with a slightly complex query and sizable result set coming back in radreply. The query goes out as expected, and the MySQL reply is well-formed and looks as expected in wireshark when it comes back. But the debug output is ... interesting:

Thu Apr 14 15:43:07 2011 : Info: [sql-aai] User found in radcheck table
Thu Apr 14 15:43:07 2011 : Info: [sql-aai] expand: SELECT * FROM reply_aai_firstname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_mail WHERE username='%{SQL-User-Name}' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='%{SQL-User-Name}' -> SELECT * FROM reply_aai_firstname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_lastname WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_mail WHERE username='swinter' UNION ALL SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='swinter'
Thu Apr 14 15:43:07 2011 : Error: rlm_sql: Invalid operator "?x�{?(�{?@�{?D�{?<�{?D�{?Z�{?]�{?v�{?swinter" for attribute +=
Thu Apr 14 15:43:07 2011 : Error: rlm_sql (sql-aai): Error getting data from database
Thu Apr 14 15:43:07 2011 : Error: [sql-aai] SQL query error; rejecting user


Something looks like accessing memory where it better shouldn't.

If I execute the xlated query on the MySQL server directly, the result
looks beautiful:

+----------+-----------------------+----+----------------------------------------------------------------+
| username | attribute             | op | value                                                          |
+----------+-----------------------+----+----------------------------------------------------------------+
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.42='Stefan'                                      |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:2.5.4.4='Winter'                                       |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:0.9.2342.19200300.100.1.3='stefan.win...@education.lu' |
| swinter  | RESTENA-AAI-Attribute | += | urn:oid:1.3.6.1.4.1.5923.1.1.1.1='member'                      |
+----------+-----------------------+----+----------------------------------------------------------------+


So it must go wrong somewhere in the server.

That same server executes many many other SQL queries of the radcheck style without issues. This is the first time I'm using a radreply query though. Version is 2.1.10. mysql client lib is so old I'm too ashamed to tell here.

So... any known badnesses in MySQL/radreply? Anything I should do (besides updating mysql client libs, which has right now popped near the top of my TODO list)?

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: freeradius postgresql sql query glitch

2009-12-07 Thread Guy Fraser


On 2009-Dec-07, at 06:00, Josip Rodin wrote:


Hi,

I've observed an SQL logging problem with FreeRADIUS (2.x) and PostgreSQL (8.1); on several different installations I occasionally get these errors:


Mon Dec  7 13:19:01 2009 : Error: [ourlittle_sql] Couldn't update SQL accounting STOP record - ERROR:  invalid input syntax for integer: ""


sql trace log indicates that this is the offending query:

UPDATE radacct
  SET AcctStopTime = ('2009-12-07 13:19:01'::timestamp - '6'::interval),
  AcctSessionTime = CASE WHEN '' = '' THEN
  (EXTRACT(EPOCH FROM ('2009-12-07 13:19:01'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE
  - '6'::INTERVAL)))::BIGINT ELSE '' END,
  AcctInputOctets = (('0'::bigint << 32) + '0'::bigint),
  AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint),
  AcctTerminateCause = 'User-Request',
  AcctStopDelay = 0,
  FramedIPAddress = NULLIF('4.3.2.1', '')::inet,
  ConnectInfo_stop = ''
  WHERE AcctSessionId = '57fc9e4821466d86'
  AND UserName = 'o...@user.name'
  AND NASIPAddress = '1.2.3.4'
  AND AcctStopTime IS NULL;

I'm using the default unchanged sql/postgresql/dialup.conf setting:

accounting_stop_query = "UPDATE ${acct_table2} \
 SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \
 AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \
 (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE \
 - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT ELSE '%{Acct-Session-Time}' END, \
 AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \
 AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \
 AcctTerminateCause = '%{Acct-Terminate-Cause}', \
 AcctStopDelay = 0, \
 FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \
 ConnectInfo_stop = '%{Connect-Info}' \
 WHERE AcctSessionId = '%{Acct-Session-Id}' \
 AND UserName = '%{SQL-User-Name}' \
 AND NASIPAddress = '%{NAS-IP-Address}' \
 AND AcctStopTime IS NULL"

Looks like the code wants to use CASE to check whether %{Acct-Session-Time} exists among the internal FreeRADIUS variables, while the return value of the whole SQL CASE construct is supposed to be a bigint.

This is a reduced failing case:

radiustmobile=# select CASE WHEN '' = '' THEN (EXTRACT(EPOCH FROM ('2009-12-07 13:19:01'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE - '6'::INTERVAL)))::BIGINT ELSE '' END from radacct where AcctSessionId = '57fc9e4821466d86';

ERROR:  invalid input syntax for integer: ""


I have been using that query for years and have never had a problem.

"select CASE WHEN '' = '' THEN" does not care what is in the empty strings because they are not designated as integers.


Your problem is elsewhere.

Have you checked to see if AcctStartTime has valid data?

Try :

select AcctStartTime from radacct where AcctSessionId = '57fc9e4821466d86';


If it contains data that looks like an integer then try :

\d radacct

Make sure AcctStartTime is a time stamp.

Why is your stop record broken? Stop records are supposed to have a valid Acct-Session-Time; yours would appear to be missing.




In the else case, this fallback return value comes into PostgreSQL as just an empty string, which causes it to trip over - it sees that there's a possibility to write an empty string into a bigint field, which provokes the syntax error, even if the problem won't actually happen with this particular setup of input data.

I'm not sure what to do... can the query be rewritten in a manner that would allow for both use cases?

(Mailing list users, please Cc: responses for those of us who may not be subscribed. TIA.)

--
2. That which causes joy or happiness.


Re: How to enter users in sql?

2009-05-27 Thread Guy Fraser


On 2009-May-27, at 11:51, Just E. Mail wrote:

I have successfully set up a freeRADIUS server with a PostgreSQL backend (separate) server. When I start freeRADIUS in test mode 'radiusd -X', it connects to the sql server and there is no error. I have two general questions:


1. I need to add one or two test UID & PW in the SQL database. Is there a GUI application available to accomplish that or do I have to do it manually by entering the data?




You could try to use the dialup_admin php interface that is included with the FreeRadius source.

It did not meet our needs so I wrote one for in house use.

2. When the freeRADIUS server is live (on-line) how does user authentication data get added into the database? In MD5, LINUX has an application to add USER Name & Group (created automatically) which both the email program (such as Postfix) and freeRADIUS authenticate against. How is it done in PostgreSQL?




FreeRadius uses the standard libcrypt routines.

Here is a snippet of code from the PHP interface I wrote :


// Compare a candidate password against a stored crypt() hash. Passing the
// stored hash as the salt makes crypt() reuse the same algorithm and salt,
// so the two results are directly comparable.
function check_password ($test_pass,$old_encrypted) {
  if(crypt($test_pass,$old_encrypted) == $old_encrypted) {
    //echo "Password matches";
    return(true);
  } else {
    //echo "Password does not match";
    return(false);
  }
}

// Hash a new password with the system's default crypt() algorithm and a
// generated salt; store the result in the password column.
function gen_password ($new_pass) {
  $encrypted = crypt($new_pass);
  return($encrypted);
}


I have tried to post this question as clearly as I can. Please ask for clarification!


Jennifer K.


Re: Mac-Based auth and HP chap

2009-04-29 Thread Guy Fraser


On 2009-Apr-29, at 10:26, jehan procaccia wrote:


hello,
I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth.

for this I've setup a simple users file

005004B7252E    Auth-Type := Local, Cleartext-Password := "005004B7252E"
        Tunnel-type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 15

First, it isn't clear to me whether to use Cleartext-Password or User-Password, == or :=, and "" or no "" around the password ...!?

anyway, with Cleartext-Password it works fine with radtest at least

$ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret
rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36


Now when my HP switch tries to auth my PC, which has 005004B7252E as the MAC address of its eth0, apparently the HP sends a CHAP password

CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
which sends radius into its chap module and fails to Authenticate :-(
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

I'm lost. I don't know if I have to set a chap password in the "users" file or anywhere else? (how, syntax?)

or if I have to tell my HP switch not to do chap (again how?)

Thanks .


details of radiusd -X

rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195

  Framed-MTU = 1480
  NAS-IP-Address = 157.159.17.138
  NAS-Identifier = "Sw-C01"
  User-Name = "005004B7252E"
  Service-Type = Framed-User
  Framed-Protocol = PPP
  NAS-Port = 26
  NAS-Port-Type = Ethernet
  NAS-Port-Id = "26"
  Called-Station-Id = "00-1c-2e-b4-f2-66"
  Calling-Station-Id = "00-50-04-b7-25-2e"
  Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
  CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
  Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log]  expand: %t -> Wed Apr 29 17:28:16 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
[suffix] No such realm "NULL"


Uncomment and edit your proxy.conf file for the NULL realm :

...
realm NULL {
type= radius
authhost= LOCAL
accthost= LOCAL
secret  = testing123
}
...





++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 8 to 157.159.17.138 port 1125
Waking up in 4.9 seconds.

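The CHAP failure in the debug output above, as an added example (not code from the post or from FreeRADIUS): how a RADIUS server checks CHAP-Password per RFC 2865 section 5.3, and why rlm_chap needs a cleartext "known good" password rather than a crypt or MD5 hash. The MAC from the log is used as user name and password; the 16-octet challenge is constructed, since the log does not show the Request Authenticator.

```python
import hashlib
import hmac

# Constructed values: the MAC in the log is both the User-Name and the
# Cleartext-Password; the challenge stands in for the Request Authenticator.
CHAP_IDENT = 0x07                      # first octet of the logged CHAP-Password
PASSWORD = "005004B7252E"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def chap_response(ident, password, challenge):
    """NAS side (RFC 2865 5.3): CHAP-Password = Ident || MD5(Ident || password || challenge).
    The challenge is CHAP-Challenge if the NAS sent one, else the Request Authenticator."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is a single octet")
    if not challenge:
        raise ValueError("a challenge is required")
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest

def known_good_password(check_items):
    """The server can only recompute the digest from the cleartext password: a
    Crypt-Password or MD5-Password check item cannot be turned back into the
    bytes the NAS hashed, so CHAP cannot be verified against it."""
    return check_items.get("Cleartext-Password")

def chap_verify(chap_password, check_items, challenge):
    """Server side. Recompute the expected response and compare in constant
    time. False for a malformed attribute or when the user's check items hold
    no cleartext password (the '[chap] Cleartext-Password is required' case)."""
    if len(chap_password) != 17:           # 1 octet ident + 16 octet MD5 digest
        return False
    cleartext = known_good_password(check_items)
    if cleartext is None:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)

if __name__ == "__main__":
    response = chap_response(CHAP_IDENT, PASSWORD, CHALLENGE)
    print("CHAP-Password = 0x" + response.hex())
    print("cleartext store :", chap_verify(response, {"Cleartext-Password": PASSWORD}, CHALLENGE))
    print("crypt store     :", chap_verify(response, {"Crypt-Password": "$1$constructed$hash"}, CHALLENGE))
```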


Re: radpostauth sql logging of bad passwords

2009-04-27 Thread Guy Fraser


On 2009-Apr-27, at 12:44, Ivan Kalik wrote:



On 2009-Apr-27, at 11:27, Alan DeKok wrote:


Guy Fraser wrote:

I am obviously missing something.


Ahem, did you read what sql_log does?



Yes it says :

  modules {
...
sql_log {
  path = "${radacctdir}/sql-relay"
  acct_table = "radacct"
  postauth_table = "radpostauth"
  sql_user_name = "%{%{User-Name}:-DEFAULT}"

  Start = "INSERT INTO ${acct_table} ..."
  Stop = "UPDATE ${acct_table} SET ..."
  Alive = "UPDATE ${acct_table} SET ..."

  Post-Auth = "INSERT INTO ${postauth_table} ..."
}
...
  }

  accounting {
...
sql_log
...
  }

  post-auth {
...
sql_log
...
  }

And that my friend does not help me.



I tried commenting out that section and it did not work. I then changed it to :


So... what happens?


As far as I could tell nothing changed when I commented out the REJECT section :

post-auth {
reply_log
sql
sql_log
exec
#   Post-Auth-Type REJECT {
#   attr_filter.access_reject
#   }
}


Leave reject filter alone.



And I still do not get any failed authentications when I use :

post-auth {
reply_log
sql
sql_log
exec
Post-Auth-Type REJECT {
sql_log
}
}



List sql instead of sql_log. And put the filter back.



Are you saying this will work ?

post-auth {
reply_log
sql
sql_log
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
sql
}
}

I have put it in and restarted the server.



Ivan Kalik
Kalik Informatika ISP



Re: radpostauth sql logging of bad passwords

2009-04-27 Thread Guy Fraser


On 2009-Apr-27, at 11:27, Alan DeKok wrote:


Guy Fraser wrote:

I am obviously missing something.

I tried commenting out that section and it did not work. I then changed it to :


 So... what happens?


As far as I could tell nothing changed when I commented out the REJECT section :


post-auth {
reply_log
sql
sql_log
exec
#   Post-Auth-Type REJECT {
#   attr_filter.access_reject
#   }
}

And I still do not get any failed authentications when I use :

post-auth {
reply_log
sql
sql_log
exec
Post-Auth-Type REJECT {
sql_log
}
}

I did not see any errors in any log files when I see the failed attempts in the /var/log/radacct/radiusd-DEFAULT-*.log file and there are no corresponding entries in /var/log/radacct/sqltrace.sql.

I was hoping there was an easy answer.

Does it look like something is broken or is this a configuration issue?




 Alan DeKok.


Re: radpostauth sql logging of bad passwords

2009-04-27 Thread Guy Fraser

I am obviously missing something.

I tried commenting out that section and it did not work. I then changed it to :


post-auth {
reply_log
sql
sql_log
exec
Post-Auth-Type REJECT {
sql_log
}
}

Could someone toss me a bone or tell me what document I need to read?

On 2009-Apr-17, at 11:12, Alan DeKok wrote:


Guy Fraser wrote:
I thought this would be enough to make it log failed authentications :


 Yes.  But to flat-text files, not to SQL.


post-auth {
   reply_log
   sql
   sql_log


 This says "log to SQL on success".


   exec
   Post-Auth-Type REJECT {
   attr_filter.access_reject


 You could put SQL logging here, too.

The configuration has changed significantly since I last contributed to this project.


 The main changes are moving text from one file to another.  e.g. the large chunks of "authorize", etc. in radiusd.conf have moved to separate files.

 But the main configuration is still pretty much the same.  Older
configuration files can be used *almost* unchanged.

 Alan DeKok.


Re: radpostauth sql logging of bad passwords

2009-04-17 Thread Guy Fraser


On 2009-Apr-17, at 03:08, Alan DeKok wrote:


Guy Fraser wrote:

I have installed :
"radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1,
built on Feb 26 2009 at 15:47:46"

I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.


 What do you mean by that?

Q: "I tried to do stuff, but it didn't work".
A: Huh?



I thought this would be enough to make it log failed authentications :

log {
destination = files
file = ${logdir}/radius.log
requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}


Here is the recursive, uncommented and redacted configuration :

---
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.3
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 1645
}
listen {
ipaddr = *
port = 1646
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log {
destination = files
file = ${logdir}/radius.log
requests = ${logdir}/radacct/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
#start : proxy.conf#
proxy server {
default_fallback = no
}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1645
secret = XXX
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm LOCAL {
type= radius
authhost= LOCAL
accthost= LOCAL
}
realm domain.net {
type= radius
authhost= LOCAL
accthost= LOCAL
}
realm customer.com {
type= radius
authhost= x.x.x.x:1645
accthost= x.x.x.x:1646
secret  = XXX
nostrip
}
...
#end#
$INCLUDE clients.conf
#start : clients.conf#
client localhost {
ipaddr = 127.0.0.1
secret  = XXX
require_message_authenticator = no
nastype = other
}
#end#
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
#start : modules/*#
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
attr_rewrite sanecallerid {
attribute = Called-Station-Id
searchin = packet
searchfor = "[+ ]"
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 10
append = no
}
chap {
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
allowed-servicetype = Framed-User
cache-size = 5000
}
detail {
detail

radpostauth sql logging of bad passwords

2009-04-16 Thread Guy Fraser

I have installed :
"radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1,
built on Feb 26 2009 at 15:47:46"

I have not been able to figure out how to get it to log failed authentication attempts into the radpostauth sql table, like I had it working in Version 1.



Re: Simultaneos-Use in login for same mac-address

2008-06-06 Thread Guy Fraser


On 2008-Jun-06, at 08:40, Jean Carlos Oliveira Guandalini wrote:


Hello,

we have a problem of mac-address cloning, and we use the Simultaneous-Use := 1 option to not allow double login, but when this is a case of a cloned mac-address freeradius allows the connection.


Log of sql.trace:
INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');



Queries in sql.conf:
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"



despite the mac-addresses matching, they are two different users, and the second one connected without the first one having disconnected before.

Is there any possibility to block it?


Thanks

Sorry for my english (By Google Tradutor)


I do not think there is a way to block it.
You may want to have the real user change his mac address then block the cloned mac address.

You will likely then find that another mac address gets cloned.
If you move to a secure username / password access method you may be able to stop the abuser.



Re: NAS-IP-Address = 0.0.0.0

2007-10-05 Thread Guy Fraser
On Fri, 2007-10-05 at 11:53 -0500, Walter Gould wrote:
> Please excuse me if this has already been covered in the docs or the FAQ 
> (I looked - but nothing jumped out at me).  In accounting packets coming 
> from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0.  Does 
> anybody know why and if this can be changed?  I have tried modifying the 
> aaa accounting commands on the switch, but has not seemed to fix it.  On 
> our 3750 series switches, this doesn't happen and the correct switch/NAS 
> ip address is listed in the NAS-IP-Address attribute field.
> 
> Thanks in advance,

Not sure but look into assigning an IP address to Loopback0.




Re: in vs. out

2007-10-04 Thread Guy Fraser
On Thu, 2007-10-04 at 14:39 +0200, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > Unfortunately, from a back-end perspective, if having to support a
> > variety of 'broken' commercial vendors, one doesn't have much choice
> > (apart from not supporting these vendors). I guess we have to live with
> > it as it would probably be difficult for these vendors to change their
> > ways now...
> 
>   Acct-Input-Octets has one meaning: the right one.
> 
>   You don't have to interoperate with broken vendors.  You tell users to
> throw the equipment away, and to buy working equipment.
> 

Go get 'em!

I couldn't resist any longer.

RADIUS = Remote Authentication Dial In User Service

A number of us on this list and historically on others have been 
developing radius server and related software. I can't remember 
any of the developers asking what "Input-Octets" or "Output-Octets"
meant.

--- snip ---
5.3.  Acct-Input-Octets

   Description

  This attribute indicates how many octets have been received from
  the port over the course of this service being provided, and can
  only be present in Accounting-Request records where the Acct-
  Status-Type is set to Stop.
--- snip ---

This would be data coming into the NAS from the remote end point {customer}.

--- snip ---
5.4.  Acct-Output-Octets

   Description

  This attribute indicates how many octets have been sent to the
  port in the course of delivering this service, and can only be
  present in Accounting-Request records where the Acct-Status-Type
  is set to Stop.
--- snip ---

This would be data going from the NAS to the remote end point
{customer}.

Unless the reader or translator did not understand English or the parts
of a Dial In service there should be no reason for it to be interpreted
any other way.

If a vendor is unable to comprehend a small concept like in and out, 
I would not trust them to properly resolve more tricky concepts, like 
refunds, so Alan's suggestion stands. Throw out the improperly designed 
equipment, unless the vendor just made an error in their manual.
If the error is in the manual and not the equipment, let them know, 
so they can publish an errata. Do a test to figure out which is correct, 
the equipment or the manual.





Re: data limit in Mikrotik with Freeradius and Mysql

2007-09-21 Thread Guy Fraser
On Fri, 2007-09-21 at 22:18 +0530, ram wrote:
> Hi
>  
> I am trying to achieve the same
>  
> any inputs
>  
> ram
> 

Have you tried using :
Acct-Input-Gigawords and Acct-Output-Gigawords 
instead of :
Acct-Input-Octets and Acct-Output-Octets 
in the counter calculations ?

>  
> On 9/20/07, ravi sawant <[EMAIL PROTECTED]> wrote: 
> Hi
>  
> Does anyone have solution for limiting users with data
> traffic. I have working setup of Mikrotik with freeradius and
> mysql.
>  
> Have searched on net and found one solution but I can put
> limit to max 4 GB data. After 4 GB the counter resets to 0. I
> know
> the reason of that. It's b'coz of the values stored in
> protocol are 32 bits only.
>  
> Awaiting your reply.
>  
> Thanks & Regards,
> Ravin
> 



Re: Authorization in RADIUS, Authorization in freeradius

2007-09-04 Thread Guy Fraser
On Sun, 2007-09-02 at 15:36 +0100, George Beitis wrote:
> Hi everyone,
> I have a general question regarding Authorization in the RADIUS protocol
> and how it is implemented in freeradius.  What does the RADIUS protocol
> refer to when it talks about Authorization, does it actually refer to
> users being probably authorized after being authenticated, using the
> protocol?  Are there RADIUS specific attributes that are for
> authorization? (not authentication).  There are ways of implementing
> authorization into freeradius, but do those simply overwrite the
> authentication decision?  DIAMETER provides such authorization messages
> from my understanding but the RADIUS protocol does not talk about any,
> is this correct?
> 

As far as I understand, Radius is not an AAA server in the way
you put it. Radius Authenticates, Accounts and sends Authorization 
configuration information to the NAS, which implements the 
Authorization. Radius does not enforce or restrict anything the 
NAS is not configured to perform, and in fact the Authentication 
and Authorization can be overridden by the local configuration on the 
NAS or the requesting Radius Proxy if in use.

> thank you very much
> 
> regards
> George





Re: Log Rotation

2007-05-18 Thread Guy Fraser
On Fri, 2007-05-18 at 17:09 +0200, Jack J Allan wrote:
> On 5/18/07, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:
> Another solution would be to perform logging via syslog(3),
> which
> absolves radiusd from trapping and handling signals and file
> handlers.
> Syslog-ng already does this very well -- why duplicate all of
> that code?
> ~BAS
> 
> 
> I've certainly looked at that possibility, the problem is that you
> cannot separate your logging components nicely. I'd like to separate
> my radius.log, sqltrace, detail logfiles per nas and all that. I'm
> afraid that syslog can't do that and you'll run out of log facilities
> very quickly if you decided to do it manually ( e.g. one facility per
> logfile).
> 
> I found a workaround (no HUP) so I'm happy.
> 
> Jack
I have not checked in quite a while, but at one point a while back,
I suggested using configurable dynamic log file names, like the detail 
files have. I used to use such a beast on a version of Cistron Radius 
that I customized, but I ran into problems trying to make it work 
with FR because if I remember correctly, and it is quite possible I 
do not, there was some kind of problem I ran into where the "Xlate" 
function did not generate what I expected when it had insufficient 
data to resolve the log file "name" due to the type of error. Having 
the configurable logging was low on my list of priorities back then 
and has not become any more important as of now, but it would still 
be a nice feature if there was a way to use defaults using 
"{{variable}:-default}" type entries.




Re: freeradius mac athentication with Tsunami MP.11 5054-R v2.3.0(169)

2006-11-13 Thread Guy Fraser
Hi Cam

I am back from Victoria.

Could you send us some debug info.

HINT: Start freeradius from the command line using 
radiusd -X . See "man radiusd" for more information.

After it is in debug mode, attempt an authentication
and send us the info. 

On Wed, 2006-11-08 at 13:18 +, Cameron Cowie wrote:
> Hi:
> 
> I have configured my freeradius server to run on ubuntu and it is stable 
> (or so I think). I have run tests from my workstation to ask for 
> authentication and it serves out brilliantly.
> 
> But as soon as I ask my tsunami 5054 to authenticate it locks and 
> refuses to talk to the radius server.
> user files is just mac address.
> 
> I am not sure where the problem lies, on the radius server or on the 
> tsunami?
> 
> again  any and all help is greatly appreciated
> 
> 
> 
> entry for clients.conf is simple
> }
> client xx.xx.xx.x {
> secret  = xxxpasswordxxx
> shortname   = xxshortbusxx
> 
> }
> (mac address)  Auth-Type :Local, User-Password := "x"
> 
> 
> as I said simple, but even the simplest things come with 
> complications.
> 
> is there something I am missing on?
> 
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787




Re: RADIUS + MySQL + decisionmaking?

2006-09-27 Thread Guy Fraser
On Wed, 2006-09-27 at 02:47 +0100, Jan Mulders wrote:
> Hello,
> 
> I am trying to set up some decision-making logic into FreeRADIUS, to
> assign users a different speed of service depending on how much
> bandwidth they've used since their billing started.
> 
> I want to issue 512k speed to users in group A, who have used less
> than 20GB of bandwidth (monthlybytecounter is working fine at the
> moment and totals this up nicely). However, if they've used more than
> 20GB, I want to issue 256k speed to users.
> 
> For group B, I want users to get 10Mbps as long as they've used less
> than 50GB of bandwidth, and 1Mbps if they're over.
> 
> I want to assign the values for speed to some vendor-specific
> variable, let's say Max-User-Speed.
> 

Hi

I am replying because I haven't seen any other replies.

The Attribute you use will depend on the "NAS" equipment
you are using. Check the documentation and dictionaries 
for your radius client.

> I am using MySQL for this. Here is a snippet from my database:
> 
> radcheck table:
> 
> username, attribute, op, value
> testuser1, Password, ==, testing
> 
> usergroup table:
> 
> username, groupname
> testuser1, groupa
> 
> 
> Here is a snippet from my radiusd.conf file:
> 
> instantiate {
> monthlybytecounter
> }
> 
> authorize {
> preprocess
> sql
> }
> 
> authenticate {
> pap
> }
> 
> preacct {
> preprocess
> }
> 
> accounting {
> #acct_unique
> #detail
> sql
> radutmp # ?
> }
> 
> 
> session {
> radutmp # ?
> sql
> 
> }
> 
> My question is... how do I implement this? Can anyone write down a few
> examples of how I'd go about making these rules?
> 
> Would I perhaps be better off making a cronjob or something that
> changes the user's group to one of the following? groupA_belowcap,
> groupA_overcap, groupB_belowcap, groupB_overcap?
> 
I do not usually work with MySQL but you are on the right track 
using a counter but you didn't say if it was an sql_counter, which
is what I would use. I would also drop the "radutmp" bits, and do 
everything from SQL. One other note, I usually keep the "detail" 
bits, for archival purposes in case of a dispute.

As for examples, this is as close as I can give you with the bits 
you want :
--- snip ---
modules {
detail acct_log {
detailfile = ${radacctdir}/%Y/%m/detail-%Y%m%d
detailperm = 0640
dirperm = 0750
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
 FROM radacct WHERE UserName='%{%k}' AND \
 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
 FROM radacct WHERE UserName='%{%k}' AND \
 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
}
instantiate {
dailycounter
monthlycounter
}
authorize {
sql
dailycounter
monthlycounter
}
accounting {
acct_log
sql
}
session {
sql
}
--- snip ---



Re: Duplicate requests in a session

2006-08-31 Thread Guy Fraser
On Thu, 2006-08-31 at 12:31 +0300, Peter Nixon wrote:
> Good question. Does anyone have anything against changing this?
> 
> -Peter
> 
> On Thu 31 Aug 2006 10:11, Santiago Balaguer García wrote:
> > Thanks James, I don't figure out to use primary key solves the problem of
> > duplicate keys.
> > I had in radacct as primary key <> but now I am going to have
> > <>.
> >
> > This problem causes a new thread: why radacctid is the primary key of radacct
> > table instead of acctuniqueid?

I used a slightly different solution in my PostgreSQL implementation :

ALTER TABLE ONLY radacct
ADD CONSTRAINT radacct_unique_session UNIQUE (
username, nasipaddress, nasportid, acctsessionid
);

NOTE: When duplicate records come in you will see errors in the 
log file like these :

Fri Jul 7 13:06:47 2006 : Error: rlm_sql (sql): failed after re-connect 
Fri Jul 7 13:06:47 2006 : Error: rlm_sql (sql): Couldn't insert SQL 
accounting START record - ERROR: duplicate key violates unique 
constraint "radacct_unique_session"

These errors are mostly informational, because when the insert 
fails, rlm_sql will use the alternate "update" method and will 
succeed.

This is the same method I used on a customized Cistron 
server I used for over 5 years and had no problems.

For some reason acctuniqueid was not unique in the duplicate 
packets, so my initial attempts at using it were unsuccessful.

PostgreSQL can have a primary key that spans multiple 
columns, and would look like this {IIRC} :

ALTER TABLE ONLY radacct
ADD CONSTRAINT radacct_pkey_session PRIMARY KEY (
username, nasipaddress, nasportid, acctsessionid
);

I did not use this, because I did not want to significantly change 
the default configuration of most of the tables. Once I get a chance 
to clean up the admin interface I have been developing I will 
likely want to add some changes to the PostgreSQL default schema 
that will allow better management without affecting the default 
configuration, but since I am not finished I don't want to add 
the changes to CVS quite yet.


> >
> > >From: James Wakefield <[EMAIL PROTECTED]>
> > >Reply-To: FreeRadius users mailing list
> > >
> > >To: FreeRadius users mailing list 
> > >Subject: Re: Duplicate requests in a session
> > >Date: Wed, 30 Aug 2006 22:07:09 +1000
> > >
> > >Santiago Balaguer García wrote:
> > >>Hi people,
> > >>
> > >>1)
> > >>  In my activity I realize that when the connection to Internet of a NAS is
> > >>NOT good (there are some reday in the DSL), the NAS sends several Start
> > >>requests. My problem is my RADIUS server ask for all these requests and
> > >>they are inserted in my DB. So, when the user or the NAS finalizes the
> > >>session and NAS sends Stop Request, the credit associated with the user
> > >>account is decremented several times. It happens so because I put a
> > >> trigger in my DB to decrement the user credit automatically.
> > >>
> > >>  Can I avoid the problem of inserting several times the start request?
> > >>  If it is so, how??
> > >>
> > >>2) Is it supposed that the value of acctsessionid and acctuniqueid in
> > >>radacct table  are UNIQUE and they can not be duplicated ?
> > >>
> > >>Thanks,
> > >>Santiago
> > >
> > >Hi Santiago,
> > >
> > >Does your DBMS enforce primary key constraints?  Do you have a primary key
> > >defined for your radacct table? If I recall correctly, MySQL by default
> > >doesn't, are you using MySQL?
> > >
> > >Cheers,
> > >--
> > >James Wakefield,
> > >Unix Administrator, Information Technology Services Division
> > >Deakin University, Geelong, Victoria 3217 Australia.
> > >
> > >Phone: 03 5227 8690 International: +61 3 5227 8690
> > >Fax:   03 5227 8866 International: +61 3 5227 8866
> > >E-mail:   [EMAIL PROTECTED]
> > >Website:  http://www.deakin.edu.au
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787




Re: sqlcounter

2006-08-30 Thread Guy Fraser
On Wed, 2006-08-30 at 15:35 +0200, Graham Beneke wrote:
> K. Hoercher wrote:
> > On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:
> >> I've been searching with no success about this... It's frustrating...
> >> there are no documents about it.
> >
> > Perhaps looking into the very obscure doc/rlm_sqlcounter file
> > helps, although it's not "DOC" for some strange reason.
> >
> 
> I've also looked at that document and it has not got me any closer to
> knowing what is going on. It gives examples of how to use sqlcounter for
> time based billing - but it does not explain what the different elements
> of the sqlcounter are - or how they work.
> 
> I am wanting to build an octets based billing system using some custom
> dictionary items from the Chillispot NAS - but I can't find info
> anywhere. Although I have heard that it has been successfully
> implemented.

There is also some "documentation" in the config file.

There may also be some "documentation" in the comments 
within the source code.

I believe this has been discussed many times and there should 
be some information in the archives. Have you Googled for it?

Once you figure it out, maybe you wouldn't mind contributing 
some better documentation for rlm_sqlcounter to the project.
I am sure future implementers would appreciate it.




Re: Report Generator

2006-08-25 Thread Guy Fraser
That used to work in dialup_admin, I have not worked with it 
in a long time. The last time I attempted to test 
dialup_admin, it seemed more difficult to get working than it
had been in the past when I was helping with it. I did not 
spend much time trying to figure out what was causing the 
problem. I was on a deadline, and I knew it would need 
extensive modifications to do what we needed, so I built 
something totally different from scratch.

Authenticating users is not terribly difficult using PHP.

Are your users' accounts stored in a DB or somewhere else ?

I can possibly provide a snippet of code you can use to 
authenticate your users, then you just need to build an 
HTML table from one or more SQL queries.

There are public domain resources that can do most or all 
of those tasks with PEAR modules.




RE: Report Generator

2006-08-24 Thread Guy Fraser
Me too.

I have also built a report generator, into the management system I 
built.

I can provide snippets, but not the whole source until I get
authorization.

Here is a little snippet that allows the PHP output to be 
automatically opened in a spreadsheet :

---begin---
  // $output contains tab ["\t"] delimited fields 
  // and linefeed ["\n"] delimited records
  $size_in_bytes = strlen($output);

  if(strstr($_SERVER['HTTP_USER_AGENT'],'Safari') != false){
// User Agent is Safari = Broken
// Document must be opened and saved with a text editor 
// before Excel can open it
header("Content-type: application/vnd.ms-excel");
// the long header() line was wrapped by the mail client; rejoined so
// that the "size=" part and the byte count stay in one header value
header("Content-disposition: attachment; filename=report-" .
$_SESSION['report'] . "-" . $syear . $smonth . "_" . $eyear . $emonth .
"-" . $gmatch . "_" . $umatch . "-" . date("Y-m-d") . ".txt; size=" .
$size_in_bytes);
  } else {
header("Content-type: application/vnd.ms-excel");
header("Content-disposition: attachment; filename=report-" .
$_SESSION['report'] . "-" . $syear . $smonth . "_" . $eyear . $emonth .
"-" . $gmatch . "_" . $umatch . "-" . date("Y-m-d") . ".tab; size=" .
$size_in_bytes);
  }

  echo $output ;
---End---

Note: When this works, the web page does not change since the data
is output as the attachment.


On Thu, 2006-08-24 at 11:04 -0600, Scott Miller wrote:
> I've also created a report generator - but mine does not require you to
> input the IP address.  It just authenticates the user, asks for the month
> they want to display, and if they want a summary report or a detailed
> report.  It is actually an old ICRadius script (written in PHP) that I found
> and modified to fit my needs.  I'm willing to share this one as well if
> anyone is interested.
> 
> Scott
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Sean
> Sent: Wednesday, August 23, 2006 1:58 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Report Generator
> 
> Hi,
> 
> I've written a report generator in PHP and HTML that will allow your
> clients to generate usage reports from the FreeRadius log files. When
> the user logs in he/she is asked for their IP address and the Month that
> they want to display. If anyone wants a copy let me know. If there is
> enough interest I'll make it available for public download.
> 
> Regards,
> 
> Sean Bracken
> 
> http://swarmhotspots.com




Re: rlm_sql variable substitution clarification

2006-07-07 Thread Guy Fraser
On Fri, 2006-07-07 at 14:18 -0400, Alan DeKok wrote:
> Guy Fraser <[EMAIL PROTECTED]> wrote:
> > The attributes are not named like they were in Cistron dictionaries.
> > They all start with "X-".
> 
>   There's still a bug:
> 
>   Reply-Message = `%{Reply-Message:-x%{User-Password}x}`
> 
>   returns "xbob" for the standard test of user "bob/bob".
> 
>   Patch is given below.
> 
> Index: src/main/xlat.c
> ===
> RCS file: /source/radiusd/src/main/xlat.c,v
> retrieving revision 1.72.2.7.2.1
> diff -u -r1.72.2.7.2.1 xlat.c
> --- src/main/xlat.c   8 Dec 2005 12:47:56 -   1.72.2.7.2.1
> +++ src/main/xlat.c   7 Jul 2006 18:24:08 -
> @@ -533,7 +533,7 @@
>* useless if we found what we need
>*/
>   if (found) {
> - while((*p != '\0') && (openbraces > 0)) {
> + while((*p != '\0') && (openbraces > *open)) {
>   /*
>*  Handle escapes outside of the loop.
>*/
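Review bot: the loop now stops when `openbraces` falls back to the caller's depth `*open` instead of to 0, which is what lets the skip over the unused alternate text consume a nested reference such as `x%{User-Password}x` as a whole rather than stopping at its inner `}`; the hunk does not show `open` being declared or validated, so confirm it is a valid, non-NULL pointer at this point in xlat.c, and consider adding the `%{Reply-Message:-x%{User-Password}x}` case from the mail as a regression test so the "xbob" truncation cannot return.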
> 
Thank you, I'll give it a shot.


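The `%{Attr:-default}` expansion that both Alan's patch and Guy's ConnectInfo_stop template in the next messages depend on, written out as an added example (not FreeRADIUS code): the closing brace of a reference has to be located by tracking brace depth, because the default text may itself contain `%{...}` references. The attribute sets below are constructed; the rate values are taken from the debug output quoted in the thread and the Connect-Info value is made up.

```python
"""Expanding %{Attr} and %{Attr:-default} with nested defaults.

Added example, not FreeRADIUS code.  It models only the attribute/default
part of the xlat syntax discussed in the thread: %{Name} is an attribute
reference, and %{Name:-alt} yields the attribute value when present,
otherwise the expansion of alt, which may itself contain %{...} references.
The real xlat.c handles far more (module calls, escapes); the point here is
that the closing brace must be found by tracking brace depth, not by
scanning for the first '}'.
"""


def _matching_brace(template, start):
    """Index of the '}' that closes the '%{' at `start`, honouring nesting."""
    depth = 0
    i = start + 1  # template[start] == '%', template[start + 1] == '{'
    while i < len(template):
        if template[i] == "{":
            depth += 1
        elif template[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in template: " + template)


def xlat(template, attrs):
    """Expand a template against a dict of attribute name -> string value."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i)
            body = template[i + 2:close]
            # ':-' cannot occur in an attribute name, so the first one splits
            # the reference from its alternate text
            name, sep, default = body.partition(":-")
            if name in attrs:
                out.append(str(attrs[name]))
            elif sep:
                out.append(xlat(default, attrs))  # alternate may nest references
            # an unknown attribute with no alternate expands to the empty string
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Templates quoted in the thread.
CONNECT_INFO_STOP = "%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}"
REPLY_TEMPLATE = "%{Reply-Message:-x%{User-Password}x}"

# Constructed attribute sets: rates from the quoted debug output, the
# Connect-Info string is made up for the 'attribute present' case.
ASCEND_STOP = {"X-Ascend-Data-Rate": "26400", "X-Ascend-Xmit-Rate": "26400"}
WITH_CONNECT_INFO = dict(ASCEND_STOP, **{"Connect-Info": "33600 LAPM/V42BIS"})
BOB = {"User-Name": "bob", "User-Password": "bob"}

if __name__ == "__main__":
    print(xlat(CONNECT_INFO_STOP, ASCEND_STOP))        # D26400_X26400
    print(xlat(CONNECT_INFO_STOP, WITH_CONNECT_INFO))  # 33600 LAPM/V42BIS
    print(xlat(REPLY_TEMPLATE, BOB))                   # xbobx
```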


Re: rlm_sql variable substitution clarification

2006-07-07 Thread Guy Fraser
On Fri, 2006-07-07 at 11:19 -0600, Guy Fraser wrote:
> On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> > I have run into an issue where we now have different types of
> > NAS servers. I would like to use %{Connect-Info} if available
> > or a string formatted from two attributes like :
> > 
> > D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
> > 
> > This is how I tried to do it :
> > 
> > ConnectInfo_stop = \
> > '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
> > 
> > This is what I get when %{Connect-Info} is not available :
> > 
> > "D_X"
> > 
> > I haven't seen any examples where two attributes are combined 
> > to make one attribute.
> > 
> > Thanks
> > 
> I figured it out when running debug for some other reason, sorry 
> for the stupid question.
> 
> Reason :
> 
> X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
> X-Ascend-Connect-Progress = LAN-Session-Up
> X-Ascend-Data-Rate = 26400
> X-Ascend-PreSession-Time = 32
> X-Ascend-Pre-Input-Octets = 364
> X-Ascend-Pre-Output-Octets = 253
> X-Ascend-Pre-Input-Packets = 15
> X-Ascend-Pre-Output-Packets = 13
> X-Ascend-First-Dest = 209.115.142.9
> X-Ascend-Xmit-Rate = 26400
> X-Ascend-Modem-PortNo = 21
> X-Ascend-Modem-SlotNo = 16
> X-Ascend-Modem-ShelfNo = 1
> 
> The attributes are not named like they were in Cistron dictionaries.
> They all start with "X-".
> 
> Thanks anyway.

Foiled again :^(

I changed it to :

ConnectInfo_stop = \
'%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}'

Now I get stuff like :

"D26400"

Help would still be appreciated.




Re: rlm_sql variable substitution clarification

2006-07-07 Thread Guy Fraser
On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> I have run into an issue where we now have different types of
> NAS servers. I would like to use %{Connect-Info} if available
> or a string formatted from two attributes like :
> 
> D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
> 
> This is how I tried to do it :
> 
> ConnectInfo_stop = \
> '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
> 
> This is what I get when %{Connect-Info} is not available :
> 
> "D_X"
> 
> I haven't seen any examples where two attributes are combined 
> to make one attribute.
> 
> Thanks
> 
I figured it out when running debug for some other reason, sorry 
for the stupid question.

Reason :

X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
X-Ascend-Connect-Progress = LAN-Session-Up
X-Ascend-Data-Rate = 26400
X-Ascend-PreSession-Time = 32
X-Ascend-Pre-Input-Octets = 364
X-Ascend-Pre-Output-Octets = 253
X-Ascend-Pre-Input-Packets = 15
X-Ascend-Pre-Output-Packets = 13
X-Ascend-First-Dest = 209.115.142.9
X-Ascend-Xmit-Rate = 26400
X-Ascend-Modem-PortNo = 21
X-Ascend-Modem-SlotNo = 16
X-Ascend-Modem-ShelfNo = 1

The attributes are not named like they were in Cistron dictionaries.
They all start with "X-".

Thanks anyway.




rlm_sql variable substitution clarification

2006-07-07 Thread Guy Fraser
I have run into an issue where we now have different types of
NAS servers. I would like to use %{Connect-Info} if available
or a string formatted from two attributes like :

D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}

This is how I tried to do it :

ConnectInfo_stop = \
'%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'

This is what I get when %{Connect-Info} is not available :

"D_X"

I haven't seen any examples where two attributes are combined 
to make one attribute.

Thanks




Re: Regular expression - Trying to rewrite User-Name

2006-05-11 Thread Guy Fraser
On Thu, 2006-11-05 at 15:13 -0400, Damian Porter wrote:
>  
> I have been struggling with a problem for a few days now.
>  
> I use Centos 4.3 and freeradius 1.0.1. I am trying to rewrite a
> username to include dashes. see my statement below in the rewrite
> section.
>  
>searchfor = "([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})
> replacewith = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"  
>  
> this is the output that i am getting in my radius.log file. 
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #0
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #1
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #2 
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #3
> Thu May 11 14:36:24 2006 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #4
> Thu May 11 14:36:24 2006 : Info: Ready to process requests. 
> Thu May 11 14:36:39 2006 : Auth: Login incorrect: [0e35-353afe-3afe19-fe19/NOPASSWORD] (from client$
> Thu May 11 14:38:49 2006 : Auth: Login incorrect: [13ce-ce20f9-20f949-f949/NOPASSWORD] (from client$
> Thu May 11 14:38:56 2006 : Auth: Login incorrect: [0e35-353ad7-3ad71b-d71b/NOPASSWORD] (from client$ 
>  
>  
> PS i have even gone as far as downloading regular expression programs
> to check my code. If anybody has any suggestions or has encountered this
> problem before let me know.

I have no idea if that is supposed to work, but I noticed what appears 
to be a problem:

0e35-353ad7-3ad71b-d71b

Can not be parsed with :

([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})([a-z0-9]{2})
([a-z0-9]{2})

Because ;
1) 0e35-353ad7-3ad71b-d71b is 24 characters not 12
2) You have no provisions for '-' characters.

So your search will not get a match.




Re: New PHP for interface

2006-05-01 Thread Guy Fraser
On Sat, 2006-29-04 at 15:07 -0500, JasonN wrote:
> On 4/29/06, mnisay <[EMAIL PROTECTED]> wrote:
> >
> > I believed he was referring to browsable dialup administration page using
> > PHP+APACHE+FreeRadius+MySQL direct access
> > to authentication server.
> 
> You are correct.  I had this coded up by a member of my team for a
> client that runs a small access userbase (dialup).  Obviously, dialup
> is only one of many things you can use radiusd for, and FreeRadius may
> be modified to do all sorts of stuff.  All this PHP interface does is
> hook you up to the dB (could be remote, but by default I do it
> locally) and allow you to edit the MySQL dB you're using for your
> radiusd authentication.
> 
> > What type of operations are u using? Local only w/ direct access to FR or
> > remote w/ only configs of BD?
> 
> If nobody takes offense, I'll just post the URI to download the php
> code.  It's short and sweet.  Some of you may find it useful. 
> Obviously, it's not as robust as the the intends to be.  But, it's
> also not broken.  Anyone interested in working from this start to
> build something much more feature rich, please contact me directly.  I
> don't wish to pollute this list.  If we come up with something the
> FreeRadius commit team wish to use, we may offer it at that time. 
> Right now, this is very basic.  But, it makes my ISP clients very
> happy.
> 
> http://www.jasonn.com/files/projects/manage.php.txt
> 
> If you want to participate, please don't waste the list's time
> discussing it here.  It's extraneous to the FreeRadius core, even
> though it may be very useful to many of you.  You are welcome to email
> me personally. - [EMAIL PROTECTED]
> 

I'll definitely check it out when I get a chance.

If it does some of what I need, I will help write some routines 
to make it work with PostgreSQL as well as MySQL.

I have some PHP code I started to develop that has functions to 
read the configuration files. My code can be integrated with what 
you have to allow your code to use items from radiusd.conf and 
the included files. This would allow a more seamless integration 
and simpler setup.

I will dig around, I am pretty sure I have some code that allows 
CSS and table formatted output to be generated from arrays 
generated by SQL queries and other things as well. It makes 
fairly easy work of "beautifying" generated output.;^)




Re: mysql replication vs. radrelay

2006-04-28 Thread Guy Fraser
On Fri, 2006-28-04 at 15:37 +0200, Olaf Schaefer wrote:
> > 1.8 ?
> Freeradius 1.1.1 comes with dialup-admin v1.70.2, the recent CVS
> includes v1.80
>  
> > a file in the documentation directory. The last batch of patches 
> 
> Where can I find your patches? Maybe you've done something which could
> be useful for me. :)
Most were incorporated into the CVS head before FreeRadius was
1.0.0. I doubt I have any of the original patch files anymore.

> 
> > That's right. I would have to study the GPL and FSF licences,
> > to understand the implications.
> 
> Hmmm, isn't freeradius itself released under the same license?
> 
Sure, supplying patches that fix bugs or provide improvements does
not concern me, because I know that is allowed. Taking the code 
for dialup_admin breaking it down and turning it into something 
else is quite different. I respect the tremendous amount of work
that went into dialup_admin, and I am sure that many people find 
it meets their needs. Some of the minimum requirements I have to 
meet require significant changes, and rather than struggle to 
get my changes included. I know that I don't like it when people 
use my code without giving me any credit, making it seem easier 
to start from scratch so that I don't appear to be taking credit 
for work that I did not do on my own.

> > > That sounds like much work 
> > It's like eating an Elephant. Start off with small bites, and 
> > just keep on munching, until eventually you're done.
> 
> Bon appetit! ;) 
> 
> > I am still mulling it over.
> 
> I think is has to be clear what the expected usage is. I mean there are
> two directions, the first is the (technical) administration of the
> radius server concerning tasks like setting up NAS, IP-pools,
> configuration in general etc.
> The second is the "business"-thing, like adding users, billing &
> evaluation of accounting data, colorful statistics :) etc.
Absolutely, I think there are basically three types of activity:

1) Configuration - Used very rarely by knowledgeable staff, to 
change operation of the server.

2) Administration - Maintenance of administration, user accounts,
service packages, billing systems and report generators.

3) User - Allows users to maintain parts of their account(s) that
are permitted, and view the reports they are permitted to see.

Some of the tools required to make configuration possible can 
also be used for administration and in some cases the user 
area as well, but using a conditioned read only method. For 
instance it would be easier for administration to be able to 
select dictionary attributes from a list then be able to 
select valid values for that attribute, or have their entries
verified as being valid.

> 
> I guess Dialup-Admin is somewhere in between. So a real
> GUI-configuration tool would be very nice. 
> 
> > My Boss ruled it out. He doesn't want a bunch of bits and pieces 
> > that are loosely coupled. Unfortunately, what he wants to use 
> > is too limited to do what is needed, but is easy to use. 
> 
> I know this scenario, too :) 
> 
> Have a nice weekend.
> 
> After work I'm going to look for some elephants...
> 
I hope you get something to eat first. ;^)




Re: mysql replication vs. radrelay

2006-04-27 Thread Guy Fraser
On Tue, 2006-25-04 at 07:19 +0200, Olaf Schaefer wrote:
> > I have given up on dialup-admin for now. It seemed broken when 
> 
> for now but not forever ;) 
Who knows.;-)

> 
> > I tested the version that comes with 1.1.1, and there are parts 
> > that need too much work for what I want. I also don't like the
> > 
> I use  version 1.80 from the CVS snapshot. It seems quite stable 
> 
1.8 ?

> > php3 extensions since it is in php4 and have been unable to 
> > 
> Yes, the php3 extension are funny 
> 
> > have those and some other changes accepted in CVS. I have not 
> 
> What do you mean?^^^
A fair while ago I spent a considerable amount of time making 
patches to allow dialup_admin to work with PostgreSQL and 
NetSNMP. I also made some other enhancements which are noted in 
a file in the documentation directory. The last batch of patches 
I submitted were not accepted, and after a while I gave up on
it to work on other more urgent projects.

> 
> > fully read the licence dialup-admin uses so I decided to start
> 
> After you mentioned the licence issue I got curious and searched
> dialup-admin. I found:
> 
> "This program is free software; you can redistribute it and/or 
> modify it under the terms of the GNU General Public License
> as published by the Free Software Foundation; either version
> 2 of the License, or (at your option) any later version."
> 
That's right. I would have to study the GPL and FSF licences,
to understand the implications.

> 
> > from scratch without referencing it at all.
> 
> That sounds like much work 
It's like eating an Elephant. Start off with small bites, and 
just keep on munching, until eventually you're done.

> 
> > that I need to write as well. I am also considering using C
> > and the wxWidget cross platform libraries to design a more 
> > comprehensive Integrated Management System, but I will need 
> 
> Ambitious plan :) Do want to do it all on your own?
I am still mulling it over.

> 
> > to learn how to build a GUI app first. So far I have only built
> > console and web based GUI apps, but PHP and Java may not work
> > for the end project.
> 
> > 
> > I will need hierarchical administration and access control for 
> > my implementation. The system will also need the ability to search 
> > for related accounts and quickly navigate between them, and produce
> > reports and audit trails. Since I have experience accessing 
> 
> In my eyes that's all "only" ;) a question of DB-queries. So I don't see
> the advantage (for my needs) of programming a new "DB-Interface". Have
> you tried "freeside" (http://www.sisd.com/freeside)? I can't tell you
> much about it; I only had a glance at it. AFAIK it offers for instance
> automated invoices.
My Boss ruled it out. He doesn't want a bunch of bits and pieces 
that are loosely coupled. Unfortunately, what he wants to use 
is too limited to do what is needed, but is easy to use. The 
things that are almost what we need are usually too difficult 
or the accountants rule them out. There was a lot of "training" 
to get our current system where we wanted it, now there are 
no old dogs that want to learn new tricks. :^(

The only way I will get anything through, is if I can seamlessly 
integrate into what they want, or make something that does 
everything required from a single application, so there are no 
more multiple entries situations that are required to maintain 
accounts.




Re: mysql replication vs. radrelay

2006-04-21 Thread Guy Fraser
On Thu, 2006-20-04 at 10:08 +0200, Olaf Schaefer wrote:
> > http://sphinx.incentre.net/radius.html
> 
> Not bad. I've begun something similar only for IP pools but Peter Nixon
> announced an sql_ippool module which also stores the configuration
> information in the mysql-DB, so I stopped coding and am waiting for it :)
> 
> > 
> > Let me know what you think.
> 
> It's a good basis to make freeradius fully configurable via dialup
> admin. It shouldn't be that difficult to generate config files using the
> variables of your parser.
> 
> When I have my production system running (migration from MS-IAS to
> freeradius) I'm going to do some efforts in this direction.
> 
> Olaf

I have given up on dialup-admin for now. It seemed broken when 
I tested the version that comes with 1.1.1, and there are parts 
that need too much work for what I want. I also don't like the
php3 extensions since it is in php4 and have been unable to 
have those and some other changes accepted in CVS. I have not 
fully read the licence dialup-admin uses so I decided to start
from scratch without referencing it at all.

Unfortunately I haven't had any time to continue with this 
project lately, and you are the first one to respond to me about 
it. I have a Cisco NetFlow analyzer and traffic accounting system 
that I need to write as well. I am also considering using C
and the wxWidget cross platform libraries to design a more 
comprehensive Integrated Management System, but I will need 
to learn how to build a GUI app first. So far I have only built
console and web based GUI apps, but PHP and Java may not work
for the end project.

I will need hierarchical administration and access control for 
my implementation. The system will also need the ability to search 
for related accounts and quickly navigate between them, and produce
reports and audit trails. Since I have experience accessing 
PostgreSQL in C and have some libraries I built for our current
system, it may not be overly difficult to build a proper 
cross platform GUI interface. I have Windows, Linux, FreeBSD 
as well as PPC and Intel Macs with OS9 and OS X in our office 
now and have had a similar variety in the past, which is why 
I had been using web based GUI projects in the past, but I 
recently came across a tutorial for wxWidgets.

I got a ton of stuff to do today, see you later.




Re: PostgreSQL tables in a schema

2006-04-21 Thread Guy Fraser
On Thu, 2006-20-04 at 20:02 +0300, Milen A. Radev wrote:
> Is it possible to place the necessary tables in a separate schema? We
> need to cross-reference some tables and it would be very convenient if
> we could place the tables inside the same database together with our
> other schemas. I saw that same table names are specified in the
> configuration file (postgresql.conf). Probably it would be easy to
> prepend the schema name. But I saw some other tables in the DB that
> are not mentioned in the conf file.
> 
If that is what you want to do, go ahead. You do not need to prepend 
the schema if the radius user's search path includes the schema.
Read the PostgreSQL docs, and customize the queries however you 
want. The config files are part of the documentation system and are 
meant to serve as samples only; it is up to you to "tweak" them.




Re: Freeradius, mysql, please help!!!

2006-04-13 Thread Guy Fraser
On Wed, 2006-12-04 at 14:02 -0400, Alan DeKok wrote:
> YvesDM <[EMAIL PROTECTED]> wrote:
> > mysql> select * from radcheck;
> > +----+----------+---------------+----+------------------------------------+
> > | id | UserName | Attribute     | op | Value                              |
> > +----+----------+---------------+----+------------------------------------+
> > |  1 | steve    | User-Password | := | $1$nyiGAEuR$5wcFr5bT7SfkVjIChnbZo0 |
> 
>   These are *not* clear-text passwords.  They're encrypted
> passwords. Change the attribute name to Crypt-Password, and it should
> work.
> 
>   Alan DeKok.

You will also need to use Auth-Type := Crypt-Local

This has been discussed an enormous number of times.

Please feel free to use Google to search for answers.



Re: mysql replication vs. radrelay

2006-04-12 Thread Guy Fraser
On Fri, 2006-07-04 at 10:12 +0200, Olaf Schäfer wrote:

> Not yet! That's what I'm looking for. I've already started to do
> something in this direction regarding ip-pools. Where can I find your
> parser?
> 
> regards,
> Olaf
The quick site I set up hosting the files is at:

http://sphinx.incentre.net/radius.html

Let me know what you think.



Re: mysql replication vs. radrelay

2006-04-06 Thread Guy Fraser
On Thu, 2006-06-04 at 23:01 +0200, Olaf Schäfer wrote:
> hello,
> 
> I have a redundant radius server setup with two radius servers. On each
> of the servers freeradius 1.1.1 and mysql is running. If the primary
> server goes down the AC falls back to the secondary server. To keep the
> databases (except the radacct table) synchronised I use MySQL
> replication. But I'm not sure which is the best way to replicate the
> accounting information: using radrelay or mysql-replication, too?
> 
> Besides the man page for radrelay says "The  functions  of  radrelay
> have been added to radiusd". I couldn't find any documentation about
> this feature. Any hints? 
> 
> regards,
> olaf
There are many schools of thought on that.

Some prefer SQL replication, others suggest it is better to build it
into the management system. If you have lots of people managing 
the accounts, you may need a different method than someone 
with only a few people maintaining accounts, since table locking 
and connection load balancing could become an issue. In some cases 
batch processing is acceptable, in other cases it can be detrimental.

Can you give us an idea, about how many people will be changing 
user info and at what rate you would be expecting additions, 
modifications and removals?

It would be helpful for those of us designing management systems, 
so we can test for possible conflicts and performance issues. I 
am not yet working on the SQL maintenance portion of my project 
but it would be helpful for me to have that information in order 
to do some preliminary planning. Some replication methods scale 
better than others, but have their own drawbacks and difficulties.

PS Have you had a chance to try my PHP radiusd.conf configuration 
parser ?




Re: How to make FR reset the logs

2006-04-06 Thread Guy Fraser
On Thu, 2006-06-04 at 14:12 -0400, Dennis Skinner wrote:
> Guy Fraser wrote:
> > vacuum;
> 
> This is not a MySQL command.
> 
> You probably want to look at CHECK TABLE, REPAIR TABLE, and OPTIMIZE
> TABLE.  But we are getting off topic here
> 
> I will note that FreeRADIUS performance had significant improvements
> once the tables were changed to InnoDB from MyISAM, especially the
> radacct table as that fills up quick if you don't archive regularly.

I said :

"
I don't use MySQL very often so do not know for sure if this would 
work, but here goes a simple example :

select * into radacct_old from radacct where AcctStopTime < '2006-04-01
00:00:00' ;

delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;

vacuum;

If you intend on using MySQL you will need to learn how to use
it. There are many functions and some may help you do what 
you want.
"

I prefer PostgreSQL, which is SQL92 compliant and does support 
the SQL VACUUM command. MySQL database maintenance is of little 
interest to me, because I do not think it is good for anything 
but text and blob storage, and I don't need that very often.
Since nobody else had attempted to answer the poster's question 
I suggested a possible method he could try, and suggested he 
learn how to maintain MySQL if he intends on using it. I REALLY
do NOT want to get into a flame war over the differences between 
MySQL and PostgreSQL. I based my sample on SQL standard commands 
hoping that MySQL would support them, but having suggested that 
they may not work without specifying why, may have left it open 
for interpretation. I am sure that for those who know MySQL well 
it works very well for them, but I don't care to spend the time 
learning how to do things the MySQL way.

I have provided some assistance ensuring that the MySQL and 
PostgreSQL drivers had the same functionality, and have a 
MySQL db on the R&D machine for that purpose, but do not 
have any intention on using it for production. The 
PostgreSQL db I use for my custom Cistron server has operated 
flawlessly and at high efficiency since it was installed 
over 5 years ago. Since the Software and Hardware are long in 
the tooth, I will be upgrading them in the near future. I have 
been helping with the development of FreeRadius for a couple 
years, in preparation for this long anticipated upgrade. Once 
I have a good Management interface I will upgrade. I have 
spent a few days building some functions and others have been 
spending considerable time on similar projects, and some of 
us have agreed to share our work in order to move this along, 
so I am hoping to have a new server in place by year's end.

Good luck, and have a great day.




Re: How to make FR reset the logs

2006-04-06 Thread Guy Fraser
On Wed, 2006-05-04 at 22:06 +0300, Mordor Networks wrote:
> Date: Wed, 05 Apr 2006 11:09:58 -0600
> From: Guy Fraser <[EMAIL PROTECTED]>
> Subject: Re: How to make FR reset the logs
> To: freeradius-users@lists.freeradius.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
> 
> On Wed, 2006-05-04 at 06:15 +0300, Mordor Networks wrote:
> > hi
> > Is it possible to make FR remove all monthly accounting logs from
> the 
> > database "mysql"?
> 
> Yikes, why would you want to do that?
> 
> Thanks for your reply . i have pppoe-server with FR and mysql and
> dialup_admin , and 600 user , so i have a lot of traffic and logs
> daily/monthly 

I don't use MySQL very often so do not know for sure if this would 
work, but here goes a simple example :

select * into radacct_old from radacct where AcctStopTime < '2006-04-01
00:00:00' ;

delete from radacct where AcctStopTime < '2006-04-01 00:00:00' ;

vacuum;

If you intend on using MySQL you will need to learn how to use
it. There are many functions and some may help you do what 
you want.



Re: Compiling freeradius 1.1.1 in FreeBSD 6.0 with mysql support

2006-04-06 Thread Guy Fraser
On Wed, 2006-05-04 at 13:08 -0400, Alan DeKok wrote:
> "Mark Hennessy" <[EMAIL PROTECTED]> wrote:
> > I'm trying to build freeradius 1.1.1 on a FreeBSD 6.0 system with MySQL
> > 4.1.15
> 
>   Doesn't the ports system work?

That's exactly what I was thinking.

The port was updated on Mar. 28

> 
> > checking for mysql_init in -lmysqlclient_r (using mysql_config)... no
> 
>   See the config.log for details.  Maybe libmysqlclient_r needs
> additional libraries for it to work.
> 




Re: How to make FR reset the logs

2006-04-05 Thread Guy Fraser
On Wed, 2006-05-04 at 06:15 +0300, Mordor Networks wrote:
> hi
> Is it possible to make FR remove all monthly accounting logs from the
> database "mysql"?

Yikes, why would you want to do that?

Wouldn't it be better to move the data to monthly archive 
tables, then remove the data and vacuum the table?

This is basically what I currently use, so that when a 
customer tries to dispute his charges, we can produce 
detailed information very quickly. I currently maintain 
3+ years of detail, users can check totals, summaries or 
detailed logging for their account from the beginning of 
the third year ago {IE Jan 2003} until the previous 
logout.

Once I have a similar scheme in place I will be moving 
to whichever current version of FreeRadius is available. 
I will continue to work toward integrating similar 
functionality into FreeRadius, that I developed for 
Cistron, allowing dynamic {using xlat} table names. I 
currently use this method in my custom version of 
Cistron Radius, to generate new logging tables every 
month as required. The system I developed has met our 
needs for the last 5+ years, but I would prefer to 
build support into an open platform {FreeRadius}, so 
others can make use of the same advantages, and the 
community can enhance and support the project.



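The monthly archive-and-purge scheme discussed in this thread, written out in MySQL syntax as an added example (this is not the poster's SQL; it assumes the stock FreeRADIUS radacct schema, uses a constructed archive table name, and needs InnoDB tables for the transaction to mean anything):

```sql
-- Added example, not from the original posts.
-- Assumed: stock FreeRADIUS radacct table; radacct_200603 is a constructed name.
-- DDL first: in MySQL, CREATE TABLE implicitly commits, so keep it outside
-- the transaction. LIKE copies the column layout and indexes of radacct.
CREATE TABLE IF NOT EXISTS radacct_200603 LIKE radacct;

START TRANSACTION;

-- Copy only sessions that closed during the month. The lower bound matters:
-- open sessions carry a NULL or zero ('0000-00-00 00:00:00') AcctStopTime,
-- which a bare "AcctStopTime < '2006-04-01'" test would also match and purge.
INSERT INTO radacct_200603
SELECT * FROM radacct
 WHERE AcctStopTime >= '2006-03-01 00:00:00'
   AND AcctStopTime <  '2006-04-01 00:00:00';

-- Sanity check before deleting anything: both counts must agree.
SELECT
  (SELECT COUNT(*) FROM radacct
    WHERE AcctStopTime >= '2006-03-01 00:00:00'
      AND AcctStopTime <  '2006-04-01 00:00:00') AS live_rows,
  (SELECT COUNT(*) FROM radacct_200603)          AS archived_rows;

-- Same predicate as the copy, so nothing is removed that was not archived.
DELETE FROM radacct
 WHERE AcctStopTime >= '2006-03-01 00:00:00'
   AND AcctStopTime <  '2006-04-01 00:00:00';

COMMIT;

-- MySQL has no VACUUM; OPTIMIZE TABLE reclaims the space and rebuilds indexes.
OPTIMIZE TABLE radacct;
```

Keeping the archive tables in the same database leaves the per-customer session history queryable with a UNION over the monthly tables when a billing dispute comes up.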


Re: frontend for freeradius???

2006-04-05 Thread Guy Fraser
On Thu, 2006-30-03 at 22:04 -0500, Alan DeKok wrote:
> Guy Fraser <[EMAIL PROTECTED]> wrote:
> > Since the users file can handle multiple alternate 
> > configurations for DEFAULT and or user entries, it will 
> > require careful planning.
> 
>   I would suggest avoiding the users file.  It causes *way* too many
> problems.
> 
>   Instead, design something that will be useful, better than the
> "users" file, and easy for you to implement.  We'll then take a look
> at creating a module to support it.
> 
>   Alan DeKok.

Interesting Idea!

I have very simple needs now for Radius, we only provide a few 
different dialup packages and only allow PAP authentication.

The current rlm_sql is all I currently need, but I will 
consider some alternative ideas, that could provide easier
manageability for myself and many others on this list.

PS I have recently posted a link to some of the PHP 
stuff I have developed lately.



Re: FreeRadius out of the box....

2006-04-05 Thread Guy Fraser
On Wed, 2006-05-04 at 09:07 +0100, Tony Spencer wrote:
> Because of the issues I've been having with authentication with
> Freeradius I started from scratch and used RPM to remove Freeradius
> and then re-installed the latest version.
> 
> I needed to be able to accept both PAP and CHAP authentication,
> however I couldn't get it to do both and had to by default to get it
> to auth everyone no matter what the password should be. But I don't
> see this as ideal.
> 
> Since I took over the radius server from someone else I'm guessing it
> had been changed by the previous person to the extent where only a re-
> install would solve the problem.
> 
>  
> 
> I read that out of the box Freeradius would accept both PAP and CHAP
> authentication as long as the password was in clear text and I used
> "Password ==".
> 
> So I re-installed Freeradius version freeradius-1.0.1-3.RHEL4.3 and
> converted all the entries from Auth-Type := Accept to "Password ==
> " where  was the user's password.
...snip...
> 
> DEFAULT Auth-Type = System
> 
> Fall-Through = 1
...snip...

Auth-Type = System is for reading the user names from the password
file IIRC.

Try :
Auth-Type = Local





Re: dialup admin & ippool administraton

2006-04-05 Thread Guy Fraser
On Fri, 2006-31-03 at 10:37 +0200, Olaf Schäfer wrote:
> > > 
> > > But the configuration information like "range-start" etc. is still
> > > stored in the radiusd.conf. My idea was to put these configuration
> > > information for each ippool into the mysql-db.
> > 
> >   That may be harder to do.  But if you can create a patch, it will be
> > welcome.
> 
> I'm afraid this exceeds my abilities :(
> 
> Thus I resigned to the fact and have started to parse the radiusd.conf
> via PHP.
> 

I have written a recursive function for reading radiusd.conf 
and all included files.

I finally spent some time and built a simple site to host
the current files for the FreeRadius Admin stuff I am working 
on.

You can check it out at :

http://sphinx.incentre.net/radius.html

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787



Re: Freeradius Expiration Date

2006-03-30 Thread Guy Fraser
On Thu, 2006-30-03 at 10:09 -0600, Atkins, Dwane P wrote:
> I have looked into the db_mysql.sql and found that their was start and
> stop dates in the radacct.  If I can get freeradius to use the
> radcheck table, does this mean it will automatically see the radacct
> table and use input from this table as well?

Have you read any of the documentation?

The FreeRadius database schemas and configurations are designed to 
be generic examples, to help you get started, and are meant to be 
part of the documentation, which is why they are labelled .sample.

You are free to modify anything in the configuration files and 
database schema, to fit your specific needs. There are many 
different modules and features that may do exactly what you 
want without doing any significant changes to the configuration 
files.

You should read all the documentation, and go through all 
the config files. It is a lot of work, but if you do not do 
your homework, you will never know how to help yourself. We 
are not babysitters, and are more than happy to help once 
you run into problems, but are not going to spoon feed you.

Happy reading.



Re: frontend for freeradius???

2006-03-30 Thread Guy Fraser
On Thu, 2006-30-03 at 16:40 +0100, Pelusa Vali wrote:
> hi list, I have a question, are there any freeradius frontends to administer 
> users, but which don't assume I have ldap or mysql?? My users are only in 
> the users file, I reviewed dialup_admin and php radius accounting tool, but both 
> assume I have mysql or ldap, I just want some program with a graphical 
> interface to add users and passwords in freeradius, and if possible monitor 
> them.
> Is there something like that??
> thanks.

I almost forgot.

If most or all of your users have the same checks and replies 
but have different passwords and are using PAP, you may 
want to consider a default entry with Auth-Type = System 
and using the password file to maintain users. If you do it 
that way, you could use Webmin to maintain the user accounts.




Re: frontend for freeradius???

2006-03-30 Thread Guy Fraser
On Thu, 2006-30-03 at 16:40 +0100, Pelusa Vali wrote:
> hi list, I have a question, are there any freeradius frontends to administer 
> users, but which don't assume I have ldap or mysql?? My users are only in 
> the users file, I reviewed dialup_admin and php radius accounting tool, but both 
> assume I have mysql or ldap, I just want some program with a graphical 
> interface to add users and passwords in freeradius, and if possible monitor 
> them.
> Is there something like that??
> thanks.
> 
I don't think there are any official projects.
Some people have "in-house" management systems, but are wary 
about making them public. If you are willing to modify and 
maintain the front end code without endless queries to the 
progenitors of some code, you might want to ask if anyone 
has something to help you get started.

I have been working on some PHP functions to manage 
FreeRadius, but have not developed anything for the 
users file yet. So far I have developed functions 
that can acquire the information from the configuration
or dictionary files. But I am taking some time to consider
how to handle the huge amount of data from the dictionary
files.

Since the users file can handle multiple alternate 
configurations for DEFAULT and or user entries, it will 
require careful planning to make sure the entries 
are stored in a unique way, to ensure that the correct entry 
can be identified, and to make sure that entries do not get 
combined. For my needs, most users will have little more 
than an encrypted password, and we intend on using an SQL
backend, and do not use the users file at all, so accessing 
the data in the users file is near the bottom of my list, but 
others may have it as a different priority.





Re: L2tp and fixed Framed IP Address for ADSL customers

2006-03-28 Thread Guy Fraser
On Tue, 2006-28-03 at 12:05 -0500, Alan DeKok wrote:
> "Adil Bikarbass" <[EMAIL PROTECTED]> wrote:
> > My radius is listening on 1645 for auth and 1646 for acct, I can see the
> > auth request coming into my radius box but the IP address is never got from
> > the Framed-IP reply item but assigned from the Cisco pool
> > 
> > Any clue about what could be the problem?
> 
>   The NAS.  Fight with it some more.  I don't think there's anything
> you can do to FreeRADIUS to fix it.
> 
Is the IP address in a valid range configured on the NAS?

A Cisco will not assign an IP address that it is not configured 
to handle. It seems to me we used eigrp to handle the "static" 
ip address networks for our NAS servers.



Re: Clear text passwords

2006-03-23 Thread Guy Fraser
On Thu, 2006-23-03 at 17:44 -0500, Alan DeKok wrote:
> "Corey Burks" <[EMAIL PROTECTED]> wrote:
> > In my radiusd.conf file I made the following changes and it is still logging
> > my password clear text password
> > 
> > log_auth = no
> 
>   You will have to edit the source code to the detail module to make
> it do what you want.
> 
Is that the way it is supposed to be, or is it on a todo list for it 
to be fixed?



Re: Want to use 2 different authentication-methods

2006-03-22 Thread Guy Fraser
On Wed, 2006-22-03 at 15:15 +0100, Hans-Peter Fuchs wrote:
> I use freeradius 1.0.5
> 
> for a special NAS I want to use 2 user databases.
> 
> requests from nas-special should first verified per sql
> If and only if sql does not verify the user try pam.
> 
> In users I have:
> # new 
> DEFAULT NAS-IP-Address == special, Autz-Type := SQL
> Idle-Timeout = 3600,
> Session-Timeout= 7200,
> Fall-Through = yes
> ### end new
> ### begin old config: works


> DEFAULT Auth-Type = Pam
Have you tried :
DEFAULT  NAS-IP-Address != special, Auth-Type = Pam
...

> Service-Type = Framed-User,
> Nomadix-Bw-Up = 128,
> Fall-Through = yes
> ### end old config
> ### begin new config
> #   pam-authentified users from ssg get Ainternet-attribute
> DEFAULT NAS-IP-Address == special
> Service-Type = Framed-User,
> Idle-Timeout = 3600,
> Session-Timeout= 7200,
> Cisco-Account-Info += "KW0",
> Fall-Through = yes
> ### end new config
> 
> But with this users who are verified by sql are also checked against 
> pam. Do you have some tips?
> 
> Output from radiusd -X:
> 
> rlm_sql (sql): Released sql socket id: 3
>   modcall[authorize]: module "sql" returns ok for request 0
> modcall: group Autz-Type returns ok for request 0
>   rad_check_password:  Found Auth-Type Pam
> auth: type "PAM"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> pam_pass: using pamauth string  for pam.conf lookup
> pam_pass: function pam_authenticate FAILED for . Reason: Permission 
> denied
>   modcall[authenticate]: module "pam" returns reject for request 0
> modcall: group authenticate returns reject for request 0
> auth: Failed to validate the user.
> 
> 
> Regards
> 
> Hans-Peter Fuchs
> 
> 
> Hans-Peter Fuchs - RZKR, Room 20
> Zentrum fuer angewandte Informatik - Universitaetsweiter Service RRZK
> Universität zu Köln - Tel: 0221-470-6972
> 




Re: Version 1.1.1 has been released

2006-03-22 Thread Guy Fraser
On Wed, 2006-22-03 at 08:22 +0100, Stefan Winter wrote:
> Hi,
> 
> > I understand that this change is what you want, but there MAY be
> > someone depending on the existing behaviour.  This change will then
> > surely break their current working configuration.  They can of course
> > fix it by reconfiguring the server, taking this change into
> > consideration, but that is NOT the way to do a stable release cycle.
> 
> My explanation was intended only to explain why packet handling gets a tiny 
> little bit faster. But you are right, there is a very minimal impact:
> normal packets (with User-Name) are always passed through hints, this is 
> unchanged. So, the only new behaviour is that packets without User-Name 
> attribute are also passed through hints, which indeed is new.
> However, it would only break an existing configuration iff someone relies on 
> the fact that his Accounting-On-Off packets are ignored in the hints run.
> I don't want to judge on that, but it sure sounds odd if your configuration 
> relies on that.
> 
> The patch would add consistency where it wasn't before, which is a very good 
> thing IMHO. But I also see your concerns.
> 
> Stefan
The problem I mentioned, when this was brought up, was that the 
intention for doing this was to use hints for something it was not 
meant for.

I think it would be better to use hints as a template for a new 
module that does specifically what you want. If someone wants 
the functions the new module is designed for, they can configure 
it in pre-processing or where ever it is required.

I don't use hints anymore, but other users who are not privy to 
the developers list may.




Re: sql.conf

2006-03-21 Thread Guy Fraser
On Mon, 2006-20-03 at 16:56 -0600, Atkins, Dwane P wrote:
> Why is it that when I run a radiusd -X, I always come back with errors
> on saying that it cannot connect to the mysql server:
> 
>  
...snip...
> rlm_sql_mysql: Couldn't connect socket to MySQL server
> [EMAIL PROTECTED]:radius
> 
> rlm_sql_mysql: Mysql error 'Access denied for user
> 'radius'@'localhost' (using password: YES)'

...snip...
> 
> I have put this in my sql.conf like so:
> 
>  
> 
> # Connect info
> 
> server = "localhost"
> 
> login = "radius"
> 
> password = "x"
> 
>  
> 
> # Database table configuration
> 
> radius_db = "radius" 
> 
>  
> 
> What am I doing wrong?  I have followed a number of whitepapers to
> install this and most of them say the same thing. 
> 
>  
> 
> I downloaded freeradius and mysql-server using the 'yum install'
> option.  Now, when I do a ./configure on freeradius, do I need to do
> it with a --with-mysql option?
> 
>  
> 
> Should I try this on something other than FC4?  I am opened to
> options.

First of all for stability, I would suggest FreeBSD. The 
Fedora Core Releases are cutting edge with a short life
span.

First thing you should try is using the mysql command line 
to access the database with the credentials you put in the 
configuration file.

bash> mysql -h localhost -u radius -px

If it lets you in try to connect to the db :

mysql> \r radius

If you can not get connected this way the problem is in your 
MySQL configuration.




Re: detail Files

2006-03-17 Thread Guy Fraser
On Fri, 2006-17-03 at 16:15 -0500, Lisa Casey wrote:
> Hi,
> 
> I sent this email a couple of hours ago but it hasn't appeared on the list 
> yet so I'm resending it. If it comes through twice, accept my apologies.
> 
> 
> Currently my Freeradius server writes new accounting detail files each day.
> In radiusd.conf,   if I were to change
> 
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> 
> to
> 
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m
> 
> Would it then write one detail file for each month?
> 
Yes

Normally I don't like the per NAS/Client directories, but 
do like daily logs, so I use :

detailfile = ${radacctdir}/detail-%Y%m%d

I use a cron job to compress the daily logs, and archive 
them.

I only keep them in case of a legal dispute, all of my 
real accounting is done in SQL.



Re: Mysql problem

2006-03-17 Thread Guy Fraser
On Thu, 2006-16-03 at 10:45 +0100, KNO wrote:
> On 3/16/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > "Fabiano Rodrigo Boscatto" <[EMAIL PROTECTED]> wrote:
> > > Hi there, i have freeradius working fine with mysql authentication. The
> > > problem is that the User-Password is stored in mysql table as clear text. 
> > > Is
> > > there a way to crypt that?
> >
> >   Change User-Password to Crypt-Password, and encrypt the password
> > with the Unix crypt() tool.
> >
> >   Then CHAP & MS-CHAP stop working.
> >
> >   If you want to encrypt the password with some kind of key, and then
> > make the key available to FreeRADIUS too, that might be useful.  Maybe.
> >
> >   But it's not as useful as it might first look.  You're better off
> > controlling access to the entire MySQL DB, which contains a lot more
> > security information than the clear-text password.
> >
> >   Alan DeKok.
> 
> And what I must to do if I want to use MD5 to store the passwords?
> Greets, Aitor
> 
If you are using a Unix/Linux system that can use MD5 passwords 
in the password file, then libcrypt likely supports MD5 passwords.

I have tested using SHA1/DES/MD5 encrypted passwords from the 
system password file on FreeBSD and put them in SQL and it worked.

One thing I discovered while testing was that you will need to 
set Auth-Type := Crypt-Local and Crypt-Password == ''.

I tend to put the Auth-Type settings in radgroupcheck and assign 
users with encrypted passwords to different groups than those with 
clear text.

Example:

1 chap-unlimited Auth-Type := Local
2 pap-unlimited Auth-Type := Crypt-Local

Then radcheck would be like :

1 fredf User-Password == wilma
2 troll Crypt-Password == $1$f3d5.Cf9$aeM0tnhrmahLR/yHMlEwU1

And usergroup would be like :

1 fredf chap-unlimited
2 troll pap-unlimited


I have just started working on a new PHP management system and 
am intending on supporting the system crypt() command for 
encoding passwords when updated. Dialup Admin has not been 
updated much, since the last time I used it, and it does not 
provide many of the functions I need. I am using code I have 
written from scratch, but in the day I have been working on it 
I have almost got a function that correctly parses radiusd.conf 
and any files included. Once I can accurately read all the
config files that are not intended on being deprecated then I 
will make the functions to modify them. Once that is done 
I will concentrate on functions to maintain MySQL and 
PostgreSQL users and accounting tasks. It is a fairly large 
task, and it may get sidelined for or more simple system, but 
I want to start using FreeRadius, so I can decommission the 
Cistron server I customized to send accounting info directly 
to a PostgreSQL data base. Although the current system has 
been working flawlessly for over 5 years, FreeBSD has a lot 
more functionality, flexibility and is currently maintained
by more people than just me.

TTFN


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
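The MD5-crypt ("$1$") hashing the reply above relies on, as an added example that is not part of the thread or of FreeRADIUS. It reimplements the Unix crypt(3) MD5 scheme with only the Python standard library (so a management script can populate radcheck without the deprecated crypt module), verifies a candidate password against a stored hash in constant time, and builds Crypt-Password rows in the shape of the radcheck example in the message. The salt, the user list and the "password"/"saltsalt" check vector are constructed for the example; the 8-character salt and the "==" operator follow the message's radcheck rows, not a FreeRADIUS requirement.

```python
"""MD5-crypt ($1$) hashes for a FreeRADIUS Crypt-Password column.

Added example, not code from the thread or from FreeRADIUS. It follows
the FreeBSD md5crypt algorithm behind crypt(3) and produces the same
"$1$<salt>$<hash>" format as the radcheck example in the message.
"""
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s base-64 variant: least significant 6 bits come out first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return "$1$<salt>$<22 chars>" for password, as crypt(3) would."""
    salt = salt[:8]                        # crypt(3) uses at most 8 salt bytes
    if any(c not in _ITOA64.encode() for c in salt):
        raise ValueError("salt must use [./0-9A-Za-z]")

    ctx = hashlib.md5(password + _MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                        # as many bytes of alt as the password has
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    bit = len(password)
    while bit:                             # one byte per bit of len(password)
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                  # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    # Output bytes are interleaved in this fixed order before encoding.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return (_MAGIC + salt).decode() + "$" + encoded


def new_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt (for a new radcheck row)."""
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return md5_crypt(password.encode(), salt.encode())


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $1$ hash (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False                       # not an MD5-crypt hash
    try:
        candidate = md5_crypt(password.encode(), parts[2].encode())
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


def radcheck_rows(users: dict) -> list:
    """(username, attribute, op, value) rows as in the message's radcheck
    example: the hash is stored, never the cleartext. "==" is the operator
    the message uses; newer FreeRADIUS releases use ":=" for password items."""
    return [(name, "Crypt-Password", "==", new_hash(pw)) for name, pw in users.items()]


if __name__ == "__main__":
    # Constructed input; "password"/"saltsalt" is the published crypt(3) vector.
    print(md5_crypt(b"password", b"saltsalt"))
    for row in radcheck_rows({"troll": "wilma"}):
        print(row)
```

As Alan notes above, a crypt hash only serves PAP: CHAP and MS-CHAP need the cleartext (or an NT hash) on the server, so verify() is the only path a RADIUS server can take with these rows.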


Re: incorrect radacct AcctSessionTime

2006-03-15 Thread Guy Fraser
On Tue, 2006-14-03 at 15:16 -0500, Alan DeKok wrote:
> "Gunther" <[EMAIL PROTECTED]> wrote:
> > From time to time I see entries in the radacct AcctSessionTime column with
> > over 1 billion seconds,
> > despite that the StopTime minus StartTime is less than 5 seconds.
> > With FR 1.0.5 it was a few times 2147483647: 
> 
>   2147483647 is 2^31-1.  It looks like a signed/unsigned problem to
> me.

I used to see Acct-Session-Time responses from USR Hyper Cards 
like that every so often, the NAS was at fault and required a 
reboot.

We would then calculate the time :
Example,
Acct-Session-Time = (Acct-Stop-Time - Acct-Stop-Delay) - 
(Acct-Start-Time + Acct-Start-Delay)

We did it that way to give the customer the benefit of any 
error possibly incurred by delays. How you do this in real
life will depend on what kind of DB you use to store the 
accounting data.

> 
> > Now with 1.1.0 it is around 1142280970:
> 
>   Which is a weird number.
> 
> > I presume that the NAS (wrt54g with Chillispot) is sending the incorrect
> > information ...
> > Is this correct?
> 
>   Maybe.  See the SQL queries.  If the NAS is sending
> Acct-Session-Time, that goes into the column.  If it doesn't send
> Acct-Session-Time, then the session time is calculated based on the
> local system time, and other info.
> 
>   It looks to me like the clocks on your NAS and the RADIUS server may
> be quite a ways off from each other.
> 
>   Alan DeKok.




Re: About Monthly Time Limits

2006-03-13 Thread Guy Fraser
On Mon, 2006-13-03 at 15:39 -0500, Lisa Casey wrote:
> Hi,
> 
> We are an ISP. As many ISP's do these days, we outsource our dialup numbers 
> to wholesalers such as Megapops, etc. but we maintain our own radius 
> servers. The wholesaler proxies radius requests to us.
> 
> The following is kind of  hypothetical, but I need to know this in order to 
> understand how all this works.
> 
> I have monthly time limits set up in my Freeradius. When customers login, 
> where exactly does the information come from that tells Freeradius "This 
> customer is OK, he has not used up his time limit yet" or "Reject this 
> customer, he has used up his limit for this month".  Is this dependent on 
> something in the radius config at the wholesalers end, or is this info taken 
> from my db.monthly file?
> 
> Another way of asking this question (in case I'm not making myself clear 
> which is always a possibility) is:
> 
> Does the wholesaler have to support monthly time limits or can I do it all 
> from my end (whether or not the wholesaler supports such an attribute)?
> 
> Any info about how this process works will probably help clear up my 
> thinking.
> 
> Thanks,
> 
> Lisa Casey

You will want to use a monthly counter.

Personally I would prefer a rlm_sqlcounter, and slightly modify
the rlm_sql queries to provide a maximum session time of the time 
left as an attribute.

The whole thing is very configurable and it's kind of left up 
to the admin to tweak the configs for their own unique purpose.




Re: Password Logging

2006-03-13 Thread Guy Fraser
On Mon, 2006-13-03 at 17:38 +0100, andre kip wrote:
> Hi Geoff, 
> 
> I haven't been successful in getting freeradius not to
> log passwords. Where is this rlm_syslog?? I am looking
> for it at source but to no avail. ..or did you change
> rlm_detail by adding:
> 
>  if ((strstr(buf, "User-Password") != 0) &&
>  (strcmp(inst->hidepasswd, "yes") == 0)) 
>   {
>  pair->next;
>   }
> 
> regards,
> Mr. Trüffle
> 
Have you tried changing the settings in radiusd.conf?

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no





Re: freeBSD and freeRADIUS with mySQL

2006-02-28 Thread Guy Fraser
On Sat, 2006-25-02 at 14:52 -0500, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > the ports for freeradius don't seem to install correctly, and when we
> > build from lates binaries there is errors when trying to load mysql... In
> > the mandrake 10.2 system I had - all I did was install mysqlxx-dev
> > development extensions, and all was good... I can't find any support for
> > freebsd.
> 
>   I suggest asking on the freebsd ports list, asking the maintainer,
> or looking through the freebsd bug list.
> 
>   I don't know any developer who uses FreeBSD, so that makes it
> difficult to track down the problem.
> 
>   Alan DeKok.

I have not been actively doing any development lately, but I did 
a bunch of development pre 1.0 to ensure the PostgreSQL and MySQL 
had the same functionality.

The maintainer for the FreeBSD port is quite good, and I have not 
had any problems with the port in the past.

There have been an enormous amount of posts on this topic, and it 
has been answered a hundred times. The information is out there
there is also sample data that I have posted a number of times.

It would help if the original poster let us know what version 
of FreeBSD he was using. He mentions Mandrake 10.2 but as far 
as I know they don't have a FreeBSD distribution. ;^)

I was planning on doing some more testing soon, I will try to 
get to it today.




Re: hints processing for Accounting-On / Off packets?

2006-02-22 Thread Guy Fraser
On Wed, 2006-22-02 at 07:34 +0100, Stefan Winter wrote:
> Hi,
> 
> > You don't have to have a User-Name in the request to use that file. If
> > it isn't there and you need it for further processing you can add it.
> 
> Well, no. That's exactly the point: the hints file is *skipped* if there is 
> no 
> User-Name in the request.
> 
> Greetings,
> 
> Stefan Winter
The hints file was originally designed to classify users and determine
what methods of connection were allowed, by using an uppercase 
character or other pattern. It provided a similar function to what 
groups are now used for, before groups were implemented. The letter 
or pattern could be removed before authentication if desired.

Examples :

Uacct01 = UUCP user acct01
Pacct02 = PAP  user acct02
Cacct03 = CHAP user acct03
etc.

The Accounting-On is a status message from the NAS indicating that
no users are currently logged on and that accounting will start.

The Accounting-Off is a status message from the NAS indicating that 
all users logged in are being logged off and that accounting will stop.

There is no relationship to any specific account, so hints is not 
supposed to be used. If you are using hints to do some other kind 
of processing, you are likely using it for something it was not
intended for.

If you are using an SQL backend for accounting the Accounting-On / 
Accounting-Off packets are handled by the sql configuration to 
mark all active sessions as stopped for the NAS that sent the packet.





Re: How to kick a logged user

2006-02-06 Thread Guy Fraser
On Mon, 2006-06-02 at 11:47 -0500, Eduardo Bejar wrote:
> Hi,
> 
> I've been searching a while about how to kick a logged user or force
> terminate its session. It seems that this has been asked before on the
> list, but I didn't find an answer different from "radius can't do that". The
> only answer that I've found is that it's required an external script for
> this.
> 
> Section 4.3 of the Freeradius FAQ mentions a radkill program, but the link
> included is dead. And also says "try using SNMP". I haven't also been able
> to find information on how to use SNMP for this, so I ask the list:
> 
> Can anyone post a link to download radkill?
> 
> Or
> 
> Can anyone explain me how to do this with SNMP?
> 
> Or perhaps,
> 
> Can anyone post a procedure to kick a logged user?
> 
> Thanks for your replies,
> 
> Edo

It depends entirely on your NAS. Radius is not designed to kick 
off users. Check the documentation for your NAS. The radkill 
script was designed to work with Livingston Portmasters and does 
not work with many other products, but may be a good place to 
start to build your own. We rarely needed to kick users off, 
and when we did we just logged into the NAS and booted them from 
there. I looked into it briefly for Cisco 5248 and determined 
that by setting the interface administratively down would boot 
the user, then setting it back to up would allow it to accept 
access again. The tricky part was matching the user to the 
interface so you would kick the right user.




Re: Postgres

2005-12-12 Thread Guy Fraser
On Thu, 2005-08-12 at 15:57 -0500, Brian A. Seklecki wrote:
> On Wed, 7 Dec 2005, leunam atebro wrote:
> 
> > I am new to this freeradius server, can you give me
> > some idea on how to authenticate freeradius in a
> > postgres database? Also, I need sample configuration
> 
> Working, tested, proven sample configuration files are [what this project 
> is in] in desperate need of.

Very few changes need to be made to make FreeRadius work with
PostgreSQL using the default configuration files, the main 
change is selecting the postgres configuration file. The schema 
and configuration files are included. There isn't information 
on how to configure PostgreSQL, because they have their own 
documentation and mailing list.

I have provided data sets for testing PostgreSQL in the past
and they are likely still in the archives.

I did extensive testing prior to the release of version 1.0 to 
ensure that the PostgreSQL driver had equivalent capability to 
the default MySQL driver.

Most problems configuring FreeRadius for use with SQL backends 
are misconfiguration of the SQL system. Test the SQL connection 
using the username, password, host and port from the radius 
server using the values you have configured in the config files 
using the database's command line utilities to ensure you have 
properly configured your database. In many cases you will 
need to edit the host based authentication and configuration 
files to enable IP connectivity and allow authentication 
for the SQL backend from the FreeRadius server. All of this 
is part of the SQL server configuration and is not covered 
by FreeRadius, because it is covered by the database 
documentation.

> 
> In the mean time, search the mailing list archives.
> 
> Just out of curiousity, are you just wanting to control AAA access to the 
> CLI or are you authenticating a dialin port on the AUX?
> 
> ~BAS
> 
> > to test the server. My NAS client is CISCO(2500) with
> > 11.3 IOS.
> >
> > Help is highly appreciated..
> >
> > Thank you...
> >
> > Nuel
> >
> > __
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> > http://mail.yahoo.com
> >
> 
> l8*
>   -lava
> 
> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
> 
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787



Re: SQL NAS table

2005-10-25 Thread Guy Fraser
On Tue, 2005-25-10 at 12:52 -0400, Alex M wrote:
> Can some one point me to the documentation on use of SQL NAS table?
> 
> So that I can add nas devices to the DB and not a text file?
> 
...snip...

There has been discussion on this in the past, here is a 
message I sent as a response to this list, that might point 
you in the right direction.


---Copied message from archive---
On Thu, 2005-15-09 at 15:08 -0400, Alan DeKok wrote:
> > Am I to take it that it is not possible to use SQL for the
> > clients.conf file? And if that it the case could someone please
> > explain what the nas table is for in the database schema?
> 
>   It's possible.  You do need at least one entry in "clients.conf",
> though.  I suggest "127.0.0.1"
> 
>   Then, read "sql.conf", and set "readclients=yes"
> 
>   Alan DeKok.

Cool.

I am working with FreeBSD and the updates for 1.0.5 are not 
in the cvsup repository yet, so my comment is in regards to 
1.0.4, but may apply to 1.0.5.

I took a look at the postgresql stuff and it appears as though 
the schema will need a little tweak in order to be compatible 
with "rlm_sql.c"'s requirements.

A "SERIAL" column named Id will need to be added.

This will make it compatible :

-- SQL clients table
CREATE TABLE nas (
    id          SERIAL PRIMARY KEY,
    nasname     VARCHAR(128),
    shortname   VARCHAR(32) NOT NULL,
    type        VARCHAR(30),
    ports       int4,
    secret      VARCHAR(60) NOT NULL,
    community   VARCHAR(50),
    description TEXT
);

This is not required, but this info used to be in the nas
table in the postgresql schema.

-- additional nas info table (was part of the nas table above;
-- named nas_info here so both CREATE statements can run)
CREATE TABLE nas_info (
    id          int4 NOT NULL,
    ipaddr      INET PRIMARY KEY,
    snmp        VARCHAR(10),
    naslocation VARCHAR(32)
);

---End of message---




Re: Value of Calling-station-id on ethernet

2005-10-11 Thread Guy Fraser
It is what ever you want, but it is best to pick something unique you
can use to identify the end point equipment.

For dial-up it is the caller-id, for EAP it is usually a MAC 
address and for tunnelling it is usually an IP address.

On Tue, 2005-11-10 at 21:03 +0200, Jonathan De Graeve wrote:
> Is this value the mac or the ip address on Ethernet networks.
> 
> I need to know since I'm programming a radiusclient.
> 
> J.
> 
> --
> Jonathan De Graeve
> Network/System Administrator
> Imelda vzw
> Informatica Dienst
> 015/50.52.98
> [EMAIL PROTECTED]
> 
> 
> 




Re: Accounting and Cisco devices

2005-10-05 Thread Guy Fraser
On Wed, 2005-05-10 at 09:56 -0500, Ryan Klinkhammer wrote:
> Is it possible receive accounting information for cisco devices.  When
> I go to my log files I can see the start and stop of my session but
> don’t see the commands I entered on the device.  Or does freeradius
> not log accounting information.  I am using version 1.0.5

It sounds like you are thinking of syslog accounting rather than radius
accounting.

If you are using debug to log the activity on your Cisco device you will
have to configure it to use a remote syslog server, to collect the debug
information. If you want per interface accounting information, you will
either want to use SNMP or NetFlow information.

Radius is only for the AAA features on the Cisco device.





RE: Maximum size Input-Octets/Output-Octets

2005-09-26 Thread Guy Fraser
On Mon, 2005-26-09 at 17:49 +0200, Jonathan De Graeve wrote:
> So is it 2147483648 or 2147483647?
> 

2147483648 / 2147483648 = 1
2147483648 mod 2147483648 = 0

The range is 0 through 2147483647.




RE: Maximum size Input-Octets/Output-Octets

2005-09-26 Thread Guy Fraser
On Fri, 2005-23-09 at 19:42 +0200, Jonathan De Graeve wrote:
> >  What "radacct" are you talking about?  The Acct-Input-Octets stops
> >at 2G because the RFC dictates that it's a 32-bit integer.  That's why
> >the Acct-Input-Gigawords attribute was defined.  It goes past 2G.
> 
> I'm talking about the detail file from freeradius.
> 
> This is what I found in RFC2869
> 
> 5.1.  Acct-Input-Gigawords
> 
>Description
> 
>   This attribute indicates how many times the Acct-Input-Octets
>   counter has wrapped around 2^32 over the course of this service
>   being provided, and can only be present in Accounting-Request
>   records where the Acct-Status-Type is set to Stop or Interim-
>   Update.
> 
> So I assumed that the wrapping went @ 4GB instead of 2GB
> 
> >From RFC2866:
> 
> Value
> 
>   The Value field is four octets.
> 
> Also:
> 
>   integer  32 bit unsigned value, most significant octet first.
> 
> So its 32bit. (4GB right??)
> 
> I will use 2147483647 for now. But I can't find the definition which
> says that it should be 2GB so I need to be sure.
> 
> J.
What is right and what is in common use may be two different things.

In my experience, some NAS vendors generate negative numbers when 
the Octet Value is greater than 2^31.

By the way a GigaWord is 2147483648 bytes since a Word = 2 Bytes 
and Giga = 1024*1024*1024 = 1073741824. It would therefore make 
sense to use a modulo of 2147483648 for the Octet value which holds
the "remainder" of the full byte count.

Just in case you were wondering what a TeraQuad was after watching a
Star Trek NG episode it is 4398046511104 Bytes. ;^)


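An added example, not from the thread or from FreeRADIUS, that covers both this message and the Acct-Session-Time overflow discussed in "Re: incorrect radacct AcctSessionTime" above. It treats the 32-bit counters a NAS puts in an Accounting-Request the way a billing job should: a session time of 2^31-1, a negative value, or one far from what the Start/Stop timestamps and delays imply is replaced by the timestamp arithmetic the earlier reply gives; byte totals are rebuilt from the octets plus the Gigawords wrap counter per RFC 2869 (wrap at 2^32), with negative octet values reinterpreted as the unsigned 32-bit number the NAS meant. The records and the MAX_SKEW tolerance are constructed for the example.

```python
"""Sanity-check the 32-bit accounting counters a NAS reports.

Added example, not code from the thread or from FreeRADIUS. The
StopRecord fields mirror the radacct columns named in the thread;
the rows built from them here are constructed.
"""
from dataclasses import dataclass, field
from typing import List

WRAP = 1 << 32              # Acct-*-Octets wraps here (RFC 2869 5.1 / 5.2)
INT32_MAX = (1 << 31) - 1   # the 2147483647 sentinel seen in the thread
MAX_SKEW = 300              # assumed tolerance for NAS/RADIUS clock disagreement


def u32(value: int) -> int:
    """Reinterpret a value the NAS may have sent as signed 32-bit as unsigned."""
    return value & 0xFFFFFFFF


def total_octets(octets: int, gigawords: int = 0) -> int:
    """Acct-*-Octets plus Acct-*-Gigawords times 2^32."""
    if gigawords < 0:
        raise ValueError("Gigawords cannot be negative")
    return gigawords * WRAP + u32(octets)


@dataclass
class StopRecord:
    """One Accounting-Request Stop as it would land in radacct."""
    username: str
    start_time: int           # epoch seconds the server stamped the Start
    stop_time: int            # epoch seconds the server stamped the Stop
    session_time: int         # Acct-Session-Time as reported by the NAS
    start_delay: int = 0      # Acct-Delay-Time on the Start packet
    stop_delay: int = 0       # Acct-Delay-Time on the Stop packet
    input_octets: int = 0
    output_octets: int = 0
    input_gigawords: int = 0
    output_gigawords: int = 0


def derived_session_time(rec: StopRecord) -> int:
    """(Stop - StopDelay) - (Start + StartDelay), floored at zero: the
    formula from the earlier reply, which credits delays to the customer."""
    return max(0, (rec.stop_time - rec.stop_delay) - (rec.start_time + rec.start_delay))


def session_time_is_bogus(rec: StopRecord) -> bool:
    """True when the NAS value cannot be trusted: the overflow sentinel, a
    negative value, or a gap from the timestamp-derived value that clock
    skew cannot explain (the ~1142280970 case looks like a raw epoch time)."""
    if rec.session_time < 0 or rec.session_time == INT32_MAX:
        return True
    return abs(rec.session_time - derived_session_time(rec)) > MAX_SKEW


def normalise(rec: StopRecord) -> dict:
    """Values a billing job should use, plus a list of what was corrected."""
    corrected: List[str] = []
    session_time = rec.session_time
    if session_time_is_bogus(rec):
        session_time = derived_session_time(rec)
        corrected.append("Acct-Session-Time")
    if rec.input_octets < 0 or rec.output_octets < 0:
        corrected.append("Acct-*-Octets sign")   # negative: NAS used signed 32-bit
    return {
        "username": rec.username,
        "session_time": session_time,
        "input_bytes": total_octets(rec.input_octets, rec.input_gigawords),
        "output_bytes": total_octets(rec.output_octets, rec.output_gigawords),
        "corrected": corrected,
    }


if __name__ == "__main__":
    # Constructed records: an overflowed session time and a signed octet count.
    print(normalise(StopRecord("gunther", 1142280000, 1142280004, INT32_MAX)))
    print(normalise(StopRecord("troll", 0, 10, 10, input_octets=-1, input_gigawords=2)))
```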


Re: Freeradius and Postgresql configuration

2005-09-26 Thread Guy Fraser
On Mon, 2005-26-09 at 11:22 +0100, [EMAIL PROTECTED] wrote:
> Good morning!
> I have successfully configured freeradius server using a postgresql 
> database
> to store users which I want to authenticate.
> When I put it in debug mode to test it works well. But when I run it as daemon
> the radius server doesn't see the postgresql server. In the radius's log file I
> see this:
>  Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
> Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
> Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server
> [EMAIL PROTECTED]:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to server:
> Permission denied ?Is the server running on host "localhost" and accepting
> ?TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.
> Please help me.
> 
What platform and operating system are you using?




Re: How to deal with this ...

2005-09-26 Thread Guy Fraser
On Fri, 2005-23-09 at 15:01 -0300, Ezequiel O. Block wrote: 
> Guy Fraser wrote:
> > On Fri, 2005-23-09 at 11:55 -0300, Ezequiel O. Block wrote:
> >> Hi Guys,
> >>
> >> Using Freeradius for authorization, accounting and ip pools management.
> >>
> >> By mistake i turned off my NAS, and when this NAS came back online then 
> >> freeradius began rejecting my users as if they were still connected, 
> >> should my NAS send some kind of "Accounting restart let's start again" 
> >> packet to Freeradius in order to let him know that those users are no 
> >> longer connected? am i right? if not how can i deal with this kind of 
> >> problems? apart from not being so stupid again to turn off a nas by 
> >> mistake 
> >>
> > Yes your NAS probably should, but many vendors do not include
> > support for Accounting on and Accounting off.
> 
> I'm using MPD on FreeBSD as PPPoe AC, I'm going to ask on their mailing 
> list to see if it does support accounting on/off.
> 
> > 
> > If your NAS does not support Accounting On/Off there is little 
> > you can do. If your NAS supports remote syslog, you could 
> > monitor the log and watch for something that occurs at startup 
> > or shutdown. You could also set up up some kind of "heart beat"
> > monitor that checks to see if the NAS shuts down. You can use 
> > these to close the open accounts on the affected NAS. You will 
> > need to be careful how you account for the interruption in your 
> > billing system because you will not have any accurate accounting 
> > information or stop time. In the past when we have had NAS 
> > failures we did not bill for the session that failed, but to 
> > limit our exposure we set a 100 hour maximum session time, that 
> > way users have to connect at least 7 times per month so we don't 
> > lose a complete billing cycle.
> 
> Thanks a lot for the tip, I just switched back to plain text validation 
> over the NAS itself, to recover from this situation I'm just about to
> 
> 1. DELETE FROM radacct WHERE AcctStopTime is NULL and NASIPAddress = 
> 'a.b.c.d';

Rather than delete the record, maybe set AcctStopTime = AcctStartTime,
AcctSessionTime = 0 and the Termination cause = NAS-Shutdown or
something like that.

I don't have access to a FreeRadius machine this morning, but if I 
remember correctly there is an SQL query defined for Accounting 
On/Off handling.

I don't delete any records from the database and if I update a 
record I set the Termination Cause to indicate why the record was 
updated manually.

> 
> 2. Restart freeRadius to clean up those ips no longer in use?

I have never used IP pools on a radius server, so I don't know the 
best way to flush the unused IPs.

> 
> 3. did I forget something?
> > 

If you are using session/unix files {radutmp and radwtmp} you may 
need to use radzap to clear the entries from them.


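An added example, not the thread's or FreeRADIUS's own SQL, covering this message and the monthly time limit discussed in "Re: About Monthly Time Limits" above. It runs against an in-memory SQLite copy of the radacct columns the messages mention, with constructed rows. close_stale_sessions() does what the reply recommends instead of DELETE: every session still open on the rebooted NAS is marked stopped with a session time of 0 and a terminate cause that records why (NAS-Reboot is an RFC 2866 Acct-Terminate-Cause value; FreeRADIUS's own accounting-on/off queries are not reproduced here). remaining_seconds() is the arithmetic an rlm_sqlcounter style limit performs: sum this month's usage and hand back what is left as the Session-Timeout, or 0 to reject. Column names, the SQLite backend and epoch-second timestamps are assumptions of the example.

```python
"""radacct maintenance after a NAS reboot, and a monthly time counter.

Added example, not code from the thread or from FreeRADIUS. Column names
follow the radacct fields named in the thread; the rows are constructed.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      INTEGER NOT NULL,
    acctstoptime       INTEGER,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);
"""


def open_db(rows) -> sqlite3.Connection:
    """In-memory radacct loaded with (user, nas, start, stop, secs, cause) rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime, acctstoptime,"
        " acctsessiontime, acctterminatecause) VALUES (?, ?, ?, ?, ?, ?)",
        rows,
    )
    db.commit()
    return db


def close_stale_sessions(db, nas_ip: str, cause: str = "NAS-Reboot") -> int:
    """Close every session still open on nas_ip without deleting the evidence:
    stop time = start time, session time 0, cause recorded. Returns rows updated."""
    cur = db.execute(
        "UPDATE radacct SET acctstoptime = acctstarttime, acctsessiontime = 0,"
        " acctterminatecause = ?"
        " WHERE nasipaddress = ? AND acctstoptime IS NULL",
        (cause, nas_ip),
    )
    db.commit()
    return cur.rowcount


def month_start(now: int) -> int:
    """Epoch second at which the calendar month containing now began (local time)."""
    t = time.localtime(now)
    return int(time.mktime((t.tm_year, t.tm_mon, 1, 0, 0, 0, 0, 0, -1)))


def remaining_seconds(db, username: str, monthly_limit: int, now: int) -> int:
    """Seconds the user may still be online this month; 0 means reject.
    Closed sessions that started this month count their Acct-Session-Time
    (what a sqlcounter query sums); sessions still open count elapsed time,
    so a stale open session blocks the user until it is closed."""
    since = month_start(now)
    (used,) = db.execute(
        "SELECT COALESCE(SUM(CASE WHEN acctstoptime IS NULL"
        "                          THEN ? - acctstarttime"
        "                          ELSE acctsessiontime END), 0)"
        " FROM radacct WHERE username = ? AND acctstarttime >= ?",
        (now, username, since),
    ).fetchone()
    return max(0, monthly_limit - int(used))


if __name__ == "__main__":
    now = int(time.time())
    ms = month_start(now)
    # Constructed rows: one closed session this month, one open on a NAS that rebooted.
    db = open_db([
        ("fredf", "10.0.0.1", ms + 100, ms + 3700, 3600, "User-Request"),
        ("troll", "10.0.0.2", now - 600, None, None, None),
    ])
    print("fredf may still use", remaining_seconds(db, "fredf", 10000, now), "s")
    print("troll before cleanup:", remaining_seconds(db, "troll", 600, now), "s")
    print("closed", close_stale_sessions(db, "10.0.0.2"), "stale session(s)")
    print("troll after cleanup:", remaining_seconds(db, "troll", 600, now), "s")
```

Whatever cause string you pick, use the same one every time a record is closed by hand, as the reply suggests, so the manual fix-ups can be excluded from billing queries later.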


Re: How to deal with this ...

2005-09-23 Thread Guy Fraser
On Fri, 2005-23-09 at 11:55 -0300, Ezequiel O. Block wrote:
> Hi Guys,
> 
> Using Freeradius for authorization, accounting and ip pools management.
> 
> By mistake i turned off my NAS, and when this NAS came back online then 
> freeradius began rejecting my users as if they were still connected, 
> should my NAS send some kind of "Accounting restart let's start again" 
> packet to Freeradius in order to let him know that those users are no 
> longer connected? am i right? if not how can i deal with this kind of 
> problems? apart from not being so stupid again to turn off a nas by 
> mistake 
> 
Yes your NAS probably should, but many vendors do not include
support for Accounting on and Accounting off.

If your NAS does not support Accounting On/Off there is little 
you can do. If your NAS supports remote syslog, you could 
monitor the log and watch for something that occurs at startup 
or shutdown. You could also set up up some kind of "heart beat"
monitor that checks to see if the NAS shuts down. You can use 
these to close the open accounts on the affected NAS. You will 
need to be careful how you account for the interruption in your 
billing system because you will not have any accurate accounting 
information or stop time. In the past when we have had NAS 
failures we did not bill for the session that failed, but to 
limit our exposure we set a 100 hour maximum session time, that 
way users have to connect at least 7 times per month so we don't 
lose a complete billing cycle.

Good luck.




Re: accounting analysis

2005-09-22 Thread Guy Fraser
On Thu, 2005-22-09 at 13:58 +0200, Marc-Henri Boisis-delavaud wrote:
> Hello
> do you a free tool to generate analysis from freeradius accounting ?
> ---
> Marc
We account to an SQL database and write queries to generate 
monthly reports. When we are looking for other trends or are
trying to track something down we write one off queries.

If you are not using SQL for accounting, you might want to 
look at radreport. It may be able to do what you want or 
be customized to do what you want.

Whatever you use, it will likely need hands on knowledge 
and tweaking, because very few circumstances are the same.




Re: Time based accounting

2005-09-21 Thread Guy Fraser
On Wed, 2005-21-09 at 04:54 -0700, Nirmal wrote:
> Thanks
> 
> Alan DeKok <[EMAIL PROTECTED]> wrote: 
> Nirmal wrote:
> > Is there any way we can time based accounting Input/Output
> Octets in free radius ?
> 
> Post process the logs.
> 
> FreeRADIUS doesn't generate the accounting data, the NAS does.
> So
> there's not much you can do to FreeRADIUS to make it log the
> data you
> need.
> 
> And FreeRADIUS doesn't analyze the accounting data. It just
> logs
> them. So if you need to analyze them, you'll need another
> program.
> 
> Alan DeKok.

Nirmal,

It would appear to me that you are trying to measure I/O traffic 
using time, is that correct?

Have you checked to see if the device you are using supports 
some kind of session traffic limit rather than trying to use a 
session time limit ?

If my presumption was correct and there is no other way of doing 
what you want automatically, this may be a last resort :

If your equipment provides bandwidth limiting, you may be able 
to use successive approximation, by using the maximum amount of 
traffic over a specified amount of time to determine the 
session time limit. You could then calculate how much traffic 
is left and allow the next session to connect for the amount 
of time it would take to exhaust that amount of traffic. I have 
not looked into the specifics of how you could do this, but if 
you are using some kind of SQL for accounting it shouldn't be too 
difficult.





Re: PAM, Postgres, Freeradius

2005-09-19 Thread Guy Fraser
On Mon, 2005-19-09 at 15:31 +0100, Mark Olliver wrote:
> Hi All,
> 
> I am looking at using a postgres database as the backend storage system for 
> freeradius and I think I have this part configured correctly. Does anyone 
> have 
> any scripts for creating simple user a/c's into the database?
> 
> The second more important thing is that I want to use PAM to authenticate 
> against the freeradius server. This is because I have many different servers 
> and need to keep a consistent list of users on all systems. This I can do by 
> replicating the postgres database, however I can not directly (safely to my 
> knowledge) do this with out going via pam.
> Can anybody who has this working please give me an example of how they did 
> this and what there pam.d files look like now.
> 
> Thanks
> 
> Mark
Google for :
freeradius postgresql schema
or
freeradius postgresql data

You should find a number of posts from me with sample 
data. I am not actively developing on either of these 
projects and have no data easily accessible at the 
moment, so the archives are the best place to find my 
sample data. I have no experience authenticating PAM 
from radius, but there have been a bunch of threads 
in the past.

Good Luck
 



Re: SQL replacement for clients.conf?

2005-09-15 Thread Guy Fraser
On Thu, 2005-15-09 at 15:08 -0400, Alan DeKok wrote:
> > Am I to take it that it is not possible to use SQL for the clients.conf
> > file? And if that it the case could someone please explain what the nas
> > table is for in the database schema?
> 
>   It's possible.  You do need at least one entry in "clients.conf",
> though.  I suggest "127.0.0.1"
> 
>   Then, read "sql.conf", and set "readclients=yes"
> 
>   Alan DeKok.

Cool.

I am working with FreeBSD and the updates for 1.0.5 are not 
in the cvsup repository yet, so my comment is in regards to 
1.0.4, but may apply to 1.0.5.

I took a look at the postgresql stuff and it appears as though 
the schema will need a little tweak in order to be compatible 
with "rlm_sql.c"'s requirements.

A "SERIAL" column named Id will need to be added.

This will make it compatible :

-- SQL clients table
CREATE TABLE nas (
    id          SERIAL PRIMARY KEY,
    nasname     VARCHAR(128),
    shortname   VARCHAR(32) NOT NULL,
    type        VARCHAR(30),
    ports       int4,
    secret      VARCHAR(60) NOT NULL,
    community   VARCHAR(50),
    description TEXT
);

This is not required, but this info used to be in the nas
table in the postgresql schema.

-- additional nas info table (was part of the nas table above;
-- named nas_info here so both CREATE statements can run)
CREATE TABLE nas_info (
    id          int4 NOT NULL,
    ipaddr      INET PRIMARY KEY,
    snmp        VARCHAR(10),
    naslocation VARCHAR(32)
);






Re: Problems with installing to /etc and /var

2005-07-13 Thread Guy Fraser
On Fri, 2005-08-07 at 16:37 -0500, [EMAIL PROTECTED]
wrote: 
> I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
> freeradius so that it uses /etc and /var, and not /usr/local/etc and 
> /usr/local/var.
> 

On Suse, Redhat and a few other Linux distributions they like to 
clutter up these directories.

> If I do:
> 
> /usr/local/src/freeradius-1.0.4 # make clean && make distclean
> 
> /usr/local/src/freeradius-1.0.4 # ./configure --disable-shared 
> --without-rlm_x99_token --prefix=/ --localstatedir=/var \

> --sysconfdir=/etc --exec-prefix=/ --bindir=/usr/local --sbin=/usr/local 
> --libexec=/usr/local --datadir=/usr/local \

> --libdir=/usr/local --includedir=/usr/local --oldincludedir=/usr/local 
> --infodir=/usr/local --mandir=/usr/local && make 
> 

You missed a few:
From what you included, this could be derived :

./configure --disable-shared --without-rlm_x99_token \
--prefix=/ --localstatedir=/var --sysconfdir=/etc --exec-prefix=/ \
--bindir=/usr/bin --sbin=/usr/sbin --libexec=/usr/libexec \
--datadir=/usr/share --libdir=/usr/lib --includedir=/usr/include \
--infodir=/usr/share/info --mandir=/usr/share/man && make

I wouldn't modify --oldincludedir= .

You will need to also edit radiusd.conf and maybe the
dictionary file. I suggest using grep to look for other
files in the raddb directory that need to be updated.

Is there any specific reason to have set --disable-shared ?

Have you used :

./configure --help

to make sure you understand all of the options.


> Why do I receive this error message:
> 
> /usr/local/src/freeradius-1.0.4 # src/main/radiusd
> Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files ...
> radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
> Permission denied
>   (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
> 

Please note that there may be a more efficient way of 
specifying the changes, but to be sure you will have to 
read the help from configure. Example :


./configure --disable-shared --without-rlm_x99_token \
--prefix=/ --exec-prefix=/usr  && make

All the rest of the directories will be properly allocated.


> 
> There should be no reference to:
> 
>   Couldn't open /usr/local/var/log/radius/radius.log
> 
> Full logs of configure and make are viewable at:
>   http://www.southwestern.edu/~johnk/freeradius_build_logs.txt
> 
> Additionaly, why isn't there a Makefile method for deinstallation?
> 

Because nobody has contributed one.

> 
> Thanks,
> --johnk 




Re: Traffic limits

2005-05-17 Thread Guy Fraser
On Tue, 2005-17-05 at 15:52 +0300, Varlaam Sobakkin wrote:
> Hello!
> I have a very simple question. Maybe there's an answer for it in
> the archive, but there is no search function in the archive =(
> A few years ago I've used an IC-Radius with octets-patch. Is there
> any way to limit traffic to user? Some kind of Total-Octets-Limit
> and Octets-Direction reply items. I haven't found any of that in
> dictionaries and anywhere else in distro =(
> Hope for short answer.
Not really.

It is a decision of the NAS or the end user to end a session.

If your NAS supports an attribute that allows the radius server to 
send an octet limit, then it is possible to use rlm_counter to 
sum up the current usage and send the remaining amount.

Read the docs on your NAS and for the rlm_counter module.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How to log Acct-Termination-Cause variants in SQL DB

2005-04-25 Thread Guy Fraser
With every vendor making up their own Attributes and Values 
it has me wondering whether anyone has a simple solution 
to putting all the similar Attributes into the acctterminatecause
field. I have been thinking that I would use :
%{Acct-Terminate-Cause}:-%{Ascend-Disconnect-Cause}:-%{Cisco-Disconnect-Cause}

I am not sure if this would need brackets or if there is a better 
way. So far I will only need these three, for that entry.

There are other entries that will likely need to be mapped as well 
but I have not yet researched them.

The custom Cistron I wrote allows me to map as many Radius 
Attributes as I want to a sql attribute. In my system I just 
put 

#START#
...
Acct-Terminate-Cause= Acct-Terminate-Cause  : Text  # 
Ascend-Disconnect-Cause = Acct-Terminate-Cause  : Text  # 
Cisco-Disconnect-Cause  = Acct-Terminate-Cause  : Text  # 
...
#END#

The automatic table create/update function, accumulates all 
the distinct SQL attributes, and creates one column per 
Attribute, or adds any new columns to an existing table.

Unfortunately the code I wrote was not abstracted in any 
way, and may be difficult to make work with MySQL, since 
I only had PostgreSQL in mind when writing it.

PS: Can XLAT be used to generate SQL table names ?
My current system generates configured table names such as :

acct_%{Acct-Session-Type}_%Y%b

So every month I get 3 tables :
Eg:
acct_start_2005apr , acct_stop_2005apr , acct_other_2005apr

Acct-Session-Type is a special case; only Start and Stop 
tables are created, anything else is sent to the Other table 
along with any duplicate log entries. Any failed entries 
are saved in a cache file, that is monitored. I had one 
entry over a year ago, that was caused by an entry that 
had a byte count > 2GB that was being put into an int4.
I updated the attribute map to use "bigint", but haven't 
had anything that large since.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
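As an added example (not code from the post, nor from Cistron or FreeRADIUS), the three pieces of the scheme sketched above carried through in Python: the first-present fallback across Acct-Terminate-Cause, Ascend-Disconnect-Cause and Cisco-Disconnect-Cause; the monthly per-status table name acct_<start|stop|other>_<yyyymon>; and a check for the >2GB octet count that overflowed an int4 column. It assumes accounting records arrive as plain dicts keyed by dictionary attribute name, and takes the post's acct_%{Acct-Session-Type}_%Y%b placeholder to mean the record's Acct-Status-Type. The sample records are constructed, not captured traffic.

```python
"""Added example (not from the post): fold vendor disconnect-cause attributes
into one acctterminatecause value, name the monthly per-status table the way
the post describes, and flag octet counters that would overflow an int4.

Assumptions: accounting records are plain dicts keyed by dictionary attribute
name; the post's acct_%{Acct-Session-Type}_%Y%b placeholder is taken to mean
the Acct-Status-Type of the record."""
from datetime import datetime

# First attribute present wins, in this order (the post's ":-" fallback idea).
CAUSE_ATTRIBUTES = (
    "Acct-Terminate-Cause",
    "Ascend-Disconnect-Cause",
    "Cisco-Disconnect-Cause",
)
INT4_MAX = 2 ** 31 - 1
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def terminate_cause(attrs):
    """Return the first non-empty disconnect cause, or None if none is set."""
    for name in CAUSE_ATTRIBUTES:
        value = attrs.get(name)
        if value not in (None, ""):
            return str(value)
    return None


def table_name(attrs, when):
    """acct_<start|stop|other>_<yyyymon>, e.g. acct_stop_2005apr.

    Only Start and Stop get their own tables; everything else (Interim-Update,
    Accounting-On/Off, unknown) goes to the 'other' table, as in the post.
    """
    status = str(attrs.get("Acct-Status-Type", "")).lower()
    kind = status if status in ("start", "stop") else "other"
    return "acct_%s_%d%s" % (kind, when.year, MONTHS[when.month - 1])


def octet_total(attrs, direction):
    """64-bit byte count: Gigawords (RFC 2869) * 2^32 + Octets."""
    octets = int(attrs.get("Acct-%s-Octets" % direction, 0))
    gigawords = int(attrs.get("Acct-%s-Gigawords" % direction, 0))
    return (gigawords << 32) + octets


def needs_bigint(attrs):
    """Directions whose total would not fit the int4 column the post overflowed."""
    return [d for d in ("Input", "Output") if octet_total(attrs, d) > INT4_MAX]


def to_row(attrs, when):
    """Column values for the insert, including the mapped terminate cause."""
    return {
        "table": table_name(attrs, when),
        "username": attrs.get("User-Name"),
        "acctterminatecause": terminate_cause(attrs),
        "acctinputoctets": octet_total(attrs, "Input"),
        "acctoutputoctets": octet_total(attrs, "Output"),
        "needs_bigint": needs_bigint(attrs),
    }


# Constructed sample records, not captured traffic.
SAMPLE_WHEN = datetime(2005, 4, 25)
SAMPLE_STOP = {
    "Acct-Status-Type": "Stop",
    "User-Name": "fredf",
    "Cisco-Disconnect-Cause": "Lost-Carrier",
    "Acct-Input-Octets": 123456,
    "Acct-Output-Octets": 2500000000,  # > 2 GB: the int4 failure from the post
    "Acct-Output-Gigawords": 0,
}
SAMPLE_INTERIM = {
    "Acct-Status-Type": "Interim-Update",
    "User-Name": "barneyr",
    "Acct-Input-Octets": 10,
    "Acct-Output-Octets": 20,
}

if __name__ == "__main__":
    for rec in (SAMPLE_STOP, SAMPLE_INTERIM):
        print(to_row(rec, SAMPLE_WHEN))
```

Run it and the Stop record lands in acct_stop_2005apr with acctterminatecause "Lost-Carrier" and Output flagged for bigint; the Interim-Update record goes to acct_other_2005apr with no cause.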


Re: more detailed sql logging

2005-03-04 Thread Guy Fraser
On Thu, 2005-03-03 at 13:54 -0800, Kris Efland wrote:
> Excuse me if this has already been discussed but I couldn't find
> anything after searching...
>  
> I have FR successfully up and running.  I have it "logging" through
> sql, and authenticating through ldap.  How do I go about getting more
> detailed logs out of FR through sql?  Currently it is only logging to
> postauth_table and is therefore only showing successful logins.  I
> need it to log to authcheck_table (radcheck) to see if people are
> failing to login properly.  These are being sent to the logfile but
> not to sql.  I have broken down the sql config files but they don't
> seem to have any insert statements into the radcheck sql table.  Do I
> have to write these myself?  or is it more simplistic than that?  Can
> you do this when separating the authentication mechanism from sql?
> Thanks in advance.
>  
> Kris
I am not exactly sure what you are trying to do, but you should never 
need to have the server write to radcheck.

The table you are probably looking for is radacct.

radcheck is equivalent to the first line of the users file.
radacct is equivalent to the detail file.

You likely want to add sql to the accounting section.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius +connect to postgresql server

2005-02-17 Thread Guy Fraser
On Tue, 2005-15-02 at 12:26 +, nake116 nake116 wrote:
> server ="localhost"
> login="postgres"
> password="postgres"
> 
> #database table configuration
> radius_db="radiusdb"

Using the information you supplied, have you tried to use 
psql to access the database?

Example

$ psql --host localhost --username postgres --dbname radiusdb --password
Enter Password : postgres

If you cannot connect using that command you have not correctly 
configured the permissions in PostgreSQL, which is not a topic 
supported on the FreeRadius list.

Note: It is not a good idea to use the postgres user for anything 
other than administration. Install pgadminIII if you need a GUI 
tool to administrate one or more PostgreSQL servers.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: about me - and a question

2005-01-28 Thread Guy Fraser
On Thu, 2005-27-01 at 21:56 +0100, Sebastian Wild wrote:
> Hello list,
> 
> I've just joined in here. My name is Sebastian and I am from Germany. I 
> work as administrator at an ISP and I also am a maintainer of a private 
> wlan project called wlan-r.
> Now wlan-r uses chillispot to authenticate wireless users on hotspots 
> via freeradius against mysql and it works fine.
> Recently I've seen that it is possible to get info about which users are 
> currently online on wlan. Since that was not on a hotspot but on a 
> website somewhere at the net I am thinking that it used a feature of the 
> freeradius server. Now it would be very interesting to know how to get 
> the info about which users are currently online out of free radius.
> Does anyone know how to do that?
> 
> greets from snowy regensburg, GER
> Sebastian

From the command line you can use radwho.

I believe there is also a radwho.cgi that can present the data on a
web page.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


re: Freeradius and postgres

2005-01-24 Thread Guy Fraser
On Sat, 2005-22-01 at 01:55 -0800, [EMAIL PROTECTED] wrote: 
> Thanks for the information. What I was missing was the Auth-Type in
> Radgroupcheck. That is new to me. I did not have do that with the older
> version of Freeradius. When did that change? I did not see any references
> to that Auth-Type in any of the docs nor in the archive of the mailing
> list.
> 
> Again I appreciate the quick response.
> 
If I remember correctly the entries I have are not required, but I 
was using them as place holders from when "Auth-Type := Local" was
either required or worked. I am fairly sure that "Auth-Type := SQL" 
is not even a valid entry, I just used it to show how data is used
in radgroupcheck. 
> 
> Thanks
> 
> Kevin
> 
> 
> 
> At 05:12 PM 1/21/2005, you wrote:
> 
> On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
> > I am using Freeradius 1.0.0 on Redhat Enterprise 3 I also have it
> > installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can
> > authenticate to a users file. But when I try to use radcheck in
> > postgres I get login incorrect. I am trying to upgrade from freeradius
> > .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just
> > fine. I have created the tables using provided sql script. I
> > configured radiusd.conf to use sql authentication. I have compared
> > radiusd on the new machine to the radiusd on the old machine. They are
> > as identical as they can be considering changes in the conf file. Does
> > anybody have any other ideas or know of any issue with current version
> > of freeradius and postgres
> >
> > Thanks
> >
> >
> > Kevin Waters
> 
> Below is some sample data I use for testing PostgreSQL .
> 
> The password for troll is skunk {sh1 encrypted} you will
> need to generate a redhat linux compatible {des or md5}
> password for it to authenticate on an RH system.
> 
> NOTE: If you want to use the users file and sql, you
> can not have any Auth-Type attributes in your DEFAULT
> entries.
> 
> The data below is supposed to be tab delimited.
> 
> --Start of file--
...snip... 
> COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
> ppp-unlimited   Auth-Type   :=  SQL
> ppp-static  Auth-Type   :=  SQL
> nas-prompt  Auth-Type   :=  SQL
> \.
> 
...snip... 
> --End of file--
> 
...snip...
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and postgress

2005-01-21 Thread Guy Fraser
On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
> I am using Freeradius 1.0.0 on Redhat Enterprise 3 I also have it
> installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can
> authenticate to a users file. But when I try to use radcheck in
> postgres I get login incorrect. I am trying to upgrade from freeradius
> .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just
> fine. I have created the tables using provided sql script. I
> configured radiusd.conf to use sql authentication. I have compared
> radiusd on the new machine to the radiusd on the old machine. They are
> as identical as they can be considering changes in the conf file. Does
> anybody have any other ideas or know of any issue with current version
> of freeradius and postgres
> 
> Thanks
> 
> 
> Kevin Waters

Below is some sample data I use for testing PostgreSQL .

The password for troll is skunk {sh1 encrypted} you will
need to generate a redhat linux compatible {des or md5}
password for it to authenticate on an RH system.

NOTE: If you want to use the users file and sql, you 
can not have any Auth-Type attributes in your DEFAULT 
entries.

The data below is supposed to be tab delimited.

--Start of file--
COPY radcheck (username, attribute, op, value) FROM stdin;
fredf	User-Password	==	wilma
barneyr	User-Password	==	betty
troll	Crypt-Password	==	$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.
frog	User-Password	==	kermit
\.

COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
ppp-unlimited	Auth-Type	:=	SQL
ppp-static	Auth-Type	:=	SQL
nas-prompt	Auth-Type	:=	SQL
\.

COPY radgroupreply (groupname, attribute, op, value) FROM stdin;
ppp-unlimited	Framed-Compression	:=	Van-Jacobson-TCP-IP
ppp-unlimited	Framed-Protocol	:=	PPP
ppp-unlimited	Service-Type	:=	Framed-User
ppp-unlimited	Framed-MTU	:=	1500
ppp-static	Framed-Compression	:=	Van-Jacobson-TCP-IP
ppp-static	Framed-Protocol	:=	PPP
ppp-static	Service-Type	:=	Framed-User
ppp-static	Framed-MTU	:=	1500
nas-prompt	Framed-MTU	:=	1500
nas-prompt	Framed-Compression	:=	Van-Jacobson-TCP-IP
nas-prompt	Service-Type	:=	NAS-Prompt
\.

COPY radreply (username, attribute, op, value) FROM stdin;
barneyr	Framed-IP-Address	:=	10.19.65.38
barneyr	Framed-IP-Netmask	:=	255.255.255.252
\.

COPY usergroup (username, groupname) FROM stdin;
fredf	ppp-unlimited
barneyr	ppp-static
troll	ppp-unlimited
frog	nas-prompt
\.

--End of file--



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simple script to check user authentication from a script.

2005-01-18 Thread Guy Fraser
Many times I wanted a simple script to check a user's 
password or to see if a radius server is working.

The output of radclient and radtest need to be parsed to 
figure out what you want to know.

The script I put together provides output on stdout 
for simple command line use, and also uses exit codes 
so it can easily be used in shell scripts.

---radauth---
#!/bin/sh
#
# radauth
# 
# Created by Guy Fraser on Jan 18 2005.
#
# This program is a quick and simple tool used to verify the 
# authentication of a user on a radius server. 
#
# This program requires four options ;
# 1) radius server
# 2) radius secret for the sending machine and radius server
# 3) username with realm if required
# 4) password
#
# There are three possible responses ;
# 1) If all options are present and correct :
#   "yes" sent to stdout and exit status is 0 {true}.
# 2) If all options are present but something is incorrect :
#   "no" is sent to stdout and exit status is 1 {false}.
# 3) If all options are not present :
#   Usage message is displayed.
#
# Note: the secret and the password are given on the command line,
# so they show up in the process list and in shell history. Run it
# only from hosts you trust.
#

PREFIX=/usr/local
EXEC_PREFIX=${PREFIX}
BINDIR=${EXEC_PREFIX}/bin

ECHO=/bin/echo
RADCLIENT=$BINDIR/radclient
AWK=/usr/bin/awk

usage () {
$ECHO "" >&2
$ECHO "Authenticate a user on an authorized radius server." >&2
$ECHO "" >&2
$ECHO "Usage:" >&2
$ECHO "radauth radius-server[:port] secret user passwd" >&2
$ECHO "" >&2
exit 1
}

if [ "$#" -ne 4 ]
then
usage
fi

SERVER=$1
SECRET=$2
UNAME=$3
PASS=$4

# radclient -s prints a summary line "Total approved auths: N";
# the fourth field is the count of Access-Accept replies.
RES=`$ECHO "User-Name=\"$UNAME\",User-Password=\"$PASS\"" \
| $RADCLIENT -q -s "$SERVER" auth "$SECRET" 2>&1 \
| $AWK '/Total approved auths/ {print $4}'`

# RES is empty if radclient timed out or the secret was wrong;
# quoting it keeps the test from failing with a syntax error.
if [ "$RES" = "1" ]
then
  $ECHO yes
  exit 0
else
  $ECHO no
  exit 1
fi

---radauth---


Command line use :
--
--everything correct--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma
yes
--password is wrong--
$ radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm
no
--secret is wrong--
$ radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma
no


Shell script use :
--

--everything correct--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilma \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Bonus

--password is wrong--
$ if radauth 127.0.0.1 testing123 [EMAIL PROTECTED] wilm \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Busted

--secret is wrong--
$ if radauth 127.0.0.1 testing12 [EMAIL PROTECTED] wilma \
>/dev/null 2>&1
then echo Bonus
else echo Busted
fi
--output--
Busted

---

Feel free to use this or add it to the CVS tree.

Have a nice day



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Lucent Portmaster 3

2005-01-14 Thread Guy Fraser
On Fri, 2005-14-01 at 10:41 -0600, Brad Fisher wrote:
> Michael A Cooper wrote:
> 
> > I use the pmvision for my Portmaster Admin stuff, It's a really nice 
> > program I can get right into over the net config it reboot it pretty 
> > much what-ever needs to be done. Okay I'll Stop rambling this is off 
> > topic Sorry Guys
> >
> > Kerry Penland wrote:
> >
> >> I also have a PM3 functioning with Freeradius, working well for over 
> >> a year. I am using ports 1812 and 1813 however. I use dialupadmin to 
> >> perform most of the day to day customer stuff. If you reboot the pm3 
> >> while clients are online, you will get no accounting stop packets and 
> >> thus you'll be left with some open sessions to clean up.
> >
> If you disconnect the T1(s) from the back of the PM3 for a few seconds 
> before rebooting, it will send the stop packets.  Of course, you can't 
> do that remotely :)
> 
> -Brad
IIRC portmasters do send accounting off packets when you run reboot 
from the command line.

It would be nice to be able to close all the open calls on a NAS 
with a single command. I have not been working on dialup_admin for 
a while and don't know if it is already possible using it.

 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Suggestion

2005-01-14 Thread Guy Fraser
Unfortunately most of the people who provide help have other 
urgent things to do. Taking some time to check the list and 
answer what you can is one thing. Having an instant message 
pop up while you are fixing a mission critical problem is 
a whole other thing.

I have been working with FreeRadius for over two years now 
and am just starting to get ready to install it as a 
critical system. The Cistron Radius I modified has been 
running perfectly for at least 3 years. I started to help 
on FreeRadius when Cistron was to be end of life. If you 
don't fiddle with stuff on a live system, you should not 
experience catastrophic problems. Whenever you modify a 
config file, back up and date the original so if a problem 
comes up you can switch back to a known good configuration.

My point is :
If it is a critical system, make it work as well as you can.
When you have something better that you have thoroughly 
tested, migrate to that but keep the other system available 
to switch back to just in case. If possible incrementally move 
to the new system, don't cut and run. It's your butt on the 
line, not anyone else's on the list.

On Fri, 2005-14-01 at 16:31 +0530, Amit Gupta wrote:
> Hi,
> 
> You are right. Even, most of the time we solve our problems on our own. But 
> sometimes we need immediate help. For example, a few of us will be working at 
> ISPs. At an ISP, a problem at the Radius server affects hundreds of customers. For such 
> situations I recommend an online community. In case of emergency we can get in 
> touch with online members and troubleshoot problems.
> 
> BTW, You welcome to add my IDs to your messenger contacts. I will be glad to 
> help you. 
> 
> Amit Gupta
> Mobile: 91-9891062552
> Yahoo IM: amitguptainn
> MSN IM : amitguptainn
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lewis Bergman
> Sent: Friday, January 14, 2005 4:04 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Suggestion
> 
> 
> Amit Gupta said:
> > I have suggestion.
> >
> >
> >
> > We can create on online community at Yahoo/MSN messengers for fast
> > resolution of problems.
> By whom?
> The same people on this list? If so, what do you find unique about that
> system that this one does not support?
> 
> Even my stupid questions have been answered. Most times not before I
> figured them out myself, meaning I shouldn't have posted them anyway.
> 
> There seems to be something about posting a question to the list that
> lends an extra little drive to solve your own problem.
> 
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radzap in FreeBSD

2005-01-11 Thread Guy Fraser
I don't know if this has anything to do with it but the UTMP 
on FreeBSD is slightly different than many other platforms. I 
came across these differences a number of years ago, when I was 
having problems. The main consequence I came across was that 
FreeBSD truncates the nas/port information.

If radutmp on FreeBSD is using a standard structure on all 
platforms rather than the platform standard, this may be a 
moot point. 

On Tue, 2005-11-01 at 13:53 +0100, [EMAIL PROTECTED] wrote:
> Luiz Gustavo Anflor Pereira schrieb:
> 
> > There is some problem about radzap 0.9.1 in a FreeBSD
> > system?
> > Why it does not zap the users from radutmp?
> 
> Because there's a bug in the source code which prevents
> it from working when you're trying to run it on the same server
> on which the server is running - no matter what OS that
> box is using?
> Didn't we have some detailed description of the problem in
> the past weeks?
> 
> Regards,
> Stefan
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Kill online user

2004-10-20 Thread Guy Fraser
Like I said:
# snmpwalk -c community -Of nas.domain.tld ciscoAAASessionMIB
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoAAASessionMIB = No Such Object available on this agent at this OID

Not all Cisco equipment responds to the same OID's.
I seem to remember looking through the IOS matrix the last time we 
updated our IOS and an additional license is required to do Call 
Management. Since we didn't think we needed it we didn't purchase it. 
My original solution still works.

As for IF-MIB, you are correct.
Doing a diff on :
/usr/share/snmp/mibs/IF-MIB.txt
and
/usr/share/snmp/mibs/Cisco-v2-MIBs/IF-MIB.my
indicates the only differences are blank lines. Since they were 
different sizes I thought Cisco may have modified something more 
significant.

Alexander M. Pravking wrote:
On Wed, Oct 13, 2004 at 02:42:11PM -0600, Guy Fraser wrote:
 

It depends on the type of NAS you are using.
On some Cisco Access Servers you can use SNMP to administratively disable
the line the user is on then administratively enable the line to allow new
connections on it.
Even between different classes of Cisco products, the SNMP OID codes may
be different. And other vendors will likely have much different OID codes.
A snippet from Cisco's IF-MIB.my file :
   

It's not Cisco's, it's common MIB :)
Cisco has its own means too: casnDisconnect from CISCO-AAA-SESSION-MIB.
It's more handy, because the index in that table corresponds to the RADIUS
NAS-Port attribute, and there's no need to enable the interface back.
But ifAdminStatus method should work for any NAS, the only problem is
to determine SNMP index of the interface. For Cisco, it's, yes, index
of an entry which has ifDescr = "Async%{NAS-Port}". For PortMaster,
I get it from
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.%{Framed-IP-Address} variable.
 

--
Guy Fraser
Network Administrator

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Kill online user

2004-10-13 Thread Guy Fraser
It depends on the type of NAS you are using.
On some Cisco Access Servers you can use SNMP to administratively disable
the line the user is on then administratively enable the line to allow new
connections on it.
Even between different classes of Cisco products, the SNMP OID codes may
be different. And other vendors will likely have much different OID codes.
A snippet from Cisco's IF-MIB.my file :
start
ifAdminStatus OBJECT-TYPE
   SYNTAX  INTEGER {
   up(1),   -- ready to pass packets
   down(2),
   testing(3)   -- in some test mode
   }
   MAX-ACCESS  read-write
   STATUS  current
   DESCRIPTION
   "The desired state of the interface.  The testing(3) state
   indicates that no operational packets can be passed.  When a
   managed system initializes, all interfaces start with
   ifAdminStatus in the down(2) state.  As a result of either
   explicit management action or per configuration information
   retained by the managed system, ifAdminStatus is then
   changed to either the up(1) or testing(3) states (or remains
   in the down(2) state)."
   ::= { ifEntry 7 }
end
Match the index number to the interface :
start
# snmpwalk -v 2c -c community server.domain.tld ifDescr
IF-MIB::ifDescr.1 = STRING: Ethernet0
IF-MIB::ifDescr.2 = STRING: Serial0
IF-MIB::ifDescr.3 = STRING: Serial1
IF-MIB::ifDescr.4 = STRING: Null0
IF-MIB::ifDescr.5 = STRING: T1 0
IF-MIB::ifDescr.6 = STRING: T1 1
IF-MIB::ifDescr.7 = STRING: Serial0:0
IF-MIB::ifDescr.8 = STRING: Serial0:1
IF-MIB::ifDescr.9 = STRING: Serial0:2
...
IF-MIB::ifDescr.101 = STRING: Serial1:21
IF-MIB::ifDescr.102 = STRING: Serial1:22
IF-MIB::ifDescr.103 = STRING: Loopback0
IF-MIB::ifDescr.104 = STRING: Dialer1
IF-MIB::ifDescr.105 = STRING: Async1
IF-MIB::ifDescr.106 = STRING: Async2
...
IF-MIB::ifDescr.137 = STRING: Async33
IF-MIB::ifDescr.138 = STRING: Async34
IF-MIB::ifDescr.139 = STRING: Async35
IF-MIB::ifDescr.140 = STRING: Async36
...
IF-MIB::ifDescr.150 = STRING: Async46
IF-MIB::ifDescr.151 = STRING: Async47
IF-MIB::ifDescr.152 = STRING: Async48
IF-MIB::ifDescr.153 = STRING: Virtual-Access1
IF-MIB::ifDescr.154 = STRING: Virtual-Access2
IF-MIB::ifDescr.155 = STRING: Virtual-Access3
end---
For example if a user is on :
NAS-Port = 34,
NAS-Port-Type = Async
The index number for the appropriate line ;
IF-MIB::ifDescr.138 = STRING: Async34
Would be :
138
Verify the port is active :
# snmpget -v 2c -c community server.domain.tld ifOperStatus.138 ifAdminStatus.138
start
IF-MIB::ifOperStatus.138 = INTEGER: up(1)
IF-MIB::ifAdminStatus.138 = INTEGER: up(1)
end

To reset the user you would use something like this :
# snmpset -v 2c -c community server.domain.tld ifAdminStatus.138 i 2
IF-MIB::ifAdminStatus.138 = INTEGER: down(2)
# snmpset -v 2c -c community server.domain.tld ifAdminStatus.138 i 1
IF-MIB::ifAdminStatus.138 = INTEGER: up(1)
This works on a Cisco 5200 that I maintain, but your mileage may vary.
Nurul Faizal Bin M.Shukeri wrote:
Hi again,
 

How am I going to kill online users other than radkill, may be 
ucd-snmp. Anyone can help me..

 

**Nurul Faizal Bin M.Shukeri**
Pusat Komputer,
Universiti Sains Malaysia.
 

--
Guy Fraser

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
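The lookup described above, as an added example that is not part of the original post: parse the snmpwalk ifDescr output into an ifIndex table, match "Async<NAS-Port>" exactly (a substring search for "Async3" would also hit Async33 and Async34 and bounce the wrong subscriber), refuse to act unless ifOperStatus reports up(1), and emit the two snmpset commands. The SNMP output embedded below is constructed in the format net-snmp prints; the hostname and community string are placeholders.

```python
"""Added example (not from the post): turn the snmpwalk/snmpget output shown
in the thread into an exact NAS-Port -> ifIndex lookup and the snmpset
commands that bounce the line.  The SNMP text below is constructed in the
net-snmp output format; host and community are placeholders."""
import re

# "IF-MIB::ifDescr.138 = STRING: Async34"
# "IF-MIB::ifOperStatus.138 = INTEGER: up(1)"
_LINE = re.compile(
    r"^IF-MIB::(?P<obj>\w+)\.(?P<index>\d+) = (?P<type>\w+): (?P<value>.*)$"
)
_ENUM = re.compile(r"^(?P<name>\w+)\((?P<num>\d+)\)$")

IF_STATUS_UP = 1      # up(1) in both ifAdminStatus and ifOperStatus
IF_STATUS_DOWN = 2    # down(2)


def parse_walk(text):
    """Map ifIndex -> ifDescr from 'snmpwalk ... ifDescr' output."""
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group("obj") == "ifDescr":
            table[int(m.group("index"))] = m.group("value")
    return table


def if_index_for_port(walk_text, nas_port, prefix="Async"):
    """ifIndex whose ifDescr is exactly '<prefix><NAS-Port>', or None.

    Exact comparison, not substring: 'Async3' must not match Async33/Async34.
    """
    wanted = "%s%d" % (prefix, nas_port)
    for index, descr in parse_walk(walk_text).items():
        if descr == wanted:
            return index
    return None


def parse_status(line):
    """('ifOperStatus', 138, 'up', 1) from one snmpget INTEGER result line."""
    m = _LINE.match(line.strip())
    if not m or m.group("type") != "INTEGER":
        raise ValueError("not an INTEGER status line: %r" % line)
    e = _ENUM.match(m.group("value"))
    if not e:
        raise ValueError("unexpected enum value: %r" % m.group("value"))
    return m.group("obj"), int(m.group("index")), e.group("name"), int(e.group("num"))


def bounce_commands(host, community, index, oper_status_line):
    """snmpset argv lists that set ifAdminStatus down(2) then up(1).

    Returns [] unless ifOperStatus for that index is up(1), so an idle line
    is never bounced on the strength of a stale session record.
    """
    obj, idx, _name, num = parse_status(oper_status_line)
    if obj != "ifOperStatus" or idx != index:
        raise ValueError("status line is for a different object or index")
    if num != IF_STATUS_UP:
        return []
    base = ["snmpset", "-v", "2c", "-c", community, host]
    return [
        base + ["ifAdminStatus.%d" % index, "i", str(IF_STATUS_DOWN)],
        base + ["ifAdminStatus.%d" % index, "i", str(IF_STATUS_UP)],
    ]


# Constructed sample output in the net-snmp format quoted in the post.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: Ethernet0
IF-MIB::ifDescr.2 = STRING: Serial0
IF-MIB::ifDescr.105 = STRING: Async1
IF-MIB::ifDescr.106 = STRING: Async2
IF-MIB::ifDescr.137 = STRING: Async33
IF-MIB::ifDescr.138 = STRING: Async34
IF-MIB::ifDescr.139 = STRING: Async35
"""
SAMPLE_OPER_UP = "IF-MIB::ifOperStatus.138 = INTEGER: up(1)"
SAMPLE_OPER_DOWN = "IF-MIB::ifOperStatus.138 = INTEGER: down(2)"

if __name__ == "__main__":
    idx = if_index_for_port(SAMPLE_WALK, 34)
    for argv in bounce_commands("nas.example.net", "community", idx, SAMPLE_OPER_UP):
        print(" ".join(argv))
```

For NAS-Port 34 this prints the same two snmpset lines as the post (ifAdminStatus.138 i 2, then i 1); for NAS-Port 3 it finds no index in the sample and does nothing, and with the line already down(2) it returns no commands.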


Re: So close....yet so far

2004-08-04 Thread Guy Fraser
That looks like some kind of shell expansion.
Putting "\" character in front of the "!" character, is called
"escaping", and it is used to prevent the "shell" from using
that character as part of an expansion.
[EMAIL PROTECTED] wrote:
Hello,
When last I posted, I was having problems getting radius and
LDAP to talk using TLS. I've fixed my problem, but in this process
I've come across another issue. When testing I tried using a
"!" in a test user's password. On the radius server it came
across as %21 instead of !. 

EXAMPLE:
radtest testradius ta!ters radius testing123
gets a access-denied
and the log files on radius server:
rlm_ldap: login attempt by "testradius" with password "ta%21ters"
but radtest testradius ta\!ters radius testing123
gets an access-accept
Any ideas what is going on??
Thanks!
David
SSG
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Is there a ChangeLog

2004-07-22 Thread Guy Fraser
Anson Rinesmith wrote:
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-
[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, July 21, 2004 1:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Is there a ChangeLog
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
   

My biggest issue is that I want to bring in a second and third ISP
to use our radius service. I want to present each ISP with their
error log, without seeing the other ISPs errors. I am currently at a
loss on how to do this.
 

 As I said, post-process them.
 If you can tell the messages apart when putting them into any
theoretical DB, you can tell them apart when reading them from
"radiusd.conf".
   

That's my problem, I DON'T know how to tell them apart. Looking at any entry
from the radius.log file, I don't know if it for my customers, ISP2 or ISP3.
Using the 'cli' won't help as we have overlapping customer bases.
 

If you are using realms and they are not being stripped, they should 
appear in the log file.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Is there a ChangeLog

2004-07-22 Thread Guy Fraser
I don't have anything yet, I have found the squid2mysql stuff but have 
not had time to look at modifying it yet.

Anson Rinesmith wrote:
If you've got some code working for postgre, I'm sure I could port that to
work for mysql. I'm willing to do the work, I just don't know where to get
the differentiating information from freeradius so I know what ISP that user
belongs to. Something based on Called-Station-ID like the users and
acct_users file (DEFAULT Called-Station-Id == "1234567890", Proxy-To-Realm
:= "ISP1") would be useful.
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Is there a ChangeLog

2004-07-21 Thread Guy Fraser
There was a program written to work with "Squid" that sent the logs to a
database. It used a "FIFO" for the log file, so squid would write to the
FIFO and The program would read from the FIFO. The program would decipher
the logs and insert the relevant data into a table.
I believe the program was written in Perl and was called "squid2mysql" or
something like that.
I think I may have "ported" it to PostgreSQL, I will see if I have it 
archived somewhere.

I have considered making a rlm_log module but have not had time to delve 
into it yet. Once such a module exists having the data exported to a DB 
and file for redundancy, should not be too difficult.

For now I will try to find the pipe based stuff, and see what I can do 
with it.

Anson Rinesmith wrote:
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:freeradius-
[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, July 21, 2004 9:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Is there a ChangeLog
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
   

I would like to find out what new features have been added since my
version of FreeRADIUS.  I looked but this was the best I found: "It
is a significant leap in functionality over 0.9.3, and contains too
many bug fixes and feature enhancements to list in detail."
 

 Have you tried doc/ChangeLog?
   

I'm looking specifically for what has changed in error
reporting. Any new messages, can it be put to a DB, can it be
separated by realm, etc.
 

 I'm not sure what you mean by that.
   

Can the /var/log/radiusd.log file be sent to a database instead? I have
written my own user interface and it would be much simpler if I could show
my clients their error logs by querying a table, rather than parsing a file.
 

 Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
   


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

.
 

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejecting Users when using mysql

2004-06-24 Thread Guy Fraser
I put a timestamp field in usergroup called expire_time and modified the
(postgre)sql.conf file to return a session time out that would not 
exceed that time, and would fail authentication if expire_time had been 
exceeded.

Unfortunately that was just used to verify if it could be done, and I 
didn't save the configs.

It should be fairly easy to just add a "char" or "bool" column called 
disable, or something similar, that could be used to return a failure 
if it is set with a true value but ignored if unset or set with a false 
value.

Since every user is in usergroup I have found it to be the best place 
for this type of setting.

Thor Spruyt wrote:
- Original Message - 
From: "Linda Pagillo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 16, 2004 12:54 PM
Subject: Rejecting Users when using mysql

 

Good morning everyone:
   

Good afternoon.
 

I have a quick questions. I was reading the FAQ and i saw the instructions
   

for rejecting users from authenticating when their account is suspended
etc.. but from what i see, the instructions in the FAQ are for people using
the "users" file for authentication. I have set my freeradius to use mysql
instead of the users file. Does anyone know what i need to do to reject
users in this case? Thank you.
If you just want "suspended", then I would add a column suspended and edit
the sql query in sql.conf
If you need more complex checking that can't be done with sql queries, then
you might look at the exec or perl modules to execute external scripts.
 

-
List info/subscribe/unsubscribe? See
   

http://www.freeradius.org/list/users.html
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

.
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
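One way to implement the two checks described in the reply above (an expire_time that caps Session-Timeout and rejects once passed, plus a disable flag on usergroup), as an added example that is neither the poster's lost configs nor FreeRADIUS's own sql.conf. It runs against an in-memory SQLite copy of radcheck and usergroup; the extra columns disabled (integer 0/1) and expire_time (ISO 8601 text), the 24-hour default Session-Timeout, and the sample rows are all assumptions made for the example.

```python
"""Added example (not from the post or FreeRADIUS): the suspend/expiry check
the reply sketches, done against an in-memory SQLite copy of radcheck and
usergroup with two extra usergroup columns.

Assumptions: an added 'disabled' 0/1 column and an 'expire_time' ISO 8601
text column on usergroup; a default Session-Timeout of 24 hours that is
capped to the time remaining before expire_time."""
import sqlite3
from datetime import datetime, timedelta

DEFAULT_SESSION_TIMEOUT = 24 * 3600

SCHEMA = """
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup (username TEXT, groupname TEXT,
                        disabled INTEGER DEFAULT 0, expire_time TEXT);
"""

# Constructed sample data, modelled on the test data posted earlier in the thread.
SAMPLE_DATA = {
    "radcheck": [
        ("fredf", "User-Password", "==", "wilma"),
        ("barneyr", "User-Password", "==", "betty"),
        ("troll", "Crypt-Password", "==", "$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR."),
        ("frog", "User-Password", "==", "kermit"),
    ],
    "usergroup": [
        ("fredf", "ppp-unlimited", 0, "2005-12-31T00:00:00"),   # active, far expiry
        ("barneyr", "ppp-static", 0, "2005-01-01T00:00:00"),    # already expired
        ("troll", "ppp-unlimited", 1, None),                    # suspended
        ("frog", "nas-prompt", 0, "2005-06-24T18:00:00"),       # expires in 6 hours
    ],
}
SAMPLE_NOW = datetime(2005, 6, 24, 12, 0, 0)


def open_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?)", SAMPLE_DATA["radcheck"])
    conn.executemany("INSERT INTO usergroup VALUES (?,?,?,?)", SAMPLE_DATA["usergroup"])
    return conn


def authorize(conn, username, now):
    """Return None to reject, or (check_items, reply_items).

    Rejects when usergroup.disabled is set, when expire_time has passed, or
    when the user is not in usergroup at all; otherwise returns the radcheck
    items plus a Session-Timeout that ends no later than expire_time.
    The username is a bound parameter, never interpolated into the SQL text.
    """
    row = conn.execute(
        "SELECT disabled, expire_time FROM usergroup WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    disabled, expire_time = row
    if disabled:
        return None
    timeout = DEFAULT_SESSION_TIMEOUT
    if expire_time is not None:
        remaining = datetime.fromisoformat(expire_time) - now
        if remaining <= timedelta(0):
            return None
        timeout = min(timeout, int(remaining.total_seconds()))
    checks = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (username,),
    ).fetchall()
    return checks, [("Session-Timeout", ":=", str(timeout))]


if __name__ == "__main__":
    db = open_db()
    for user in ("fredf", "barneyr", "troll", "frog", "nobody"):
        print(user, authorize(db, user, SAMPLE_NOW))
```

With the sample rows, fredf gets the full 86400-second timeout, frog is capped to the 21600 seconds left before 18:00, and barneyr (expired), troll (disabled) and an unknown user are rejected.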


Re: Rate limit radius requests

2004-06-24 Thread Guy Fraser
Good points.

Alan DeKok wrote:
Guy Fraser <[EMAIL PROTECTED]> wrote:
I have been quietly watching this thread, and the idea of setting up
a FIFO {First In First Out} buffer to handle inserts sounds like a
good idea, but may have some adverse consequences.

 Like losing requests if the server goes down.  If the requests are
on disk, the "detail" file acts like a FIFO, and is permanent storage.

I have always used detail and SQL accounting at the same time just for the sake
of redundancy. I am thinking it might be a good idea to have rlm_sql use detail
as the primary accounting method and update the database from the detail file(s).
The problem I perceive with this method would be that the db could be out of
sync with an account's status. A possible work around may be to keep a hash of
accounting requests stored to the detail file and those still pending delivery
to the database. This hash could be used to delay authentications for accounts
with pending accounting requests. This method could possibly cause authentication
failures if the database is swamped, but only accounts with pending data would
be affected.

Another trick that would work with postgresql would be to use the "copy"
function used to import "bulk" TAB or CSV delimited data. It is between 10
and 100 times faster than using insert statements. If the FIFO file(s) were
output in this format the data could be imported more quickly. To the best of my
knowledge MySQL does not support such a mechanism.

Another option might be setting up a customizable delay into the
acknowledge response from the radius server. This is sometimes referred
to as a delay pool, and is used for connection throttling in squid
and apache if I remember correctly.

 I'm not sure that this would work for RADIUS.  The NAS is getting
10^4 people logging in at the same time, and slowing down the response
for person A won't change the speed of the accounting requests for
person B.
 Alan DeKok.

I guess the authentication delay should be configurable when SQL
sessions are used for simultaneous access verification, but would not
be required when UTMP sessions are used.

I have never had a situation where I exceeded the 100 inserts per
second limit on my current database for my customized Cistron server,
so I have not considered this issue before. I think there should be
a better alternative than manually switching to detail file when
expecting a heavy load, because you may not know when to expect a
heavy load. As customer expectations increase, we have moved from
processing detail files daily to currently providing information that
is accurate up to the last closed session, and some are pushing for
accuracy up to the time of request and would not accept batch
processing anymore.

I am currently only using Radius for dial up authentication and
accounting so many of the scenarios where you could get 10^4 requests
had not made it into my considerations. I suppose that 802.1x and VOIP
have much higher requirements than dial up which is what radius was
designed for. As we all know things change and it is often better to
develop a better wheel than to come up with something altogether
different.

I am in the middle of a big PHP/MySQL project right now, but once I
have some time I'll look at a delimited FIFO solution. I seem to
recall having developed an SQL logging system using pipes a few years
ago.

Later

Re: Rate limit radius requests

2004-06-17 Thread Guy Fraser
Matthew Schumacher wrote:
Alan DeKok wrote:
"Gary McKinney" <[EMAIL PROTECTED]> wrote:
From following this thread I am wondering how many transactions a
second can a DB handle successfully perform before the system starts
to lose information???
  That depends on the DB.  Oracle is fast, PostGreSQL is fast, MySQL
is less fast.
I am wondering for a given platform and OS (such as linux or FreeBSD
running on a 2.0Ghz based system with 1-Gig of RAM and fast SCSI
hard-drive subsystem) how many transactions can the FreeRadius
system handle in a second???

I use postgres and have done a bit of tuning so it's as fast as it's
going to be on this hardware, but even with very fast servers there are
only so many inserts you can do at a time before you run out of DB
connection handles and this is almost always going to happen long
before radius reaches its processing limits, especially when you have
several million rows like I do.

I think the most graceful way to handle this would be to add a
function to rlm_sql that writes the accounting packet to a detail log
then call that before returning RLM_MODULE_FAIL.  The name of the file
could be defined in the sql {} part of the config file.  This way any
sql based failures will at least be written somewhere instead of lost
forever. This detail file could be fed back to the server at some
other point in time.

I'm a very poor C programmer so before I start looking into this
further perhaps Alan can comment on any problems he sees with this and
describe any problems I may run into with calling rlm_detail from
rlm_sql.

I have been quietly watching this thread, and the idea of setting up a
FIFO {First In First Out} buffer to handle inserts sounds like a good
idea, but may have some adverse consequences. I have not delved into
the rlm_sql source too much and don't know what adverse issues would
be lurking behind this issue.

Another option might be setting up a customizable delay into the 
acknowledge response from the radius server. This is sometimes referred 
to as a delay pool, and is used for connection throttling in squid 
and apache if I remember correctly.

Just my 2 cents.


Re: dialup_admin/sql using postgresql

2004-06-17 Thread Guy Fraser
Check the mailing list archives, or google for dialup admin postgres schema.
I have supplied postgres compliant commands for dialup admin a number of
times in the past. I currently have my development machine in pieces so I
can't provide the information anew.

apellido jr., wilfredo p. wrote:
mysql -h mysql.host.com -u username -p radius < badusers.sql this is
for MYSQL. what about POSTGRESQL? I tried this

cat mtotacct.sql | psql radius

and I got this : ERROR:  syntax error at or near "(" at character 44

thanks


Re: configuring freeradius on freebsd 4.10

2004-06-15 Thread Guy Fraser
Darko Kalevski wrote:
Because FreeBSD doesn't support shadow passwords, if I remember the
code correctly, you have to comment out passwd= and shadow= to get
system password file authentication that uses master.passwd.
Which is how the server comes configured by default.  There are also
comments in radiusd.conf SPECIFICALLY MENTIONING FREEBSD.
So... you edited "radiusd.conf" to change the default
configuration, but didn't read the comments directly above the
section you were editing.
What kind of documentation could we have to include in the server so
that you would read it?

Oh come on, I didn't know how FreeBSD deals with passwords, that means
the words -lookups are done via database- didn't mean to me that it
doesn't use shadow file... I still don't know some aspects of this OS so
still learning, nothing about FreeRadius :) ... so maybe you could
write FreeBSD doesn't use shadow file in the manner linux does, as it
is not mentioned a lot... neither is in the handbook I think...

smiles :)
Darko

Try it with the default configuration after installing from ports, you will
discover it works, without messing with those lines.
There are very few things in the radius.conf that you should need to mess
with if you are accounting to detail files and authenticating from
default users with unix passwords.

Make sure to install from ports unless you are a developer, and understand
how FreeBSD works.


Re: copying accounting

2004-06-15 Thread Guy Fraser
This is the default behavior as far as I know.
User logs in to NAS with [EMAIL PROTECTED]
NAS sends accounting record to your radius server.
Your radius server  performs its configured accounting steps and proxies
the accounting to the some-realm radius accounting server.
The some-realm radius server performs its configured accounting steps.
Both radius servers should have accounting records for the transaction.
I use this method to bill ISPs who resell our modem pools, and when
we use other ISPs' modem pools, we use our records to verify what they
bill us.
Hope this clears up your question.
Alexander Serkin wrote:
Is it possible to keep accounting for several realms locally along 
with sending it to third party AAA server?
I.e. i need to write accounting for customers visiting us from another 
network, but also send it to their home AAA server.


Re: Freeradius + Mysql Issues!

2004-05-27 Thread Guy Fraser

Alexander Khoo wrote:
Hi all,
My goal is to use Freeradius with the sql module for authenticating
users. I'm using version 0.9.3 (installed from rpms i created with the
specfile that came with the tarball). I've been working
off of this tutorial:  http://www.frontios.com/freeradius.html

I got but then I proceeded to follow the instructions for sql and have
run in to some trouble. I followed all of the required steps and am unable
to authenticate. I'm using the following command to test the server:
...snip...
radius_xlat:  'alexander'
rlm_sql (sql): sql_set_user escaped user --> 'alexander'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck 
WHERE Username = 'alexander' ORDER BY id'

Checked for alexander in radcheck.
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE

usergroup.Username = 'alexander' AND usergroup.GroupName = 
radgroupcheck.GroupName ORDER BY radgroupcheck.id'

Checked for alexander in radgroupcheck and usergroup.
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply 
WHERE Username = 'alexander' ORDER BY id'

Checked for alexander in radreply.
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE

usergroup.Username = 'alexander' AND usergroup.GroupName = 
radgroupreply.GroupName ORDER BY radgroupreply.id'

Checked for alexander in radgroupreply and usergroup.
rlm_sql (sql): No matching entry in the database for request from user 
[alexander]

Did not find sufficient information in db.
...snip...
And here's the only entry in my radcheck table:

+----+-----------+-----------+----+----------+
| id | UserName  | Attribute | op | Value    |
+----+-----------+-----------+----+----------+
|  1 | alexander | Password  | == | password |
+----+-----------+-----------+----+----------+
I think you need an entry in usergroup.
This is the sample data I use for testing:
NOTE: The delete lines will EMPTY your tables.
NOTE: The encrypted password for troll is "skunk" in MD5.
---8< cuthere >8---
delete from usergroup ;
insert into usergroup (username,groupname) values('fredf','ppp-unlimited');
insert into usergroup (username,groupname) values('barneyr','ppp-static');
insert into usergroup (username,groupname) values('troll','ppp-unlimited');
insert into usergroup (username,groupname) values('frog','nas-prompt');
delete from radcheck ;
insert into radcheck (username,attribute,op,value) values('fredf','User-Password','==','wilma');
insert into radcheck (username,attribute,op,value) values('barneyr','User-Password','==','betty');
-- Crypt-Password holds an md5crypt ($1$) hash; the clear text is "skunk"
insert into radcheck (username,attribute,op,value) values('troll','Crypt-Password','==','$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.');
insert into radcheck (username,attribute,op,value) values('frog','User-Password','==','kermit');
delete from radreply ;
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Address',':=','10.19.65.38');
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Netmask',':=','255.255.255.252');
delete from radgroupcheck ;
delete from radgroupreply ;
-- the dictionary value is spelled Van-Jacobson-TCP-IP; 'Van-Jacobsen' is not a known value
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Service-Type',':=','NAS-Prompt');
---8< cuthere >8---
Hope this helps.


Re: Freeradius with MD5 and MySQL

2004-05-17 Thread Guy Fraser
Hi
You don't need to change any Auth-Type settings, and it's best
that you don't even use any Auth-Type settings when authenticating
from MySQL.
In your MySQL database you use the attribute "Crypt-Password" for
encrypted passwords.
Search the archives for "MySQL schema" and/or "Guy Fraser". I have
submitted a number of responses with configuration examples including
an MD5 encrypted password in MySQL.

Coolins Paker wrote:
Hi list,

I need to change auth-type in Server Freeradius, but I don't make
it. I looked in the archive list and
I still have not found it.
My freeradius is configured to authenticate with MySQL and my
passwords are MD5.
How to change Auth-type for MD5 passwords.



Re: configuring the NAS

2004-04-28 Thread Guy Fraser
Kaczmarek, Thaddeus wrote:

...snip...

DISCLAIMER
e-mail, and any attachments thereto, is intended only for use by the 
addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of 
this e-mail, you are hereby notified that any dissemination, 
distribution or copying of this e-mail, and any attachments thereto, 
is strictly prohibited. If you have received this e-mail in error, 
please immediately notify me and permanently delete the original and 
any copy of any e-mail and any printout thereof.

E-mail transmission cannot be guaranteed to be secure or error-free. 
The sender therefore does not accept liability for any errors or 
omissions in the contents of this message which arise as a result of 
e-mail transmission.

REGARDING PRIVACY AND CONFIDENTIALITY
Crown Financial Group may, at its discretion, monitor and review the 
content of all e-mail communications.

Please do not send this cruft.


Re: How to add multiple MySQL queries/stmts for each Acconting START/STOP packets?

2004-04-28 Thread Guy Fraser
Not that I know of using standard methods.

If you were using PostgreSQL you could use 'rules' for inserts and
updates that could invoke additional actions.
See:
http://www.postgresql.org/docs/7.4/interactive/rules-update.html
FreeRadius does work with PostgreSQL.

[EMAIL PROTECTED] wrote:

Hi All,

Is there a way to add a number of SQL statements into SQL.conf to execute
for each Accounting START/STOP packet?
I need to update multiple tables with stats once radiusd receives an
accounting START or STOP packet.

Please see my current SQL.CONF entries below.
Can I write ?
Accounting_start_query = ("INSERT Statement1";"Delete Statement";"Update
Statement")
Thanks in Advance,
Sagar
Accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
accounting_start_query_alt  = "UPDATE ${acct_table1} SET AcctStartTime =
'%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start =
'%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query = "UPDATE ${acct_table2} SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = "INSERT into ${acct_table2} (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}, 'seconds'), '%S', '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{Acct-Delay-Time}')"
--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.
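The database-side fan-out Guy points to, as an added example that is not code from the list posts: sql.conf keeps one statement per accounting query, and the database updates the second table itself. PostgreSQL would do this with a rule; sqlite3 is used here for a runnable demo and has triggers rather than rules, which is an assumption of this example, as are the constructed `userstats` table and the radacct subset.

```python
import sqlite3

# Constructed schema: radacct columns follow the posted sql.conf; userstats
# is the 'other table' the poster wants kept up to date per Start/Stop.
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
    AcctStartTime INTEGER, AcctStopTime INTEGER,
    AcctSessionTime INTEGER DEFAULT 0,
    AcctInputOctets INTEGER DEFAULT 0, AcctOutputOctets INTEGER DEFAULT 0);

CREATE TABLE userstats (
    UserName TEXT PRIMARY KEY, ActiveSessions INTEGER DEFAULT 0,
    TotalSeconds INTEGER DEFAULT 0, TotalOctets INTEGER DEFAULT 0);

-- Start: rlm_sql still runs a single INSERT; the trigger does the rest.
CREATE TRIGGER acct_start AFTER INSERT ON radacct
BEGIN
    INSERT OR IGNORE INTO userstats (UserName) VALUES (NEW.UserName);
    UPDATE userstats SET ActiveSessions = ActiveSessions + 1
     WHERE UserName = NEW.UserName;
END;

-- Stop: fires only when the row goes from open to closed, so a duplicate
-- Stop (NAS retransmission) does not count the session twice.
CREATE TRIGGER acct_stop AFTER UPDATE OF AcctStopTime ON radacct
WHEN OLD.AcctStopTime IS NULL AND NEW.AcctStopTime IS NOT NULL
BEGIN
    UPDATE userstats
       SET ActiveSessions = ActiveSessions - 1,
           TotalSeconds   = TotalSeconds + NEW.AcctSessionTime,
           TotalOctets    = TotalOctets + NEW.AcctInputOctets
                                        + NEW.AcctOutputOctets
     WHERE UserName = NEW.UserName;
END;
"""

# What accounting_start_query / accounting_stop_query reduce to after
# FreeRADIUS expands the %{...} attributes; values are bound here instead.
START_QUERY = """INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress,
    AcctStartTime, AcctStopTime) VALUES (?, ?, ?, ?, NULL)"""
STOP_QUERY = """UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?,
    AcctInputOctets = ?, AcctOutputOctets = ?
  WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ?"""


def build_acct_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def acct_start(db, session_id, user, nas_ip, start_ts):
    db.execute(START_QUERY, (session_id, user, nas_ip, start_ts))

def acct_stop(db, session_id, user, nas_ip, stop_ts, secs, octets_in, octets_out):
    db.execute(STOP_QUERY,
               (stop_ts, secs, octets_in, octets_out, session_id, user, nas_ip))

def user_stats(db, user):
    """(ActiveSessions, TotalSeconds, TotalOctets) for user, zeros if unknown."""
    row = db.execute("SELECT ActiveSessions, TotalSeconds, TotalOctets "
                     "FROM userstats WHERE UserName = ?", (user,)).fetchone()
    return tuple(row) if row else (0, 0, 0)


if __name__ == "__main__":
    db = build_acct_db()
    # constructed session; the user name is taken from the page's sample data
    acct_start(db, "0000001A", "fredf", "10.19.65.1", 1_100_000_000)
    print(user_stats(db, "fredf"))
    acct_stop(db, "0000001A", "fredf", "10.19.65.1", 1_100_000_600, 600, 1000, 2000)
    print(user_stats(db, "fredf"))
```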



Re: Authentication Help

2004-04-22 Thread Guy Fraser
Search the archives.

Just yesterday I sent another example of how to configure for sql, and
gave some sample data.

Look for postgres, in the archives.

The same data works with MySQL and the only config change is to include
sql.conf instead of postgresql.conf.

On the 20th I collected the most current version from CVS then built and
installed it.

Yesterday I spent 10 minutes, and configured the new radiusd.conf and
postgresql.conf for PostgreSQL and tested it with encrypted and clear text
passwords. I then changed the include from postgresql.conf to sql.conf and
configured sql.conf.
Here is some sample data for MySQL {password for troll is skunk}.


delete from usergroup ;
insert into usergroup (username,groupname) values('fredf','ppp-unlimited');
insert into usergroup (username,groupname) values('barneyr','ppp-static');
insert into usergroup (username,groupname) values('troll','ppp-unlimited');
insert into usergroup (username,groupname) values('frog','nas-prompt');
delete from radcheck ;
insert into radcheck (username,attribute,op,value) values('fredf','User-Password','==','wilma');
insert into radcheck (username,attribute,op,value) values('barneyr','User-Password','==','betty');
-- Crypt-Password holds an md5crypt ($1$) hash; the clear text is "skunk"
insert into radcheck (username,attribute,op,value) values('troll','Crypt-Password','==','$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.');
insert into radcheck (username,attribute,op,value) values('frog','User-Password','==','kermit');
delete from radreply ;
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Address',':=','10.19.65.38');
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Netmask',':=','255.255.255.252');
delete from radgroupreply ;
-- the dictionary value is spelled Van-Jacobson-TCP-IP; 'Van-Jacobsen' is not a known value
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Service-Type',':=','NAS-Prompt');
NOTE: There is nothing in radgroupcheck .

Bob Ross wrote:

Believe me when I tell you I do understand what you're saying. The problem was
that I was tossed in to this after all our fees were paid to the wholesale
dialup provider when he told us they do PAP, and on the day we were ready to
start it didn't work. So I was between the rocks and a hard place and was
recommended to use mySQL and freeradius, both that I have never used or
looked at before a week ago.
It has been authenticating fine so far, no problems noticeable, but I still
have to leave the two auth-type in the users file or it quits. It works now
and I think I'll leave it and hope it doesn't break.
Thanks for all your help.
Bob Ross


