Re: regular expression grouping issue on attrs filter
Hi,

We have the regexps working properly now. The trick was removing the / / (in the front and at the end of the line).

The only issue we have left is that we want to set multiple values for the same key in the attrs file. Normally we set:

    Cisco-AVPair = value1
    Cisco-AVPair += value2
    Cisco-AVPair += value3

But I only see the operator := to set a value independent of the upstream proxy. Is there a limitation that we can only enforce 1 value per key? Or is there another way to do this? When we use the operator := multiple times our router can't handle the response properly.

Best regards,
Ivo Vastert

On Apr 19, 2012, at 9:31 AM, Phil Mayers wrote:

> On 04/18/2012 07:04 PM, Ivo Vastert wrote:
> > Hi Phil,
> >
> > Thank you for your answer. I just tried your rule but this one is refused as well (Freeradius won't start with it, giving a parse error).
> >
> >     Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./
> >
> > I still have the feeling ( ) is not accepted; when we don't use the grouping characters, the line is accepted. Do you have any other suggestions we can try?
>
> I don't know what to tell you; we use regexp with () for grouping locally, and it works fine; FreeRADIUS can start, and the regexp match as expected.
>
> FreeRADIUS doesn't handle the regexp itself; it uses your system regexp library. If the regexp fails to parse, it must be a problem with your system regexp library.
>
> Just in case, please supply the output of radiusd -X as it fails to start up. Maybe there's something else wrong.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: regular expression grouping issue on attrs filter
And to make it even more complicated: on some Cisco-AVPair we want to do regexp matching, and some others we want to add by default, but they all share the same key name. Is this possible within freeradius?

Ivo

On Apr 20, 2012, at 6:14 PM, Ivo Vastert wrote:

> Hi,
>
> We have the regexps working properly now. The trick was removing the / / (in the front and at the end of the line).
>
> The only issue we have left is that we want to set multiple values for the same key in the attrs file. Normally we set:
>
>     Cisco-AVPair = value1
>     Cisco-AVPair += value2
>     Cisco-AVPair += value3
>
> But I only see the operator := to set a value independent of the upstream proxy. Is there a limitation that we can only enforce 1 value per key? Or is there another way to do this? When we use the operator := multiple times our router can't handle the response properly.
>
> Best regards,
> Ivo Vastert
>
> On Apr 19, 2012, at 9:31 AM, Phil Mayers wrote:
>
> > On 04/18/2012 07:04 PM, Ivo Vastert wrote:
> > > Hi Phil,
> > >
> > > Thank you for your answer. I just tried your rule but this one is refused as well (Freeradius won't start with it, giving a parse error).
> > >
> > >     Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./
> > >
> > > I still have the feeling ( ) is not accepted; when we don't use the grouping characters, the line is accepted. Do you have any other suggestions we can try?
> >
> > I don't know what to tell you; we use regexp with () for grouping locally, and it works fine; FreeRADIUS can start, and the regexp match as expected.
> >
> > FreeRADIUS doesn't handle the regexp itself; it uses your system regexp library. If the regexp fails to parse, it must be a problem with your system regexp library.
> >
> > Just in case, please supply the output of radiusd -X as it fails to start up. Maybe there's something else wrong.
regular expression grouping issue on attrs filter
Hi,

I'm currently having an issue implementing a regular expression within the attrs configuration file. When I try to group entries within a regular expression the configuration is rejected.

For example, this entry works:

    Framed-IP-Address =~ /^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$/

This entry doesn't work:

    Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$/

Does anyone know the correct syntax for grouping an entry within a regular expression? It looks like grouping by () is not supported by freeradius?

We are using the following version:

    freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34

Best regards,
Ivo Vastert
Re: regular expression grouping issue on attrs filter
Hi Phil,

Thank you for your answer. I just tried your rule but this one is refused as well (Freeradius won't start with it, giving a parse error).

    Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./

I still have the feeling ( ) is not accepted; when we don't use the grouping characters, the line is accepted. Do you have any other suggestions we can try?

Best regards,
Ivo

On Apr 18, 2012, at 5:35 PM, Phil Mayers wrote:

> On 18/04/12 15:30, Ivo Vastert wrote:
> > Hi,
> >
> > I'm currently having an issue implementing a regular expression within the attrs configuration file. When I try to group entries within a regular expression the configuration is rejected:
>
> What does that mean? Rejected how?
>
> > For example, this entry works:
> >
> >     Framed-IP-Address =~ /^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$/
> >
> > This entry doesn't work:
> >
> >     Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$/
>
> Doesn't work how?
>
> > Does anyone know the correct syntax for grouping an entry within a regular expression? It looks like grouping by () is not supported by freeradius?
>
> Not correct; () is the grouping operator. I suspect you just have the syntax of your regexp wrong. Either that, or your system regexp library is broken - FreeRADIUS just uses that.
>
> The regexp you list above is more complex than it needs to be IMO; Framed-IP-Address can't have the wrong syntax because the server enforces it. Try the simpler:
>
>     Framed-IP-Address =~ /^172\.(1[6-9]|2[0-9]|3[01])\./
>
> > freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
>
> It is unrelated to your problem, but that is an old version. Upgrade to 2.1.12.
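Added example, not part of the thread: the three patterns quoted above, run against constructed addresses to show what each one actually accepts. Without parentheses every | splits the whole expression into independent branches, so the ungrouped pattern parses but matches almost any address. The example assumes the patterns are evaluated as POSIX extended regular expressions, with grep -E standing in for the system regex library.

```shell
#!/bin/sh
# Added example: compare the attrs-filter patterns from the thread on
# constructed sample addresses. grep -E (POSIX extended regex) stands in for
# the system regex library; that choice is an assumption of this example.

# Posted as "works": no grouping, so each | splits the whole expression and
# branches such as [1-9][0-9] match any two adjacent digits anywhere.
UNGROUPED='^172\.1[6-9]|2[0-9]|3[0-1]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]\.[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]$'
# Posted as "doesn't work": grouped, anchored, every octet range-checked.
GROUPED='^172\.(1[6-9]|2[0-9]|3[0-1])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$'
# Shorter pattern from the reply: checks only the 172.16-31 prefix and
# leaves the remaining octets unchecked.
PREFIX='^172\.(1[6-9]|2[0-9]|3[01])\.'

# Constructed test addresses; 172.16.0.256 is deliberately not valid IPv4.
SAMPLES='172.16.0.1 172.31.255.255 172.32.0.1 172.16.0.256 10.0.0.1 192.168.1.1 8.8.8.8'

# re_match PATTERN STRING: succeed if STRING matches PATTERN anywhere.
re_match() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdicts PATTERN: print one 1/0 per address in SAMPLES, in order.
verdicts() {
    result=''
    for addr in $SAMPLES; do
        if re_match "$1" "$addr"; then
            result="$result 1"
        else
            result="$result 0"
        fi
    done
    printf '%s\n' "${result# }"
}

printf 'addresses: %s\n' "$SAMPLES"
printf 'ungrouped: %s\n' "$(verdicts "$UNGROUPED")"
printf 'grouped:   %s\n' "$(verdicts "$GROUPED")"
printf 'prefix:    %s\n' "$(verdicts "$PREFIX")"
```

Running a candidate filter pattern over known-good and known-bad addresses like this, before loading it into the server, separates "the pattern parses" from "the pattern filters what was intended".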
Re: Segmentation fault - FreeRadius 1.1.0.tar.gz with Debian 3.1
Maybe you are missing

    $INCLUDE ${confdir}/mysql.conf

in your radiusd.conf

> sql: safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._: /
> Segmentation fault
Re: Segmentation fault - FreeRadius 1.1.0.tar.gz with Debian 3.1
> I haven't got the file mysql.conf in the directory /usr/local/etc/raddb but I have the file sql.conf where I have the configuration of mysql. In the file radiusd.conf has:
>
>     $INCLUDE ${confdir}/sql.conf
>
> :(

That is OK. It is the default file name for mysql configuration. It was rather confusing for me so I renamed it a long time ago and forgot to edit it before cut-and-pasting it for you.

Does strace radiusd give you more information about the reason for failure?
Call-Check
Hi,

Can someone tell me, is it possible to get freeradius to respond to Service-Type==Call-Check requests? I have read on Cisco's web pages that it is not possible. I am using PM3 RAS with the "set call-check on" option set.

Namely, I would like to check for a valid caller-id before answering the call and going on with the username/password check.

If it is possible, some pointers would be very appreciated...

TIA
Ivo.
Re: Call-Check
On Wed, 2005-10-05 at 17:28 -0300, Paolo Rotela wrote:

> so Cisco normally lets you put the DNIS or ANI or something in the UserName field and password). The only two details is this and the fact that from FR's point of view, the NAS will be doing Auth twice, one for the preauth phase on the cisco, and another for the real auth phase. So you will be seeing two Access-Request packets from NAS.

Since it looks like a normal authentication request, FR (when using sql database) is looking into radcheck for username / password, but my NAS (PM3) sends only username and there is no User-Password attribute in the request, so FR denies access. I can see

    Auth: Login incorrect: [XXX/no User-Password attribute]

in the log file (where XXX is callerId, of course).

So, how can I tell FR not to look for a password and to accept a call from some phone number if that number is in some sql table?

TIA.
Re: Exec-Program and iproute2
Thanks for advice but in radiusd.conf I wrote: user root group root and radiusd runs as root, or is that not enough? I tried running a simple script and it works, but when I change the script to the one that does the shaping then nothing happens. Forgive me but I didn't understand how to use a wrapper. Can you tell me how to do it?

Thanks in advance.
Ivo Petrov

--- Paul Hampson wrote:

> On Sun, Oct 03, 2004 at 02:22:17AM -0700, Ivo Petrov wrote:
> > Hi all,
> > I'm trying to shape ppp+ interfaces after successful authentication using Exec-Program. radiusd runs as root, in mysql radreply table the last row for the user contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius version is 1.0.1, MySQL 4.0.21, Slackware 10, pptpd 1.2.1, iproute2 (ip, tc). When user connects to the pptpd everything is OK, link goes up, but the ppp interface is not shaped. If I run shaping script outside the radius it works. In radius.log the stage of executing the script is noted with correctly transferred value of attribute %f, script is owned by root (same as radiusd), there isn't an error of any kind, but this automation doesn't work.
>
> radiusd may be owned by root, but FreeRADIUS may be set to drop permissions. I'd suggest a wrapper script that logs calls so you can see what's happening or not happening.
>
> > Can anyone tell me where could the mistake or my misunderstanding in implementing Exec-Program attribute.
>
> --
> Paul TBBle Hampson, on an alternate email client.
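A sketch of the kind of logging wrapper suggested in the quoted reply, as an added example that is not from the thread or from FreeRADIUS. The paths in REAL and LOG are assumptions: the original shaping script is moved to REAL and this file is installed under the path named in Exec-Program, so each call records the effective user, PATH, arguments, output and exit status.

```shell
#!/bin/sh
# Added example: logging wrapper around a program started via Exec-Program.
# REAL and LOG are assumed paths, not values taken from the thread.
REAL="${REAL:-/etc/ppp/shd.real}"      # the original shaping script, renamed
LOG="${LOG:-/var/log/exec-program-wrapper.log}"

# run_logged CMD [ARG...]: log the caller's identity, environment and
# arguments, run CMD with its output appended to $LOG, return CMD's status.
run_logged() {
    {
        printf '%s pid=%s ruid=%s euid=%s cwd=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$(id -ru)" "$(id -u)" "$(pwd)"
        printf '  PATH=%s\n' "$PATH"
        printf '  argv:'
        for arg in "$@"; do
            printf ' [%s]' "$arg"
        done
        printf '\n'
    } >>"$LOG"

    # stdout and stderr of the real program go to the log, so errors such as
    # "command not found" or "Operation not permitted" become visible.
    "$@" >>"$LOG" 2>&1
    status=$?
    printf '  exit=%s\n' "$status" >>"$LOG"
    return "$status"
}

# Called with arguments (Exec-Program = '/etc/ppp/shd %f' passes the expanded
# %f), act as the wrapper; with none, only define run_logged.
if [ "$#" -gt 0 ]; then
    run_logged "$REAL" "$@"
    exit $?
fi
```

An euid other than 0 in the log, or a PATH without the directories holding ip and tc, would account for a script that works from a root shell but does nothing when the server starts it.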
Re: Exec-Program help
Thanks much but I need the script executed after successful authentication, not before that. Anyway thanks, my simple script was executed correctly.

Regards
Ivo Petrov

--- Edgars wrote:

> Hello,
>
> see what's written in logs. Try Exec-Program-Wait instead.
>
> Edgars
>
> Ivo Petrov wrote:
> > Hi all,
> > I have a problem using Exec-Program. I've put the line in radreply table
> >
> >     (4,'test1','Exec-Program',':=','/path/script')
> >
> > but the script was not executed. Can anybody tell me why?
> >
> > script:
> >
> >     #!/bin/bash
> >     ps aux | grep radiusd > result
> >
> > When I executed the script from the shell (Linux) it works but nothing happens when it is called from radiusd. And the radiusd tells the following when run in debug mode:
> >
> >     radius_xlat: '/path/script'
> >     Exec-Program: /path/script
> >
> > Thanks in advance.
> > Ivo Petrov
Exec-Program help
Hi all,

I have a problem using Exec-Program. I've put the line in radreply table

    (4,'test1','Exec-Program',':=','/path/script')

but the script was not executed. Can anybody tell me why?

script:

    #!/bin/bash
    ps aux | grep radiusd > result

When I executed the script from the shell (Linux) it works but nothing happens when it is called from radiusd. And the radiusd tells the following when run in debug mode:

    radius_xlat: '/path/script'
    Exec-Program: /path/script

Thanks in advance.
Ivo Petrov
Exec-Program and iproute2
Hi all,

I'm trying to shape ppp+ interfaces after successful authentication using Exec-Program. radiusd runs as root, in mysql radreply table the last row for the user contains: Exec-Program = '/etc/ppp/shd %f'. Freeradius version is 1.0.1, MySQL 4.0.21, Slackware 10, pptpd 1.2.1, iproute2 (ip, tc).

When user connects to the pptpd everything is OK, link goes up, but the ppp interface is not shaped. If I run shaping script outside the radius it works. In radius.log the stage of executing the script is noted with correctly transferred value of attribute %f, script is owned by root (same as radiusd), there isn't an error of any kind, but this automation doesn't work.

Can anyone tell me where could the mistake or my misunderstanding in implementing Exec-Program attribute. Any advice I would appreciate.

Thanks in advance
Re: Traffic help
--- Amedzekor Kafui wrote:

> Hi,
>
> Can we still have variables in the SELECT statement like %{sql: SELECT %{USER_NAME} ...}
>
> Thanks.
> Kafui Amedzekor.
>
> --- Alan DeKok wrote:
> > Ivo Petrov wrote:
> > > But I wonder is there any way to use values from SQL tables (mtotacct, totacct etc.) of Dialup Admin as check attribute or using Exec-Program or some other thing for letting or rejecting users depending of the traffic values?
> >
> > Sure. You can run any SQL query via %{sql: SELECT ...}, and put the results into any attribute.
> >
> > Alan DeKok.

Hi,

I thought so, but I need help too in implementing this. I've tried to run an iptables line with the $FRAMED_IP_ADDRESS variable but probably I've missed something because I didn't succeed. Can someone help us?

Ivaylo Petrov.
Roaring Penguin PPPoE Attributes
Hi all,

I've read somewhere there are attributes for the PPPoE server of Roaring Penguin. Can someone tell me in which dictionary they are included (if they are) or where I can get them from?

Thanks in advance.
Ivaylo Petrov.
Traffic help
Hi,

I have freeradius installed with MySQL backend for AAA on Slackware 10. All works perfect with Dialup admin as interface. But I wonder is there any way to use values from SQL tables (mtotacct, totacct etc.) of Dialup Admin as check attribute or using Exec-Program or some other thing for letting or rejecting users depending of the traffic values?

Thanks in advance
Re: Traffic help
--- Alan DeKok wrote:

> Ivo Petrov wrote:
> > But I wonder is there any way to use values from SQL tables (mtotacct, totacct etc.) of Dialup Admin as check attribute or using Exec-Program or some other thing for letting or rejecting users depending of the traffic values?
>
> Sure. You can run any SQL query via %{sql: SELECT ...}, and put the results into any attribute.
>
> Alan DeKok.

Hi again,

Because I am new to radius I want to make sure I understood well. Are the following steps possible:

    Auth-Type, Exec-program-Wait = /path/to/script, Attribute = value, Framed-IP-...

script:

    #!bin/sh
    Attribute := %{sql: SELECT...

Will that work? And can you advise me what attribute I should use for Attribute?

Thanks again.
Ivo.
Re: dialup admin replacement
On Mon, Jul 26, 2004 at 10:56:47PM +1200, Barry Murphy wrote:

> My problem is the poptop pptp server (with debian's ppp) is acting as the NAS server for my wireless clients, so there is no IOS to update. Not many people tend to be using pptp with radius and can answer this question.
>
> Barry

Hi Barry,

Can you tell me how you would like to check if users are still on-line? Namely, I have a similar situation (Debian woody) in which ppp hangs so it looks like the user is still on-line but is not.

Regards,
Ivo.
How to check full user traffic
Hi,

I am going to use Freeradius, but I need some help on configuring it to serve my particular purposes. I am using pppoe-server and the users are authenticated through radius, but I want to use some checks before letting users do their jobs. I want to account and check the traffic of each user, perform a check of the amount of that traffic (input and output), and if that traffic for a particular user is above some value (for example above 20MB) I want the radius server to not let that user do anything.

I am using Slackware 10, Freeradius 0.9.3, Postgresql-7.4.3 and this set of servers works nice, but I want to use more of the potential of Postgresql and Freeradius. I know that what I want to achieve is possible but I don't know how. I would appreciate any advice for this.

10x in advance.
Ivaylo Petrov.
Re: expiration feature
On Sat, Mar 06, 2004 at 12:58:15AM +0200, Evren Yurtesen wrote:

> > You could send Framed-Filter-Id (and of course define such filter in your RAS that will limit traffic to local server only)
>
> Yeah, the problem is that how can I make freeradius send it automatically for users whose Expiration attribute is set in the past. I already have the filters working. I just need a way to get things automated a bit.

Are you using sql database? If so, you could change the user group when the user account expires. I have done that by creating an additional table with user name and timeout value and modifying the acct-stop sql query (replaced it with a stored procedure in postgresql).
Re: expiration feature
On Fri, Mar 05, 2004 at 05:26:40PM +0200, Evren Yurtesen wrote:

> Is it possible to send additional radius attributes for expired accounts other than simply rejecting them? What I want to do is to send a special radius attribute (cisco access list) that I will only let the user to connect to account renewal page if the account of user is expired. Any suggestions?

You could send Framed-Filter-Id (and of course define such filter in your RAS that will limit traffic to local server only)