Re: radius doesn't start up correct

2007-03-07 Thread James Wakefield

Jan Lausch wrote:
> Satish Patel wrote:
> 
>> check process ID
>> #ps aux | grep radiusd
> 
> root 17622 89.6  0.0  4388 2248 pts/1R+   02:38   0:02 radiusd
> 
> 
> I also found: 
> 
> # netstat -nlp
> udp     1580      0 0.0.0.0:1812    0.0.0.0:*    7579/radiusd
> udp        0      0 0.0.0.0:1813    0.0.0.0:*    7579/radiusd
> 
> That Local IP 0.0.0.0 can't be a good sign, right?!
> 

No, that's fine.  All that means is that the socket is bound to all of
the box's IP addresses, rather than a specific one, so you could reach
that socket via the loopback interface, one of the ethernet interfaces,
a ppp interface, whatever.  Whatever other ports you have listening on
the box will probably look similar.


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: log failed logins

2007-01-23 Thread James Wakefield

Cory Robson wrote:

I have the following sql in my sql conf file and this is working.

My only gripe is if there is no info provided then what gets placed in the
log. It appears in the case of User-Password that a default of Chap-Password
is entered as per below.



G'day Cory,

In CHAP, the password never goes over the wire (which is its so-called 
benefit - I think "Challenge-Response Authentication Protocol" would 
make for a more appropriate acronym), so freeradius has no idea what the 
end user entered, only that the challenge-response process failed. 
Chap-Password indicates this.


Cheers,
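An added example (not code from James's reply or from the FreeRADIUS project) that walks through what CHAP actually puts on the wire: the NAS sends CHAP-Password (one identifier byte plus a 16-byte MD5 response) and CHAP-Challenge, per RFC 1994 and RFC 2865, and the server can only recompute the response from the cleartext password it holds. The attribute encoding and the sample challenge are constructed here for illustration.

```python
import hashlib
import hmac
import os

# RADIUS attribute type numbers from RFC 2865 (sections 5.3 and 5.40)
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994 section 4): MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def nas_encode(ident: int, secret: str, challenge: bytes) -> bytes:
    """What the NAS puts into the Access-Request on the user's behalf:
    CHAP-Password (1 byte ident + 16 byte response) and CHAP-Challenge.
    The cleartext secret is consumed here and never leaves this function."""
    value = bytes([ident]) + chap_response(ident, secret, challenge)
    chap_pw = bytes([CHAP_PASSWORD, 2 + len(value)]) + value
    chap_ch = bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    return chap_pw + chap_ch


def parse_attrs(data: bytes) -> dict:
    """Walk RFC 2865 type/length/value attributes; last occurrence wins."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_verify(attrs: dict, known_password: str,
                  request_authenticator: bytes) -> bool:
    """What the RADIUS server can do with a CHAP request: recompute the
    response from the cleartext password it holds (e.g. from the users
    file) and compare. On a mismatch it learns nothing about what the
    user typed, which is why a failed CHAP login is logged as Chap-Password."""
    value = attrs[CHAP_PASSWORD]
    if len(value) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 byte MD5")
    ident, response = value[0], value[1:]
    # RFC 2865 section 5.3: when no CHAP-Challenge attribute is present,
    # the 16-byte Request Authenticator is the challenge.
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(response, expected)


def password_on_wire(wire: bytes, password: str) -> bool:
    """Check of the claim in the reply: the password bytes never appear
    in the attributes the NAS sends."""
    return password.encode() in wire


if __name__ == "__main__":
    # Constructed sample: a fixed challenge keeps the run reproducible.
    challenge = bytes(range(16))
    authenticator = os.urandom(16)
    wire = nas_encode(0x2A, "s3cret-pw", challenge)
    attrs = parse_attrs(wire)
    print("password on wire:", password_on_wire(wire, "s3cret-pw"))
    print("verify, right password:", server_verify(attrs, "s3cret-pw", authenticator))
    print("verify, wrong password:", server_verify(attrs, "wrong", authenticator))
```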


Re: monitoring freeradius with nagios

2007-01-17 Thread James Wakefield

Mike wrote:

All,
When trying to use the "radauth" tool from nagios to monitor
freeradius, I get the following in the freeradius log:

Error: WARNING: Malformed RADIUS packet from host ... too long (length
18432 > maximum 4096)

radtest seems to be ok.  has anyone else experienced this or knows
what is wrong?


G'day Mike,

Fire up wireshark or tcpdump and have a look what's actually in the packets.

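An added example (not from James's reply or from the FreeRADIUS source) of the header sanity checks behind a "Malformed RADIUS packet ... too long" message: the RFC 2865 Length field must lie between 20 and 4096 and within the datagram, and every attribute must fit inside it. The sample packets, including one whose Length field claims 18432 as in Mike's log, are constructed here.

```python
import struct

# RFC 2865 section 3: Code(1) Identifier(1) Length(2) Authenticator(16)
RADIUS_HDR = struct.Struct("!BBH16s")
MIN_PACKET = RADIUS_HDR.size   # 20
MAX_PACKET = 4096              # the "maximum 4096" in the log line
ACCESS_REQUEST = 1
USER_NAME = 1


def check_radius_packet(datagram: bytes):
    """Return (ok, reason). These are the checks a server applies before
    it trusts any attribute: header present, Length within the RFC limits
    and within the datagram, every attribute inside Length."""
    if len(datagram) < MIN_PACKET:
        return False, f"datagram shorter than header ({len(datagram)} < {MIN_PACKET})"
    code, ident, length, _auth = RADIUS_HDR.unpack_from(datagram)
    if length < MIN_PACKET:
        return False, f"too short (length {length} < minimum {MIN_PACKET})"
    if length > MAX_PACKET:
        return False, f"too long (length {length} > maximum {MAX_PACKET})"
    if length > len(datagram):
        return False, f"length {length} exceeds datagram of {len(datagram)} bytes"
    # Octets past Length are padding and are ignored (RFC 2865 section 3),
    # so attributes are only walked up to Length.
    pos = MIN_PACKET
    while pos < length:
        if pos + 2 > length:
            return False, f"truncated attribute header at offset {pos}"
        alen = datagram[pos + 1]
        if alen < 2:
            return False, f"attribute at offset {pos} has length {alen} < 2"
        if pos + alen > length:
            return False, f"attribute at offset {pos} overruns packet"
        pos += alen
    return True, f"code {code} id {ident} length {length}"


def build_packet(code, ident, attrs, length_override=None):
    """Assemble a packet from (type, value) pairs; length_override lets a
    test reproduce a bogus Length field like the one in the log. The
    authenticator is zeroed because these checks never look at it."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    length = MIN_PACKET + len(body) if length_override is None else length_override
    return RADIUS_HDR.pack(code, ident, length, bytes(16)) + body


# Constructed samples: a well-formed Access-Request, and the same bytes
# with the Length field claiming 18432.
GOOD = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"nagios")])
TOO_LONG = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"nagios")],
                        length_override=18432)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("too_long", TOO_LONG)):
        print(name, check_radius_packet(pkt))
```

A packet that fails these checks is dropped before any attribute is decoded, so the debug output or a capture of the datagram itself is where to look next, as the reply says.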


Re: SPLAT question

2007-01-17 Thread James Wakefield

Enright Patrick - penrig wrote:



I’m not sure if this is how you tell it to look in the group file and 
not sure why I do not see this in the messages when I start freeradius….???


G'day Patrick,

You've defined the etc_group module but you also need to instantiate it. 
Add etc_group to the authorize { } section further down in radiusd.conf.




Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-16 Thread James Wakefield

Long wrote:

BTW - I have it configured in radiusd.conf to run under nobody:nobody.

Andrew 
   


Hey Andrew,

I'm sure you've checked it, but was there anything interesting in 
radius.log?  /var/log/messages?




Re: Strange behaviour of freeradius...?

2007-01-16 Thread James Wakefield

Polyxronopoulos Adreas wrote:


Do you think my AP doesn't say anything to freeradius after the 
mac-address drop? There is nothing in the AP web-configuration which 
could set it on and solve the problem. If the problem is the NAS, is 
there no solution?


Thanks a lot for your time


I suspect the AP isn't sending Accounting-Stop in this situation, but 
you can confirm that by running freeradius in debug mode (-X) and 
watching the screen, or running a packet sniffer such as wireshark or 
tcpdump.


If the AP isn't sending Accounting-Stop, and there's no way you can get 
a better AP that does, I guess you could periodically run a script from 
cron to log into the AP's web interface and grab the list of MAC 
addresses and compare against what your accounting database thinks are 
open sessions...





Re: Strange behaviour of freeradius...?

2007-01-15 Thread James Wakefield

apolyxrono wrote:

Hi list ,



After
If the user selects, from his wireless card software, to disconnect from 
the specific WLAN and I make the same query to the database, I can see 
that AcctStopTime has a specific value and accounting for this user has 
stopped.  However, if the user does not use his/her wireless software to 
disconnect from the WLAN and instead turns off the WLAN switch of his/her 
card, the accounting continues (AcctSessionTime is counting) on freeradius, 
but AcctInputOctets and AcctOutputOctets stop counting.  Why is that 
happening?  How should I know when the user is connected to the WLAN and 
when the user has just turned off the WLAN switch of his/her card?


Your NAS should be sending Accounting-Stop with an 
Acct-Termination-Cause of Lost-Carrier or something similar.  If it 
doesn't, then it's broken or misconfigured.  Maybe there's a timeout 
configurable on the NAS for this?




Re: Send atributes to the client

2006-12-19 Thread James Wakefield

[EMAIL PROTECTED] wrote:

Hello:

Which file must I set to send some attributes to a RADIUS client? For 
example, how can I send the VLAN for some user as soon as he is 
authenticated?


In which file must I set the attributes for a specific vendor, like 
Juniper ERX attributes?


Regards and thanks,

Francisco


Hi Francisco,

The users file is used for specifying attribute/value pairs sent to the 
client, and the dictionary file is used for mapping attribute names to 
numbers and types.


Was that the info you were after?

Cheers,




Re: radius hosting

2006-12-18 Thread James Wakefield

normalboy wrote:

Hello,
 
is there a free RADIUS server running somewhere on the internet which I 
could use? I need to create just 2 accounts, but it has to be a RADIUS 
server, and I do not have a machine on the internet 24/7.


How about http://radiuz.net ?




Re: Script to auth. users and control the remote phone number used

2006-11-23 Thread James Wakefield

Luis wrote:

Hi again,

Can anyone tell me if it is possible to control the authentication
process using the remote telephone number used by the user?

Thanks again :D


Hi Luis,

You can conditionally authorize users based on phone numbers, yes, if 
the NAS provides you that information, which it should if your telco 
carrier provides it.  Calling-Station-Id usually contains the number 
that the user is dialling from (the calling party), and 
Called-Station-Id usually contains the number that the user dialled (the 
called party).  You can use those attributes as part of check items in 
your users file, or whatever you happen to use.


Cheers,


Re: very long regular expression...

2006-11-22 Thread James Wakefield

Norbert Grochal wrote:

I have FreeRADIUS Version 1.1.0
 
I want to disallow login to access points for every hosts that are not 
in my network.
 
So at the end of /usr/local/etc/raddb/users file I put regular 
expression that checks if Calling-Station-Id IS NOT in list of my hosts...
 
DEFAULT Auth-Type := REJECT, Calling-Station-Id !~ 
"008012323244|002938475473|"


Is there any reason you shouldn't have a separate stanza accepting each 
valid MAC address, then implicitly reject all other MAC addresses?



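An added example (not from Norbert's post or James's reply) that models how the posted check item behaves and contrasts it with the per-MAC allowlist James suggests. It assumes the server's regex engine treats the empty alternative left by the trailing "|" as matching the empty string, which glibc's regexec and Python's re.search both do, and assumes Calling-Station-Id needs normalising because NASes format MAC addresses differently.

```python
import re

# The check item as posted, including the trailing "|"
POSTED_PATTERN = "008012323244|002938475473|"
ALLOWED_MACS = {"008012323244", "002938475473"}


def normalize_station_id(calling_station_id: str) -> str:
    """Assumption: NASes format Calling-Station-Id differently
    (00-80-12-32-32-44, 00:80:12:32:32:44, 0080.1232.3244, ...), so
    strip separators and lower-case before comparing."""
    return re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()


def default_reject_fires(calling_station_id: str, pattern: str) -> bool:
    """True when 'Calling-Station-Id !~ pattern' holds, i.e. when the
    DEFAULT Auth-Type := REJECT entry would apply. Modelled as an
    unanchored search, which is how both regexec and re.search behave.
    With the posted pattern the empty alternative matches every string,
    so "!~" is never true and no caller is ever rejected (fail-open)."""
    return re.search(pattern, normalize_station_id(calling_station_id)) is None


def anchored_pattern(macs) -> str:
    """If a single regex is wanted anyway: anchor it, escape every entry,
    and leave no empty alternative. Unanchored, "008012323244" would also
    match a longer string that merely contains it."""
    return "^(" + "|".join(re.escape(m) for m in sorted(macs)) + ")$"


def allowlist_decision(calling_station_id: str, allowed=ALLOWED_MACS) -> str:
    """James's suggestion expressed as a function: one accepting entry
    per known MAC, everything else rejected because nothing matched."""
    if normalize_station_id(calling_station_id) in allowed:
        return "accept"
    return "reject"


if __name__ == "__main__":
    for sid in ("00-80-12-32-32-44", "DE-AD-BE-EF-00-00"):
        print(sid,
              "posted pattern rejects:", default_reject_fires(sid, POSTED_PATTERN),
              "anchored pattern rejects:",
              default_reject_fires(sid, anchored_pattern(ALLOWED_MACS)),
              "allowlist:", allowlist_decision(sid))
```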


Re: Configuring the modulation

2006-11-17 Thread James Wakefield

Elie Hani wrote:

Hi;

Is there any way to configure in the radius database, the modulation for a
user?
Ex: if I want to oblige a user to open a dial up session, on a certain
modulation, V92 for example (or V90, or V34), can it be done in the radius
database using a certain entry?

Thanks
Elie Hani



Hi Elie,

I suppose it's possible if your NAS supports it, but don't your modems 
automatically negotiate that?




Re: Multiple search contexts in LDAP

2006-11-12 Thread James Wakefield

Peter Param wrote:

hey all,

I would like to have multiple search contexts to get around ambiguous
search results due to duplicate object names found in branches under the
same basedn = "ou=darlinghurst,ou=nsw,o=myorg,c=au"

 Peter



Hi Peter,

You could try using multiple instances of the ldap module, one to search 
one ou and the other to search the other ou, then invoke them one after 
the other wherever you currently invoke the single ldap instance.


Cheers,



Re: Accounting : server and port 1813

2006-11-11 Thread James Wakefield

Bruno Costacurta wrote:



My wifi router is Olitec wf402sg (aka NAS (Network Access Server) : do not 
hesitate to correct me if I'm wrong).


To summarize, my assumptions are:

- FreeRadius contains few servers : authorize, accounting (and others ?).


Sort of.  freeradius contains various modules that can be configured so 
that they are invoked to respond to various events (such as receiving an 
Access-Request).  These all combine to support the necessary AAA 
(Authentication, Authorization and Accounting) functions of a RADIUS 
server.  At least, that's how I understand it.


- the wifi router is the only client of the radius server (at least in a 
personal or home config like the one I'm referring to).
- so only the wifi router accesses authorization port 1812 and accounting port 
1813


If your firewall and freeradius' clients.conf are correctly configured, 
yes :)


- if my wifi router cannot be configured for accounting, my network is 
not able to do accounting because station(s) cannot contact 1813.




That's correct - at least, you won't be able to do RADIUS accounting 
with your wifi router.  Depending on your network's topology and what 
other equipment you may have you may be able to use another method to 
provide accounting.  Chillispot (http://www.chillispot.org/) might do 
what you want.  You might even be able to use the iptables byte counters 
on your Linux server and route traffic through it if you have no other 
options.





Re: Accounting : server and port 1813

2006-11-11 Thread James Wakefield

Bruno Costacurta wrote:

Hello,

I already had a working Freeradius configuration and intend now to install 
accounting. 
As far as I understand, accounting is a server using port 1813 (as a default 
value). But where is this value set up on the client?

(i.e. port 1812 for authorization is set up and used on the NAS)


Depends on your NAS...what do you have?




Re: howto get/send the fullname of an user

2006-11-09 Thread James Wakefield

Ariel VIVES wrote:

Alan DeKok wrote:

Ariel VIVES <[EMAIL PROTECTED]> wrote:

Yes, and my accounts are under NIS.
But I want to authenticate my users using freeradius,
and it works...

So isn't it possible to get additional information with freeradius by
using a shell script or by adding a specific attribute?

  Does the NIS documentation say you can do that with RADIUS?

  No.


Does the NIS documentation say I can't do that with RADIUS?

No.

Well, with NIS I can get information like the login but also the full username
or home directory.
My question isn't about NIS but about freeradius.

So I can't tell the freeradius server to get the login but also the full username?




Short of writing your own module to retrieve the data to send with 
Access-Accept, and adding attributes to the dictionary, no.


RADIUS is a AAA protocol.  Being a directory service is beyond its 
scope.  PHP's NIS/YP functions are pretty easy to use, you'd be better 
off using those.




Re: howto get/send the fullname of an user

2006-11-09 Thread James Wakefield

Ariel VIVES wrote:

James Wakefield wrote:

Ariel VIVES wrote:

Hello the list,


I'm starting with freeradius.
Authentication works fine !

But the only information I get is the username (the login name in
/etc/passwd).

How do I get the full name? Or other information (like mail, home
directory, ...)?
Is it possible?
Is it a configuration of the server or a request from the client?

thanks for your help




Hi Ariel,

Can you give us a bit more information about how you're using
freeradius?  From your description, it looks vaguely like you're using
pam_radius to authenticate logins against a freeradius server - is that it?



Hi,

in fact, the authentication is done with the file /etc/shadow (NIS users,
but that doesn't matter I think)

my requests are done with a web interface (php => php-radius) to
authenticate users (and this works well).



Hope it's enough ...



You're trying to use radius for something it's not really intended for. 
You'd be better off querying that information from a real directory 
service, like LDAP, or NIS, if you want it quicker and nastier.




Re: howto get/send the fullname of an user

2006-11-09 Thread James Wakefield

Ariel VIVES wrote:

Hello the list,


I'm starting with freeradius.
Authentication works fine !

But the only information I get is the username (the login name in
/etc/passwd).

How do I get the full name? Or other information (like mail, home
directory, ...)?
Is it possible?
Is it a configuration of the server or a request from the client?

thanks for your help





Hi Ariel,

Can you give us a bit more information about how you're using 
freeradius?  From your description, it looks vaguely like you're using 
pam_radius to authenticate logins against a freeradius server - is that it?




Re: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-08 Thread James Wakefield

G'day Ernie,

What value are you sending for Service-Type?  Best way to check is 
radiusd -X, and watch for the Access-Accept that freeradius sends, in 
case your authorization config isn't quite right.


Cheers,
James.

Ernie Dunbar wrote:

Okay, after doing these tests, we can see that the Cisco is now accepting
the packets.

However, the AS5300 is now telling us "no appropriate authorization type
for user". Here's the logs from the AS5300 (XX.XX.XX.X is the new server,
XX.XX.XX.Y is the backup that was offline for the duration of the test):

*Jan  3 16:30:43: RADIUS: Trying next server (XX.XX.XX.X) for id 20
*Jan  3 16:30:43: RADIUS: Retransmit id 20
*Jan  3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812,
Access-Accept, len 20
*Jan  3 16:30:43: RADIUS: saved authorization data for user 616D09DC at
614184A4
*Jan  3 16:30:43: RADIUS: no appropriate authorization type for user.
*Jan  3 16:30:43: RADIUS: ustruct sharecount=1
*Jan  3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645,
Access-Request, len 88
*Jan  3 16:30:43: Attribute 4 6 CCF4E9FE
*Jan  3 16:30:43: Attribute 5 6 0038
*Jan  3 16:30:43: Attribute 61 6 
*Jan  3 16:30:43: Attribute 1 11 72737461
*Jan  3 16:30:43: Attribute 30 9 36383131
*Jan  3 16:30:43: Attribute 2 18 A3B5B2A0
*Jan  3 16:30:43: Attribute 6 6 0002
*Jan  3 16:30:43: Attribute 7 6 0001
*Jan  3 16:30:44: %ISDN-6-DISCONNECT: Interface Serial2:5  disconnected
from unknown , call lasted 53 seconds
*Jan  3 16:30:44:  isdn_Call_disconnect()



Hi Ernie,

* Run radiusd -X and check that Access-Accept is being sent, and how
long after the Access-Request this is.

* Verify with tcpdump that the packet is actually getting onto the wire.

* Check for iptables rules/access-lists that might be dropping/rejecting
the packets.

* Make sure your AS5300 and freeradius are configured to use the same
port numbers.  freeradius shouldn't be seeing the Access-Request if not,
but it might be worth a look.

Ernie Dunbar wrote:

G'day Ernie,

Can you sniff on the AS5300 and ensure the Access-Accept packets are
arriving before the 3 second (default) timeout?

Yes, we tried that. The access-accept packets aren't arriving at all!


Does it work if you temporarily disable the Simultaneous-Use check?

No, that doesn't work either.







Re: limiting sessions

2006-11-07 Thread James Wakefield

Andrew Long wrote:

I need to boot users at one property after a specified time period.
We have adjusted the "max-daily-session" to "1800" (30 minutes),
but users still seem to be staying on. Can someone point me in the
right direction. The NAS is a Colubris cn3000.

The other attribute we have that may apply is "max-acct-age". I am
pretty new to this, so any detail is most appreciated.




The NAS should support Session-Timeout, which is the most common method 
of time-limiting sessions.  If not, hit the vendor with a big cluebat, 
as it's in the RFC.




Re: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-06 Thread James Wakefield

Hi Ernie,

* Run radiusd -X and check that Access-Accept is being sent, and how 
long after the Access-Request this is.


* Verify with tcpdump that the packet is actually getting onto the wire.

* Check for iptables rules/access-lists that might be dropping/rejecting 
the packets.


* Make sure your AS5300 and freeradius are configured to use the same 
port numbers.  freeradius shouldn't be seeing the Access-Request if not, 
but it might be worth a look.


Ernie Dunbar wrote:

G'day Ernie,

Can you sniff on the AS5300 and ensure the Access-Accept packets are
arriving before the 3 second (default) timeout?


Yes, we tried that. The access-accept packets aren't arriving at all!


Does it work if you temporarily disable the Simultaneous-Use check?


No, that doesn't work either.



Re: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread James Wakefield

Ernie Dunbar wrote:

No, it's not multihomed, but on a lark I tried it anyway (since there's
two network cards in it, but one isn't used). It still doesn't work.



G'day Ernie,

Can you sniff on the AS5300 and ensure the Access-Accept packets are 
arriving before the 3 second (default) timeout?


Does it work if you temporarily disable the Simultaneous-Use check?




Re: Freeradius with Comindico

2006-10-30 Thread James Wakefield

Cory Robson wrote:
I’m configuring freeradius 1.0.4-1.FC4.1 for the first time in an 
attempt to interface with Comindico’s system.


 

Comindico are totally unhelpful these days with most support issues other 
than suggesting I buy a copy of Radiator as that’s all they apparently know.


Anyway I have configured freeradius to use mysql for authentication and 
accounting.


 

Has anyone done a step by step config or able to assist me in 
understanding this process better.


 

NTRadping confirms authentication and accounting packets are functional 
but I cannot find any information to support Comindico’s process.


I have most of my dialup services through comindico.



G'day Cory,

If Comindico can give you a dictionary of attributes they send and 
expect to receive, the authentication protocols they support, timeouts, 
UDP port numbers, and NAS/RADIUS proxy IPs, that should be all you need. 
If you really have to, ask for their suggested Radiator config, then 
transpose to freeradius, which I'm willing to give you a hand with if 
you like.


You may also find it useful to subscribe and post to the AusNOG 
(http://www.ausnog.net/mailman/listinfo/ausnog) and isp-australia 
(mailto:[EMAIL PROTECTED]) in the hope that your 
posting is brought to the attention of clueful Comindico people.


Cheers,



Re: Radius+LDAP for TACACS alternative

2006-10-30 Thread James Wakefield

Arya, Manish Kumar wrote:

Hi People,

   I am a newbie to Radius, picking up slowly with
Radius.

   Can I use Radius for TACACS replacement ?
We have users/groups and Tacacs server provides
authentication/authorization for router cmds to these
user/groups.
   Can I achieve this using Radius? If yes, please send
some links to start.

Regards,
-Manish



Hi Manish,

I believe http://www-128.ibm.com/developerworks/linux/library/l-radius/ 
should cover most of your questions.


Note however that you cannot perform command-level audit logging with 
RADIUS as with TACACS.  If this is not important to you, then you're 
pretty much all set.


Cheers,



Re: how can I contribute ( configure options )

2006-10-23 Thread James Wakefield

Seferovic Edvin wrote:

Sure. How can I help? English is not my native language, but I don't see
that as a problem. The only problem I see ( at the moment ) is that I am not
familiar with all modules of freeradius and their configure options ( Alan
notices that some of them don't even have configure options etc ). 


I have a few successful freeradius installations behind me and I wrote
a patch similar to the one Jonathan de Grave published on the mailing list
recently (mine has a hardcoded attribute ;) ).

I would appreciate some feedback on the topic "how can I contribute to
freeradius project".

Regards,

E:S 


I would say the best place to start would be with what you know.  You 
don't have to cover every single option in the first version of the wiki 
page, as long as you note that the list is not complete.  Build the page 
up as your knowledge builds up.  People will make corrections where they 
need to be made, if you're not sure of something, check it to the best 
of your ability, ask the list, etc.  Other people will contribute their 
knowledge, too.





Re: billing problem in freeradius

2006-10-19 Thread James Wakefield

anand kumar wrote:

HI,
 
i want to configure the billing server(mysql database) with freeradius.




Include sql in the accounting { } section towards the end of your 
radiusd.conf.  If you're working with the default radiusd.conf, all you 
have to do is uncomment that line.  Then configure sql.conf so that 
freeradius can connect to your MySQL server (username, password, 
database name) and so that the accounting queries match the schema on 
your billing server.





Re: billing problem in freeradius

2006-10-16 Thread James Wakefield

anand kumar wrote:

Dear All,

I want to integrate our billing code into freeradius, and I want to write 
code in C with MySQL database connectivity and build a .so file as well. 
Please help me.


Thanks
A. K.


Anand Kumar
Software Engineer(VoIP)


Hi Anand,

I'm not quite sure what you mean.  Are you trying to get freeradius to 
deny authorization when a user meets certain billing-related criteria, 
eg: haven't paid their bill for x months, have used up all their 
pre-paid usage, etc?  Or, are you trying to log accounting data into a 
database in some way that the rlm_sql accounting code doesn't already 
allow you to do?


The standard approach is to simply use sql accounting, which will log 
accounting data to an SQL (MySQL, PostgreSQL, Oracle etc) database, then 
use billing software to generate bills based on the data in your 
accounting table, or a capture of that data at a particular instance, or 
something similar.  If you have usage meters or other such software, 
you'd have those querying the accounting table.


Did that help, or am I way off?

Cheers,


--
James Wakefield,


Re: One connection per username

2006-10-09 Thread James Wakefield

Ali Jawad wrote:

Hi
How can I limit to one connection per username, i.e. I do not want to
allow multiple users to log in using the same username/password
combination.


Hi Ali,

Your NAS will have to support it, but the Simultaneous-Use attribute may 
allow you to do this.


Cheers,
--
James Wakefield,


Re: Huntgroups, Realms, MySQL

2006-10-09 Thread James Wakefield

Brad McAllister wrote:
G'day mate, thanks for the quick reply.  I already have this in my 
radiusd.conf:


realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = no
    ignore_null = no
}


Have you got suffix in your authorize { } section?



The huntgroups file looks like this:

wireless    NAS-IP-Address == 127.0.0.1
wireless    NAS-IP-Address == localhost.localdomain
            SQL-Group == 3072BY256

radgroupcheck table:

|  8 | netmaster | Huntgroup-Name | == | netmaster |

|  6 | 3072BY256 | Huntgroup-Name | == | wireless  |
|  7 | 3072BY256 | Auth-Type  | += | local |
|  9 | netmaster | Auth-Type  | += | local |



Any reason you're setting values for Auth-Type?


--
James Wakefield,


Re: Multiple users mysql backend

2006-10-09 Thread James Wakefield

Collen Blijenberg wrote:
I'm still looking for a good solution for authenticating multiple users 
with the same login name and with mysql as backend.

In the mysql table 'radcheck' I have entered the following:

UserName  Attribute  op  Value
gebruiker Calling-Station-Id ==  00166f980e78
gebruiker NT-Password   :=  
gebruiker Calling-Station-Id ==  00166f97d99d
gebruiker NT-Password   :=  

It does work with the 'users' plain text file,
but as soon as I turn to mysql, it fails... ?!
Dunno, is there some bug, or incomplete code, for the mysql backend?


G'day Collen,

Can you post any and all SQL queries you see in the output of radiusd -X?

Cheers,
--
James Wakefield,


Re: Prevent certain ip ranges from accounting

2006-10-07 Thread James Wakefield

Phil Mayers wrote:



If you're assigning fixed IPs, you might look at netflow. Packets like 
"ipfm" and similar can be used to monitor traffic by IP from a port 
mirror. All depends on your network architecture.


You can also use netflow with dynamic IPs, if you script up something to 
match the IPs and timestamps in the netflow data against the timestamps, 
IPs and usernames in your radius accounting.


--
James Wakefield,


Re: rewriting Frame-IP-Netmask

2006-10-05 Thread James Wakefield

Apu islam wrote:

I am having problems rewriting the IP Netmask
attribute. I am using mysql for my user authorization.
The IP address seems to get set right, but the Netmask
does not. I have specified it specifically and even
changed the default, but could not get this to work.
It's a PPP framed connection.
What should I look at? Thank you for suggestions.

Apu


Hi Apu,

Run the server in debugging mode (radiusd -X) and watch the 
access-accept packet go from freeradius to your NAS.  If the subnet mask 
is correct there, there's a config. problem/bug with your NAS.  If it's 
not correct there, then there's something you've missed in your 
freeradius config.  Is there any chance the subnet mask is specified on 
your NAS and it's overriding what you send it?


Cheers,
--
James Wakefield,


Re: Huntgroups, Realms, MySQL

2006-10-05 Thread James Wakefield

Brad McAllister wrote:



If I remove the huntgroups from the picture, it works fine. The 
problem seems to be that the realm is not being stripped off the 
username when it is checked against the usergroup table. If more 
information is needed, please let me know. I would really like to get 
this working.


Thanks!

- Brad


Have a look at the realm { } instances and attr_rewrite in 
http://wiki.freeradius.org/Radiusd.conf.


If that doesn't sort you out, could you post (with private info 
obscured, of course) relevant excerpts from your radgroupcheck table and 
huntgroups file?


Cheers,
--
James Wakefield,


Re: only work with 5 users or clients

2006-10-03 Thread James Wakefield

Hi Tom,

I see nothing that should cause the behaviour you're seeing, though bear 
in mind I'm not a VPDN expert.


Could you post:

* An Access-Request packet logged when your setup is working
* The Access-Accept packet that corresponds with the above Access-Request
* An Access-Request packet when your setup is *not* working
* The Access-Accept packet that corresponds with the above Access-Request

Could you also perhaps check on the general health of your router and 
the AAA server when the setup isn't working?  Does it coincide with 
anomalous CPU usage, load average, memory usage etc?


I don't *think* you need to check or reply with any tunnelling-related 
attributes in simple cases of a VPDN setup, but as I say, I'm not an 
expert in that area.


Cheers,
James.


Tom Miller wrote:
Here is a more detailed list of the aaa configuration for my Cisco 7204:


aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login telnet line
aaa authentication login localauth local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting nested
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius


!
vpdn enable
vpdn aaa override-server 172.17.17.17
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname bbbr.ca.AADS
 local name abc123456789cha
 lcp renegotiation always
 l2tp tunnel password 7 
!

radius-server host 172.17.17.17 auth-port 1645 acct-port 1646


!
interface Virtual-Template1
 mtu 1492
 ip address 192.168.172.1 255.255.255.128
 peer default ip address pool DSLCustomer
 ppp authentication chap callin
!
ip local pool DSLCustomer 192.168.172.51 192.168.172.125


 Original message 

Date: Mon, 02 Oct 2006 09:18:59 +1000
From: James Wakefield <[EMAIL PROTECTED]>  
Subject: Re: only work with 5 users or clients  
To: [EMAIL PROTECTED], FreeRadius users mailing list 



Tom Miller wrote:
I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and 
freeradius ( 1.0.4)


I am having a problem when the number of users (clients) 
increases to 6 and up.


It worked fine when I had only 5 users (clients) using
the system.


I found the max_requests was set at 1024 in radiusd.conf and 
have increased the number up to 50 clients (50x256=12800)

max_requests = 12800



However, it doesn't seem to have any effect. What am I doing 
wrong?


One thing I noticed: the two users that cannot connect 
send incomplete information to the radius server from the NAS (7204), such as:


Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.17.1:1645, id=200, length=95
NAS-IP-Address = 192.168.17.1
NAS-Port = 3
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
Service-Type = Framed-User
Framed-Protocol = PPP

auth: user supplied CHAP-Password matches local User-Password

Sending Access-Accept of id 200 to 192.168.17.1:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 209.101.222.12
Framed-IP-Netmask = 255.255.255.128
Framed-MTU = 1492
Finished request 16
Going to the next request




*** This is a log when it connected.   It included the Tunnel server and client end point *



rad_recv: Accounting-Request packet from host 192.168.17.1:1646, id=199, length=232

NAS-IP-Address = 192.168.17.1
NAS-Port = 6
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0CD8"
Framed-Protocol = PPP
Tunnel-Server-Endpoint:0 = "10.10.6.5"
Tunnel-Client-Endpoint:0 = "10.10.6.6"
Tunnel-Type:0 = L2TP
Tunnel-Client-Auth-Id:0 = "12345678"
Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
Acct-Tunnel-Connection = "13441125"
Framed-IP-Address = 209.101.222.12
Acct-Terminate-Cause = Admin-Reset
Acct-Input-Octets = 281672
Acct-Output-Octets = 266074
Acct-Input-Packets = 4390
Acct-Output-Packets = 4154
Acct-Session-Time = 1967
Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf

This is an accounting stop record, as opposed to the access accept 
record you display above and below.  It isn't necessarily indicative of 
what freeradius sent to the NAS, or anything else that happened when the 
client connected.


--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=200, length=95

Re: prevent roaming configuration question

2006-10-02 Thread James Wakefield

isidoros wrote:



James:

I'm almost there (now I'm thinking like this):
1) authorize_group_check_query: to check if the user is in a group
2) authorize_group_check_query: retrieve the check-items for this group 
(which is my solution)
3) authorize on the check-items, if the expression is like this: "whether 
or not to authorize a request, such as User-Password == "mypassword", or 
Calling-Station-Id != "5554796"."

will all users in the same group authorize by the same password?

I guess my question is: is the group check additional to the user check?


Yes, it is additional.  Typically you wouldn't check User-Password in 
the group checks.  radcheck is for user-specific checks (like 
User-Password).


Cheers,
--
James Wakefield,


Re: prevent roaming configuration question

2006-10-02 Thread James Wakefield

James Wakefield wrote:

isidoros wrote:


Thanks James for your answer,

I'm fairly new to freeradius; I've known the package for only 14 days (or 
radius in general, for that matter).


The group configuration is a mystery to me. It is unclear for me how 
this separates the users. This is how I think

1) G1 with users A,B,C
2) G2 with users X,Y,Z
3) At a request the configuration determines which group the user 
belongs to

4) And makes a query for the users A until Z to the same database
5) the auth_query only talks about the user.
6) This is the point where I fail to understand how the group config 
helps me. The query is made to the same database on behalf of any 
user.


Please spell out to me where my thinking goes wrong. I would like 
to understand this group config thing better (if at all at this point 
in time).




Actually, http://wiki.freeradius.org/Rlm_sql explains it much better 
than I just did.



--
James Wakefield,


Re: prevent roaming configuration question

2006-10-02 Thread James Wakefield

isidoros wrote:


Thanks James for your answer,

I'm fairly new to freeradius; I've known the package for only 14 days (or radius 
in general, for that matter).


The group configuration is a mystery to me. It is unclear for me how 
this separates the users. This is how I think

1) G1 with users A,B,C
2) G2 with users X,Y,Z
3) At a request the configuration determines which group the user belongs to
4) And makes a query for the users A until Z to the same database
5) the auth_query only talks about the user.
6) This is the point where I fail to understand how the group config 
helps me. The query is made to the same database on behalf of any user.


Please spell out to me where my thinking goes wrong. I would like to 
understand this group config thing better (if at all at this point in time).


Hi Isidoros,

In sql.conf,

authcheck_table = "radcheck"
authreply_table = "radreply"

groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"

usergroup_table = "usergroup"


groupcheck_table and usergroup_table are referred to here:

authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
    ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op \
    FROM ${groupcheck_table}, ${usergroup_table} \
    WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND \
    ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
    ORDER BY ${groupcheck_table}.id"


This retrieves all the check items that apply to the group the user 
belongs to.  The usergroup table maps users to groups, and radgroupcheck 
maps groups to check items.  A check item, which will be a new term to 
you if you're a newbie, is an expression which is evaluated when 
deciding whether or not to authorize a request, such as User-Password == 
"mypassword", or Calling-Station-Id != "5554796".


When rlm_sql is invoked to authorize a request, the user's check items 
in radcheck are evaluated.  When the user is in a group, this might only 
be to check User-Password.  Then, authorize_group_check_query is used to 
 retrieve check items for the user's group, which are then evaluated. 
If all the applicable check items, from both radcheck and radgroupcheck, 
match, then the reply items - Attribute=Value pairs sent from freeradius 
to the NAS when it sends the Access-Accept message for an authorized 
request - are retrieved by querying radreply, for reply items specific 
to the user, and radgroupreply, for reply items specific to the user's 
group.


Make any more sense?



In the meanwhile:
I have solved the problem with the below changes:

in sql.conf replace this rule with:
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' AND \
Location = (SELECT Location FROM nas WHERE nasname = '%{NAS-Identifier}') \
ORDER BY id"


in mysql

fill the nas table with your info:
INSERT INTO nas (nasname, nasshortname, type, secret, Location) VALUES 
('yournasname in chillspot', 'anyname' , 'other', 'shared secret', 
'Location-number '.  );


It works, but I have no idea if this is "best practice" or I'm seriously 
damaging the config.


Best practice is to not change any code if you don't have to.  By using 
groups, you don't have to change any code.  I wouldn't say you've 
"seriously damaged" the config, but you may find that it doesn't behave 
in the future.  I would recommend spending the time getting groups and 
group checks to work, then reverting any SQL queries you've altered back 
to their defaults.  It'll be much less painful in the long run.


Cheers,

--
James Wakefield,


Re: prevent roaming configuration question

2006-10-01 Thread James Wakefield

isidoros wrote:


Goal:
users X,Y,Z should only be authenticated on NAS1 and not on NAS2 or any 
other nas
users A,B,C should only be authenticated on NAS2 and not on NAS1 or any 
other nas

etc



G'day,

You'll probably want users X,Y,Z mapped to one group (let's say, G1), 
and A,B,C mapped to another (let's say, G2) in your usergroup table. 
You can then use NAS-IP-Address as a check item in radgroupcheck to 
authorize only G1 from NAS1's IP address, and authorize only G2 from 
NAS2's IP address.  You shouldn't have to touch any of the SQL queries 
in sql.conf.


http://wiki.freeradius.org/Rlm_sql should provide the info you need to 
do the above.


Cheers,
--
James Wakefield,

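A worked model of the user-check-plus-group-check flow described in the replies above: radcheck holds the per-user items, usergroup maps users to groups, and a NAS-IP-Address check item in radgroupcheck keeps X, Y, Z on NAS1 and A, B, C on NAS2 without touching sql.conf. This is an added example, not FreeRADIUS or rlm_sql code; it runs the thread's sql.conf queries against an in-memory SQLite database with constructed rows, and the table layout, the 192.0.2.x NAS addresses and the passwords are assumptions. Where a user is in more than one group it takes the first group whose check items all match, which is my reading of rlm_sql and goes beyond the single-group case in the thread.

```python
"""Added example, not FreeRADIUS or rlm_sql code: a model of how rlm_sql
combines per-user check items (radcheck) with per-group check items
(radgroupcheck, reached through usergroup), using the sql.conf queries
quoted in the thread against an in-memory SQLite database."""
import sqlite3

# Column names follow the 1.x schema used in the thread (UserName/GroupName,
# Attribute, op, Value). Constructed for this example.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# The thread's queries with the ${...} table names filled in and the
# %{SQL-User-Name} expansion replaced by a bound parameter.
USER_CHECK_Q = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id"
USER_REPLY_Q = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE UserName = ? ORDER BY id"
GROUP_CHECK_Q = """SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
 WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id"""
GROUP_REPLY_Q = GROUP_CHECK_Q.replace("radgroupcheck", "radgroupreply")

NAS1, NAS2 = "192.0.2.1", "192.0.2.2"   # constructed NAS addresses (documentation range)


def _matches(items, request, control):
    """Evaluate check items (Attribute, op, Value) against the request dict.
    '==' / '!=' compare with the request; ':=' sets a control attribute such as
    Pool-Name or Auth-Type and always matches. Sets are applied only once every
    comparison has passed, so a failed group leaves nothing behind."""
    sets = {}
    for attr, op, value in items:
        if op == ":=":
            sets[attr] = value
        elif op == "==":
            if request.get(attr) != value:
                return False
        elif op == "!=":
            if request.get(attr) == value:
                return False
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    control.update(sets)
    return True


def authorize(conn, request):
    """Decide one Access-Request (dict of attribute -> value) the way the thread
    describes: the user's radcheck items must all match, and a user who belongs
    to groups must also match the check items of one of them (first match in
    radgroupcheck.id order wins; reply items come from radreply + radgroupreply)."""
    user = request["User-Name"]
    control, reply = {}, {}
    user_items = [(a, o, v) for _, _, a, v, o in conn.execute(USER_CHECK_Q, (user,))]
    if user_items and not _matches(user_items, request, control):
        return {"result": "reject", "why": "user check items failed"}
    reply.update({a: v for _, _, a, v, _ in conn.execute(USER_REPLY_Q, (user,))})
    groups = {}                                  # GroupName -> check items, in id order
    for _, gname, attr, value, op in conn.execute(GROUP_CHECK_Q, (user,)):
        groups.setdefault(gname, []).append((attr, op, value))
    if not user_items and not groups:
        return {"result": "notfound", "why": "no radcheck rows and no group check items"}
    if not groups:
        return {"result": "accept", "group": None, "control": control, "reply": reply}
    for gname, items in groups.items():
        if _matches(items, request, control):
            reply.update({a: v for _, g, a, v, _ in conn.execute(GROUP_REPLY_Q, (user,)) if g == gname})
            return {"result": "accept", "group": gname, "control": control, "reply": reply}
    return {"result": "reject", "why": "no group check items matched"}


def build_db():
    """Constructed rows for the thread's scenario: X, Y, Z may only use NAS1
    (group G1) and A, B, C only NAS2 (group G2). Passwords live in radcheck,
    the NAS restriction in radgroupcheck; sql.conf is untouched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for group, users, nas in (("G1", "XYZ", NAS1), ("G2", "ABC", NAS2)):
        for u in users:
            conn.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
                         "VALUES (?, 'User-Password', '==', ?)", (u, "pw-" + u))
            conn.execute("INSERT INTO usergroup VALUES (?, ?)", (u, group))
        conn.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
                     "VALUES (?, 'NAS-IP-Address', '==', ?)", (group, nas))
    # a control attribute set from a group check item, as in Ami's Pool-Name thread further down
    conn.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
                 "VALUES ('G1', 'Pool-Name', ':=', 'Pool-t1')")
    conn.executemany("INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES (?, ?, '=', ?)",
                     [("G1", "Framed-Protocol", "PPP"), ("G2", "Session-Timeout", "600")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_db()
    for user, nas in (("X", NAS1), ("X", NAS2), ("A", NAS2), ("A", NAS1), ("nobody", NAS1)):
        req = {"User-Name": user, "User-Password": "pw-" + user, "NAS-IP-Address": nas}
        print(f"{user} from {nas}: {authorize(db, req)['result']}")
```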

Re: only work with 5 users or clients

2006-10-01 Thread James Wakefield

Tom Miller wrote:
I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and 
freeradius ( 1.0.4)


I am having a problem when the number of users (clients) 
increases to 6 and up.


It worked fine when I had only 5 users (clients) using
the system.


I found the max_requests was set at 1024 in radiusd.conf and 
have increased the number up to 50 clients (50x256=12800)


max_requests = 12800



However, it doesn't seem to have any effect. What am I doing
wrong?


One thing I noticed: the two users that cannot connect 
send incomplete information to the radius server from the NAS (7204), such as:


Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.17.1:1645, id=200, length=95

NAS-IP-Address = 192.168.17.1
NAS-Port = 3
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
Service-Type = Framed-User
Framed-Protocol = PPP

auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 192.168.17.1:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 209.101.222.12
Framed-IP-Netmask = 255.255.255.128
Framed-MTU = 1492
Finished request 16
Going to the next request




*** This is a log when it connected.   It included the Tunnel server and client end point *




rad_recv: Accounting-Request packet from host 192.168.17.1:1646, id=199, length=232

NAS-IP-Address = 192.168.17.1
NAS-Port = 6
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0CD8"
Framed-Protocol = PPP
Tunnel-Server-Endpoint:0 = "10.10.6.5"
Tunnel-Client-Endpoint:0 = "10.10.6.6"
Tunnel-Type:0 = L2TP
Tunnel-Client-Auth-Id:0 = "12345678"
Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
Acct-Tunnel-Connection = "13441125"
Framed-IP-Address = 209.101.222.12
Acct-Terminate-Cause = Admin-Reset
Acct-Input-Octets = 281672
Acct-Output-Octets = 266074
Acct-Input-Packets = 4390
Acct-Output-Packets = 4154
Acct-Session-Time = 1967
Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf



This is an accounting stop record, as opposed to the access accept 
record you display above and below.  It isn't necessarily indicative of 
what freeradius sent to the NAS, or anything else that happened when the 
client connected.



--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=200, length=95

NAS-IP-Address = 172.17.17.1
NAS-Port = 3
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0xcc3aeb78c7482c25ab08dc0625fcb4007e
Service-Type = Framed-User
Framed-Protocol = PPP

auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 172.17.17.1:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 38.101.172.12
Framed-IP-Netmask = 255.255.255.128
Framed-MTU = 1492
Finished request 16
Going to the next request


What am I missing here?


How are you authenticating and authorizing your users?  users file, some 
sort of database or directory?  Could you send some relevant excerpts 
from those sources, eg: some users file stanzas if you're using the 
users file, objects from your LDAP directory in LDIF if you're using LDAP?


My hunch is that freeradius isn't configured to send the necessary 
attributes and your NAS is defaulting those attributes, but can't do 
that for more than 5 concurrent users.  Unless you're observing 
considerable delay between the receipt of access-request and the sending 
of access-accept (ie: more than a couple of seconds), or freeradius is 
sending different attributes with the access-accept for the same user 
when things seem to be going wrong to when they're going right, I think 
you're missing some attributes or your NAS is misconfigured or both.



Cheers,
--
James Wakefield,


Re: Freeradius is not restarting properly (fails to quit and becomes a zombie process)

2006-09-28 Thread James Wakefield

Jason Wittlin-Cohen wrote:

Over the last few days I've been having a recurring problem. Whenever I
start Freeradius either with radiusd in a terminal or as a service in
Debian, I can not restart/kill radiusd properly if it's authenticated
any clients. Restarting the service says it's successful but the radius
log states that port 1812 is already in use. "top" shows 100% cpu usage
after I attempt to restart radiusd. In addition, kill will not work. I
need to use kill -9. No errors are thrown when I try to kill it in debug
mode either. It just says exiting and sits there but doesn't die.


Howdy Jason,

Might you get any useful info by running radiusd with strace?

Cheers,

--
James Wakefield,


Re: multiple MAC in calling-station-id

2006-09-27 Thread James Wakefield

Collen Blijenberg wrote:

Just a question...

We use 'Calling-Station-Id' to authenticate against the MAC address (and 
username and password).

Can I use multiple 'Calling-Station-Id' entries if some user account has, let's 
say, 3 laptops?

Or is there another way to link multiple MAC addresses to a user account?



Hi Collen,

All the check items in the first line of a users file stanza must be 
matched for access to be granted.  You could try using multiple stanzas 
for each user who needs access from multiple Calling-Station-Ids, eg:


testcase1 User-Password == "12345", Calling-Station-Id == "00166f980e78"
          Reply-Item = "value",
          Other-Reply-Item = "other value"

testcase1 User-Password == "12345", Calling-Station-Id == "00166f97d99d"
          Reply-Item = "value",
          Other-Reply-Item = "other value"

Cheers,

--
James Wakefield,


Re: mod_auth_radius-2.0

2006-09-26 Thread James Wakefield

William wrote:

Greetings,
  I am having some problems with mod_auth_radius-2.0 on apache 2.0.54.  The 
error I am receiving is:

Cannot load /usr/local/apache/modules/mod_auth_radius-2.0.so into 
server: /usr/local/apache/modules/mod_auth_radius-2.0.so: undefined symbol: 
ap_snprintf

I am running on suse 10.1-x86_64 and apache is compiled from source. Any 
suggestions? Help?


G'day William,

What do you get when you run ldd 
/usr/local/apache/modules/mod_auth_radius-2.0.so ?


Cheers,
--
James Wakefield,


Re: assigning different ippools according to huntgroups

2006-09-19 Thread James Wakefield

Ami Schieber wrote:


users:

DEFAULT Huntgroup-Name == "t1"
        Pool-Name := Pool-t1,
        Fall-Through = No


Hi Ami,

You need to assign Pool-Name as a check item rather than a reply item. 
In the case of the users file stanza above, this:


DEFAULT Huntgroup-Name == "t1", Pool-Name := Pool-t1
        Fall-Through = No

should work.

--
James Wakefield,


Re: huntgroups - doku?

2006-09-19 Thread James Wakefield

Michael Messner wrote:

Here are my new configs, it looks like they are working, but I'm not sure
if this is really the correct way:




-- snip (see previous post) --



Is this the correct way?


It looks pretty right to me.   Can't see any better way to do it.

--
James Wakefield,


Re: SQUID---radius

2006-09-19 Thread James Wakefield

http://www.squid-cache.org/contrib/squid_radius_auth/

ego seek wrote:
Does anybody know how I can make squid (transparent web proxy) work with 
radius?


thank you.







--
James Wakefield,


Re: Maximum timed out Session

2006-09-14 Thread James Wakefield

Elie Hani wrote:

Hi;

Is there a way to disconnect a user after a certain time automatically 
using freeradius?

I've tried the entry "Max-All-Session" in the database, but it didn't work.



Hi Elie,

The standard way is to send the Session-Timeout attribute to the NAS, 
with a numerical value of seconds, eg: Session-Timeout=600 for a 10 
minute timeout.


--
James Wakefield,


Re: PAP questions.

2006-09-13 Thread James Wakefield

Keith Woodworth wrote:


My users file:

DEFAULT
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 1500

Using it like this works.

But as soon as I use it this way:

DEFAULT Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 1500

Why does the top way work and the bottom way not? 


Expressions on the first line in a users file stanza are check items. 
Expressions on subsequent lines are reply items.  You probably want to 
use the second method and replace "Service-Type = Framed-User" with the 
comparison "Service-Type == Framed-User".


And is this an

acceptable way to do it? Store the users and passwords in SQL and have the
Users file supply the rest?


If the check and reply items needed for your setup don't result in a 
users file that's unmanageable, it's acceptable.




--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
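The check-item versus reply-item split James describes, shown as an added example of my own (not code from the list or from FreeRADIUS): a small Python reader for users-file stanzas that puts first-line items into "check" and indented continuation items into "reply", plus a lint pass that flags a first-line "=" where "==" was meant. Keith's two stanzas are retyped as the sample input; the operator list and the ":tag" suffix handling are my assumptions about the format, not a complete grammar of the real parser.

```python
"""Added example: parse FreeRADIUS 'users' stanzas into check items (first line)
and reply items (indented continuation lines), as described in James's reply.
This is a deliberately small reader of the format, not FreeRADIUS's own parser."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)

# Attribute name, optional ":tag" suffix (assumed), then operators longest
# first so that "==" is never read as "=" followed by "=".
_PAIR = re.compile(
    r"^([A-Za-z0-9_.\-]+(?::\d+)?)\s*"
    r"(==|!=|:=|\+=|=~|!~|=\*|!\*|<=|>=|<|>|=)\s*(.*)$"
)


@dataclass
class Stanza:
    name: str                                   # "DEFAULT" or a user name
    check: List[Item] = field(default_factory=list)
    reply: List[Item] = field(default_factory=list)


def split_items(text: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def parse_item(item: str) -> Item:
    m = _PAIR.match(item.strip())
    if not m:
        raise ValueError(f"not an attribute/operator/value triple: {item!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip().strip('"')


def parse_users(text: str) -> List[Stanza]:
    """A line in column 0 starts a stanza: name, then comma-separated check items.
    Indented lines that follow carry that stanza's reply items."""
    stanzas: List[Stanza] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if line[0] in " \t":
            if not stanzas:
                raise ValueError("reply items before any stanza name")
            stanzas[-1].reply.extend(parse_item(i) for i in split_items(line))
        else:
            parts = line.split(None, 1)
            stanza = Stanza(parts[0])
            if len(parts) == 2:
                stanza.check.extend(parse_item(i) for i in split_items(parts[1]))
            stanzas.append(stanza)
    return stanzas


def lint(stanza: Stanza) -> List[str]:
    """Warn about first-line items written with '=' where a comparison was meant;
    James's advice is to write the check as 'Service-Type == Framed-User'."""
    return [f"{stanza.name}: check item '{a} = {v}' uses '=', use '==' to compare"
            for a, op, v in stanza.check if op == "="]


# Keith's reply lines, retyped from the post (constructed sample input).
REPLY_LINES = (
    "\tFramed-Protocol = PPP,\n"
    "\tFramed-Routing = None,\n"
    "\tFramed-IP-Netmask = 255.255.255.255,\n"
    "\tFramed-Compression = Van-Jacobsen-TCP-IP,\n"
    "\tFramed-MTU = 1500\n"
)
FORM_A = "DEFAULT\n\tService-Type = Framed-User,\n" + REPLY_LINES   # works: everything is a reply item
FORM_B = "DEFAULT Service-Type = Framed-User\n" + REPLY_LINES       # fails: '=' as a check item
FIXED = "DEFAULT Service-Type == Framed-User\n" + REPLY_LINES       # what James suggests

if __name__ == "__main__":
    for label, text in (("A", FORM_A), ("B", FORM_B), ("fixed", FIXED)):
        s = parse_users(text)[0]
        print(label, "check:", s.check, "reply items:", len(s.reply), lint(s))
```

Running it shows form A with an empty check list and six reply items, form B with Service-Type as its only check item (and a lint warning), and the corrected stanza with a clean "==" comparison.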


Re: Help about this error

2006-09-06 Thread James Wakefield

Elie Hani wrote:



Radgroupreply:
id  groupname  attribute        op  value
1   Dialin     Framed-Protocol  ==  PPP
6   Dialin     Service-Type     :=  Framed-User
8   Dialin     Auth-Type        :=  Local
9   Dialin     Pool-Name        :=  main_pool
10  Dialin     Reply-Message    =   Access



Hi Elie,

Try putting rows with ids 1, 6, 8, and 9 in radgroupcheck rather than 
radgroupreply.


Cheers,

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: Help about this error

2006-09-06 Thread James Wakefield
Hi Elie,

Are you using SQL auth.?  If so, is your radgroupcheck table small
enough that you could paste us a select * from it?

On Wed, 2006-09-06 at 10:16 +0200, Elie Hani wrote:
> Hi;
> 
> Can anyone help me about this error? How can I solve it?
> I think I've missed something in the tables in the database.
> 
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "main_pool" returns noop for request 2
> rlm_ippool: Could not find Pool-Name attribute.
>   modcall[post-auth]: module "real" returns noop for request 2
> radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20060906'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20060906
>   modcall[post-auth]: module "auth_log" returns ok for request 2
> 
> 
> Thanks
> Elie
> 
-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au



Re: How to configure free radius to make it listen to different udp ports?

2006-08-30 Thread James Wakefield
On Thu, 2006-08-31 at 10:34 +0530, Shankar Ganesh C wrote:
> Hi,
>  
> How can I make freeradius listen to different UDP ports? 
>  
> Thanks and regards
> Shankar ganesh

http://wiki.freeradius.org/index.php/Radiusd.conf

look for the listen { } section.

-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au



Re: Duplicate requests in a session

2006-08-30 Thread James Wakefield

Santiago Balaguer García wrote:

Hi people,

1)
 In my activity I realize that when the connection to Internet of a NAS is 
NOT good (there are some reday in the DSL), the NAS sends several Start 
requests. My problem is my RADIUS server asks for all these requests and 
they are inserted in my DB. So, when the user or the NAS finalizes the 
session and NAS sends Stop Request, the credit associated to the user 
account is decremented several times. It happens so because I put a 
trigger in my DB to decrement the user credit automatically.


 Can I avoid the problem of inserting several times the start request?
 If it is so, how??

2) Is it supposed that the value of acctsessionid and acctuniqueid in 
radacct table  are UNIQUE and they can not be duplicated ?


Thanks,
   Santiago


Hi Santiago,

Does your DBMS enforce primary key constraints?  Do you have a primary 
key defined for your radacct table? If I recall correctly, MySQL by 
default doesn't, are you using MySQL?


Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: freeradius configuration

2006-08-21 Thread James Wakefield
Have you tried the documentation supplied with the freeradius package? 
It's not bad...


If you need more, try the book "RADIUS" by Jonathan Hassell, published 
by O'Reilly.


affora deeb wrote:

Hi FreeRADIUS users,
I asked you before if anyone can help me and send the configuration or 
steps of configuration of FreeRADIUS over Linux,

and really I'll appreciate you.
Thanks



--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: doubt in Radius and openser for accounting...

2006-08-19 Thread James Wakefield

raviprakash sunkara wrote:

radacctID | AcctSessionID | AcctuniqueID | UserName | AcctStartTime | AcctStopTime | calledID | callingID
----------+---------------+--------------+----------+---------------+--------------+----------+----------
1         | 12h34yy       | 2334juuw45   | Uac1     | 13:10:00      | 00:00:00     | Uac2     | uac1
2         | 12h34yy       | ko34ji899    | Uac2     | 13:11:11      | 13:11:11     | Uac1     | Uac2



In accounting with openser + radius it should insert only one insert 
for every call made.


FreeRADIUS with SQL accounting will insert a row for each session when 
accounting starts, then update that row when accounting stops.  I'd 
guess that the session with an AcctStopTime of all zeros that you posted 
hasn't actually stopped yet.  Look at the schema, I'm pretty sure all 
zeros is the default value for that column.


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
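Both of James's points in this thread and in the "Duplicate requests in a session" thread above (a row is inserted on accounting Start and updated on Stop, and a missing primary key lets retransmitted Starts pile up) can be seen in one place with an added example of my own, not code from the list or from FreeRADIUS. It runs the same four constructed packets (a Start retransmitted three times over a bad link, then one Stop) through a small in-memory SQLite stand-in for radacct, once without and once with a UNIQUE constraint on acctuniqueid, and mirrors Santiago's design with a trigger that debits the user's credit whenever a session row is stopped. The table layout, trigger and packet fields are my assumptions for the demonstration; the real FreeRADIUS accounting queries match Stop records on their own set of columns.

```python
"""Added example: why a uniqueness constraint on radacct stops duplicate Start
records from debiting a user's credit more than once.  The schema, trigger and
packets are constructed for the demonstration, not the FreeRADIUS schema."""
import sqlite3
from typing import Dict, List


def open_db(enforce_unique: bool) -> sqlite3.Connection:
    """In-memory stand-in for radacct plus a credit table.

    The only difference between the two runs is the UNIQUE constraint on
    acctuniqueid; the trigger mirrors the poster's design of debiting credit
    from inside the database whenever a session row is stopped."""
    unique = "UNIQUE" if enforce_unique else ""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE radacct (
            radacctid       INTEGER PRIMARY KEY AUTOINCREMENT,
            acctsessionid   TEXT NOT NULL,
            acctuniqueid    TEXT NOT NULL {unique},
            username        TEXT NOT NULL,
            acctstarttime   TEXT,
            acctstoptime    TEXT,
            acctsessiontime INTEGER
        );
        CREATE TABLE credit (username TEXT PRIMARY KEY, seconds INTEGER NOT NULL);
        CREATE TRIGGER debit_on_stop AFTER UPDATE OF acctstoptime ON radacct
        WHEN NEW.acctstoptime IS NOT NULL
        BEGIN
            UPDATE credit SET seconds = seconds - NEW.acctsessiontime
            WHERE username = NEW.username;
        END;
    """)
    return db


def handle_accounting(db: sqlite3.Connection, pkt: Dict[str, str]) -> str:
    """Apply one Accounting-Request the way an insert-on-Start /
    update-on-Stop setup does.  Returns a short tag saying what happened."""
    status = pkt["Acct-Status-Type"]
    uid = pkt["Acct-Unique-Session-Id"]
    if status == "Start":
        try:
            with db:  # commits on success, rolls back on error
                db.execute(
                    "INSERT INTO radacct (acctsessionid, acctuniqueid, username, acctstarttime)"
                    " VALUES (?, ?, ?, ?)",
                    (pkt["Acct-Session-Id"], uid, pkt["User-Name"], pkt["Timestamp"]),
                )
            return "inserted"
        except sqlite3.IntegrityError:
            # A retransmitted Start carries the same unique id: the row is
            # already there, so the constraint refuses a second copy.
            return "duplicate"
    if status == "Stop":
        with db:
            cur = db.execute(
                "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ?"
                " WHERE acctuniqueid = ? AND acctstoptime IS NULL",
                (pkt["Timestamp"], int(pkt["Acct-Session-Time"]), uid),
            )
        return f"updated {cur.rowcount}"   # every matched row fires the debit trigger
    raise ValueError(f"unsupported Acct-Status-Type {status!r}")


# Constructed packets: the NAS retransmits Start three times, then sends Stop.
START = {"Acct-Status-Type": "Start", "Acct-Session-Id": "12h34yy",
         "Acct-Unique-Session-Id": "2334juuw45", "User-Name": "santiago",
         "Timestamp": "13:10:00"}
STOP = {"Acct-Status-Type": "Stop", "Acct-Session-Id": "12h34yy",
        "Acct-Unique-Session-Id": "2334juuw45", "User-Name": "santiago",
        "Timestamp": "13:20:00", "Acct-Session-Time": "600"}
PACKETS = [START, START, START, STOP]


def replay(enforce_unique: bool, packets: List[Dict[str, str]] = PACKETS) -> Dict[str, object]:
    """Replay the packets against a fresh database and report the outcome."""
    db = open_db(enforce_unique)
    db.execute("INSERT INTO credit VALUES ('santiago', 3600)")
    db.commit()
    results = [handle_accounting(db, p) for p in packets]
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    left = db.execute("SELECT seconds FROM credit WHERE username = 'santiago'").fetchone()[0]
    return {"results": results, "rows": rows, "credit_left": left}


if __name__ == "__main__":
    print("no constraint:        ", replay(False))
    print("UNIQUE(acctuniqueid): ", replay(True))
```

Without the constraint the three Starts become three rows, the single Stop closes all three, and the trigger takes 600 seconds off the account three times; with it the second and third Starts are rejected, exactly one row is closed, and the credit is debited once. Which column (or combination of columns) carries the constraint is a schema decision for the DBMS in use, which is the question James puts back to Santiago.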


Re: help on this issue

2006-08-19 Thread James Wakefield

Elie Hani wrote:

Hi James;

The folder db.ippool does not exist in /etc/raddb.
And I can't locate it using "locate db.ippool" in the root directory.

Thanks


Can you post your radiusd.conf?

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: help on this issue

2006-08-19 Thread James Wakefield

Elie Hani wrote:



Rlm_ippool: Failed to open file /etc/raddb/db.ippool/db.ippool: 
permission denied




Hi Elie,

What does ls -l /etc/raddb/db.ippool/db.ippool say?

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Cisco-AVPair SQL accounting (attr. not duplicated)

2005-12-14 Thread James Wakefield (Sunet Sysadmin)

G'day,

Sorry if this has been covered already, as I imagine it's a common 
issue, but I haven't been able to rustle any working answers up after a 
long time googling and grepping $FR/src.


I've got an AS5300 that sends a few attributes, with accounting stop, 
encapsulated in Cisco-AVPair eg: Cisco-AVPair = "nas-tx-speed=53300" and 
the VSA hack doesn't appear to let me refer to that value in my SQL 
statements with either the %{nas-tx-speed} or %{Cisco-AVPair[index]} 
syntaxes I've seen suggested for Cisco VSAs in various places.  rlm_sql 
complains of an unknown xlat function or non-existent attribute.


Has anyone managed to do this?  If so, what is the correct syntax to use 
these in SQL accounting statements?


Cheers,

--
James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.



Re: Walled Garden for Users Without Realms.

2005-09-19 Thread James Wakefield (Sunet Sysadmin)

Hi Alexander,

BIND can do it; we use version 8.4.6 on that particular server. Here are 
the relevant parts from named.conf. You don't have to use views if the 
box doesn't serve any other zones, but if so, do as below:


---

view "old_dial_walled_garden" {
    match-clients { xxx.yyy.zzz.64/26; xxx.yyy.zzz.128/25; };
    zone "." in {
        type master;
        file "db.walled_garden_root";
    };
};

view "default" {
    match-clients { any; };

    // all of your normal zones go here
};

---

The wildcard zone file, db.walled_garden_root:

---

; BIND db file for the root zone that walled garden users will see

$TTL 60

@       IN      SOA     server. dnsadmin.sunet.com.au. (
                        2005072501      ; serial number YYMMDDNN
                        60              ; Refresh
                        60              ; Retry
                        60              ; Expire
                        60              ; Min TTL
                        )

; Authoritative Nameservers [NS]
        NS      walled-garden-server-hostname
        IN      A       aaa.bbb.ccc.ddd

*       IN      A       aaa.bbb.ccc.ddd

---

Hope that helped,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.



Alexander C. Fossa wrote:


Hi James,

Exactly what I have been trying to do for about 6 months, but keep
getting distracted by doing something else.

What software do you use for the wildcard DNS? Any example configs?

Regards,

Alexander Fossa

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
McCain, Al
Sent: 19 September 2005 14:26
To: FreeRadius users mailing list
Subject: RE: Walled Garden for Users Without Realms.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
James Wakefield (Sunet Sysadmin)
Sent: Sunday, September 18, 2005 6:27 PM
To: FreeRadius users mailing list
Subject: Re: Walled Garden for Users Without Realms.

G'day Al,

We're doing the same thing here changing a dial-up number and migrating
off of the NASes that serve that number. My approach is:

* Match customers who need to be placed in the walled garden, this is
easy enough for our situation, as they're in the huntgroup comprised of
the old NASes. I could also match Called-Station-Id if I wanted.

* Send specific attributes for those users, giving them a short session
timeout (say 5, 10 minutes) which, if they fail to see or heed our
message, will motivate them to call helpdesk and get sorted out, and
also setting their primary DNS server to one which resolves every
hostname to one of your IP addresses using a wildcard zone or some such.

If this DNS server is already providing other services, you'll want to
use a view for walled garden users, which you may need to facilitate by
putting them into a specific subnet. What attributes you use, exactly,
will depend on your NAS gear.

* On that IP address that you're resolving * to, is a webserver which
displays the message you wish the walled garden users to read. If this
webserver already serves other pages, you'll need to do some URL
rewriting to send them to the appropriate page eg: using Apache's
mod_rewrite. This way, any request for a web page will display your
message.

Personally, I find the easiest approach is to just dust off a box that's
not being used and put the wildcard DNS and webserver on it - it's only
got a couple of very simple functions to perform and it's not a critical
service.

You may also want to consider applying packet filtering to walled garden
users as they'll still be able to reach the entire Internet by IP
address, though the session timeouts make that only a moderate concern
in our situation.

You could also do a similar thing with email by setting up a mailserver
on the wildcarded IP and bouncing everything with your walled garden
message. Personally, I think sending your customers an email and then
putting in the web-based walled garden is enough.

Cheers,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street, Geelong West.



McCain, Al wrote:

 


Hi.

I was wondering if there was a way to place users in a Walled Garden if
they try to Auth without a Realm.
We are currently running FreeRADIUS Version 0.9.3. Our users are stored
in MySQL.

Company:
I work for an ISP. We seem to acquire new properties every few months. 

Current structure : 

We have multiple instances of RADIUS running: one for each domain. (I 
have NO clue who set it up this way).


I would like to consolidate these instances into one, and force our 
users to use realms.


Problem:

We can't just force the customers to use realms. We would need to 
notify them of the changes. (This can prove tricky).


What I would like to see:

Aside from contacting the customer a

Re: Walled Garden for Users Without Realms.

2005-09-18 Thread James Wakefield (Sunet Sysadmin)

G'day Al,

We're doing the same thing here changing a dial-up number and migrating 
off of the NASes that serve that number. My approach is:


* Match customers who need to be placed in the walled garden, this is 
easy enough for our situation, as they're in the huntgroup comprised of 
the old NASes. I could also match Called-Station-Id if I wanted.


* Send specific attributes for those users, giving them a short session 
timeout (say 5, 10 minutes) which, if they fail to see or heed our 
message, will motivate them to call helpdesk and get sorted out, and 
also setting their primary DNS server to one which resolves every 
hostname to one of your IP addresses using a wildcard zone or some such. 
If this DNS server is already providing other services, you'll want to 
use a view for walled garden users, which you may need to facilitate by 
putting them into a specific subnet. What attributes you use, exactly, 
will depend on your NAS gear.


* On that IP address that you're resolving * to, is a webserver which 
displays the message you wish the walled garden users to read. If this 
webserver already serves other pages, you'll need to do some URL 
rewriting to send them to the appropriate page eg: using Apache's 
mod_rewrite. This way, any request for a web page will display your message.


Personally, I find the easiest approach is to just dust off a box that's 
not being used and put the wildcard DNS and webserver on it - it's only 
got a couple of very simple functions to perform and it's not a critical 
service.


You may also want to consider applying packet filtering to walled garden 
users as they'll still be able to reach the entire Internet by IP 
address, though the session timeouts make that only a moderate concern 
in our situation.


You could also do a similar thing with email by setting up a mailserver 
on the wildcarded IP and bouncing everything with your walled garden 
message. Personally, I think sending your customers an email and then 
putting in the web-based walled garden is enough.


Cheers,

James Wakefield
Systems Administrator
+61 03 5227 6888

We have now moved head office to 8-12 Pakington Street,
Geelong West.



McCain, Al wrote:


Hi.

I was wondering if there was a way to place users in a Walled Garden if
they try to Auth without a Realm.
We are currently running FreeRADIUS Version 0.9.3. Our users are stored
in MySQL.  


Company:
I work for an ISP. We seem to acquire new properties every few months. 

Current structure : 


We have multiple instances of RADIUS running: one for each domain. (I
have NO clue who set it up this way).

I would like to consolidate these instances into one, and force our users
to use realms. 


Problem:

We can't just force the customers to use realms. We would need to notify
them of the changes. (This can prove tricky).

What I would like to see:

Aside from contacting the customer about changes, I would like to send
the users to a web page after they log in without a realm. The page
would tell them that they need to log in with realms.  I believe this is
called hURL'ing, however I cannot seem to find any documentation. 

Has anyone ever done this, or know if it can be done ? 

Any help is greatly appreciated. 


Thanks,
Al
