RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread Jeff Crowe

 I now want to assign a few users different, static IPs using this:

 testuser Service-Type == Framed-User
  Framed-Protocol == PPP,
  Framed-IP-Address = 192.168.1.2,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Compression = Van-Jacobson-TCP-IP

 This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
 even though the NAS had no pool using that IP range in its config...radius
 just forced it to override the default pool, but in this case, it just
 keeps assigning an IP from the NAS pool (and yes, I have the above
 statement ABOVE the DEFAULT statement).


 Is Framed-IP-Address in the Access-Accept packet? You should probably
 return Service-Type as well. If attribute is not in the accept packet
 post the debug.

It appears to be.  From debug, after Login OK:

+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 195 with timestamp +79
Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, 
which is from the pool defined in the Cisco router's config.  It seems to 
be overriding the radius users' config.

--

Hi James

I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet, so I had to set up 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.

Cheers,
Jeff,





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Restricting dialup users to certain client definitions only

2008-12-19 Thread Jeff Crowe
Hi Todd,

I am using FR & MySQL and have the following in my radgroupcheck table to
limit my dialup customers from connecting to my dsl aggregators.  I have
created different Groups (dialup & dsl for simplicity).  In the dialup group
I have a rule that reads:

ID: xxx
GroupName: dialup
Attribute: NAS-IP-Address
OP: !~
Value: (xxx.xxx.xxx.4|xxx.xxx.xxx.2)

This prevents any user in FR with a group of dialup from connecting to a NAS
device with an IP of xxx.xxx.xxx.4 or .2

Hope this gives you an idea on where to limit your customers.

Cheers,
Jeff.


-Original Message-
From: freeradius-users-bounces+listacct=genhex@lists.freeradius.org
[mailto:freeradius-users-bounces+listacct=genhex@lists.freeradius.org]
On Behalf Of Paul Bartell
Sent: Friday, December 19, 2008 1:26 PM
To: FreeRadius users mailing list
Subject: Re: Restricting dialup users to certain client definitions only

You would use the Calling-Station-ID or Called-Station-ID checks in
the groupcheck table.

On Fri, Dec 19, 2008 at 9:48 AM, Todd R. tjrl...@lightwavetech.com wrote:
 In a nutshell here is what I need to do, the long story is after the short
 version if you are interested.

 Short version##

 I want to restrict dialup users or a group of dialup users living within my
 MySQL tables to certain clients or list of clients.

 So when a user who is only allowed access when coming from clients 1 and 2
 dials in and the request comes from client 3 he is denied access.

 I already do this with the crappy Windows based radius solution we have been
 stuck on for years, surely I can accomplish the same with FR.

 Any help in a language which a total FR novice can understand would be
 appreciated.

 ##end short version

 Long Version###

 I have read the docs, the archives, the readmes, the examples etc.

 So far, I can't get a good handle on how to accomplish the following so I am
 again asking for some guidance from the list.

 Here is my situation and what I need to accomplish, any help in getting this
 done would be most appreciated. I don't mind doing the footwork, research
 etc. to build a solution that will work but please keep in mind that I am a
 total FR Newb and need this in dufus language :)

 For the last 8 years or so we have been using a dreaded windows based Radius
 solution that we just couldn't get away from due to how much code we have
 written around this horrible solution. Finally, it's time to just do it and
 deal with the pain.

 What we have right now is several dialup wholesale
 networks/carriers/aggregators who proxy the radius request to us, we then
 decide to accept or deny the dialup user based on many things but of course
 username/pass etc.. One of the things we use to determine if they get access
 or not is which client they came from meaning which of our wholesale dialup
 network's radius server (client) sent us the request.

 So, in short I need to accomplish the same thing on FR.

 Let's say I have 5 clients, their short names and IPs configured in my FR
 clients file.

 I need to somehow decide within FR when the request comes in from client #1
 that this user (in Mysql table) is allowed to have access to that dialup
 network.

 So:

 Joeuser from client1 = OK (allow user)
 Joeuser from client2 = Not OK (deny user)

 I am guessing I should do something with groups within the SQL tables such
 as assign joeuser to dialgroup1 which is then somehow allowed from client1
 or for that fact clients 1, 3 and 5 but not allowed to client2.

 I researched huntgroups but can't find much documentation on that, not sure
 if that's where I need to go or??

 Regards,
 Todd R.






-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

At school you don't get parole, good behavior only brings a longer
sentence. - The History Boys
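
An added example, not part of the original post and not FreeRADIUS code: a small Python model of the `!~` group check on NAS-IP-Address described in the reply above, run against constructed NAS addresses (192.0.2.x stands in for the masked xxx.xxx.xxx.N). It assumes the regex is searched unanchored and compares the post's pattern shape with an anchored, dot-escaped form; the function names and the missing-attribute behaviour are assumptions of the model.

```python
import re

# Constructed stand-ins: the post masks its addresses as xxx.xxx.xxx.N, so the
# documentation range 192.0.2.0/24 plays the DSL aggregators (.4 and .2).
LOOSE = r"(192.0.2.4|192.0.2.2)"            # same shape as the Value in the post
STRICT = r"^(192\.0\.2\.4|192\.0\.2\.2)$"   # anchored, dots escaped

# Constructed NAS addresses for incoming requests.
SAMPLE_NAS = ["192.0.2.4", "192.0.2.2", "192.0.2.40", "192.0.254.7", "198.51.100.9"]


def check_item_passes(op, pattern, value):
    """Evaluate one regex check item; the search is unanchored."""
    if value is None:
        return False  # model assumption: a missing attribute fails the check
    matched = re.search(pattern, value) is not None
    if op == "=~":
        return matched
    if op == "!~":
        return not matched
    raise ValueError(f"operator {op!r} is not modelled here")


def group_allows(group, request, table):
    """True when every check row of the group passes for this request."""
    return all(
        check_item_passes(op, value, request.get(attribute))
        for groupname, attribute, op, value in table
        if groupname == group
    )


def decisions(pattern, op="!~"):
    """Map each sample NAS address to the dialup group's allow/deny result."""
    table = [("dialup", "NAS-IP-Address", op, pattern)]  # radgroupcheck-style row
    return {
        nas: group_allows("dialup", {"NAS-IP-Address": nas}, table)
        for nas in SAMPLE_NAS
    }


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE), ("strict", STRICT)):
        for nas, allowed in decisions(pattern).items():
            print(f"{label:6} {nas:14} {'allow' if allowed else 'deny'}")
```

With `!~` the loose pattern only over-blocks (192.0.2.40 and 192.0.254.7 are denied along with the two intended addresses); the same pattern used with `=~` as an allow rule would over-permit instead.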


RE: FreeRADIUS vs Aradial RADIUS

2008-12-15 Thread Jeff Crowe
Hi Aldo,

Posting this type of question to a support mailing list will generally
result in some sort of all out war on why X and Y are different and why Y is
better than X to do the same thing.

A solution that involves radius will come with certain business model
decisions that need to be considered.  Along with most paid products from
vendor X there is a certain expectation of support to the consumer for
questions that can be found in the help files.  Vendor X knows that they
will need to house support staff to answer these questions and bury that
cost in the upfront cost of the yearly maintenance fee at %x per year.  You
will get many promises and guarantees that will give you recourse if the
solution does not meet your expectations or requirements (as long as it was
agreed that product X will do what you ask).

Products like FreeRadius are designed for companies and/or individuals that
know the specific needs and requirements of their business model and how
open source products fill that need.  Companies that implement this type of
solution will have individuals (usually) that have experience running open
source software solutions and the difficulties that presented.  Here too is
a cost to the company, but it is a softer cost as they will most likely not
need to hire a new administrator but leverage the existing skills present
within their organization (such as the individuals on this list).

The best course of action would be to determine your business needs from
product X, the level of comfort you are looking for from a vendor/oss
solution and a realistic determination of the in house skill at running
product X.  Once you have these criteria determined you can make an educated
business decision on product X and why you would choose a specific
vendor/producer of this product.  That vendor/producer will be able to
support you through the life cycle of the product and your satisfaction
level will be met.

Just my two cents...

Jeff.

---

Hello guys, I am a little bit scared how hard it can be to deploy
FreeRADIUS. I found this on the internet: (aradial.com) these guys claim to
have a very convenient and professional AAA server with a convenient price.
Does anybody here have experience with that aradial radius server? What
would be the Pros and Cons of purchasing it instead of having the FreeRADIUS
one?

Thanks again.



postauth sql logging

2008-08-06 Thread Jeff Crowe
Hi all,

I have just recently migrated from 1.1.7 to 2.0.5.  In 1.1.7 I had the
postauth sql logging turned on to log successful and failed auth attempts.
I am not able to find where I would add it in 2.0.5 to enable this feature.  I
see the sql statement in the dialup.conf config file but I am unsure on how
to invoke the sql query.

Any pointers would be great.

Thanks,
Jeff.





realm question

2008-07-24 Thread Jeff Crowe
Hi there,

I have a question about prefix realms and stripping them.  I have a provider
that allows roaming dialup for our customers. They require the username to
be in a format of idm/something/username.  I get the whole
idm/something/username delivered to me as the authentication.  

I have tried using the IPASS prefix to remove the idm/something, but it just
returns the realm of idm and I am still left with stripped-user-name of
something/username, I have also tried just adding a realm of idm/something
to the proxy.conf and it didn't work.  I am currently running freeradius
2.0.5 with a SQL (mysql) back end.

Can I strip the idm/something/ somehow?  


Thanks,
Jeff.






Realm question

2007-08-20 Thread Jeff Crowe
Hi all,

Sorry if this question has been answered (I did search the archives and
google to no avail):  I have subscribers that connect with 2 realms as the
prefix.  How do I strip both and just authenticate locally?

IE: username: realm1/realm2/username  or realm1/realm3/username.  Realm1
will always be present followed by either realm2 or realm3 (no others).

Thanks,

Jeff



RE: Configuration issue - unknown client

2007-08-14 Thread Jeff Crowe
 

 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Dan O'Reilly
 Sent: August 13, 2007 6:58 PM
 To: FreeRadius users mailing list
 Cc: FreeRadius users mailing list
 Subject: Re: Configuration issue - unknown client
 
 My /etc/raddb/clients.conf:
 
 client 192.168.0.11 {
   secret = foobar
 }
 
 Here's the output from radiusd -X:
 
 danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /usr/local/etc/raddb/proxy.conf
 Config:   including file: /usr/local/etc/raddb/clients.conf
 Config:   including file: /usr/local/etc/raddb/snmp.conf
 Config:   including file: /usr/local/etc/raddb/eap.conf
 Config:   including file: /usr/local/etc/raddb/sql.conf


Have you tried moving your config files to /usr/local/etc/raddb/ as that
is where freeradius is looking for them, not in /etc/raddb/*?

Jeff.
