Re: Freeradius and MySQL

2004-11-28 Thread Keith Yoder
Stefan wrote:
All,
I've successfully set up my freeradius to lookup the users in MySql.
I've two questions:
1. Is it possible to configure the RADIUS Clients in MySql too?
 

There is a nas table in the db schema now but I don't know how it works.
2. would it be possible to write specific RADIUS Attributes into the
accounting db? In some cases, I will get VSAs, which I have to keep for some
days. In the text file accounting, I can find them.
 

You can modify the standard accounting table and queries (in the 
sql.conf file) to include any attribute your nas returns in the 
accounting requests.

Hope that helps,
Keith Yoder
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MYSQL Accounting Table Size?

2004-10-04 Thread Keith Yoder
cris boisvert wrote:
My Mysql database is about 50 megs right now.. because of the accounting
table.
How large do most people let it get before rolling it?
 

My radacct table is over 500 MB / 1.3 million records right now.  For 
now I'm just letting it grow.  Make sure you have plenty of RAM though.  
If not, the database will become slow to query / insert and radius will 
stop dropping packets.

Keith Yoder


Re: MYSQL Accounting Table Size?

2004-10-04 Thread Keith Yoder
cris boisvert wrote:
I got 4 gigs of ram.. I hope it's enough..
 

I've only got 1 so you should be fine.


Re: Expiration module

2004-09-22 Thread Keith Yoder
Van Deuren Joris wrote:
Hi,
Who can tell me in a few lines what the function of the expiration 
module is?
How does it work?

I'm not sure if there is a module or not but I use the Expiration 
attribute to automatically expire logins at a certain time (or date).

For example, you can use Expiration := 23 Sep 2004 and the user will 
no longer be able to connect at 00:00 (midnight) on September 23rd, 
2004.  If you want a certain time (other than midnight) you can do 
this:  Expiration := 23 Sep 2004 12:00.  Someone might want to correct 
my syntax here??  The nas will receive a Session-Timeout attribute 
calculated to kick the user off when the Expiration time occurs.

Hope that helps,
Keith Yoder


Re: Not authenticating only bad guys

2004-09-13 Thread Keith Yoder
Mike Markowski wrote:
For a very open wireless network, we'd like to allow everyone
to connect unless we know the MAC is a bad guy.  That is, if
the MAC address is *in* the postgres db, don't authenticate.  If
it's not in the db, authenticate.
Can anyone think of a way to do this, or will I need to
tweak the code?
 

It depends on how your AP sends the MAC address to the radius server.  
In our case it's in the CallingStationId attribute.  In the users file 
you can do this:

DEFAULT Calling-Station-Id == 00:00:00:00:00:00, Auth-Type := Reject
DEFAULT Auth-Type := Accept
You can also do this with SQL tables but you have to modify the default 
queries.

Hope that helps.
Keith


Re: please assist in time limit

2004-09-03 Thread Keith Yoder
Edgars wrote:
ok, will it also work in such a case: at 16.59 a user is still logged in 
and browsing the internet with full power. Will what you described 
stop his nice browsing at 17?

this is the second type of time counter I want to make :)
There is a much easier solution:  The Login-Time attribute.  You can set 
a record in your db like this:  Login-Time := Al0900-1700 and your 
user will be authenticated from 9:00 - 17:00 and as long as your nas 
supports the Session-Timeout attribute (almost all should) he will be 
disconnected at 17:00.

Hope that helps,
Keith Yoder


Re: Rejecting CallingStationId

2004-09-01 Thread Keith Yoder
[EMAIL PROTECTED] wrote:
Could I ban or reject a specific CallingStationID? The only examples I've seen are on a 
specific user or group of users, in the file /etc/users

 

...
and I think it worked just fine. The question now is, could I have these Called and 
Calling station ids in a sql table, so my script for blocking/banning Called or Calling 
would be in a sql table and I would not have to restart radius each time I add a new rule to the users file

 

I changed the default SQL queries to do this.  I'll try to explain how 
(using MySQL).

First I created a table to store the bad CallingStationIDs.
CREATE TABLE `bad_callingstationids` (
 `CALLINGSTATIONID` varchar(18) NOT NULL default '',
 `OBSERVATION` varchar(100) NOT NULL default '',
 PRIMARY KEY  (`CALLINGSTATIONID`)
)
Then I changed the authorize_check_query in the sql.conf file to this:
SELECT id,UserName,Attribute,Value,op
FROM ${authcheck_table} LEFT JOIN bad_callingstationids ON 
'%{Calling-Station-Id}' = bad_callingstationids.CALLINGSTATIONID
WHERE Username = '%{SQL-User-Name}' AND 
bad_callingstationids.CALLINGSTATIONID IS NULL ORDER BY id

Hope that's understandable,
Keith Yoder

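The bad_callingstationids lookup from the post above, re-run on SQLite as an added example (constructed rows; not code from the thread or from FreeRADIUS): the LEFT JOIN / IS NULL pattern hands back the user's check items for an unlisted station and nothing at all for a listed one, which is what makes the user look unknown and get rejected. FreeRADIUS expands ${authcheck_table}, %{SQL-User-Name} and %{Calling-Station-Id} itself; here the table name is written out and the two values are bound parameters. The same approach is the SQL variant of the earlier "Not authenticating only bad guys" answer.

```python
"""The bad_callingstationids lookup from the thread, reproduced on SQLite.
Constructed example: the rows are made up, and it is neither FreeRADIUS code
nor the poster's.  FreeRADIUS expands ${authcheck_table},
%{SQL-User-Name} and %{Calling-Station-Id} itself before the query runs;
here the table name is written out and the two values are bound parameters."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY,
    UserName TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op TEXT NOT NULL,
    Value TEXT NOT NULL
);
CREATE TABLE bad_callingstationids (
    CALLINGSTATIONID VARCHAR(18) NOT NULL PRIMARY KEY,
    OBSERVATION VARCHAR(100) NOT NULL DEFAULT ''
);
"""

# Same shape as the thread's authorize_check_query: the LEFT JOIN only finds a
# row when the caller's station id is listed, and the IS NULL test then drops
# every check item, so the user looks unknown to rlm_sql.
AUTHORIZE_CHECK_QUERY = """
SELECT id, UserName, Attribute, Value, op
FROM radcheck LEFT JOIN bad_callingstationids
    ON ? = bad_callingstationids.CALLINGSTATIONID
WHERE UserName = ? AND bad_callingstationids.CALLINGSTATIONID IS NULL
ORDER BY id
"""


def build_db():
    """In-memory database with one user and one listed station (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [("alice", "User-Password", "==", "constructed-secret"),
         ("alice", "Simultaneous-Use", ":=", "1")])
    db.execute("INSERT INTO bad_callingstationids VALUES (?, ?)",
               ("00-0C-29-AA-BB-CC", "constructed: abusive client"))
    return db


def check_items(db, user_name, calling_station_id):
    """Check-item rows the query hands back for one Access-Request.

    An empty list means the user either does not exist or is calling from a
    listed station; with sql as the only authorize source both end in a reject."""
    return db.execute(AUTHORIZE_CHECK_QUERY, (calling_station_id, user_name)).fetchall()


def decide(db, user_name, calling_station_id):
    """'check' when rlm_sql found check items to evaluate, else 'reject'."""
    return "check" if check_items(db, user_name, calling_station_id) else "reject"
```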

Re: raddb/users, having OR conditions

2004-08-25 Thread Keith Yoder

I'm sorry if this is a basic question here.  I just set up freeradius,
using it to authenticate to network devices (instead of local auth).  I got
it up almost fine.  In my raddb/users file, I have the following:

test	Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id == 10.19.5.1
	Service-Type = Login,
	Cisco-AVPair = "shell:priv-lvl=15"

I understand that in the first line I can set up conditions, separated
by commas, which all have to be true to permit login.  How can I set up
an OR condition?  I'm thinking about letting more IPs in via radius,
not only allowing login from ip 10.19.5.1.
   

You can use regular expressions.  The =~ operator indicates this.  For 
example:

test	Auth-Type := Local, User-Password == "test", Simultaneous-Use := 10, Calling-Station-Id =~ "^(10\.19\.5\.1|10\.19\.5\.2)$"
	Service-Type = Login,
	Cisco-AVPair = "shell:priv-lvl=15"

Hope that helps,
Keith Yoder

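The =~ check from the post above, as an added example that is not from the thread: Python's re.search stands in for the users-file regex match, which is assumed here to be an unanchored match (the pattern only has to occur somewhere in the attribute value unless ^ and $ pin it down), so a pattern with bare dots and no anchors such as (10.19.5.1|10.19.5.2) admits more Calling-Station-Id values than the two intended.

```python
"""Constructed illustration (not from the thread, not FreeRADIUS code) of
what a users-file check such as
    Calling-Station-Id =~ (10.19.5.1|10.19.5.2)
lets through.  re.search stands in for the server's regex check, assumed
here to be an unanchored match: the pattern only has to occur somewhere in
the attribute value unless ^ and $ pin it down."""
import re

# Loose form: '.' matches any character and nothing anchors the pattern to
# the whole value.
LOOSE_PATTERN = r"(10.19.5.1|10.19.5.2)"
# Dots escaped and the whole value anchored, so only the two addresses match.
STRICT_PATTERN = r"^(10\.19\.5\.1|10\.19\.5\.2)$"

# Constructed Calling-Station-Id values as a network device might report them.
SAMPLE_STATIONS = [
    "10.19.5.1",     # intended
    "10.19.5.2",     # intended
    "10.19.5.10",    # contains "10.19.5.1"
    "10.19.5.21",    # contains "10.19.5.2"
    "110.19.5.1",    # contains "10.19.5.1"
    "10x19y5z1",     # '.' is a wildcard in the loose form
    "10.19.5.3",     # should not match under either pattern
]


def admitted_stations(pattern, stations=SAMPLE_STATIONS):
    """Return the station ids the given =~ pattern would accept."""
    return [s for s in stations if re.search(pattern, s)]
```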

Re: Time-session limits and Time-of-day restrictions.

2004-06-23 Thread Keith Yoder


 I was reading on the Mailing List about a new (at least for me) attribute
 'login-time'. Is this a standard? It is not shown in RFC2865 as a
 standard radius attribute. Is it supported by a new RFC?

 Moreover, I am implementing a web-based admin tool for freeradius, a
 specific solution for an Ecuadorian ISP, and I need support for:

 1. Time-session limits.
 2. Time-of-day login restrictions depending on the customer.

 What solutions can you recommend?


Login-Time is an attribute that the server uses to decide if the user gets
rejected or not.  It will work with any nas.

By time-session limits, do you mean that a user will be disconnected after x
time?  If so, you can use the Session-Timeout attribute.  In this case the
nas has to support it but I would imagine that almost all do.

Hope that helps,
Keith Yoder




Re: Is it possible to use the MAC as the key

2004-06-22 Thread Keith Yoder

I was wondering if it is possible to tell Freeradius to use the MAC
addr. as a validating key?
I would like to store all my clients' MAC addr. in a db, and use it as a
backend for Freeradius; then when the client starts, the AP sends the
client's MAC addr. to Freeradius and the MAC addr. is used as a token for
validating.

Yes this is possible.  You just need to find out where (what attribute) the
AP puts the MAC in the request.  It might be in Calling-Station-Id.  Then
you can treat it just like a password.

Keith Yoder




Re: post-auth

2004-06-14 Thread Keith Yoder
Andrea Gabellini wrote:
Hi,
I'm using the post-auth section to log user's attempt. Is it possible, 
in case of REJECT, to log the full description of the rejection 
instead of the useless 'Access-Reject' string?

I added a message field to the table and use the following query:
INSERT into ${postauth_table} (id, user, pass, reply, message, date, 
callingstationid) values ('', '%{User-Name}', '%{User-Password}', 
'%{reply:Packet-Type}', REPLACE(REPLACE('%{reply:Reply-Message}', 
'\r', ''), '\n', ''), NOW(), '%{Calling-Station-Id}')

Hope that helps,
Keith Yoder


Re: User ID Password

2004-06-05 Thread Keith Yoder

vpopmail is used to add UID  PW and the data is stored in vpopmail DB in
MySQL. Now freeRADIUS also uses UID  PW to authenticate and has its own
data structure. I like to know if there is a way so that user data is stored
in one table in MySQL so vpopmail and freeRADIUS can access the same
information??
 

With vpopmail you can't change the db schema or queries but you CAN with 
Freeradius.  I would suggest altering the Freeradius queries in sql.conf 
to pull data from the vpopmail table.

Hope that helps,
Keith Yoder


Re: Calculating Remaining Time for Session-Timeout

2004-06-01 Thread Keith Yoder
Rick,
You'll want to use the rlm_sqlcounter module.  You can set a 
Max-All-Session = 36000 to limit a user to 10 hours of total access for 
example.  FreeRadius will calculate how much time was used and set the 
Session-Timeout attribute automatically.

Hope that helps,
Keith Yoder
Rick Smith wrote:
OK, I have several Mikrotik based hotspots out there.  They auth users
via RADIUS.  I'm now running FreeRadius 1.0.0.
I right now can auth users on them via FreeRadius - works great - and
I'm using MySQL which is even better.
Only problem is, right now they all get non-expiring sessions when they
paid for half-hour increments :)
Mikrotik expects Session-Timeout back as a clue on when to kick the
user to pay for more time.
How do I tell FreeRadius that User x bought 15 minutes on a hotspot,
and tell Mikrotik to kick him when his time's up ?
I understand about putting the Session-Timeout value in the radcheck
table - that works.   Just need to figure out how to update that
Session-Timeout value every time the user logs in and out 
Thanks,
Rick 



Re: Calculating Remaining Time for Session-Timeout

2004-06-01 Thread Keith Yoder
Rick Smith wrote:
I know the rlm_sqlcounter module is there.
I just need to find an example on how to set up FreeRadius to use it.
 

/doc/rlm_sqlcounter tells you everything you need to know.
Keith Yoder


Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Keith Yoder

DEFAULT	Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
	Fall-Through = Yes

I believe you want a Login-Time attribute like this: Al2000-0500 for 
all days of the week between 20:00 and 5:00.

Hope that helps,
Keith Yoder


Re: Ldap-Group, Login-Time not working?

2004-05-31 Thread Keith Yoder
Gavin White wrote:
DEFAULT	Ldap-Group == sundayonly, Login-Time = 2000-0500, Auth-Type := LDAP
	Fall-Through = Yes

Okay, looking at this more closely I think you need to use the := 
operator because this is a check item.

Try Login-Time := Al2000-0500
Keith Yoder


Re: Login-Time attribute

2004-05-22 Thread Keith Yoder
Alan DeKok wrote:
Keith Yoder [EMAIL PROTECTED] wrote:
 

It seems as if Freeradius only recognizes the first Wk setting.  The 
user can login from 7:30 - 8:30 but not from 15:30 - 18:30.  Is this 
expected behaviour (only one time setting per day)?  If not, how can I 
set up this limit?
   

 It should work.  If it doesn't, I would suggest going through the
code with a debugger, to see what's going on.
 Alan DeKok.
 

Okay, I went digging through the code and found the solution.  There are 
two operators, ',' and '|', that can separate Day definitions.  If I use 
a comma, Freeradius ignores the second day definition.  Using a '|' 
everything works as expected.  As a reminder:

Wk0730-0830,Wk1530-1830 -- only authenticates between 0730 and 0830 any 
day of the week.
Wk0730-0830|Wk1530-1830 -- authenticates between 0730 and 0830 and from 
1530-1830 which is what I wanted :)

Maybe the /doc/README file should be updated to describe this behavior?
Keith Yoder

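A model of the Login-Time semantics discussed in this post and in the Login-Time posts above it (Al0900-1700 with a disconnect at 17:00, Al2000-0500, and '|' versus ','), added here as an example; it is not FreeRADIUS code, and its comma handling reproduces only what the thread reports, not the server's own parser. Times are plain datetimes in the server's local time, which is an assumption of the model.

```python
"""Model of the Login-Time check discussed in the thread: Al0900-1700,
Al2000-0500 and Wk0730-0830|Wk1530-1830.  Constructed example, not
FreeRADIUS code.  Grammar handled:
    spec  = alt ('|' alt)*
    alt   = days [hhmm '-' hhmm]        (no range = whole day)
    days  = Al | Wk | Su | Mo | Tu | We | Th | Fr | Sa
Anything after a comma inside an alt is dropped, which reproduces the
behaviour the thread reports for "Wk0730-0830,Wk1530-1830"; it is a model
of that report, not a claim about the server's parser."""
from datetime import datetime
import re

MINUTES_PER_DAY = 24 * 60
DAY_TOKENS = {  # Python weekday numbering: Monday = 0 ... Sunday = 6
    "Mo": [0], "Tu": [1], "We": [2], "Th": [3], "Fr": [4], "Sa": [5], "Su": [6],
    "Wk": [0, 1, 2, 3, 4], "Al": [0, 1, 2, 3, 4, 5, 6],
}
ALT_RE = re.compile(r"^([A-Za-z]{2})(?:(\d{4})-(\d{4}))?$")


def _hhmm(text):
    return int(text[:2]) * 60 + int(text[2:])


def build_bitmap(spec):
    """Return a 7 x 1440 table of allowed minutes for a Login-Time value."""
    allowed = [[False] * MINUTES_PER_DAY for _ in range(7)]
    for alt in spec.split("|"):
        alt = alt.split(",")[0].strip()   # text after a comma is ignored (see docstring)
        m = ALT_RE.match(alt)
        if not m or m.group(1) not in DAY_TOKENS:
            raise ValueError("unparseable Login-Time element: %r" % alt)
        start = _hhmm(m.group(2)) if m.group(2) else 0
        end = _hhmm(m.group(3)) if m.group(3) else MINUTES_PER_DAY
        for day in DAY_TOKENS[m.group(1)]:
            if start <= end:
                segments = [(day, start, end)]
            else:  # range crosses midnight, e.g. 2000-0500 spills into the next day
                segments = [(day, start, MINUTES_PER_DAY), ((day + 1) % 7, 0, end)]
            for d, lo, hi in segments:
                for minute in range(lo, hi):
                    allowed[d][minute] = True
    return allowed


def _as_datetime(when):
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S") if isinstance(when, str) else when


def login_allowed(spec, when):
    """True if an Access-Request at `when` passes the Login-Time check."""
    t = _as_datetime(when)
    return build_bitmap(spec)[t.weekday()][t.hour * 60 + t.minute]


def session_timeout(spec, when):
    """Seconds until the allowed window closes, i.e. the Session-Timeout the
    NAS would be sent so the user is disconnected on time; None if rejected."""
    t = _as_datetime(when)
    allowed = build_bitmap(spec)
    day, minute = t.weekday(), t.hour * 60 + t.minute
    if not allowed[day][minute]:
        return None
    elapsed = 0
    while allowed[day][minute] and elapsed < 7 * MINUTES_PER_DAY:
        elapsed += 1
        minute += 1
        if minute == MINUTES_PER_DAY:
            minute, day = 0, (day + 1) % 7
    return elapsed * 60 - t.second


if __name__ == "__main__":
    # 2004-05-19 is a Wednesday; the 16:59 case from the "time limit" post.
    print(session_timeout("Al0900-1700", "2004-05-19 16:59:30"))  # 30
```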

Login-Time attribute

2004-05-18 Thread Keith Yoder
Hello all,
I have a user that is allowed access from 7:30 - 8:30 and from 15:30 - 
18:30 on weekdays.  I have configured the Login-Time attribute like this:

Wk0730-0830,Wk1530-1830
It seems as if Freeradius only recognizes the first Wk setting.  The 
user can login from 7:30 - 8:30 but not from 15:30 - 18:30.  Is this 
expected behaviour (only one time setting per day)?  If not, how can I 
set up this limit?

Thanks,
Keith Yoder


Re: accept Simultaneous-use from specific router

2004-04-27 Thread Keith Yoder

Dear all:

I have a free radius server 0.9.3 running and everything is going well, and
Simultaneous-Use is working fine. I defined Simultaneous-Use to be
1, but I want to be allowed to skip the simultaneous-use check when the radius
request comes from a specific router.
Can I do that?
Is it doable or not? If yes, how can I do it?

Really, if I can do it, it will help me very much.

Thanks for the help.

Yes, that is possible.  How you do it depends on what you're using to store
check and reply attributes.  If you're using the users file it could be done
like this:

DEFAULT Nas-Ip-Address != aaa.bbb.ccc.ddd, Simultaneous-Use := 1
   Fall-Through = 1


Hope that helps,
Keith Yoder




Re: How to specify more than one SQL query in SQL.CONF

2004-04-16 Thread Keith Yoder
[EMAIL PROTECTED] wrote:

Hi All,

I can see accounting_update_query in sql.conf which updates the RADACCT
table for each Accounting-Update packet from the NAS.
My question is, can I specify more than one query here?
I want to decrement SESSION_TIMEOUT in the reply by a minute each time I receive
Accounting update packets.
So is it possible to write:
accounting_update_query = 
(UPDATE ${acct_table1} SET FramedIPAddress = '%{Framed-IP-Address}',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}'
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName =
'%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}';
Update RADREPLY set SESSION_TIMEOUT= SESSION_TIMEOUT-60
)
 

I've tried to write multiple MySQL queries in one Freeradius statement 
and it didn't work for me.  In your case it seems you want to limit 
users' time online (prepaid or something like that).  If that is the case 
it would be much easier for you to use the sqlcounter module to do this 
for you.

Hope that helps,
Keith Yoder


Re: rlm_sqlcounter is not working

2004-04-10 Thread Keith Yoder
[EMAIL PROTECTED] wrote:

sqlcounter monthlycounter {
   counter-name = Monthly-Session-Time
   check-name = Max-Monthly-Session
   sqlmod-inst = sqlcca3
 

Change that last line to:
sqlmod-inst = sql
There was a problem in the example file.  I think it's been fixed in the 
CVS head.  I once did the same thing :)



Re: MySql and freeRadius

2004-03-24 Thread Keith Yoder
John Que wrote:

As I understand , I must install the sources of MySql if I want to use 
rlm_sql in freeRadius
(and not install the rpm for mySql Server and client).
Actually, you can install the -devel rpms and that will allow you to 
compile the rlm_sql_mysql module.  This will make sure all the libraries 
and header files get to the right places.



Re: Duplicate login

2004-03-10 Thread Keith Yoder
Bernie Liwanag wrote:

Thanks for the reply. I found that there are certain users that have a
0000-00-00 00:00:00 value in their AcctStopTime in my SQL database. Unless I
change Simultaneous-Use = 2 they will not be able to login again. So
temporarily I changed the affected dialup users to Simultaneous-Use = 2 until I
solve the issue.
What will I do to the radacct tables? Shall I delete the record of
AcctStopTime and AcctStartTime of all affected users? How will I do it? Please
advise!
Thanks again!

Bernie
 

If you know the RadAcctId you can do this to each record that needs a 
stop time:

update radacct set AcctStopTime = NOW() where RadAcctId = yourRadAcctId

That will make it appear as if the user has logged out but you will 
still have record of at least the connection start time.

Keith Yoder



Re: UPCASE all incoming passwords

2004-03-06 Thread Keith Yoder
David Lomax wrote:

Has anyone ever configured the server to UPCASE all incoming 
access-request etc.
The database I am using was all in UPCASE so I want to UPCASE all 
incoming to match the DB

There is an option in the radius.conf file - lower_pass that converts 
the password the user types to lower case.  But you want upper case.  If 
you're using sql the sql.conf has examples of case insensitive queries 
to check passwords.

Hope that helps.
Keith Yoder


Re: Special users only allowed to login to certain ras ports

2004-03-02 Thread Keith Yoder
JAMIE CRAWFORD wrote:

Hello,
Is there a way to limit the users to login to certain ports on the ras
server? For example, I need to allow the president of the company to
dial in to the 1-800 number configured, which would be port 3 on the ras
server. I need to make sure that he can get in at any time and no one
else can take that port. The other ports are all local dialin numbers.
Just to clarify: I have a patton 2960/16 connected to a bit-robbed T1.
This allows us to have 16 concurrent dialup connections. But I only want
15 for general use, and the 16th for only the president.
 

There is a NAS-Port-Id attribute.  You'd have to check the authenticate 
packets that are arriving from your RAS to see if that contains 3 for 
port 3.  If it does you can add a line to your users file:

DEFAULT  Nas-Port-Id == 3, User-Name != presidentlogin, Auth-Type := Reject

That should reject anyone else but the president who tries to login on 
port 3.

Hope that helps,
Keith Yoder


Re: Session-Timeout

2004-02-18 Thread Keith Yoder
Hi all,

Please help me with how to write a perl script to control user accounts: when
a prepaid user logs on (authenticates), the script will check in the database and
send session-timeout to radiusd.


If you're trying to do what I think you are, you don't need to use perl.
Take a look at the rlm_counter (or rlm_sqlcounter) modules.  You can use the
Max-All-Session attribute to define the total number of seconds a user can
be logged into your network.

Keith




Re: How to limit Upload/Download Rate

2004-02-18 Thread Keith Yoder
[EMAIL PROTECTED] wrote:

Hi All,

 

I am working on a Wireless ISP project.

I have installed Freeradius 0.9.3 with mysql under Mandrake LINUX 9.1 
and everything is working fine.

Freeradius can authenticate users against Mysql DB and I could use 
DIALUP_ADMIN for Radius user management.

 

Couple of questions here:

1.   How can I set a bandwidth limit for 
upload/download against each user

Depends how your NAS limits bandwidth.  Your NAS documentation should tell 
you which attributes you need to send.

2.   How to receive user statistics in MySQL DB table 
Radacct?

Add sql to the accounting {} section of the radiusd.conf file.

I would like to have statistics on data 
uploaded/downloaded by each individual user. 

 

Look at the AcctInputOctets, AcctOutputOctets fields in the radacct table.

Keith Yoder



Re: radcheck entries

2004-01-09 Thread Keith Yoder
Klaus Heck wrote:

Hi,
the radcheck table in my implementation specifies the MAC addresses of the
users trying to access the net, e.g.

id  UserName       Attribute           Value         op
1   Charlie Brown  Calling-Station-Id  00025b3c48c3  ==

Now I want to allow more than one computer per user name, meaning I want to add
another entry with the same name Charlie Brown, but with a different MAC
address value. In the standard implementation of freeradius, this does not
work. It seems as if it just checks the first value it reads, or it checks
more than one, but all need to match simultaneously. The first time the
condition does not hold, the reject is sent.
Is there a way to change the behavior of freeradius in order to have more
than one entry for the same UserName? It should send an access-accept
whenever at least one entry is true.
 

As far as I know you can't do this with database tables.  The user file 
will do this just fine.  List each user with the Calling-Station-Ids.

Keith Yoder



Re: Quick question about accounting.

2003-12-23 Thread Keith Yoder
If you were using mysql for accounting you could use the following query 
to find the accounting record:

SELECT * FROM radius.radacct
WHERE FramedIPAddress = 'xxx.xxx.xxx.xxx'
AND '2003-12-12 06:00:00' BETWEEN AcctStartTime AND AcctStopTime
Keith Yoder

Drew Weaver wrote:

Right but I need to be able to do this when an abuse report crosses my desk
from a week ago that says Johnny-jackhole decided to spam 900 people on
one of my dial-ups and I need to figure out who it was so I can throttle
them.
-Drew

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 1:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Quick question about accounting. 

Drew Weaver [EMAIL PROTECTED] wrote:

   Hi, I'm authenticating from System and accounting to text files.
   Is there a way (a php script?) for me to find out what user was using an
   IP address at a specific time?

 radwho, to see who's logged on, and then grep for the IP.

 Alan DeKok.



Dictionary file for Star-OS

2003-12-23 Thread Keith Yoder
I am attaching the dictionary file for Valemount Network's Star-OS, a 
wireless access point.  If someone is interested it could be included 
with the server distribution.

Thanks,
Keith Yoder
#
#   Valemount Networks Corporation specific radius attributes
#   [EMAIL PROTECTED]
#
#   Version 1.0 - March 26, 2003
#

VENDOR		ValemountNetworks	16313

BEGIN-VENDOR	ValemountNetworks

# Rates to give PPPoE customers, can be used in Authentication replies. (in bits/s)
ATTRIBUTE	VNC-PPPoE-CBQ-RX		1	integer
ATTRIBUTE	VNC-PPPoE-CBQ-TX		2	integer

# Fallback support for each direction. (1 / 0)
ATTRIBUTE	VNC-PPPoE-CBQ-RX-Fallback	3	integer
ATTRIBUTE	VNC-PPPoE-CBQ-TX-Fallback	4	integer

END-VENDOR	ValemountNetworks