Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan D.

Understood. I will use unlang in accounting.
Thanks

On Wednesday, October 9, 2013, Alan DeKok wrote:

> Russell Mike wrote:
> >> So if you want to do something when the user's traffic is over the quota,
> >> you have to do it in the accounting section.
> >
> > Could you please kindly indicate what I should do there? I tried to
> > perform the check again when the user is online by adding a counter entry in
> > the *session* section, but it did not work either.
>
>   Uh... you do know that "session" is not the same as "accounting", right?
>
>   Why are you doing something wrong?
>
> > I am not very clear how to update the MySQL DB & perform the check on a
> > frequent basis. Based on the output from the counter module
> > (ok, noop, etc.), I understand how to update the reply from unlang to
> > log off the user.
>
>   Do you understand what the server does when it receives an accounting
> packet?
>
>   Have you tried running the server in debugging mode, and seeing what
> happens when it receives an accounting packet?
>
>   Do that before asking more questions.  Watch the server go update SQL.
>
>   Now... how do you query SQL (independent of RADIUS) to see if the
> user's session is over quota?
>
>   Then... put that query into the "accounting" section, via "unlang".
> Check if the user is over quota.  If so, send a disconnect message.
>
>   See raddb/sites-available/originate-coa for examples of originating a
> disconnect message.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan D.

> So if you want to do something when the user's traffic is over the quota,
> you have to do it in the accounting section.

Could you please kindly indicate what I should do there? I tried to
perform the check again when the user is online by adding a counter entry in the
*session* section, but it did not work either.

session {
    sql
    gigawordcounter
}

> You have to update the SQL database, and then check if the user is over
> quota. If so, send a Disconnect-Message, or exec a program to kick the user
> offline.

I am not very clear how to update the MySQL DB & perform the check on a frequent
basis. Based on the output from the counter module (ok, noop, etc.), I
understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM --

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > All-In-MB counter works. Please note, when a user has downloaded his
> > quota, the counter does not force log off.
>
>   The counter module DOES NOT DO THAT.
>
>   To see why, ask yourself what does FreeRADIUS see when the user has
> downloaded his quota?
>
>   The answer is "nothing".  The user's traffic doesn't go through
> FreeRADIUS, because FreeRADIUS isn't a router.
>
>   What FreeRADIUS *may* see is an Accounting-Request for the user.
> Which contains the total traffic for the user.
>
>   So if you want to do something when the user's traffic is over the
> quota, you have to do it in the accounting section.  You have to update
> the SQL database, and then check if the user is over quota.
>
>   If so, send a Disconnect-Message, or exec a program to kick the user
> offline.
>
> > Which basically means that initially authorization is done by SQL, then
> > "max_all_mb" checks are only done once when the user makes the logon
> > attempt, and checks are never done again.
>
>   Yes.  That's what you've configured.  If you want more, you need to
> tell the server to do more.
>
> > This is where I have failed.
> > Since you are more into this, is there a way to perform this check
> > on a frequent basis and send a reply to the NAS to log off the user? Then it
> > should work.
>
>   Read the debug output.  You'll see the server receiving
> Accounting-Request packets, with the user's traffic over quota.  THAT is
> when FreeRADIUS can do something.
>
>   Alan DeKok.
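The accounting-time check that Alan describes in the two messages above, as an added example that is not code from FreeRADIUS, CoovaChilli or this thread: an in-memory sqlite3 table stands in for the MySQL radacct table that rlm_sql maintains, the packet dicts are constructed, the 7168 MB quota is the check_item from the thread, and every function name is mine. It updates the table first and only then runs the counter query from the thread, which is the order the accounting section needs, and returns the action unlang would turn into a Disconnect-Request via originate-coa.

```python
# Added example: quota check driven by Accounting-Request packets.
# Not FreeRADIUS code; sqlite3 stands in for MySQL, all packets are constructed.
import sqlite3

MB = 1024 * 1024


def open_radacct():
    """Create a minimal radacct table (only the columns this check needs)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        " AcctSessionId TEXT PRIMARY KEY, UserName TEXT,"
        " AcctInputOctets INTEGER, AcctOutputOctets INTEGER, AcctStopTime TEXT)"
    )
    return db


def octets64(pkt, direction):
    """Rebuild the 64-bit counter a NAS splits into Gigawords (high 32 bits)
    and Octets (low 32 bits); rlm_sql stores the combined value."""
    high = pkt.get("Acct-%s-Gigawords" % direction, 0)
    low = pkt.get("Acct-%s-Octets" % direction, 0)
    return (high << 32) | low


def record_accounting(db, pkt):
    """What rlm_sql does with Start / Interim-Update / Stop: keep one row per
    session, carrying the cumulative counters from the latest packet."""
    stop = "STOP" if pkt["Acct-Status-Type"] == "Stop" else None
    db.execute(
        "INSERT OR REPLACE INTO radacct VALUES (?, ?, ?, ?, ?)",
        (pkt["Acct-Session-Id"], pkt["User-Name"],
         octets64(pkt, "Input"), octets64(pkt, "Output"), stop),
    )


def used_mb(db, username):
    """The thread's counter query: in + out traffic for the user in MB, summed
    over all of the user's sessions, live ones included."""
    row = db.execute(
        "SELECT IFNULL(SUM(AcctInputOctets), 0), IFNULL(SUM(AcctOutputOctets), 0)"
        " FROM radacct WHERE UserName = ?", (username,)
    ).fetchone()
    return (row[0] + row[1]) // MB


def quota_decision(db, username, quota_mb):
    """rlm_sqlcounter's rule as the thread's debug output shows it: act once
    (check_item - counter) is no longer positive."""
    used = used_mb(db, username)
    return ("disconnect" if quota_mb - used <= 0 else "ok"), used


def handle_accounting(db, pkt, quota_mb):
    """The 'accounting' section logic: update SQL first, then query it.
    'disconnect' is what unlang would turn into a Disconnect-Request."""
    record_accounting(db, pkt)
    if pkt["Acct-Status-Type"] == "Start":
        return "ok", used_mb(db, pkt["User-Name"])  # nothing new to count yet
    return quota_decision(db, pkt["User-Name"], quota_mb)


def run_session(quota_mb=7168):
    """Constructed packet sequence for one user with a 7168 MB (7 GB) quota:
    the input counter passes 4 GB (Gigawords becomes 1) and then the quota."""
    db = open_radacct()
    base = {"User-Name": "quotauser", "Acct-Session-Id": "constructed-0001"}
    packets = [
        dict(base, **{"Acct-Status-Type": "Start"}),
        dict(base, **{"Acct-Status-Type": "Interim-Update",
                      "Acct-Input-Octets": 3 * 1024 * MB,
                      "Acct-Output-Octets": 200 * MB}),
        dict(base, **{"Acct-Status-Type": "Interim-Update",
                      "Acct-Input-Gigawords": 1,            # 4 GB wrapped once
                      "Acct-Input-Octets": 2 * 1024 * MB,   # plus 2 GB
                      "Acct-Output-Octets": 1200 * MB}),
        dict(base, **{"Acct-Status-Type": "Stop",
                      "Acct-Input-Gigawords": 1,
                      "Acct-Input-Octets": 2 * 1024 * MB,
                      "Acct-Output-Octets": 1300 * MB}),
    ]
    return [handle_accounting(db, p, quota_mb) for p in packets]


if __name__ == "__main__":
    for action, used in run_session():
        print("%-10s used=%d MB" % (action, used))
```

Run with python3: the Start packet gives nothing to count, the second Interim-Update (6 GB in, 1.2 GB out) crosses 7168 MB, and every later packet for that user keeps asking for a disconnect. The Gigawords recombination is what lets the input counter go past 4 GB at all.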

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Dear Arran C. Bell,

Thanks for everything. Here is an update.

1.)

All-In-MB counter works. Please note, when a user has downloaded his
quota, the counter does not force log off. Said another way, if the user is online, he would
remain online until he logs off himself or stops browsing. But it is to be
noted that the counter prevents him from logging in again: the user cannot log in again
if he has already hit the quota threshold. Please look at the example of a reject. This
user is allowed 7GB; please mind that the *check_item which shows
7168* is specified in MB.

[gigawordcounter]   expand: %{sql:SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='quotauser'} -> 7389.1705
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389
++[gigawordcounter] returns reject

Which basically means that initially authorization is done by SQL, then
"max_all_mb" checks are only done once when the user makes the logon
attempt, and checks are never done again. This is where I have failed. Since
you are more into this, is there a way to perform this check
on a frequent basis and send a reply to the NAS to log off the user? Then it should
work.

Counter:

sqlcounter gigawordcounter {
    counter-name = Max-All-MB
    check-name = Max-All-MB
    reply-name = Max-All-MB
    reply-message = "You have reached your bandwidth limit"
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctInputOctets) / (1024*1024) + \
             SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}


*2.) Solution offered by you.*

I tried your recommendations also. I tried to maintain the following in the local
FR dictionary *"/etc/freeradius/dictionary"* and the Chilli dictionary:

ATTRIBUTE   Acct-Input-Octets64    3005    integer64

ATTRIBUTE   Acct-Output-Octets64   3006    integer64

Result: failed to start FR.

Reason for failing: unrecognized value specified in
*"/etc/freeradius/dictionary"*

Reason for failing: unrecognized value specified in
*"/usr/share/freeradius/dictionary.chillihotspot"*

Thanks / Regards

RM --

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:

>
> On 8 Oct 2013, at 15:40, Russell Mike  wrote:
>
> > Dear Arran C. Bell,
> >
> > Thank you very much, I am extremely grateful for your advice and
> guidelines for troubleshooting also. I am currently experimenting with a different
> rlm_sqlcounter using the CoovaChilli dictionary "All-In-MB". As a result, I can
> store a short number in the DB. This counter would reset at 2TB with the same 32-bit
> number. I have actually tested up to 6GB. It just works!!! The next test is in
> progress, to log out the user when 7GB is downloaded. I really appreciate your
> input and TIME.
> >
> > I will try your proposed solution as well after "All-In-MB" has been tested.
> After the successful practical of both solutions, I would like to document
> this topic on one page for the archives, so that it can help others. I may need
> your support in case I come across some challenges during the test of your
> solution.
>
> wiki.freeradius.org is the place to do that :)
>
> >
> > Thanks once again !!!
>
> No problem, glad I could help.
>
> -Arran

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-08 Thread Russell Mike
Dear Arran C. Bell,

Thank you very much, I am extremely grateful for your advice and guidelines
for troubleshooting also. I am currently experimenting with a different
rlm_sqlcounter using the CoovaChilli dictionary "All-In-MB". As a result, I can
store a short number in the DB. This counter would reset at 2TB with the same 32-bit
number. I have actually tested up to 6GB. It just works!!! The next test is in
progress, to log out the user when 7GB is downloaded. I really appreciate your
input and TIME.

I will try your proposed solution as well after "All-In-MB" has been tested. After
the successful practical of both solutions, I would like to document this
topic on one page for the archives, so that it can help others. I may need your
support in case I come across some challenges during the test of your
solution.

Thanks once again !!!

Regards --RM

On Tue, Oct 8, 2013 at 12:16 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:

> >
> >
> > It might actually be an idea to add those to the internal dictionary to
> make it a bit easier.
>
> Just to clarify there are two reasons why your current config isn't
> working:
> 1. rlm_sql stores the value as a proper 64bit integer, not in the two
> 32bit chunks represented by Acct-Input-Gigawords and Acct-Input-Octets.
> When this value is pulled out into rlm_sqlcounter the value is truncated
> because internally it only deals with 32bit unsigned ints. I've now fixed
> this.
>
> 2. You're comparing gigawords to bytes, with no conversion, so even with
> the updated module you'll find the user is rejected way way too early.
>
> You also invented "counter-type" and "check-unit" config pairs. The server
> isn't magic, just because it doesn't error out, doesn't mean it knows about
> those config pairs or will use values assigned to them.
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
>

Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-08 Thread Russell Mike
Hi List Members

I have been reading the archives and trying to understand for some days now, but
unsuccessfully. I am currently working to extend data volume control up to
10GB, which is a requirement for the organization. Is anyone able to manage
more than 4GB using CoovaChilli & FreeRADIUS? There is no single piece
of information available on the net. Until now, I am unclear about the
components that need to be fine-tuned. I understand that FR has 32-bit integers, but
that is not the limitation on managing more than 4GB if the NAS supports the
"Gigaword" attributes. It seems that my "sql_counter" or MySQL itself is
the problem.

*NOTE: It is a working setup up to 4GB; if I assign 6GB to a user, the counter
rolls over at 4GB*

1.) I came across a post where people say that the sqlcounter module uses
32-bit integers in its source code. Should it be changed to 64-bit integers?
2.) CoovaChilli has built-in support for "gigaword" attributes, which is
enabled.
3.) Is it possible with rlm_sql, or must rlm_perl be used?
4.) Counter rolls over at 4GB.

sqlcounter gigawordcounter {
    counter-name = Total-Max-Octets
    check-name = Acct-Input-Gigawords
    reply-name = Acct-Input-Gigawords
    sqlmod-inst = sql
    key = User-Name
    reset = never
    counter-type = data
    check-unit = KibiOctets
    query = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) \
             FROM radacct WHERE username='%{%k}'"
}


Thanks / Regards
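As an added example (my code, not rlm_sqlcounter's), here is the arithmetic behind the two mistakes Arran lists in his reply above and behind the 4GB roll-over in this question: a NAS reports each direction as Acct-*-Gigawords (high 32 bits) plus Acct-*-Octets (low 32 bits), a counter that only handles 32-bit unsigned values keeps just the low word of the SQL sum, and a check item named Acct-Input-Gigawords is a count of 4 GiB units rather than bytes. The quota values are constructed; the reject rule is the one the thread's debug output shows.

```python
# Added example: 64-bit octet counters, 32-bit truncation, and unit mismatch.
# Not FreeRADIUS code; quotas and traffic figures are constructed.
UINT32 = 2 ** 32
GIB = 2 ** 30


def octets64(gigawords, octets):
    """Recombine the two RADIUS attributes into one byte count: Gigawords is
    the number of 2^32-byte wraps, Octets the low 32 bits."""
    return (gigawords << 32) | octets


def counter_as_uint32(total):
    """What a counter that only handles 32-bit unsigned values keeps of a
    64-bit SQL sum: the low 32 bits, so it wraps back to 0 every 4 GiB."""
    return total % UINT32


def sqlcounter_decision(check_item, counter):
    """The test the thread's debug output shows: reject once
    (check_item - counter) is no longer positive."""
    return "reject" if check_item - counter <= 0 else "ok"


def compare_readings(gigawords, octets, quota_gib):
    """Decisions for the same traffic under three readings of the counter.
    quota_gib is a constructed per-user quota in GiB."""
    total = octets64(gigawords, octets)
    quota_bytes = quota_gib * GIB
    return {
        # counter and check item both in bytes, full 64-bit value
        "64bit": sqlcounter_decision(quota_bytes, total),
        # same check item, but the counter lost its high word
        "truncated32": sqlcounter_decision(quota_bytes, counter_as_uint32(total)),
        # check-name = Acct-Input-Gigawords: the check item is a count of
        # whole 4 GiB units, compared against a counter that is in bytes
        "gigawords_vs_bytes": sqlcounter_decision(quota_gib // 4, total),
    }


if __name__ == "__main__":
    for gw, oc in [(0, 3 * GIB), (1, 2 * GIB), (2, 3 * GIB)]:
        used = octets64(gw, oc)
        print("%2d GiB used -> %s" % (used // GIB, compare_readings(gw, oc, 10)))
```

With a 10 GiB quota, 11 GiB of traffic is rejected only by the 64-bit reading: the truncated counter reads 3 GiB and lets the user carry on, while the gigawords-versus-bytes comparison rejects everyone after the first few bytes.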

Re: sql_counter module doesn't count

2013-09-10 Thread Russell Mike
Hi,

I am willing to help. What kind of NAS do you use? Does your NAS support
accounting?
Thanks
RM --


On Mon, Aug 12, 2013 at 9:50 PM, lucia  wrote:

>  Thanks for quick reply,
>
> well I guess not. Can you give me a hint how I can figure it out how I can
> configure this ?
>
> Am I right that I have to configure the accounting in the RADIUS
> conf-files, or is it part of the NAS itself?
> Well OK I had a look into Wikipedia RADIUS and it looks like it is part of
> the NAS.
> But I do not find any comments via google about Synology and accounting
>
> I'm a bit confused now ...
>
> Regards,
> Lu
>
>
>
>
>
> On 12.08.2013 23:34, Alan Buxey wrote:
>
> Hi
>
>  That's just an authentication request; accounting packets are what you
> need.  Is your kit configured to send accounting to this RADIUS server?
>
>  alan
>
>
>

Vouchers Top Up

2013-07-16 Thread Russell Mike
Hi List

Is anyone able to implement top-up for hotspot vouchers? Top-up means: if
a hotspot user is browsing and his 3600 seconds are about to run out, he wishes
to top up another 1800 seconds to avoid disconnection.

Thanks / Regards

Re: unlang and update section

2013-06-13 Thread Russell Mike
Yes, I have come across this error once. There is a little mistake in your
unlang code. Understand from the following working code.


## Authorization Area Starts Here
# If user not present allow them free access
# Between 10:00 and 12:59PM ('Any1000-1259')
# Whole Day ('Any-2359')

# File Module Returns "noop" & sql Module Returns "notfound"

server accept_everyone {

    authorize {
        sql

        # "else" must directly follow the closing brace of the "if" block
        if (ok) {
            update control {
                Login-Time := 'Any-1259'
                Auth-Type := "Accept"
            }
            update reply {
                WISPr-Redirection-URL := "http://www.yale.edu"
            }
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
            update reply {
                WISPr-Redirection-URL := "http://41.139.28.1"
            }
        }

        pap
        files
        logintime
        expiration
        preprocess
        dailycounter
        forevertimecounter
    }

    # Fix For The WARNING That Says: Unknown Value Specified For
    # Post-Auth-Type. Cannot Perform Requested Action #

    # Do Not Remove The "Post-Auth" Configuration From This Virtual Server (Here): #

    post-auth {
        Post-Auth-Type REJECT {
            noop
            notfound
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        digest
        unix
        eap
    }
}

# END

Thanks

--RM



On Thu, Jun 13, 2013 at 3:07 PM, Bill Schoolfield  wrote:

> Can update sections contain if conditions? I get the following error:
>
> /etc/raddb/sites-enabled/default[573]: "update" sections cannot have
> subsections
> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>
> The documentation says "The only contents permitted in an "update" section
> are attributes and values", which I assume is the issue. Please confirm.
>
> Bill

WARNING: Unknown value specified for Post-Auth-Type

2013-06-07 Thread Russell Mike
Hi (it is not the default virtual server). The following error occurs when a user
attempts to log in with an invalid password, otherwise not. Is it normal, or
should it be troubleshot?

Info:   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action


My post-auth section:

post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        noop
        notfound
    }
}

Thanks / Regards
--RM

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-06 Thread Russell Mike
Greetings Everyone. My goal is to use only ONE "A" (Authorization Only) as
the start of the FR implementation. I do have a different system to authenticate
users. The plan is to replace that with FR, but one step at a time.

I tried with the following virtual server to accept everyone. With that
done, everyone is accepted, regardless of whether the user exists in the MySQL DB or not.
And the reply message is sent correctly as well.

*Check Items in unlang code:*
1.) Login time is verified correctly - if a user attempts to access outside
of the time slot, then rejected, else accepted. (First Attribute Works)
2.) Everyone is accepted (Second Attribute also Works)
3.) Users are not disconnected after 10 minutes (Third Attribute does not
work)

*Reply Items in unlang code:*

1.) Users are successfully redirected to the URL specified for
"WISPr-Redirection-URL" (First Reply Item Works)
2.) Users are not disconnected after 10 minutes (Second Attribute does not
work)

server accept_everyone {
    authorize {

        # If user not present in MySQL Database still allow them access
        # Only Between 10:00 and 12:59PM
        # File Module Returns "noop" & sql Module Returns "notfound"

        #files
        #if(noop) {

        sql

        if (notfound) {
            update control {
                Login-Time := 'Any1000-1259'
                Auth-Type := "Accept"
                Max-All-Session := "600"
            }
        }
        # Redirect Everyone To Yale Website
        update reply {
            WISPr-Redirection-URL := "http://www.yale.edu"
            Max-All-Session := "600"
        }

        # Module calls belong inside a section of the virtual server,
        # not after its closing brace
        pap
        logintime
        forevertimecounter
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

## Authorization Area ENDs Here


Can someone give a little hint? Only a hint would be enough, I will study the
rest. Is it even possible to control that (Max-All-Session) using "unlang"
code?

Thanks / Regards
--RM


On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Hi John & Alan, Kindly clarify
>
>   This isn't a private list.  Messages should NOT be addressed to
> individual people.
>
>   Just reply to a message.  It's simpler, and more polite.
>
> > Does this mean it is possible to use only the authorize function of FR and
> > process all authentication requests with the following virtual server?
>
>   Did you try it?  What does it do?
>
>   Alan DeKok.
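An added example, not rlm_logintime or rlm_sqlcounter code, for the Login-Time windows used in this post and in the "unlang and update section" post above, and for the Session-Timeout that those time checks end up controlling. The Login-Time syntax handled here is an assumption modelled on the Livingston-style format FreeRADIUS accepts (Any/Al, Wk, day names run together, HHMM-HHMM with an omitted start read as 0000, several entries separated by commas), and the cap by the unused part of Max-All-Session mirrors what a forevertimecounter with reply-name = Session-Timeout returns; treat both as my reading rather than the modules' source. The timestamps and the when() helper are constructed.

```python
# Added example: evaluate a Login-Time check item and derive Session-Timeout.
# Not FreeRADIUS code; the syntax rules below are assumptions (see lead-in).
import datetime as dt
import re

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index = datetime.weekday()
SPEC = re.compile(r"^(?P<days>[A-Za-z]*)(?P<start>\d{4})?-(?P<end>\d{4})$")


def _minutes(hhmm):
    return (hhmm // 100) * 60 + hhmm % 100


def parse_spec(spec):
    """One Login-Time entry -> (set of weekdays, start minute, end minute).
    Assumed syntax: Any/Al = every day, Wk = Mon-Fri, or day names run
    together (e.g. MoTuWe); a missing start time means 0000."""
    m = SPEC.match(spec.strip())
    if not m:
        raise ValueError("bad Login-Time entry: %r" % spec)
    names = m.group("days")
    if names in ("", "Any", "Al"):
        days = set(range(7))
    elif names == "Wk":
        days = set(range(5))
    else:
        parts = re.findall(r"[A-Z][a-z]", names)
        if "".join(parts) != names or any(p not in DAYS for p in parts):
            raise ValueError("unknown day in %r" % spec)
        days = {DAYS.index(p) for p in parts}
    return days, _minutes(int(m.group("start") or "0000")), _minutes(int(m.group("end")))


def login_time_remaining(login_time, now):
    """Seconds left in whichever entry covers 'now' (end minute inclusive),
    or 0 when no entry does, i.e. when a logintime check would reject."""
    now_min = now.hour * 60 + now.minute
    best = 0
    for entry in login_time.split(","):
        days, start, end = parse_spec(entry)
        if now.weekday() in days and start <= now_min <= end:
            best = max(best, (end + 1) * 60 - (now_min * 60 + now.second))
    return best


def session_timeout(login_time, now, max_all_session=None, used_session_time=0):
    """Session-Timeout the reply would carry: the Login-Time window remaining,
    capped by what is left of Max-All-Session (the model of a sqlcounter with
    reply-name = Session-Timeout). None means the request is rejected."""
    remaining = login_time_remaining(login_time, now)
    if remaining <= 0:
        return None
    if max_all_session is not None:
        left = max_all_session - used_session_time
        if left <= 0:
            return None
        remaining = min(remaining, left)
    return remaining


def when(text):
    """Constructed timestamp helper: 'YYYY-MM-DD HH:MM:SS' -> datetime."""
    return dt.datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for lt, at in [("Any1000-1259", "2013-06-06 11:30:00"),
                   ("Any1000-1259", "2013-06-06 13:00:00"),
                   ("Wk0800-1700,Sa0900-1200", "2013-06-08 09:00:00")]:
        print(lt, at, "->", session_timeout(lt, when(at), max_all_session=600))
```

At 11:30 on a Thursday the 'Any1000-1259' window has 5400 seconds left, but a Max-All-Session of 600 with nothing used yet caps the reply at 600; once the 600 seconds are consumed the result is a reject, which is the behaviour a check item produces only when a counter module is actually listed in authorize.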

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Hi John & Alan, Kindly clarify
>
>   This isn't a private list.  Messages should NOT be addressed to
> individual people.
>

Apologies everyone. Well noted for the future.

>
>   Just reply to a message.  It's simpler, and more polite.
>

Thanks for correction Alan D.

>
> > Does this mean it is possible to use only the authorize function of FR and
> > process all authentication requests with the following virtual server?
>
>   Did you try it?  What does it do?
>

Not really; I wanted to know if it makes sense from the experts' point of view.
Should I try?

Regards
-- RM

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
Hi John & Alan, kindly clarify:

Does this mean it is possible to use only the authorize function of FR and
process all authentication requests with the following virtual server?

server accept_all_requests {
    authorize {
        update control {
            Auth-Type := "Accept"
        }
    }
}

Thanks / Regards
--RM


On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok wrote:

> John Dennis wrote:
> > You're both right, now shake hands and make up :-) The problem with the
> > term authorization in radius is used in a non-standard way that leads to
> > confusion. The normal use of the term authorization (authz) indicates
> > what a principal is permitted to do and a principal must be validated
> > via authentication (authn) first. In radius authorization means
> > collecting information necessary to perform the authentication
> > operation. It's an unfortunate semantic difference that leads to a fair
> > amount of confusion (myself included), but after a while you get used to
> > it.
>
>   It was a historical mistake in FreeRADIUS which has been kept for too
> long.
>
>   After 3.0 is released, we'll transition to a naming scheme that's a
> little more complex, but much clearer.  The idea is that every packet
> has 3 stages:
>
> recv = receive the packet
> process = process the packet
> send = send the reply
>
>   We can map the existing authorize / authenticate / etc. to these
> processing stages.  That change will be initially confusing, but will be
>  simpler.  It will also enable the server to do more protocols that are
> in the works. :)
>
>   Alan DeKok.

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
Dear Alan DeKok & John Dennis

Thanks for your input, words and clarification. The explanation was very good.
Moreover, it is good to have people like you on the list.
Regards
Prabhpal Singh


On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok wrote:

> John Dennis wrote:
> > You're both right, now shake hands and make up :-) The problem with the
> > term authorization in radius is used in a non-standard way that leads to
> > confusion. The normal use of the term authorization (authz) indicates
> > what a principal is permitted to do and a principal must be validated
> > via authentication (authn) first. In radius authorization means
> > collecting information necessary to perform the authentication
> > operation. It's an unfortunate semantic difference that leads to a fair
> > amount of confusion (myself included), but after a while you get used to
> > it.
>
>   It was a historical mistake in FreeRADIUS which has been kept for too
> long.
>
>   After 3.0 is released, we'll transition to a naming scheme that's a
> little more complex, but much clearer.  The idea is that every packet
> has 3 stages:
>
> recv = receive the packet
> process = process the packet
> send = send the reply
>
>   We can map the existing authorize / authenticate / etc. to these
> processing stages.  That change will be initially confusing, but will be
>  simpler.  It will also enable the server to do more protocols that are
> in the works. :)
>
>   Alan DeKok.

Re: Accouting time duratin calculation

2013-06-05 Thread Russell Mike
Hi,

On Wed, Jun 5, 2013 at 7:43 AM, Miha  wrote:

> Hi,
>
> how does freeradius calculate duration time?

The MySQL query grabs the information from "radacct",

i.e.

sqlcounter forevertimecounter {
    counter-name = "Max-All-Session-Time"
    check-name = "Max-All-Session"
    count-attribute = "Acct-Session-Time"
    reply-name = "Session-Timeout"
    sqlmod-inst = "sql"
    key = "User-Name"
    reset = "never"
    cache-size = "5000"
    query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct \
             WHERE UserName='%{%k}'"
}




> My NAS sends start and stop packets. In the MySQL table I can see acctstarttime
> and acctstoptime. Is the duration time automatically created from start time
> and stop time, or should the NAS also send duration time?
>

No. The value is stored in "radacct"; rlm_sqlcounter sums the total time.

Hope this helps!


> In other words, is it possible that freeradius automatically calculates
> duration from start and stop packets :)?
>
> tnx!
>
> miha

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-04 Thread Russell Mike
Hi List

After googling for a few days I am still not so clear. Therefore, I have
decided to implement the three *"A"*s in three different steps. For now, I only
want to use the Authorize function of FR. I do not want authentication &
accounting BUT authorization.

Using MySQL as a backend, I am trying to make something like this:

A remote user would hit the Cisco NAS gateway router (in the ISP NOC data center)
---> the Cisco NAS is going to ask FreeRADIUS if the IP is authorized to pass
through. I need a little idea how this can be achieved. Something like this
or an equivalent idea:

| 66 | 41.157.61.88 |  | := | Accept |
| 67 | 41.157.61.30 |  | := | Reject |

Thanks Everyone

Regards
--RM


On Tue, May 28, 2013 at 4:12 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Dear Mulindawa / Marinal & Alan DeKok
> >
> > Thank you very much for your advice, very valuable for ME. I saw
> > some light at the end of the tunnel. I really need help, one more question
> > please. Like MAC authentication, is it possible to authenticate a
> > device using its IP address in FR? Then I can further attach the attributes
> > to a group of IP addresses.
>
>   No.  RADIUS authentication occurs *before* network access.
>
>   Alan DeKok.

Re: Service Provisioning Using AAA (FreeRadius)

2013-05-28 Thread Russell Mike
Dear Mulindawa / Marinal & Alan DeKok

Thank you very much for your advice, very valuable for ME. I saw some
light at the end of the tunnel. I really need help, one more question please. Like
MAC authentication, is it possible to authenticate a device using its IP
address in FR? Then I can further attach the attributes to a group of IP
addresses.

I want this because the devices that would send auth requests would come
from behind a layer-3 device (router). Thanks for everything sir(s).

Thanks / Regards
--RM



On Tue, May 28, 2013 at 1:51 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Currently, we do manual connection / disconnection. If a customer did
> > not pay by the 31st, somebody manually disconnects the link, and manually
> > connects it when the customer comes to pay.
>
>   That's what Session-Timeout is for.  Set it to 1 day (86400 seconds).
>  That way they have to re-authenticate every day.  On the 31st, you just
> refuse to re-authenticate them.
>
>   Or, use Disconnect-Request.  But the NAS has to support it.
>
>   Alan DeKok.

Service Provisioning Using AAA (FreeRadius)

2013-05-28 Thread Russell Mike
Dear FreeRADIUS Gurus, Greetings,

I work with an ISP; I have been asked to research "service
provisioning using AAA". I am NOT very new to FreeRADIUS. I have implemented
and manage a central CoovaChilli hotspot solution where we run more than 35
hotspots across the city using CoovaChilli + FreeRADIUS.

Currently, we do manual connection / disconnection. If a customer did not
pay by the 31st, somebody manually disconnects the link, and manually connects
it when the customer comes to pay.

I am somehow not clear with the idea of how that would work and where to
start from. I am looking for advice from those who have already set up such a
system. Any kind of help would be highly appreciated. I am further willing
to study, if I know which direction to move in. Someone please help.

Thanks / Regards
--RM

Re: radgroupcheck attributes and test client

2013-05-06 Thread Russell Mike
On Sun, May 5, 2013 at 6:51 PM,  wrote:

>
> Von: Russell Mike 
>
> > You said the same setup is working with CoovaChilli, same groups / profiles?
> > Else cross-check your reply & check items, if in place. If FR groups are
> > the same, check the NAS side.
> > Thanks
>
> I'll check reply and check items when I'm in office again, but I'm quite
> sure they are the same.
>
> How can I check NAS side?


Documentation will tell.


> One is Coovachilli, the other is a radius test client (NTRadPing and
> Radius Test Rig Utily)
>

You need to create a NAS entry in MySQL or a file for the IP address of the
machine from where you would run NTRadPing.

>
> Thank you!
>
> Chris

Re: radgroupcheck attributes and test client

2013-05-05 Thread Russell Mike
You said the same setup is working with CoovaChilli, same groups / profiles?
Else cross-check your reply & check items, if in place. If FR groups are
the same, check the NAS side.
Thanks

On Friday, May 3, 2013, wrote:

> Hi,
>
> Von: Russell Mike >
>
> > FR should be able to know if the allowed time has been used / consumed before it
> > can deny the request. Have you set up rlm_sqlcounter?
>
> Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess
> it is a client issue.
>
> Chris

Re: radgroupcheck attributes and test client

2013-05-03 Thread Russell Mike
FR should be able to know if the allowed time has been used / consumed before it can
deny the request. Have you set up rlm_sqlcounter?

Thanks RM --


On Fri, May 3, 2013 at 7:49 AM,  wrote:

> All,
>
> I'm a newbie in radius.
>
> I've set up freeradius with MySQL and max-daily-session. When I set
> max-daily-session := 10 in the radgroupcheck table, a user of this group can
> login (accept packet after authentication), even if he already has been
> logged in for 10 seconds before. I'm using NTRadPing and Radius Test Rig
> Utility as a client. I've sent accounting packets. The radacct table got
> populated (beginning and end of session, no octets).
>
> Is it a client issue? Must NTRadPing send any additional parameters?
>
> Any help is appreciated.
>
> Chris

RE: Digest using an external database for the Password

2013-04-30 Thread Mike Brennan
OK - I think I get it: if I just want to use the default I should
remove the soft link in sites-enabled to the inner-tunnel. This should
be sufficient for my deployment at the moment - although I will be looking
into clustering this and potentially using LVS (this no doubt will be
another world of pain - my database backend is going to be an Oracle
cluster.)

As for RFC 4590 support,  I believe IEA Software support it. I confused
the fact that on your web site you list RFC 4590 in the "list of RFCs" as
a tacit indication of support. Is RFC 4590 on your roadmap?

The client generating the DIGEST is an ACME SBC; it supports a number of
DIGEST RFCs.

Sorry for being a pain

Regards
Mike

-Original Message-
From: freeradius-users-bounces+mbrennan=thrupoint@lists.freeradius.org [mailto:freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 30 April 2013 13:36
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> From the previous e-mail I put the sql query in the inner-tunnel (this
> was confirmed by Alan), however, I think this maybe incorrect - I
> believe it should go in the default file (AM I CORRECT?)

  (a) you can wander around making random changes to "fix" things, or

  (b) you can understand what's going on.

  It's not hard.  And no, I'm not going to spoon-feed you.  The answer is
in front of you.  It's in the debug logs you posted.  Have you read them,
looking for "inner-tunnel"?

> The other test fails - see the following two files:
> rfc4590_freeradius_debug and the radiusclient_rfc4590. The
> authentication fails, I suspect that the attributes passed seems to
> cause FreeRadius to reject the authentication. Not sure whether it is
> the client causing the trouble with erroneous setting of the
> attributes or whether Freeradius is interpreting them incorrectly

  FreeRADIUS doesn't implement RFC 4590.  So far as I've seen, no one else
does, either.

> It would be good to get to the bottom of the problem with using RFC
> 4590 - I hope the debug files help. In the debug some fields are set
> as removed - this is what I replaced sensitive information with.

  What client are you using to generate the digest authentication?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 

Note: The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message is
not the intended recipient, or an employee or agent responsible for delivering
this message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Thank you. Thrupoint, Inc.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Digest using an external database for the Password

2013-04-25 Thread Mike Brennan
Hi Alan

Did as you suggested - the error has gone
I did put in the correct text in the sql statement (just did not want  to
rewrite in e-mail) and it was not this that was failing.
The error was because I overwrote in the sql.conf file the radius_db with
my database name - I commented out this and the error disappeared.

Thx for your help

Mike

-Original Message-
From: freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.org
On Behalf Of Alan DeKok
Sent: 25 April 2013 16:20
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> Hi Alan
> Thx for your input I did the following:
> In radiusd.conf file, within the instantiate section the following was
> added:
> sql
> authorize {
>   ...
>   update control {
>   Cleartext-Password := "%{sql: SELECT password FROM fusion
...}"
>   }
>   ...
> }

  That is *not* what I said to do.  Some amount of independent thought is
required.

  List "sql" in the "instantiate" section.  DON'T put the rest of the text
above.

  DO edit the "inner-tunnel" file.  Look for the "authorize" section.
The text above shows an EXAMPLE of what you put in the "authorize"
section.  That's why it uses the word "authorize"

  DON'T put the "..." text in the config files.  That was meant to show
that OTHER text was also in the "authorize" section.

  DON'T put the "..." text in the SQL query.  That was meant to show the
REST of the SQL query

  DO think about what you're doing.

  DO put the ENTIRE sql SELECT statement into the example text I showed
above.

> In the inner-tunnel file I commented out the sql in the authorize
> section.
>
> It seemed to work - see attached small snippet from my debug. In the
> attached file there is still a rlm_sql_mysql: MYSQL check_error: 1146
> received message I have missed something else?

  Yes.

  That error is a MySQL error.  You've mis-typed the query.  Go read MySQL
documentation to see how to create a correct query.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Digest using an external database for the Password

2013-04-25 Thread Mike Brennan
Hi Alan
Thx for your input I did the following:
In radiusd.conf file, within the instantiate section the following was
added:
sql
authorize {
        ...
        update control {
                Cleartext-Password := "%{sql: SELECT password FROM fusion ...}"
        }
        ...
}
In the inner-tunnel file I commented out the sql in the authorize section.

It seemed to work - see the attached small snippet from my debug. In the
attached file there is still a "rlm_sql_mysql: MYSQL check_error: 1146
received" message.
Have I missed something else?

Thx again
Mike

-Original Message-
From: freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.org
On Behalf Of Alan DeKok
Sent: 25 April 2013 13:47
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> * Use Digest Authentication
> * The password is stored in an external database (it has a
>   complicated schema) that I am connecting to via sql.conf.
> * I want to extract the password from this database so that it can
>   be used in Digest Authentication (SIP - using RFC 4590)

  Is the password stored in clear-text?  If so, it can work.  If not, it's
impossible.

> Is it possible to get the Cleartext-Password (or is it the
> User-Password) from my external database through authorize_check_query ?

  Yes.  But you need to edit it.

> If so, how do I assign this attribute to the value returned in my query?

  You create an "Attribute = value", like with everything else in the
server.

> I can't store any information in my external database as I am not
> allowed to create any tables

  That's fine.

> The following query would return the password - can I use it in
> authorize_check_query?
>
> authorize_check_query="SELECT password FROM fusion.cdm_credentials
> WHERE person_id=(SELECT person_id FROM fusion.cdm_person WHERE
> user_name='%{User-Name}');"

  No.  The authorize_check_query needs to return "Attribute = value", as
shown by the default configuration.  You can update your query to return
that.

  Or, don't use "sql" in the "authorize" section, as it expects to see the
default FreeRADIUS schema.  List "sql" in "instantiate", and then do:

authorize {
        ...
        update control {
                Cleartext-Password := "%{sql: SELECT password FROM fusion ...}"
        }
        ...
}


  i.e. if you have a SELECT which returns a password, you can assign that
directly to the Cleartext-Password attribute yourself.

> Or am I totally off track?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 38839, id=106, 
length=26
User-Name = "test"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = ''   ORDER BY id
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql_getvpdata: database query error
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_r

RE: Digest using an external database for the Password

2013-04-25 Thread Mike Brennan
Hi Alan
Yes the password is in clear text.
Thx - I will let you know if I am successful
Regards
Mike

-Original Message-
From: freeradius-users-bounces+mbrennan=thrupoint.com@lists.freeradius.org
On Behalf Of Alan DeKok
Sent: 25 April 2013 13:47
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
> * Use Digest Authentication
> * The password is stored in an external database (it has a
>   complicated schema) that I am connecting to via sql.conf.
> * I want to extract the password from this database so that it can
>   be used in Digest Authentication (SIP - using RFC 4590)

  Is the password stored in clear-text?  If so, it can work.  If not, it's
impossible.

> Is it possible to get the Cleartext-Password (or is it the
> User-Password) from my external database through authorize_check_query ?

  Yes.  But you need to edit it.

> If so, how do I assign this attribute to the value returned in my query?

  You create an "Attribute = value", like with everything else in the
server.

> I can't store any information in my external database as I am not
> allowed to create any tables

  That's fine.

> The following query would return the password - can I use it in
> authorize_check_query?
>
> authorize_check_query="SELECT password FROM fusion.cdm_credentials
> WHERE person_id=(SELECT person_id FROM fusion.cdm_person WHERE
> user_name='%{User-Name}');"

  No.  The authorize_check_query needs to return "Attribute = value", as
shown by the default configuration.  You can update your query to return
that.

  Or, don't use "sql" in the "authorize" section, as it expects to see the
default FreeRADIUS schema.  List "sql" in "instantiate", and then do:

authorize {
        ...
        update control {
                Cleartext-Password := "%{sql: SELECT password FROM fusion ...}"
        }
        ...
}


  i.e. if you have a SELECT which returns a password, you can assign that
directly to the Cleartext-Password attribute yourself.

> Or am I totally off track?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
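Added worked example (this is not code from the list posts above, nor from
FreeRADIUS itself): the RFC 2617 Digest arithmetic a RADIUS server has to
redo to verify the Digest-Response the SBC forwards, which is why Alan's
answer hinges on the password being available in clear text. The Digest-*
attribute names are the ones RADIUS uses to carry SIP digest parameters
(RFC 5090); the realm, nonce, user names and passwords are constructed test
data. One point the exchange does not spell out: the only secret the
computation consumes is HA1 = MD5(username:realm:password), so a store that
keeps HA1 per realm works as well as a cleartext password (rlm_digest accepts
it as a Digest-HA1 check item), while a salted one-way hash such as SHA-crypt
cannot be used for Digest at all. MD5 appears here because the protocol
mandates it, not as a recommendation.

```python
"""RFC 2617 Digest verification as a RADIUS server (rlm_digest) must do it.
Added example; users, realm, nonce and passwords below are constructed."""
import hashlib
import hmac
from typing import Dict, Optional


def _md5(s: str) -> str:
    # Digest "MD5" algorithm: hex-encoded MD5 of the colon-joined fields.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store this instead
    of the cleartext password (the Digest-HA1 check item)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, attrs: Dict[str, str]) -> str:
    """Expected Digest-Response for one request, from HA1 plus the Digest-*
    parameters the NAS (SIP proxy / SBC) copied out of the client's header."""
    ha2 = _md5(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    if attrs.get("Digest-Qop"):  # qop=auth: nonce-count and cnonce are mixed in
        return _md5(":".join([ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                              attrs["Digest-CNonce"], attrs["Digest-Qop"], ha2]))
    return _md5(f"{ha1}:{attrs['Digest-Nonce']}:{ha2}")  # RFC 2069 compatibility form


def verify_digest(attrs: Dict[str, str], credential: Dict[str, str]) -> Optional[bool]:
    """True/False for a verifiable credential; None when the stored form cannot
    be used for Digest at all (for example a salted one-way password hash).

    credential is one of:
      {"Cleartext-Password": "..."}  -> HA1 derived on the fly
      {"Digest-HA1": "..."}          -> HA1 stored, cleartext never kept
      anything else                  -> cannot verify
    """
    if "Cleartext-Password" in credential:
        ha1 = digest_ha1(attrs["Digest-Username"], attrs["Digest-Realm"],
                         credential["Cleartext-Password"])
    elif "Digest-HA1" in credential:
        ha1 = credential["Digest-HA1"]
    else:
        return None
    expected = digest_response(ha1, attrs)
    # Constant-time compare: Digest-Response is attacker-controlled input.
    return hmac.compare_digest(expected.lower(), attrs["Digest-Response"].lower())


def client_request(username: str, realm: str, password: str, method: str, uri: str,
                   nonce: str, cnonce: str, nc: str = "00000001") -> Dict[str, str]:
    """What a SIP client computes; the NAS forwards these as Digest-* attributes."""
    attrs = {"Digest-Username": username, "Digest-Realm": realm, "Digest-Nonce": nonce,
             "Digest-Method": method, "Digest-URI": uri, "Digest-Qop": "auth",
             "Digest-Nonce-Count": nc, "Digest-CNonce": cnonce}
    attrs["Digest-Response"] = digest_response(digest_ha1(username, realm, password), attrs)
    return attrs


# Constructed test data (not from any real deployment)
REALM = "sip.example.test"
REQ = client_request("alice", REALM, "s3cret", "REGISTER", f"sip:{REALM}",
                     nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b")

if __name__ == "__main__":
    print(verify_digest(REQ, {"Cleartext-Password": "s3cret"}))                         # True
    print(verify_digest(REQ, {"Digest-HA1": digest_ha1("alice", REALM, "s3cret")}))     # True
    print(verify_digest(REQ, {"SHA256-Crypt": "$5$salt$..."}))                          # None
```

The third case is the one Alan calls "impossible": with only a salted hash in
the database there is no way to reach HA1, so no Digest check can be built
from it, whatever SQL query is used to fetch it.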


Digest using an external database for the Password

2013-04-25 Thread Mike Brennan
Hi

I am running version 2.1.12.

I want to use FreeRadius in the following way:

   - Use Digest Authentication
   - The password is stored in an external database (it has a complicated
   schema) that I am connecting to via sql.conf.
   - I want to extract the password from this database so that it can be
   used in Digest Authentication (SIP - using RFC 4590)

Now I have tested FreeRadius with the radclient using digest authentication
by placing the Cleartext-Password in the users file - this worked.

Is it possible to get the Cleartext-Password (or is it the User-Password)
from my external database through authorize_check_query?

If so, how do I assign this attribute to the value returned in my query? I
can't store any information in my external database as I am not allowed to
create any tables.

The following query would return the password - can I use it in
authorize_check_query?

authorize_check_query="SELECT password FROM fusion.cdm_credentials WHERE
person_id=(SELECT person_id FROM fusion.cdm_person WHERE
user_name='%{User-Name}');"

As you can see in the query I have to use password as it is a column entry
in my database.

There is a similar mechanism for LDAP where you can use the
password_attribute.

Or am I totally off track?

Thx

Mike

 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Volume Control

2013-04-17 Thread Russell Mike
Dear Arran,

Thank you very much. That's what I wanted to know, that it is not an FR
limitation.

Regards / RM --


On Wed, Apr 17, 2013 at 2:13 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 17 Apr 2013, at 05:27, Russell Mike  wrote:
>
> > Hi Arran, thanks for the clarification through your response.
> > If I understand your answer, you are saying that currently FreeRADIUS
> is using 64-bit data types in some areas and not in others, am I right?
> Also, is it possible to allow FreeRADIUS to validate traffic above 4GB?
>
> If the NAS provides the Gigawords attributes, yes.
>
> -Arran
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
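Added worked example (not from the list posts above and not FreeRADIUS
code): what "if the NAS provides the Gigawords attributes" means in
arithmetic. Acct-Input-Octets and Acct-Output-Octets are 32-bit, so a session
past 4 GiB needs the high 32 bits from Acct-Input-Gigawords and
Acct-Output-Gigawords (RFC 2869); FreeRADIUS's stock MySQL accounting queries
already combine the pair into the BIGINT acctinputoctets/acctoutputoctets
columns, so the quota test in SQL is a plain SUM over radacct. The script does
the same combination in Python over constructed accounting records, derives
per-user usage, flags who is over quota (the sessions that the accounting
section would disconnect, as discussed in the data-volume thread), and shows
the failure mode with a NAS that does not send Gigawords: its counter wraps
and the total silently undercounts. User names, quotas and records are made
up.

```python
"""64-bit traffic accounting from RADIUS attributes and a data-volume quota
check. Added example over constructed records; not FreeRADIUS code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

GIB = 1 << 30
WRAP = 1 << 32  # a 32-bit octet counter wraps at this value


def octets64(attrs: Dict[str, int], direction: str) -> int:
    """Combine Acct-<dir>-Gigawords and Acct-<dir>-Octets into one 64-bit count,
    exactly as the stock SQL query does with (gigawords << 32) | octets.
    A NAS that never sends Gigawords is treated as sending 0."""
    return (attrs.get(f"Acct-{direction}-Gigawords", 0) << 32) | attrs[f"Acct-{direction}-Octets"]


def session_total(attrs: Dict[str, int]) -> int:
    return octets64(attrs, "Input") + octets64(attrs, "Output")


@dataclass
class AcctRecord:
    username: str
    session_id: str        # Acct-Session-Id
    status: str            # Start / Interim-Update / Stop
    attrs: Dict[str, int]


def usage_by_user(records: Iterable[AcctRecord]) -> Dict[str, int]:
    """Equivalent of SELECT username, SUM(acctinputoctets + acctoutputoctets)
    FROM radacct GROUP BY username: Interim-Updates carry cumulative counters,
    so only the latest record of each session counts, then sum per user."""
    latest: Dict[Tuple[str, str], AcctRecord] = {}
    for rec in records:
        latest[(rec.username, rec.session_id)] = rec
    totals: Dict[str, int] = {}
    for (user, _), rec in latest.items():
        totals[user] = totals.get(user, 0) + session_total(rec.attrs)
    return totals


def over_quota(records: Iterable[AcctRecord], quotas: Dict[str, int]) -> List[str]:
    """Users whose accumulated traffic meets or exceeds their quota; in the
    accounting section these are the sessions to send a Disconnect for."""
    usage = usage_by_user(records)
    return sorted(u for u, used in usage.items() if u in quotas and used >= quotas[u])


def counter_wrapped(prev: Dict[str, int], cur: Dict[str, int], direction: str) -> bool:
    """Detect a NAS that does not send Gigawords: within one session the
    cumulative octet counter can only go down if it wrapped past 4 GiB."""
    if f"Acct-{direction}-Gigawords" in cur:
        return False
    return cur[f"Acct-{direction}-Octets"] < prev[f"Acct-{direction}-Octets"]


# Constructed records: bob's NAS sends Gigawords, so 5 GiB downstream arrives as
# Gigawords=1 plus Octets=1 GiB; carol's NAS does not, and her counter wrapped.
RECORDS = [
    AcctRecord("bob", "s1", "Start", {"Acct-Input-Octets": 0, "Acct-Output-Octets": 0}),
    AcctRecord("bob", "s1", "Interim-Update",
               {"Acct-Input-Gigawords": 1, "Acct-Input-Octets": 1 * GIB,
                "Acct-Output-Gigawords": 0, "Acct-Output-Octets": 200 * 1024 * 1024}),
    AcctRecord("carol", "s2", "Interim-Update",
               {"Acct-Input-Octets": WRAP - 1000, "Acct-Output-Octets": 10}),
    AcctRecord("carol", "s2", "Interim-Update",
               {"Acct-Input-Octets": 5000, "Acct-Output-Octets": 20}),
]
QUOTAS = {"bob": 4 * GIB, "carol": 4 * GIB}

if __name__ == "__main__":
    print(usage_by_user(RECORDS))                                      # bob over 5 GiB, carol 5020
    print(over_quota(RECORDS, QUOTAS))                                 # ['bob']
    print(counter_wrapped(RECORDS[2].attrs, RECORDS[3].attrs, "Input"))  # True
```

The carol case is the practical lesson: without Gigawords the server cannot
tell a wrapped counter from a small one, so the quota is never reached; the
only fix is on the NAS side (send the Gigawords attributes) or by detecting the
wrap between interim updates as counter_wrapped() does.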

Re: captive portal auth with freeradius

2013-04-17 Thread Russell Mike
Hi,

Can you please revise your question and put it a better way? I am not
clear on it; do some more typing. If the captive portal (NAS) is CoovaChilli,
this works for me:

HS_RAD_PROTO=pap


Thanks / Regards


On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava <
chitrang.srivast...@gmail.com> wrote:

> I am facing an issue where the captive portal server is sending an auth request
> which is not an EAP message, and hence the freeradius server is rejecting it; it
> goes to the users file and finds the last line Auth-Type: Reject
>
> Can anyone point out how to fix this? I guess if the captive portal sends an EAP
> message, it will be looked up in eap.conf and then a valid authenticate
> section can be chosen?
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Volume Control

2013-04-17 Thread Russell Mike
Hi Arran, thanks for the clarification through your response.

If I understand your answer, you are saying that currently FreeRADIUS is
using 64-bit data types in some areas and not in others, am I right? Also,
is it possible to allow FreeRADIUS to validate traffic above 4GB?
Thanks / Regards


On Tue, Apr 16, 2013 at 5:42 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Dear Alan D.
>
>   I may create a new rule.  People who address mail to me personally get
> unsubscribed.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Volume Control

2013-04-16 Thread Russell Mike
Dear Alan D.

What is FreeRADIUS currently using to keep track? Is it 64-bit or 32-bit?

Thanks  / Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: session section is not working

2013-04-07 Thread Russell Mike
Do you mean simultaneous sessions? If you are using MySQL, please check if it
is enabled under the session section. Thanks
RM --

On Friday, April 5, 2013, Mehdi Ravanbakhsh wrote:

> Hi All
>
> my Session section in sites-enabled is not working! I do not have any log
> about that section in my radius.log file.
>
>
> Do you have any Ideas why?
>
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius "Expire-After" How To .. ?

2013-04-02 Thread Russell Mike
Thanks Muhammed,

The Expiration module (attribute) works for me already; if I want to expire an
account on a calendar date, it does the job just fine. I need to expire
the account after 90 days, but the count must start after the first login.
Your help is appreciated / Thanks


On Tue, Apr 2, 2013 at 9:58 AM, Muhammad Nuzaihan bin Kamal Luddin <
muham...@taqisystems.com> wrote:

> Hi,
>
> Have you tried "expiration" module?
>
> sqlcounter expiration {
>count-attribute = "Acct-Session-Time"
>counter-name = "Max-Allowed-Session"
>check-name = "Expiration"
>sqlmod-inst = "sql"
>key = "User-Name"
>reset = "never"
>query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
>  MIN(AcctStartTime))),0) FROM radacct WHERE \
>  UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
> }
>
> of course you have to put "expiration" (without quotes) in:
>
> instantiate portion of radiusd.conf
> accounting section of sql.conf (or sites-available/default file in
> debian)
>
> You may have to add "Expiration" in the check attributes as well.
>
>
> From what i have looked within daloradius code, you will need to set the
> time settings in "Plan".
>
> Regards,
> Muhammad Nuzaihan Bin Kamal Luddin
>
> On Mon, 2013-04-01 at 17:12 +, Russell Mike wrote:
> > Hi List,
> >
> >
> > i need to expire the prepaid card after three months of first login.
> > after reading mail achieves, i was able to figured out that i need to
> > use "Expire-After"  FR attribute and value in seconds. i was bit of
> > unclear how to bring the module in to the action because i am unable
> > to locate "Expire-After" attribute to users (Through Daloradius).
> > Someone please help ...
> >
> >
> > # Default Module Came With FR v2.2
> >
> >
> > sqlcounter expire_on_login {
> > counter-name = Expire-After-Initial-Login
> > check-name = Expire-After
> > sqlmod-inst = sql
> > key = User-Name
> > reset = never
> > query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
> >  FROM radacct \
> >  WHERE UserName='%{${key}}' \
> >  ORDER BY acctstarttime \
> >  LIMIT 1;"
> > }
> >
> >
> >
> >
> > Thanks / Regards
> >
> >
> > RM --
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

auto-config of 802.1x supplicant windows 8 fail (wpa2-ent/peap)

2013-04-01 Thread mike . albano
Trying to post again (hopefully HTML email is turned off this time). If someone
knows how to delete a previous/duplicate post, let me know.
I've been running FR for a while without issue. Windows 8, however, fails when
using auto-config (selecting the network and letting Windows figure out the
supplicant settings). I believe it's failing because of: "[mschap] FAILED:
MS-CHAP2-Response is incorrect"
This only happens on Windows 8 "auto-configuration" of its 802.1x supplicant.
In other words, if I manually add the network, selecting only
"wpa2-enterprise", it works. It also works on OSX, Linux, Android and every
other version of Windows using 'autoconfiguration', i.e. I do not need to
manually configure the supplicant.
I've debugged my wireless LAN controller, but nothing interesting (I can attach
it if requested). It shows the EAP messages back and forth, ending up with
processing the Access-Reject packet.
Like many environments, I'm doing PEAP with an OpenLDAP directory, though for
this test the user is local (test user is 'steve').
I've got VMs of fresh-installed Win8 & Win7, passing the same USB wireless NIC
& same driver version. As previously mentioned, Win7 works with no manual
supplicant configuration. I've included the -X at the bottom of the Win7 auth.
I do not believe this to be a FR issue, but I am wondering if anyone else has
seen this. We are a large campus with ~30K auths/day, though I'm concerned
that Win8 is new enough that we haven't had any complaints yet.


dpkg -l | grep freerad
ii  freeradius         2.1.12+dfsg-1.1  amd64  high-performance and highly configurable RADIUS server
ii  freeradius-common  2.1.12+dfsg-1.1  all    FreeRADIUS common files
ii  freeradius-ldap    2.1.12+dfsg-1.1  amd64  LDAP module for FreeRADIUS server
ii  freeradius-utils   2.1.12+dfsg-1.1  amd64  FreeRADIUS client utilities
ii  libfreeradius2     2.1.12+dfsg-1.1  amd64  FreeRADIUS shared library

Debugs at pastebin (too large):
http://pastebin.com/gXhwSzZb
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius "Expire-After" How To .. ?

2013-04-01 Thread Russell Mike
Hi List,

I need to expire the prepaid card three months after the first login. After
reading the mail archives, I was able to figure out that I need to use the
"Expire-After" FR attribute with a value in seconds. I was a bit unclear on
how to bring the module into action, because I am unable to locate the
"Expire-After" attribute to assign to users (through Daloradius). Someone
please help ...

# Default Module Came With FR v2.2

sqlcounter expire_on_login {
        counter-name = Expire-After-Initial-Login
        check-name = Expire-After
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
                 FROM radacct \
                 WHERE UserName='%{${key}}' \
                 ORDER BY acctstarttime \
                 LIMIT 1;"
}


Thanks / Regards

RM --
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: noresetcounter

2013-04-01 Thread Russell Mike
Because you have disabled the valid check item & query using "#".

sqlcounter forevertimecounter {
        counter-name = "Max-All-Session-Time"
        check-name = "Max-All-Session"
        count-attribute = "Acct-Session-Time"
        reply-name = "Session-Timeout"
        sqlmod-inst = "sql"
        key = "User-Name"
        reset = "never"
        cache-size = "5000"
        query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct \
                 WHERE UserName='%{%k}'"
}

Check Items:
Max-All-Session 3600
Session-Timeout 3600

Reply Items:
Session-Timeout 3600
Idle-Timeout 60

Thanks RM --


On Mon, Apr 1, 2013 at 1:35 PM, Muhammad Nuzaihan Kamal Luddin <
muham...@taqisystems.com> wrote:

> Hi,
>
> My objective in configuring freeradius is that the user automatically gets
> logged out during the accounting process by the noresetcounter statement.
>
> But currently, the user that is logged in keeps being connected even
> when the time is up.
>
> Here's my counter.conf:
>
> ---
>
> sqlcounter noresetcounter {
> counter-name = Session-Timeout
> #check-name = Max-All-Session
> check-name = Session-Timeout
> reply-name = Session-Timeout
> sqlmod-inst = sql
> key = User-Name
> reset = never
> #query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE
> UserName='%{%k}'"
>  query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
> UserName='%{%k}'"
> }
>
>
> And the logs:
>
> rad_recv: Access-Request packet from host 192.168.233.9 port 2052, id=0,
> length=200
> User-Name = "34"
> User-Password = "EEawKbR3"
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.182.2
> Calling-Station-Id = "00-26-82-15-4E-3D"
> Called-Station-Id = "00-0F-66-59-DD-33"
> NAS-Identifier = "taqihotspot1"
> Acct-Session-Id = "515a0884"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0x48faf6d6c674bceef3469467121e5eae
> WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
> Mon Apr  1 21:22:51 2013 : Info: # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> Mon Apr  1 21:22:51 2013 : Info: +- entering group authorize {...}
> Mon Apr  1 21:22:51 2013 : Info: ++[preprocess] returns ok
> Mon Apr  1 21:22:51 2013 : Info: ++[chap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[mschap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[digest] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [suffix] No '@' in User-Name = "34",
> looking up realm NULL
> Mon Apr  1 21:22:51 2013 : Info: [suffix] No such realm "NULL"
> Mon Apr  1 21:22:51 2013 : Info: ++[suffix] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [eap] No EAP-Message, not doing EAP
> Mon Apr  1 21:22:51 2013 : Info: ++[eap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: %{User-Name} -> 34
> Mon Apr  1 21:22:51 2013 : Info: [sql] sql_set_user escaped user --> '34'
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 4
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, username,
> attribute, value, op   FROM radcheck   WHERE username =
> '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute,
> value, op   FROM radcheck   WHERE username = '34'
> ORDER BY id
> Mon Apr  1 21:22:51 2013 : Info: [sql] User found in radcheck table
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, username,
> attribute, value, op   FROM radreply   WHERE username =
> '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute,
> value, op   FROM radreply   WHERE username = '34'
> ORDER BY id
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT groupname
> FROM radusergroup   WHERE username = '%{SQL-User-Name}'
> ORDER BY priority -> SELECT groupname   FROM radusergroup
> WHERE username = '34'   ORDER BY priority
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, groupname,
> attribute,   Value, op   FROM radgroupcheck   WHERE
> groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
> attribute,   Value, op   FROM radgroupcheck   WHERE
> groupname = '3mins'   ORDER BY id
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sql (sql): Released sql socket id: 4
> Mon Apr  1 21:22:51 2013 : Info: ++[sql] returns ok
> Mon Apr  1 21:22:51 2013 : Info: ++[logintime] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[pap] returns updated
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sqlcounter: Entering module
> authorize code
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sqlcounter: Could not find Check
> item value pair
> Mon Apr  1 21:22:51 2013 : Info: ++[noresetcounter] re
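
Added worked example (not from the list posts above and not the rlm_sqlcounter
source): the decision sqlcounter makes in authorize, emulated in Python over
constructed radacct rows, so the two cases discussed in the "Expire-After" and
"noresetcounter" threads can be traced by hand. The behaviour modelled: no
check item with the configured check-name on the user gives noop (the "Could
not find Check item value pair" line in the debug above); counter at or over
the limit gives reject; otherwise the remaining allowance is put into the
reply-name attribute, lowering an existing Session-Timeout only when the
remainder is smaller. Column names follow the default radacct schema; the user
names, times and limits are made up.

```python
"""rlm_sqlcounter authorize decision, emulated over constructed radacct rows.
Added example; not FreeRADIUS code."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class RadAcct:
    username: str
    acctstarttime: datetime
    acctsessiontime: int          # seconds, as written by Stop / Interim-Update


def expire_after_query(rows: List[RadAcct], user: str, now: datetime) -> int:
    """expire_on_login query: TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) of the
    earliest session, i.e. seconds since first login; 0 if never logged in."""
    starts = sorted(r.acctstarttime for r in rows if r.username == user)
    return int((now - starts[0]).total_seconds()) if starts else 0


def max_all_session_query(rows: List[RadAcct], user: str, now: datetime) -> int:
    """noresetcounter / forevertimecounter query:
    IFNULL(SUM(AcctSessionTime),0) over every session the user ever had."""
    return sum(r.acctsessiontime for r in rows if r.username == user)


def sqlcounter_authorize(counter: Dict[str, str], counter_value: int,
                         check_items: Dict[str, int],
                         reply_items: Dict[str, int]) -> Tuple[str, Dict[str, int]]:
    """One pass of the module for one user. counter carries the check-name and
    reply-name settings of the sqlcounter {} block."""
    limit = check_items.get(counter["check-name"])
    if limit is None:
        return "noop", reply_items          # no check item: nothing to enforce
    if counter_value >= limit:
        return "reject", reply_items        # allowance used up
    remaining = limit - counter_value
    reply = dict(reply_items)
    current = reply.get(counter["reply-name"])
    if current is None or remaining < current:
        reply[counter["reply-name"]] = remaining   # NAS will cut the session here
    return "ok", reply


# Constructed data
NOW = datetime(2013, 4, 2, 12, 0, 0)
ROWS = [
    RadAcct("prepaid1", datetime(2013, 1, 1, 9, 0, 0), 3600),   # first login 91 days ago
    RadAcct("prepaid1", datetime(2013, 3, 1, 9, 0, 0), 1800),
    RadAcct("prepaid2", datetime(2013, 3, 30, 9, 0, 0), 2000),  # first login 3 days ago
    RadAcct("prepaid2", datetime(2013, 4, 1, 9, 0, 0), 1000),
]
EXPIRE = {"check-name": "Expire-After", "reply-name": "Session-Timeout"}
MAXALL = {"check-name": "Max-All-Session", "reply-name": "Session-Timeout"}
NINETY_DAYS = 90 * 86400


def evaluate(user: str, check_items: Dict[str, int],
             reply_items: Dict[str, int]) -> Tuple[str, Dict[str, int]]:
    """Run both counters as if listed one after the other in authorize {};
    a reject from the first stops processing."""
    rc, reply = sqlcounter_authorize(EXPIRE, expire_after_query(ROWS, user, NOW),
                                     check_items, reply_items)
    if rc == "reject":
        return rc, reply
    return sqlcounter_authorize(MAXALL, max_all_session_query(ROWS, user, NOW),
                                check_items, reply)


if __name__ == "__main__":
    print(evaluate("prepaid1", {"Expire-After": NINETY_DAYS}, {}))              # reject
    print(evaluate("prepaid2", {"Expire-After": NINETY_DAYS, "Max-All-Session": 3600},
                   {"Session-Timeout": 3600}))                                  # ok, Session-Timeout 600
    print(evaluate("prepaid2", {}, {"Session-Timeout": 3600}))                  # noop, nothing enforced
```

The last call is the situation in the noresetcounter debug above: with no
Max-All-Session (or Expire-After) check item on the user, both counters return
noop and the reply keeps whatever Session-Timeout it already had, so the user
is never cut off by the counter.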

Re: how i can check if password is not correct ?

2013-03-30 Thread Russell Mike
Debian, Ubuntu: freeradius -XXX

Redhat CentOS: radiusd -XXX

Thank / RM --


On Sat, Mar 30, 2013 at 9:12 AM, Mehdi Ravanbakhsh wrote:

> Hi All
>
> If the password in the request is not correct, which module handles this and
> rejects the client?
>
> Where can I check if the password is not correct? And what does the module
> return when the password does not match?
>
> Best regards.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to use checkval

2013-03-13 Thread Russell Mike
Hi Dan,
What Reject? And MAC address listed where? Are you working on MAC
authentication? FR MAC auth is working for me; I use CoovaChilli as NAS.

0.) The MAC address would exist as a user in the MySQL DB or file
1.) Configure the NAS to send the MAC address as the username to FreeRADIUS
2.) And do the following at the FreeRADIUS side:
username="";attribute="Auth-Type";op=":=";value="Accept"

Thanks / Regards
RM --


On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Hi Russel,
>
> Thanks for that. However it seems the check-name can't even be populated, as
> you can see from my log file.
>
> +- entering group authorize {...}
> ++[preprocess] returns ok
> rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
>
> rlm_checkval: Could not find attribute named
> Calling-Station-Id in check pairs
> ++[checkval] returns notfound
> [auth_log]  expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
> [auth_log]  expand: %t -> Wed Mar 13 17:47:09 2013
>
>
> I check the ldap.attrmap and its correctly mapped to the LDAP attribute.
>
> So how do I make sure that RADIUS rejects the request when the MAC address is
> not listed? That's what I want to achieve.
>
> Thanks
> Danny
>
>
> On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike wrote:
>
>> checkval can be helpful when you need to apply the NAS-Identifier &
>> Calling-Station-Id FR attributes.
>>
>> checkval calledstationid {
>>item-name = Called-Station-Id
>>check-name = Called-Station-Id
>>data-type = string
>>notfound-reject = no
>> }
>>
>>
>> checkval nasidentifier {
>> item-name = NAS-Identifier
>> check-name = NAS-Identifier
>> data-type = string
>> notfound-reject = no
>> }
>>
>>
>> Thanks / Regards
>> RM --
>>
>>
>>
>> On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan <
>> danny.kurnia...@fairchildsemi.com> wrote:
>>
>>> Hi All.
>>>
>>> I found this error when enabled checkval
>>>
>>> rlm_checkval: Could not find attribute named Calling-Station-Id in check
>>> pairs
>>> ++[checkval] returns notfound
>>> ++[expiration] returns noop
>>>
>>> What is the meaning of that error?
>>>
>>> Thanks in advance
>>>
>>> --
>>> Best Regards,
>>> Danny
>>>
>
> --
> Best Regards,
> Danny

Re: How to use checkval

2013-03-13 Thread Russell Mike
checkval can be helpful when you need to apply NAS-Identifier &
Calling-Station-Id - FR attributes.

checkval calledstationid {
    item-name = Called-Station-Id      # attribute taken from the request
    check-name = Called-Station-Id     # check item it is compared against
    data-type = string
    notfound-reject = no               # yes: reject when the check item is missing
}


checkval nasidentifier {
    item-name = NAS-Identifier
    check-name = NAS-Identifier
    data-type = string
    notfound-reject = no
}


Thanks / Regards
RM --



On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Hi All.
>
> I found this error when I enabled checkval
>
> rlm_checkval: Could not find attribute named Calling-Station-Id in check
> pairs
> ++[checkval] returns notfound
> ++[expiration] returns noop
>
> What is the meaning of that error?
>
> Thanks in advance
>
> --
> Best Regards,
> Danny

Re: FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi, Please mind my mistake
1.) "Unix-Time-Based-Login" using unlang rather than "Login-Time" FR
attribute.


On Tue, Mar 12, 2013 at 11:06 AM, Russell Mike  wrote:

> Hi Freeradius List,
>
> Why would someone use "Unix-Time-Based-Login" rather than the "Login-Time" FR
> attribute? Does one offer more flexibility or control than the other?
>
> Actually, we want to implement login based on time. I have been reading the
> mail archives since yesterday to understand the basic functionality of the
> model, and have also come across places where people are talking about both
> techniques. But I am unable to tell which is the better way to go.
>
> Thanks for attending to this material
>
> Thanks / Regards
> RM --

FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi Freeradius List,

Why would someone use "Unix-Time-Based-Login" rather than the "Login-Time" FR
attribute? Does one offer more flexibility or control than the other?

Actually, we want to implement login based on time. I have been reading the
mail archives since yesterday to understand the basic functionality of the
model, and have also come across places where people are talking about both
techniques. But I am unable to tell which is the better way to go.

Thanks for attending to this material

Thanks / Regards
RM --

Re: Cannot access radius server from remote host

2013-03-10 Thread Russell Mike
Hi, note this for ever: FR will simply ignore the request if the NAS (client) is
not configured, as Muhammad has explained by giving a full example earlier. When
your NAS changes in future, or you need additional NAS support, you need to
define a second client entry in the same file, or in the MySQL DB if you are
using it.

Thanks
RM --

On Sat, Mar 9, 2013 at 10:43 AM, Muhammad Nadeem wrote:

> For this you have to define the IP address and shared secret on the Radius
> server in client.config.
> The following is an entry that defines that you can send requests from a
> computer having the 192.168.0.102 IP address.
>
> client 192.168.0.102 {
>     ipaddr = 192.168.0.102
>     secret = testing123
> }
>
> Please read client.config for further details
>
>
> On Sat, Mar 9, 2013 at 3:35 PM, Iftakhul Anwar  wrote:
>
>> Hi All,
>>
>> I just tried to connect to the radius server remotely.
>> I've tried radtest with the command:
>>
>> radtest user1 meruvian localhost 1812 testing123
>> Sending Access-Request of id 133 to 127.0.0.1 port 1812
>>  User-Name = "user1"
>> User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>>  NAS-Port = 1812
>> Message-Authenticator = 0x
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=133,
>> length=20
>>
>> ## i get accept response from radius server.
>>
>> But when I try with the command below I get an error message like no
>> response from the radius server:
>>
>> radtest user1 meruvian 192.168.2.3 1812 testing123
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> radclient: no response from server for ID 12 socket 3
>>
>>
>>
>> Note:192.168.2.3 is ip of radius server.
>>
>> How can I connect to the radius server from another host? I've tried
>> disabling my firewall, but still get no response from the server.
>>
>> Help me to solve this.
>>
>> Thanks
>>
>>
>> --
>> *M.Iftakhul Anwar*
>> Meruvian Integrator
>> High Performance Computing / Cloud Computing (HPC/CC)
>>
>>
>> Office Phone  : 021-93586577
>> Mobile Phone : 085215331477
>> Blog   :  http://blog.mervpolis.com/roller/anwar
>> FB :  http://www.facebook.com/troya.adromeda
>> Website : www.meruvian.org
>>
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
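
The thread above is about the client entry in clients.conf (the file Muhammad refers to as client.config): without one, FreeRADIUS silently drops the request, which is exactly the "no response from server" that radtest reports. The following is an added example, not code from this page or from the FreeRADIUS project, that builds the same Access-Request radtest sends (user1, meruvian, NAS-Port 1812 and the secret testing123 are the values from the thread) using only the Python standard library, and shows the two checks the shared secret gates: the Message-Authenticator the server verifies on the request, and the Response Authenticator the client verifies on the reply. The packet layout follows RFC 2865 and RFC 2869; the constant and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 / RFC 2869 (the names are this example's own).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def attr(atype, value):
    """One attribute: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (type, offset_of_value, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, i + 2, packet[i + 2:i + alen]
        i += alen


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    if len(pw) % 16 or not pw:
        pw += b"\x00" * (16 - len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of s5.2: the same keystream, chained on the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", nas_port=1812):
    """The packet radtest sends. Returns (packet, request_authenticator); keep the latter for the reply."""
    authenticator = os.urandom(16)           # Request Authenticator: fresh random value per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zero placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    # RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the packet with the value zeroed.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator


def verify_access_request(packet, secret):
    """Server-side check: a client using the wrong secret fails here and gets no reply."""
    for atype, off, value in parse_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(code, request, request_authenticator, secret, attrs=b""):
    """Server reply. RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: the code if the reply is genuine, else None (radclient just drops such replies)."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None
```

With the right secret the round trip recovers the password and accepts the 20-byte reply (the same length the Access-Accept in the thread shows, since it carries no attributes). With a wrong secret the request fails the HMAC check on the server and any reply fails the MD5 check on the client, so both ends stay silent, which is why a wrong shared secret looks identical to a missing client entry from radtest's side. The unknown-client case itself is decided by source IP before any of this runs, so fixing it is purely a matter of adding the client entry.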

Re: Redirecting Reject Request To Webpage

2013-03-10 Thread Russell Mike
Thanks, dear Arran. Your input is very much appreciated. I will check on the NAS
side.
Thanks


On Fri, Mar 8, 2013 at 4:30 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 8 Mar 2013, at 11:22, Russell Mike  wrote:
>
> > Thanks Dear Alan D.
> >
> > Good answer with explanations. Appreciated your input. I am using
> CoovaChilli as the NAS; I will check with them also. But I would appreciate it
> if you could please indicate the FR attribute I may be able to use.
>
> Consult the CoovaChilli docs for attributes. If we have an attribute
> defined, it's either for internal use, for an RFC, or because someone has
> contributed dictionaries that define it.
>
> -Arran

Re: Redirecting Reject Request To Webpage

2013-03-08 Thread Russell Mike
Thanks Dear Alan D.

Good answer with explanations. Appreciated your input. I am using
CoovaChilli as the NAS; I will check with them also. But I would appreciate it
if you could please indicate the FR attribute I may be able to use.

Thanks / Regards
RM --

On Fri, Mar 8, 2013 at 2:14 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > *Question:* Redirecting Reject Request To Webpage
> >
> > For example, a customer would get a reject from FR due to non-payment, but
> > at this stage the customer does not know what is happening or why the
> > internet is down. We want the request to be redirected to a web page that
> > will display the cause of disconnection.
>
>   RADIUS doesn't do that.  It does authorization or authentication.  It
> doesn't do firewalling or routing.
>
>   Read the NAS documentation to see if it's possible.  It might be, but
> it would involve FreeRADIUS sending an attribute to the NAS saying "do
> this".  The NAS would then be responsible for firewalling.
>
>   Remember, RADIUS carries *suggestions*.  The RADIUS protocol isn't
> involved in routing, filtering, firewalling, web serving, etc.  No user
> traffic ever goes through a RADIUS server, so redirecting user traffic
> in RADIUS is *impossible*.
>
>   Alan DeKok.

Redirecting Reject Request To Webpage

2013-03-08 Thread Russell Mike
Hi FreeRadius List Members,

Thanks for all the support ever. I am having difficulty understanding
something and need help. I am able to configure MAC authentication based on
the following logic. It works!!

username="";attribute="Auth-Type";op=":=";value="Accept"

username="";attribute="Auth-Type";op=":=";value="Reject"

*Question:* Redirecting Reject Request To Webpage

For example, a customer would get a reject from FR due to non-payment, but at
this stage the customer does not know what is happening or why the internet is
down. We want the request to be redirected to a web page that will display the
cause of disconnection.

Thanks

RM --

Re: Authentication Using "Framed-IP-Address"

2013-03-07 Thread Russell Mike
Hi Arran,

Thanks for the answer to my question. Nothing wrong with saying thanks, but
perhaps I should see it from that angle.

Regards / RM --

On Thu, Mar 7, 2013 at 3:12 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 7 Mar 2013, at 09:50, Russell Mike  wrote:
>
> > Dear Alan. De. & List Greetings
> >
> > May I please ask your opinion on whether it is possible to accept & reject
> users based on "Framed-IP-Address".
>
> Yes if the Framed-IP-Address is available in the request. There are
> however, no IP specific operators,
> so it's more difficult to check whether an IP address is in a certain
> range.
>
> Also, Alan doesn't need his ego stroking any more, addressing questions to
> the list works just as well.
>
> -Arran

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
Understood. Thanks, dear David P., for participating in my troubleshooting. I
am grateful.
Thanks / Regards
RM --

On Sun, Feb 24, 2013 at 3:31 PM, David Peterson <
dav...@wirelessconnections.net> wrote:

> He approached the problem differently than most people.  He already had a
> database with the MAC addresses.  Due to a deployment mistake in the past
> he did not have the passwords from each of 500 EAP clients.  So rather than
> going out and changing those addresses he matches up the MAC address with a
> paying customer from the database.
>
> The person is in charge of a wireless ISP so scheduling 500 home visits
> was a worse option than writing some code to authorize the CPE.
>
> David
>
> From: Russell Mike [mailto:radius@gmail.com]
> Sent: Sunday, February 24, 2013 10:00 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: MAC-Auth + Freeradius + MySQL Database
>
> On Sun, Feb 24, 2013 at 1:55 PM, David Peterson <
> dav...@wirelessconnections.net> wrote:
>
> I know of one person doing something similar to what you are looking to
> do.  If your NAS sends the MAC of the device with the EAP request, you can
> extract the MAC from the request using unlang and check that against a
> database of MACs.
>
>  
>
> No clue how to do this, I just know it can be done.
>
>
> David
>
>  
>
> Dear David, thanks for attending to the request. What do you mean when you
> say "one person doing something similar to what you are looking to do"? Do
> others do MAC-Auth in a different way than I am doing?
>
> I read the response from Mr. Alan De. about storing MACs in the database.
> The following wiki also explains how to rewrite Calling-Station-Id using
> unlang and then compare it against a file or DB.
>
> http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL
>
> Your information is appreciated.
>
> Thanks / Regards
>
> RM --

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson <
dav...@wirelessconnections.net> wrote:

> I know of one person doing something similar to what you are looking to
> do.  If your NAS sends the MAC of the device with the EAP request, you can
> extract the MAC from the request using unlang and check that against a
> database of MACs.
>
> No clue how to do this, I just know it can be done.
>
> David
>
Dear David, thanks for attending to the request. What do you mean when you
say "one person doing something similar to what you are looking to do"? Do
others do MAC-Auth in a different way than I am doing?

I read the response from Mr. Alan De. about storing MACs in the database.
The following wiki also explains how to rewrite Calling-Station-Id using
unlang and then compare it against a file or DB.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

Your information is appreciated.

Thanks / Regards
RM --

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sun, Feb 24, 2013 at 2:20 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Thanks for the guidelines. Exactly, as you stated, I simply want to store MAC
> > addresses somewhere & compare them against the request. Can they be in
> > "radcheck"?
>
>   I wouldn't do that.  Just create your own table of MAC addresses.  If
> all you want is to list known MACs, you can do that with a custom table.
>
>   Then, do:
>
> if ("%{sql: SELECT ...}") {
> # known MAC
> }
>
>   Use a SQL client to write the correct SELECT statement, and then put
> it into the example above.  Then apply any "known MAC" rule inside of
> the "if" statement.
>
> > Secondly, I would have a list of at most 500 MACs; how about listing them
> > in a file? Would reading from a file be considerably slower than from the
> > DB? I have no idea, because I have never used radius with files.
>
>   See "man rlm_passwd".  It contains examples.  You could put the MACs
> into a group via that module, and then do group checking.
>
>   Alan DeKok.
>


Dear Alan De.,

Thanks for your input; you are so helpful. And the information sent is also
very useful. I will try to move forward based on your guidelines.
Thanks / Regards
RM --
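
Alan's advice above (a table of known MACs queried from unlang with `%{sql: SELECT ...}`) and Danny's earlier question in the checkval thread (reject any request whose Calling-Station-Id is not listed) both come down to one lookup. The following is an added example, not code from this page or from the FreeRADIUS project, that models that lookup in Python against an in-memory SQLite table: it canonicalises the MAC the way the wiki's rewrite_calling_station_id policy does inside the server (NASes send aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AA:BB:CC:DD:EE:FF or bare hex), then decides accept or reject. The known_macs table, its columns, the function names and the sample rows (including the A0-88-B4-0F-C3-D8 address from Danny's log) are constructed for the example.

```python
import re
import sqlite3

# Canonical form used here: lower-case, colon-separated octets (aa:bb:cc:dd:ee:ff).
# The wiki's rewrite_calling_station_id policy does this normalisation inside the server.
_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for the usual NAS spellings, or None if it is not a MAC at all."""
    if not raw:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_mac_db(known_macs):
    """Create the known-MAC table Alan describes (in memory, with constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE known_macs (mac TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    rows = []
    for raw, owner in known_macs:
        mac = normalize_mac(raw)
        if mac is None:
            raise ValueError(f"refusing to store a non-MAC value: {raw!r}")
        rows.append((mac, owner))
    db.executemany("INSERT INTO known_macs (mac, owner) VALUES (?, ?)", rows)
    db.commit()
    return db


def lookup_owner(db, calling_station_id):
    """The %{sql: SELECT ...} step: who owns this MAC, or None if it is unknown or malformed."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    # Parameterised: the value comes from the NAS and is untrusted input.
    row = db.execute("SELECT owner FROM known_macs WHERE mac = ?", (mac,)).fetchone()
    return row[0] if row else None


def authorize(db, request):
    """Model of the authorize-section decision for one request (a dict of attribute -> value)."""
    owner = lookup_owner(db, request.get("Calling-Station-Id"))
    if owner is None:
        return "reject", None      # missing, malformed or unlisted MAC: never fall through to accept
    return "accept", owner
```

Two points the code makes that the thread only implies: the value arrives from the NAS, so it is untrusted input and belongs in a parameterised query, and a missing or malformed Calling-Station-Id is a reject, never a fall-through to accept. Remember also Alan's terminology point: a MAC is an identifier, not a credential, so a known-MAC list authorises a device that claims an address; it does not authenticate it.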

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sunday, February 24, 2013, Alan DeKok wrote:

> Russell Mike wrote:
> > I also came across places where people are discussing EAP and MAC
> > authentication. I could not conclude whether MAC authentication using EAP
> > is a better way of doing it.
>
>   To be clear: you don't.  EAP is authentication.  MAC "authentication"
> is just checking if the MAC address is in a known list.
>
>   Terminology matters.  Using the right terminology means that the
> solution is usually simple.  Using the wrong terminology means you're
> using the wrong design.
>
> > How to store MACs in the MySQL database? Perhaps I need to
> > create an additional table to store MACs. Honestly, I am not sure how to go
> > about it. Is there any documentation that I may NOT know of and can
> > follow to finish the setup?
>
>   If all you want is a "known MAC" list, then just put them into a table
> in SQL.  Then, select MAC addresses from the table at run time.  If
> they're found, continue.  If not, reject.
>
>   Alan DeKok.
>


Dear Alan D.,

Thanks for the guidelines. Exactly, as you stated, I simply want to store MAC
addresses somewhere & compare them against the request. Can they be in
"radcheck"? Would you recommend that, or a separate table? Would storing MACs
in radcheck be the correct terminology?

Secondly, I would have a list of at most 500 MACs; how about listing them in
a file? Would reading from a file be considerably slower than from the DB? I
have no idea, because I have never used radius with files.

Thanks, Alan De., for your support ever.
Regards --RM

MAC-Auth + Freeradius + MySQL Database

2013-02-23 Thread Russell Mike
Greetings Dear Alan D. & List Members,

First of all, thank you very much for developing such an application. I need
help: I have a functional FreeRADIUS server with a MySQL backend, and I have
been asked to add MAC address authentication support for the servers. I googled
the topic and got many, many mail archive results; I tried to read those for
about a day before posting to the mailing list. In most of them administrators
are discussing troubleshooting topics, but I was searching for how to start
the implementation and the REQUIREMENTS. I also came across places where people
are discussing EAP and MAC authentication. I could not conclude whether MAC
authentication using EAP is a better way of doing it.

Finally, I came across the wiki documentation. Almost everything is there and it
is well explained as well, thanks. I now understand how it works. But the
SQL part is still a question.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

How to store MACs in the MySQL database? Perhaps I need to create an additional
table to store MACs. Honestly, I am not sure how to go about it. Is there any
documentation that I may NOT know of and can follow to finish the setup?

Great thanks for attending to this request, and thanks for your support ever
since!

Additional information: FR_v2.2 with Coova 1.3.0

Regards -- RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 5:28 PM, Phil Mayers wrote:

> On 19/02/13 16:09, Russell Mike wrote:
>
>> A.) Enable interim accounting
>>
>
> Yes
>
>> B.) Enable
>>
>> post-auth {
>>     update reply {
>>         Acct-Interim-Interval = 900
>>     }
>> }
>>
>
> Yes
>
>
>> C.) You said: You also need to ensure the
>> "accounting_update_query{,_alt}" are configured in your sql.conf;
>> this is the default.
>>
>> C1.) Unclear on this; I have nothing like this in my sql.conf
>>
>>  $INCLUDE sql/${database}/dialup.conf
>>
>
> See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf
>
>> D.) You said: I also found that sometimes removing the last
>> accounting record for the locked user in the radacct table won't work
>> and you need to set "/var/log/freeradius/radutmp" to null, to unlock
>> that user.
>>
>
> No, I didn't say that. Someone else did.
>
>
>> D1.) I use "radutmp" for Simultaneous-Use tracking. Do you mean it
>> should be disabled?
>>
>
> radutmp is inferior to SQL. There is no point in using both, and radutmp
> has problems.
>
>> I am clear with A & B. I need more help to tell us more about "C", what
>> exactly should be added in "sql.conf", and "D", how to set null
>>
>
> The default SQL schema and queries that come with the server support
> interim accounting. If you haven't changed them, you don't need to do anything
> for "C". Just tell the NAS to send interim accounting, and then check using
> debug/tcpdump/radsniff/whatever that it's actually doing that.
>



Dear Phil Mayers,

Thank you very much for your kind assistance and for being patient with slow
learners. You are such a gentleman indeed; I have no words to thank you for
helping us out step by step. Everything is clear at this point after
reading your message. I wish to thank you once again for attending to us in
your time.

Thanks / REGARDS   --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
>The more I read about this, the more complicated it gets!
>>
>
> It's quite simple in principle.
>
>
>Dear Phil, the first and third solutions you provided will work great
>> but their implementation is not that easy. As you said above, following
>> the first approach needs packet monitoring as well, which is not easy to
>> implement unless there be a log file/table in freeradius for this
>>
>
> I don't know what this means, I'm afraid.
>
>
>  packets. And the value for "acctsessiontime" is 0 until the user
>> disconnects and freeradius sets the correct value for this field and
>> some other fields in radacct table.
>>
>
> As I said, you need to enable interim accounting. If you do this, the NAS
> should send accounting packets at frequent intervals that update
> acctsessiontime, amongst other things.
>
> If your NAS doesn't support interim accounting, you're stuck.
>
> If it does, you should just need to set the interim interval, either
> statically on the NAS  or dynamically in the Access-Accept, like so:
>
> post-auth {
>   ...
>   update reply {
> # accounting packets every 15 minutes
> Acct-Interim-Interval = 900
>   }
>   ...
> }
>
> You also need to ensure the "accounting_update_query{,_alt}" are
> configured in your sql.conf; this is the default.
>
>
>
>>   I also found that sometimes removing the last accounting record for
>> the locked user in the radacct table won't work and you need to set
>> "/var/log/freeradius/radutmp" to null, to unlock that user.
>>
>
> Don't use utmp; disable the module if you are using SQL, it's unnecessary
> and bug prone.
>
>
>
>>   I wish there was a table for online users in NAS and we could compare
>> online user in NAS and online users in RADIUS and decide what to do.
>>
>
> Some devices do have this. It's vendor-specific, and often accessible via
> SNMP. Consult the docs for your NAS. Since this isn't a RADIUS question,
> it's best to look elsewhere for this.
>
>
>I am still looking forward for your helpful comments and suggestion on
>> this topic.
>>
>
> As above: enable interim accounting. The effects should be obvious if it
> works, and the next steps clear.
>
>
>


Hi Phil, thanks for taking the time to attend to this material. I am sure I
need to study more to work around the issue.


I understand three steps from your guidelines to get rid of this problem;
you can respond with just yes or no.

A.) Enable interim accounting

B.) Enable

post-auth {
    update reply {
        Acct-Interim-Interval = 900
    }
}

C.) You said: You also need to ensure the "accounting_update_query{,_alt}"
are configured in your sql.conf; this is the default.

C1.) Unclear on this; I have nothing like this in my sql.conf:

sql {
    server = "localhost"
    database = "mysql"
    driver = "rlm_sql_mysql"
    driver = "rlm_sql_${database}"     # duplicate key (same value); keep only one
    port = 3306
    login = "root"
    password = "x"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = yes
    read_groups = yes
    nas_table = "nas"
    sqltrace = yes                     # duplicate key, conflicting with sqltrace = no above; keep only one
    # the accounting_*_query definitions Phil refers to live in this included file
    $INCLUDE sql/${database}/dialup.conf
}


D.) You said: I also found that sometimes removing the last accounting
record for the locked user in the radacct table won't work and you need to
set "/var/log/freeradius/radutmp" to null, to unlock that user.

D1.) I use "radutmp" for Simultaneous-Use tracking. Do you mean it should
be disabled?


E.) Testing

I am clear with A & B. I need more help: tell us more about "C", what
exactly should be added in "sql.conf", and "D", how to set
"/var/log/freeradius/radutmp" to null.

Please do not think I want you to do all of it for me. Since you have helped
us this far, please clarify C and D for us to put the fix in place.

Thanks Phil

Regards --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 11:23 AM, Mobin Yazarlou wrote:

>
> On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike wrote:
>
>>
>>
>> On Monday, February 18, 2013, Mobin Yazarlou wrote:
>>
>>>
>>>
>>> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers wrote:
>>>
>>>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>>>
>>>>> Hi,
>>>>>   I am using freeradius v2.1.12 with MySQL support and noticed if a
>>>>> user
>>>>> disconnect when radius server is down, NAS can not inform radius about
>>>>> user being disconnected and radius assume user is still online after
>>>>> coming up again. This restricts user from connecting again when you set
>>>>> simultaneous-use to 1.
>>>>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>>>>
>>>>
>>>> RADIUS uses UDP, and NASes don't "save" accounting packets which don't
>>>> get a reply; they usually send 1-5 attempts over a few seconds, then give
>>>> up (or move to the 2nd RADIUS server).
>>>>
>>>> You need to take this into account.
>>>>
>>>> Possible solutions include some combination of:
>>>>
>>>>  1. Use interim accounting. Then, use a script to expire any sessions
>>>> which have not seen accounting packets in X*interim-interval; X==3 for
>>>> example
>>>>
>>>>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
>>>> servers configured. Use one of several configs to write the accounting data
>>>> to a robust, replicated database. One way to do this is with the "robust"
>>>> accounting that comes with FreeRADIUS.
>>>>
>>>>  3. Use a script to check your NASes active sessions and compare to
>>>> accounting data at a certain interval.
>>>>
>>>> ...and so on.
>>>>
>>>
>>>
>>> Hi,
>>>  Thank you for the quick reply Phil. The solutions you have provided
>>> brought new thing into my mind.
>>>  I was thinking about similar scenarios that I found out if NAS crashes,
>>> same thing will happen. Clients will get disconnected due to NAS
>>> unavailability and when NAS is unavailable, radius won't be notified about
>>> users getting disconnected.
>>>  By taking this into consideration, the most effective solution would be
>>> the first or the third approach you have listed. And between this two
>>> solutions, the last one seems to be easier to implement.
>>>
>>>  Please correct me if I am wrong.
>>>
>>> Thank you,
>>> Moby
>>>
>>
>> Hi Phil & Moby,
>>
>> I am also interested in this solution since I am experiencing the same
>> problem. I liked solution no. 1.
>>
>> But I have no idea where I can get that script; I can modify it if I have
>> one.
>>
>> Thanks / RM--
>>
>>
>>
>>
>
>
> Hi Mike,
>  I have now been looking for an hour for a built-in solution or a
> ready-to-use script. The only thing I found was the Idle-Timeout attribute
> (http://freeradius.org/rfc/rfc2865.html#Idle-Timeout).
> This problem could be solved if RADIUS was responsible for handling this
> attribute but from what I read, it's the NAS's responsibility.
>
>  I hope someone helps us to find the easiest and most effective solution.
>
> Thank you,
> Moby
>
>
>
Dear Moby,

That is brilliant. I also read up after your advice, and I feel that nothing
can be easier or more effective than this: once FreeRADIUS knows the idle
timeout value, the user can be logged out by FreeRADIUS, which is what we were
trying to do. Let's use it and see; I trust that it will do.

Great thanks!! For helping the community by sharing solutions.

Thanks Moby & Phil


Regards --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 11:08 AM, Phil Mayers wrote:

> On 19/02/13 06:53, Russell Mike wrote:
>
>> Hi Phil & Moby,
>>
>> I am also interested in this solution since I am experiencing the same
>> problem. I liked solution no. 1.
>>
>> But I have no idea where I can get that script; I can modify it if I
>> have one.
>>
>
> It's a pretty simple script. Depending on your SQL database, you just do a
> "select from radacct where acctstarttime + acctsessiontime < 'now - 2
> hours'" or whatever.
>
> It should be a 1-line SQL query.
>
> However - I should emphasise that interim accounting and expiring dead SQL
> sessions is no substitute for a resilient RADIUS service; you should really
> have two servers, and look to use robust accounting *as well* as interim
> acct.
>
>


Dear Phil,

Thanks for the guidelines again. Maintaining two radius servers seems to be the
simple and right solution, and it also offers high availability within the fix.
Do you think the problem would be solved if I have two radius servers configured
in the coova "config"?

Thanks / Regards
RM --
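
Phil's option 1 in this thread is interim accounting plus a script that closes sessions which have not been heard from in X interim intervals, and his message above gives the core of it as a one-line query on acctstarttime + acctsessiontime. The following is an added example, not code from this page or from FreeRADIUS, that implements that script in Python against an in-memory SQLite copy of the FreeRADIUS 2.x radacct columns it needs (column names as in the stock schema; the rows, the 12:00 "now" and the function names are constructed for the example). It uses the 900-second Acct-Interim-Interval from the thread and X = 3, and closes stale rows the way the lost Accounting-Stop would have, so a SQL Simultaneous-Use check stops counting them.

```python
import sqlite3

# Constructed values for the example; the real ones come from your Access-Accept and NAS.
INTERIM_INTERVAL = 900   # seconds, the Acct-Interim-Interval = 900 from the post-auth example
MISSED_UPDATES = 3       # Phil's X: a session is dead after this many interims failed to arrive

# The subset of the FreeRADIUS 2.x radacct table this check needs (column names as in the stock schema).
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    acctstarttime      TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS'
    acctstoptime       TEXT,            -- NULL while the server still believes the session is open
    acctsessiontime    INTEGER,         -- seconds, refreshed by every interim update
    acctterminatecause TEXT
)
"""

# Start time plus the last reported session time: the last moment the NAS was heard from.
LAST_SEEN = "datetime(acctstarttime, '+' || COALESCE(acctsessiontime, 0) || ' seconds')"

STALE_QUERY = f"""
SELECT radacctid, acctsessionid, username, {LAST_SEEN} AS last_seen
FROM radacct
WHERE acctstoptime IS NULL
  AND {LAST_SEEN} < datetime(?, ?)
ORDER BY radacctid
"""


def open_sample_db():
    """In-memory radacct with constructed rows: two live sessions, one dead one, one closed normally."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO radacct (acctsessionid, username, acctstarttime, acctstoptime, acctsessiontime) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("sess-A", "alice", "2013-02-19 10:00:00", None, 6300),                   # last interim 11:45
            ("sess-B", "bob",   "2013-02-19 08:00:00", None, 3600),                   # last interim 09:00, NAS died
            ("sess-C", "carol", "2013-02-19 07:00:00", "2013-02-19 07:30:00", 1800),  # Stop arrived normally
            ("sess-D", "dave",  "2013-02-19 11:50:00", None, 0),                      # just started, no interim yet
        ])
    db.commit()
    return db


def find_stale_sessions(db, now, interval=INTERIM_INTERVAL, missed=MISSED_UPDATES):
    """Open sessions whose last accounting packet is older than missed * interval seconds before now."""
    return db.execute(STALE_QUERY, (now, f"-{interval * missed} seconds")).fetchall()


def expire_stale_sessions(db, now, interval=INTERIM_INTERVAL, missed=MISSED_UPDATES):
    """Close stale rows the way the lost Accounting-Stop would have; returns the closed session ids."""
    stale = find_stale_sessions(db, now, interval, missed)
    for row in stale:
        db.execute(
            "UPDATE radacct SET acctstoptime = ?, acctterminatecause = 'Lost-Service' "
            "WHERE radacctid = ? AND acctstoptime IS NULL",
            (row["last_seen"], row["radacctid"]))
    db.commit()
    return [row["acctsessionid"] for row in stale]


def open_sessions(db, username):
    """What a SQL Simultaneous-Use check counts: rows still open for this user."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("closed:", expire_stale_sessions(db, "2013-02-19 12:00:00"))
```

Run it from cron at roughly one interim interval; for MySQL replace the SQLite datetime() expression with the equivalent DATE_ADD() and keep the query parameterised. The stop time written is the last moment the NAS was heard from, not the moment the script ran, so the session time stays honest for billing. As Phil says, this is a cleanup for the case where the Stop was lost, not a substitute for a second accounting server and robust accounting.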

Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike
On Monday, February 18, 2013, Mobin Yazarlou wrote:

>
>
> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers wrote:
>
>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>
>>> Hi,
>>>   I am using freeradius v2.1.12 with MySQL support and noticed if a user
>>> disconnect when radius server is down, NAS can not inform radius about
>>> user being disconnected and radius assume user is still online after
>>> coming up again. This restricts user from connecting again when you set
>>> simultaneous-use to 1.
>>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>>
>>
>> RADIUS uses UDP, and NASes don't "save" accounting packets which don't
>> get a reply; they usually send 1-5 attempts over a few seconds, then give
>> up (or move to the 2nd RADIUS server).
>>
>> You need to take this into account.
>>
>> Possible solutions include some combination of:
>>
>>  1. Use interim accounting. Then, use a script to expire any sessions
>> which have not seen accounting packets in X*interim-interval; X==3 for
>> example
>>
>>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
>> servers configured. Use one of several configs to write the accounting data
>> to a robust, replicated database. One way to do this is with the "robust"
>> accounting that comes with FreeRADIUS.
>>
>>  3. Use a script to check your NASes active sessions and compare to
>> accounting data at a certain interval.
>>
>> ...and so on.
>>
>
>
> Hi,
>  Thank you for the quick reply Phil. The solutions you have provided
> brought new thing into my mind.
>  I was thinking about similar scenarios that I found out if NAS crashes,
> same thing will happen. Clients will get disconnected due to NAS
> unavailability and when NAS is unavailable, radius won't be notified about
> users getting disconnected.
>  By taking this into consideration, the most effective solution would be
> the first or the third approach you have listed. And between this two
> solutions, the last one seems to be easier to implement.
>
>  Please correct me if I am wrong.
>
> Thank you,
> Moby
>

Hi Phil & Moby,

I am also interested in this solution, since I am experiencing the same problem.
I liked solution no. 1.

But I have no idea where I can get such a script; I could modify one if I had it.

Thanks / RM--
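The following is an added example, not code from this thread or from the FreeRADIUS project. It implements option 1 from Phil's list: with interim accounting turned on, a radacct row that has no Accounting-Stop and has not been updated for X interim intervals is treated as dead and closed, so Simultaneous-Use stops counting it. It assumes the FreeRADIUS 2.x default MySQL radacct columns (acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctterminatecause); the rows, the NAS addresses and the "Stale-Expired" terminate cause are constructed for the example. One caveat the thread only hints at: a NAS that never sends interim updates makes every live session look stale, so the sweep is limited to NASes known to send them.

```python
"""Expire radacct sessions that have gone silent (added example).

With interim accounting enabled, a session that still has no Accounting-Stop
and whose last update is older than MISSED_UPDATES * INTERIM_INTERVAL is
assumed dead (the NAS could not deliver the Stop while RADIUS was down) and
is closed in radacct, so Simultaneous-Use stops counting it.

Assumed (not from the thread): the FreeRADIUS 2.x default MySQL radacct
columns named below. The rows, NAS addresses and the 'Stale-Expired'
terminate cause are constructed for this example.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Session = namedtuple(
    "Session",
    "radacctid username nasipaddress acctstarttime acctupdatetime acctstoptime",
)

INTERIM_INTERVAL = timedelta(minutes=5)   # Acct-Interim-Interval handed to the NAS
MISSED_UPDATES = 3                        # X in "X * interim-interval"
# Only sweep NASes known to send interim updates; a NAS that never sends them
# would make every live session look stale.
INTERIM_NASES = {"192.0.2.10"}

NOW = datetime(2013, 2, 18, 12, 0)        # constructed "current time" for the demo

# Constructed rows standing in for SELECT ... FROM radacct WHERE acctstoptime IS NULL
SAMPLE_ROWS = [
    Session(1, "alice", "192.0.2.10", datetime(2013, 2, 18, 11, 0), datetime(2013, 2, 18, 11, 55), None),
    Session(2, "bob", "192.0.2.10", datetime(2013, 2, 18, 10, 0), datetime(2013, 2, 18, 11, 30), None),
    Session(3, "carol", "192.0.2.10", datetime(2013, 2, 18, 11, 50), None, None),
    Session(4, "dave", "192.0.2.10", datetime(2013, 2, 18, 9, 0), datetime(2013, 2, 18, 9, 40), datetime(2013, 2, 18, 9, 45)),
    Session(5, "erin", "198.51.100.7", datetime(2013, 2, 18, 10, 0), None, None),
]


def last_seen(session):
    """acctupdatetime is NULL until the first interim update; use the start time then."""
    return session.acctupdatetime or session.acctstarttime


def stale_sessions(rows, now, interim=INTERIM_INTERVAL, missed=MISSED_UPDATES,
                   interim_nases=INTERIM_NASES):
    """Open sessions from interim-capable NASes with no accounting for `missed` intervals."""
    cutoff = now - missed * interim
    return [
        s for s in rows
        if s.acctstoptime is None
        and s.nasipaddress in interim_nases
        and last_seen(s) < cutoff
    ]


def close_statement(session, now):
    """Parameterised UPDATE for one stale row (never splice values into the SQL text).

    acctsessiontime is set to the duration the NAS last confirmed, not to now-start,
    and the acctstoptime IS NULL guard keeps a late Accounting-Stop from being overwritten.
    """
    sql = (
        "UPDATE radacct "
        "SET acctstoptime = %s, acctsessiontime = %s, acctterminatecause = %s "
        "WHERE radacctid = %s AND acctstoptime IS NULL"
    )
    known_duration = int((last_seen(session) - session.acctstarttime).total_seconds())
    return sql, (now, known_duration, "Stale-Expired", session.radacctid)


def expire(rows, now):
    """Return the (sql, params) pairs a cron job would hand to cursor.execute()."""
    return [close_statement(s, now) for s in stale_sessions(rows, now)]


if __name__ == "__main__":
    for sql, params in expire(SAMPLE_ROWS, NOW):
        print(sql, params)
```

Run the statements from cron at the interim interval, handing the parameter tuple to the DB driver separately from the SQL text. Closing a row does not disconnect the user: if the session is in fact still up, the same account can now log in a second time, so pick X with that trade-off in mind.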

Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike
On Monday, February 18, 2013, Phil Mayers wrote:

> On 18/02/13 18:02, Mobin Yazarlou wrote:
>
>> Hi,
>>   I am using freeradius v2.1.12 with MySQL support and noticed that if a user
>> disconnects when the radius server is down, the NAS cannot inform radius about
>> the user being disconnected, and radius assumes the user is still online after
>> coming up again. This restricts the user from connecting again when you set
>> simultaneous-use to 1.
>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>
>
> RADIUS uses UDP, and NASes don't "save" accounting packets which don't get
> a reply; they usually send 1-5 attempts over a few seconds, then give up
> (or move to the 2nd RADIUS server).
>
> You need to take this into account.
>
> Possible solutions include some combination of:
>
>  1. Use interim accounting. Then, use a script to expire any sessions
> which have not seen accounting packets in X*interim-interval; X==3 for
> example
>
>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
> servers configured. Use one of several configs to write the accounting data
> to a robust, replicated database. One way to do this is with the "robust"
> accounting that comes with FreeRADIUS.
>
>  3. Use a script to check your NASes active sessions and compare to
> accounting data at a certain interval.
>
> ...and so on.
>


Hi,

Very good and elaborate response; it also helped me. The quality of information
was superb. Thanks, man.
RM --

Re: radiusd starts but rejects test user

2013-02-15 Thread Russell Mike
On Fri, Feb 15, 2013 at 3:50 PM,  wrote:

> Hi,
>
> >I am new to radius. I have installed the freeradius to my linux and
> after
> >starting radiusd -X
> >I executed radtest tool for testing as below but it could not get
> >authenticated and Access-Reject returned.
> >$ radtest testing password localhost 0 testing123
> >Can anyone please help me in fixing this issue? Below is radtest and
> >radiusd log in debug mode.
> >/root>radtest testing password 127.0.0.1 0 testing123
> >Sending Access-Request of id 251 to 127.0.0.1 port 1812
> >User-Name = "testing"
> >User-Password = "password"
> >NAS-IP-Address = 127.0.1.1
> >NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251,
> >length=20
>
> I *assume* that you put
>
> testing Cleartext-Password := "password"
>
> at the top of the $RADDB/users  file?
>
>
> alan
>
>

Hi,
You might have seen the error in the debug output. As Alan indicated, it is an
authentication problem. He has also given the solution.

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT

Thanks
RM --

Re: DHCP reply don't go out

2013-02-12 Thread Russell Mike
Is there any layer 3 device between the client and the DHCP server? Then you need
a DHCP relay agent; if that is not the case, check the firewall.
Thanks

On Tuesday, February 12, 2013, Michele Pinassi wrote:

> Hi all,
>
> i've just installed a FreeRadius server 2.2.0 with DHCP support because
> i need a dhcp server that uses MySQL as a backend.
>
> My network topology is:
>
> eth0  inet addr:193.205.4.xxx [PUBLIC]
> eth1  inet addr:172.20.1.2 [PRIVATE]
>
> all dhcp requests and reply should come from eth1. Here is freeradius -X
> dump:
>
> FreeRADIUS Version 2.2.0, for host i486-pc-linux-gnu, built on Sep 20
> 2012 at 13:37:59
> Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/mods-enabled/
> including configuration file /etc/freeradius/mods-enabled/replicate
> including configuration file /etc/freeradius/mods-enabled/smsotp
> including configuration file /etc/freeradius/mods-enabled/preprocess
> including configuration file /etc/freeradius/mods-enabled/ldap
> including configuration file /etc/freeradius/mods-enabled/counter
> including configuration file /etc/freeradius/mods-enabled/detail.log
> including configuration file /etc/freeradius/mods-enabled/otp
> including configuration file /etc/freeradius/mods-enabled/inner-eap
> including configuration file /etc/freeradius/mods-enabled/acct_unique
> including configuration file /etc/freeradius/mods-enabled/wimax
> including configuration file /etc/freeradius/mods-enabled/dynamic_clients
> including configuration file /etc/freeradius/mods-enabled/etc_group
> including configuration file /etc/freeradius/mods-enabled/redis
> including configuration file /etc/freeradius/mods-enabled/cui
> including configuration file /etc/freeradius/mods-enabled/ntlm_auth
> including configuration file /etc/freeradius/mods-enabled/cache
> including configuration file /etc/freeradius/mods-enabled/mac2ip
> including configuration file /etc/freeradius/mods-enabled/dhcp_sqlippool
> including configuration file /etc/freeradius/sql/mysql/ippool-dhcp.conf
> including configuration file /etc/freeradius/mods-enabled/policy
> including configuration file /etc/freeradius/mods-enabled/expiration
> including configuration file /etc/freeradius/mods-enabled/logintime
> including configuration file /etc/freeradius/mods-enabled/radutmp
> including configuration file /etc/freeradius/mods-enabled/smbpasswd
> including configuration file /etc/freeradius/mods-enabled/ippool
> including configuration file /etc/freeradius/mods-enabled/rediswho
> including configuration file /etc/freeradius/mods-enabled/pam
> including configuration file /etc/freeradius/mods-enabled/soh
> including configuration file /etc/freeradius/mods-enabled/
> detail.example.com
> including configuration file /etc/freeradius/mods-enabled/realm
> including configuration file /etc/freeradius/mods-enabled/mac2vlan
> including configuration file /etc/freeradius/mods-enabled/attr_filter
> including configuration file /etc/freeradius/mods-enabled/exec
> including configuration file /etc/freeradius/mods-enabled/pap
> including configuration file /etc/freeradius/mods-enabled/unix
> including configuration file /etc/freeradius/mods-enabled/passwd
> including configuration file /etc/freeradius/mods-enabled/echo
> including configuration file /etc/freeradius/mods-enabled/sradutmp
> including configuration file /etc/freeradius/mods-enabled/always
> including configuration file /etc/freeradius/mods-enabled/checkval
> including configuration file /etc/freeradius/mods-enabled/chap
> including configuration file /etc/freeradius/mods-enabled/mschap
> including configuration file /etc/freeradius/mods-enabled/krb5
> including configuration file /etc/freeradius/mods-enabled/sql_log
> including configuration file /etc/freeradius/mods-enabled/attr_rewrite
> including configuration file /etc/freeradius/mods-enabled/files
> including configuration file /etc/freeradius/mods-enabled/perl
> including configuration file /etc/freeradius/mods-enabled/radrelay
> including configuration file
> /etc/freeradius/mods-enabled/sqlcounter_expire_on_login
> including configuration file /etc/freeradius/mods-enabled/expr
> including configuration file /etc/freeradius/mods-enabled/linelog
> including configuration file /etc/freeradius/mods-enabled/opendirectory
> including configuration file /etc/freeradius/mods-enabled/detail
> including configuration file /etc/freeradius/mods-enabled/digest
> including configuration file /etc/freeradius/eap.conf
> including configuration file /etc/freeradius/sql.conf
> including configuration file /etc/freeradius/sqlippool.c

Re: Load Balancing Issue

2013-02-12 Thread Russell Mike
You are talking about many different things at the same time.

You want to improve the response time of authentication. Is your database indexed?
Thanks

On Tuesday, February 12, 2013, Muhammad Nadeem wrote:

> thanks alan
> Actually I am using load balancing for rapid authentication of users. Let's
> suppose I have one proxy server that is proxying incoming requests to these
> five servers. Theoretically the speed of authentication should be fast. But
> in my case it is too slow.
> I have changed 'max_requests' in radiusd.conf. And also removed
> unnecessary processing on the radius server (that is proxying requests). Now
> tell me what else can I do?? :(
>
> Though I am a newbie in RADIUS, I think the proxy server is the bottleneck???
>
>
> On Tue, Feb 12, 2013 at 1:44 PM, a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi,
>>
>> >I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the
>> speed
>> >of user authentication. To achieve this I configured Load Balancing
>> (with
>> >realms). I have a proxy Freeradius server, that is just proxying
>> requests
>> >to 2 other freeradius servers.
>>
>> you only asked this question less than 2 hours ago.
>>
>> okay, you need to see why the proxy is causing a x3 factor in slowdown?
>> run the servers in full debug mode with timestamps and check to see where
>> your delay is... don't throw 10 million requests at it though, just a dozen
>> should be enough in the first instance to see where the hit is. I'd assume
>> that you haven't made any configuration changes or tweaked any configs... in
>> which case your proxy box is probably not ready to be dealing with that many
>> in-transit requests (whereas the authentication servers can handle multiple
>> requests per thread) - so, some basic tweaking will probably do something
>>
>> ..though I think you've already found that you don't need to load-balance
>> ;-)
>>
>> alan
>>
>
>
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
>

Re: free radius output attributes configuration

2013-02-06 Thread Russell Mike
What are output attributes?


On Wed, Feb 6, 2013 at 10:19 AM, Lakshmi Narayana Baliah <
lb0074...@techmahindra.com> wrote:

> Hi All,
>
> How can I configure output attributes in FreeRADIUS?
> How do I do that??? Please help.
>
>
> Thanks
> Lakshmi
>
>
>
>

Re: Realm

2013-01-23 Thread Russell Mike
On Wed, Jan 23, 2013 at 2:47 PM, Miha  wrote:

>  Hi,
>
> my radius client is sending, along with user-name and password, also a realm. I
> cannot disable sending the realm; is it possible to configure radius so that it
> will not use the realm with the user-name (user-name@realm)?

I only know that it is a function of the proxy (realm), if that helps. Are you
including proxy.conf?

R M

Re: Usage Limit and Accounting Plan

2013-01-22 Thread Russell Mike
On Tue, Jan 22, 2013 at 10:17 AM, Sokphak TOUCH wrote:

> Thanks, Russell, for your response. It would be more appreciated if you could
> share some documents. In the meantime I will be doing research about it.
>
> Regards,
> Sokphak

Understand the concept here; it is very easy with FreeRADIUS:
http://wiki.freeradius.org/modules/Rlm_sqlcounter
Thanks



Re: Usage Limit and Accounting Plan

2013-01-22 Thread Russell Mike
1. I need to limit the user monthly usage, for example bandwidth 2Mbps with
5GB monthly usage.

1a.) You would not need a script; you need "RLM SQLCOUNTER" to limit the
daily/weekly/monthly traffic quota.
1b.) You need to control the bandwidth using RADIUS and RADIUS client
attributes, such as WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up.

Thanks

Re: rlm_sqlcounter always return 0 Resolved !!!!!

2013-01-07 Thread Mike Russell
On Tue, Jan 8, 2013 at 12:05 AM, Alan DeKok wrote:

> Alan DeKok Wrote:
>
> The sqlcounter module should be pretty simple.  Configure accounting data
> to go into SQL, and ensure that the server is receiving accounting packets.
>  Then, configure the sqlcounter module.
>
> My rlm_sqlnoresetcounter module:
>
> sqlcounter noresetcounter {
> counter-name = Max-All-Session-Time
> check-name = Max-All-Session
> sqlmod-inst = sql
> key = User-Name
> reset = never
> query = "SELECT IFNULL(SUM(AcctSessionTime),0)
> FROM radacct WHERE UserName='${key}'"
> }


Alan DeKok Wrote:

You edited the default configuration, and broke it.  Don't do that. The
default uses %{${key}}, not ${key}.  They're different.

Russell Wrote:
Yes, Alan D.
That's brilliant. You hit the nail on the head straight; your advice fixed
the problem. Configuration is now working!!!

The counter is returning the values back and prepaid users are under control now.
I was struggling for about a week now. Billions of thanks, man. The world
is grateful for the work you are doing.

Secondly, you are right, I broke the server by changing the variable in the
query. I was advised to make changes and I did it wrong **my
mistake**. Kindly advise me on these warnings as well. Can I safely ignore
them? They caused me to change the default query.

When I start the server in debug mode and users authenticate, I get these
two lines. Are they safe to ignore?

WARNING: Please replace '%k' with '${key}'
WARNING: Please replace '%S' with '${sqlmod-inst}'

Thanks Alan, you saved my life.
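An added example, not FreeRADIUS code, that reproduces the two points settled in this thread and in the "Usage Limit and Accounting Plan" thread above: why `${key}` in the query produced the literal UserName='User-Name' in the debug output while `%{${key}}` gives the user's name, and how the counter then turns a reset period and a check item into an accept or a reject. The request dict, the radacct tuples and escape_literal() (a simplified stand-in for rlm_sql's escaping of the expanded user name) are constructed here; the two expansion passes, the daily/monthly/never periods and the counter-versus-check decision follow the module's behaviour as discussed in the thread.

```python
"""Two-pass expansion and quota decision of rlm_sqlcounter (added example, not FreeRADIUS code).

${var} is replaced with the module's own config *text* when the config is
loaded; %{Attr} is replaced with a request attribute's *value* per request.
That is why UserName='${key}' becomes the literal UserName='User-Name' and
never matches a row, while UserName='%{${key}}' becomes %{User-Name} at load
time and the real user name at request time.

Constructed here: the request dict, the radacct tuples, and escape_literal()
as a simplified stand-in for rlm_sql's escaping of the expanded user name.
"""
import re
from datetime import datetime

MODULE_CONFIG = {"key": "User-Name", "sqlmod-inst": "sql"}   # the module block's own items

BROKEN_QUERY = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='${key}'"
FIXED_QUERY = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{${key}}'"


def expand_config(text, config=MODULE_CONFIG):
    """Pass 1 (config load): ${key} -> the string 'User-Name'."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: config[m.group(1)], text)


def escape_literal(value):
    """Keep a user-controlled value inside its SQL string literal."""
    return str(value).replace("\\", "\\\\").replace("'", "''")


def expand_runtime(text, request):
    """Pass 2 (per request): %{User-Name} -> the escaped attribute value."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_literal(request.get(m.group(1), "")), text)


def expand(text, request):
    return expand_runtime(expand_config(text), request)


def period_start(reset, now):
    """Start of the counter period (what the module substitutes for %b); None = never reset."""
    if reset == "never":
        return None
    if reset == "daily":
        return datetime(now.year, now.month, now.day)
    if reset == "monthly":
        return datetime(now.year, now.month, 1)
    raise ValueError("unsupported reset value: %r" % reset)


# Constructed radacct rows: (UserName, AcctStartTime, AcctSessionTime, AcctInputOctets + AcctOutputOctets)
RADACCT = [
    ("KV60Rp2vtrEe5B", datetime(2013, 1, 5, 9, 0), 1800, 300_000_000),
    ("KV60Rp2vtrEe5B", datetime(2013, 1, 7, 20, 0), 900, 150_000_000),
    ("KV60Rp2vtrEe5B", datetime(2012, 12, 30, 8, 0), 2400, 4_000_000_000),  # previous month
    ("someone-else", datetime(2013, 1, 7, 21, 0), 3600, 1),
]
NOW = datetime(2013, 1, 7, 23, 0)   # constructed request time


def counter(username, column, reset, now, rows=RADACCT):
    """What the counter query returns: this user's usage since the period start."""
    start = period_start(reset, now)
    idx = {"AcctSessionTime": 2, "Octets": 3}[column]
    return sum(r[idx] for r in rows
               if r[0] == username and (start is None or r[1] >= start))


def authorize(check_value, counter_value):
    """The module's decision: reject at or over the check item, else the remaining allowance."""
    if counter_value >= check_value:
        return "reject", 0
    return "ok", check_value - counter_value


if __name__ == "__main__":
    request = {"User-Name": "KV60Rp2vtrEe5B"}
    print(expand(BROKEN_QUERY, request))
    print(expand(FIXED_QUERY, request))
    used = counter(request["User-Name"], "AcctSessionTime", "never", NOW)
    print(authorize(3600, used))   # Max-All-Session := 3600 as the check item
```

The escaping step is the reason the server expands the user name through the sql module rather than splicing it in: a User-Name is attacker-chosen text that ends up inside a SQL literal.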

Fwd: rlm_sqlcounter always return 0

2013-01-07 Thread Mike Russell
Dear Alan D. & List Users,

I am reposting this message only because it bounced last time due to a size error.
I tried to reduce the size, but then there was less information to see. Apologies if it
was sent, but I received a bounce and no response from any member.

---: Original Message : ---

I tried to search the mail archives for a similar topic but did not find
matching results. Then I read the wiki again to crosscheck that I had done it
well before posting on the mailing list. I am sorry if a similar post has
been answered before. I have a problem with the "rlm_sqlcounter" module. That is,
"noresetcounter" always returns "0". But if I manually run the query to
grep the user's accounting data from the MySQL DB, I get accounting results. It
seems that everything is in place, but I am unable to see why the SQL counter still
returns zero, whereas dailycounter works fine without any problem.

My rlm_sqlnoresetcounter module:

sqlcounter noresetcounter {
driver = rlm_sqlcounter
counter-name = Max-All-Session-Time
check-name = Max-All-Session
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='${key}'"
}

To Prove the point i would also need to send radtest results for comparison:

rad_recv: Access-Request packet from host 127.0.0.1 port 47871, id=159,
length=84
User-Name = "KV60Rp2vtrEe5B"
User-Password = "yuxNtwKbSH"
NAS-IP-Address = 31.241.205.211
NAS-Port = 1812
Message-Authenticator = 0x2e53acc3936310719d3dc335a640afd4
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "KV60Rp2vtrEe5B", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> KV60Rp2vtrEe5B
[sql] sql_set_user escaped user --> 'KV60Rp2vtrEe5B'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id -> SELECT id, username, attribute, value, op   FROM radcheck
  WHERE username = 'KV60Rp2vtrEe5B'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY
id -> SELECT id, username, attribute, value, op   FROM radreply
  WHERE username = 'KV60Rp2vtrEe5B'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'KV60Rp2vtrEe5B'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   Value, op
  FROM radgroupcheck   WHERE groupname = 'One_Hour_Access'
  ORDER BY id
[sql] User found in group One_Hour_Access
[sql]   expand: SELECT id, groupname, attribute,   value, op
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,   value, op
  FROM radgroupreply   WHERE groupname = 'One_Hour_Access'
  ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[pap] returns updated
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='User-Name''
[noresetcounter]expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='User-Name' -> SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='User-Name'


WARNING: Please replace '%S' with '${sqlmod-inst}'


sqlcounter_expand:  '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='User-Name'}'
[noresetcounter] sql_xlat
[noresetcounter]expand: %{User-Name} -> KV60Rp2vtrEe5B
[noresetcounter] sql_set_user escaped user --> 'KV60Rp2vtrEe5B'
[noresetcounter]expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='User-Name' -> SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='User-Name'
rlm_sql (sql): Reserving sql socket id: 2
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
[noresetcounter]expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='User-Name'} -> 0
rlm_sqlcounter: Check item is greater than query result




 rlm_sqlcounter: Authorized use

Re: Eduroam & FreeRadius not working so well

2012-12-10 Thread Mike Diggins


On Sun, 9 Dec 2012, Alan Buxey wrote:


Hi,


This looks like something I should be doing but I have no idea where
to insert this section. Is it in proxy.conf or somewhere else? And


in the authorize section of your virtual server, straight after the 
preprocess/suffix/realm
module calls (ie before any real authorization action)


With this configuration, I guess I don't need realm's LOCAL or NULL?


correct - you will deal with your LOCAL realm by handling your defined realm.
with eduroam you don't want to EVER authenticate a user who hasn't provided
a realm - because, for your own users, they may work fine when they are at
your site... they then think/believe their configuration works... and then find it
doesn't work when they go to another eduroam site... and then they'll blame
that site, your site or eduroam.   best policy for eduroam is ALWAYS ensure
a realm is defined on the client



ok, both the default and inner-tunnel, I assume?

I added the section to "authorize", but the DEBUG output indicates the 
regular expression is rejecting a valid user. Is there someone that could 
confirm the RE?


if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
...

[suffix] Looking up realm "domain.ca" for User-Name = "mdigg...@domain.ca"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user mdiggins to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/)
? Evaluating (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> 
FALSE

++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> FALSE
++- entering else else {...}
+++[reply] returns noop
+++[reject] returns reject
++- else else returns reject

-Mike



Re: Eduroam & FreeRadius not working so well

2012-12-09 Thread Mike Diggins


On Thu, 6 Dec 2012, Phil Mayers wrote:


On 12/06/2012 10:16 AM, Alan Buxey wrote:

Hi,


home_server_pool EDUROAM-FTLR {
 type= fail-over
 home_server = proxy1
 home_server = proxy2
}


I would use:

type = client-port-balance


to balance between the 2. (that method ensures the EAP goes to one remote 
server)



realm DEFAULT {
 pool = EDUROAM-FTLR
 nostrip
}


hmm, this isn't best practice if that's all you have for throwing stuff
upstream. would strongly recommend using unlang to validate that the user has
a valid realm etc and then update the request to use a realm identifier (eg
eduroam) and use that in proxy.conf instead - thus you are only sending valid
users upstream (and not all the random typos and junk) as the upstream servers
will like you more for that - and won't be dropping requests and messing

you up.



To expand on Alan's statement a bit here - it's possible that users are 
associating with your eduroam SSID and sending all kinds of nonsense (I think 
the best I've seen is:


user@domainuser@domain

...and that the upstream RADIUS servers are not replying, which is causing 
you to get these dropouts.


You probably want something like this:

authorize {
 if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
   # user has a valid-looking realm
   update request {
 Stripped-User-Name := "%{1}"
 Realm = "%{toupper:%{2}}"
   }
 }
 else {
   # malformed NAI
   update reply {
 Reply-Message := "malformed username"
   }
   reject
 }

 if (Realm == MY.REALM) {
  ...
 }
 else {
   update control {
 Proxy-To-Realm := DEFAULT
   }
 }



This looks like something I should be doing but I have no idea where to 
insert this section. Is it in proxy.conf or somewhere else? And that last 
section for my own realm, would it look like this (you're converting the 
Realm to upper case, right?)


  if (Realm == MY.REALM) {
   update control {
  Proxy-To-Realm := MY.REALM
}
  }
  else {
update control {
  Proxy-To-Realm := DEFAULT
}
  }

With this configuration, I guess I don't need realm's LOCAL or NULL?

-Mike

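An added example, not the project's or Phil Mayers' code, that does in Python what the unlang block above does: split User-Name into Stripped-User-Name and an upper-cased Realm, reject anything that is not a well-formed NAI (including the "user@domainuser@domain" junk Phil mentions), handle the site's own realm locally and proxy the rest to DEFAULT. The regex is the posted one with the config file's doubled backslash written as a single one; MY_REALM is a constructed placeholder. It also shows that the posted character classes admit upper-case letters only: Python's re is case-sensitive by default, so that pattern alone rejects the lower-case realm from Mike's debug output in the later message. The thread does not say how the server compiles the pattern, so treat that as one thing to check rather than as the diagnosis.

```python
"""NAI (user@realm) validation and routing, mirroring the unlang posted in
this thread (added example; not the project's or Phil Mayers' code).

The unlang regex /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/ is written below in
Python syntax: the doubled backslash from the config file becomes a single
one. MY_REALM is a constructed placeholder for the site's own realm.
"""
import re

# Same character classes as the posted condition: upper-case letters only.
NAI_UPPER_ONLY = re.compile(r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$")
# Same structure, either letter case accepted.
NAI_ANY_CASE = re.compile(r"^([^@]*)@([-A-Za-z0-9]+(\.[-A-Za-z0-9]+)+)$")

MY_REALM = "MY.REALM"   # constructed placeholder


def parse_nai(user_name, pattern=NAI_ANY_CASE):
    """Return (Stripped-User-Name, REALM) for a well-formed NAI, else None.

    [^@]* allows an empty user part, so "@realm" outer identities pass; two '@'
    signs or a realm without a dot do not.
    """
    m = pattern.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2).upper()      # %{1}, %{toupper:%{2}}


def route(user_name, my_realm=MY_REALM, pattern=NAI_ANY_CASE):
    """The authorize decision: reject junk, handle our realm locally, proxy the rest."""
    parsed = parse_nai(user_name, pattern)
    if parsed is None:
        return {"action": "reject", "Reply-Message": "malformed username"}
    user, realm = parsed
    decision = {"Stripped-User-Name": user, "Realm": realm}
    if realm == my_realm:
        decision["action"] = "local"
    else:
        decision["action"] = "proxy"
        decision["Proxy-To-Realm"] = "DEFAULT"
    return decision


# Constructed sample identities; the first two come from what the thread shows.
SAMPLES = [
    "mdiggins@domain.ca",       # user and realm from Mike's debug output
    "user@domainuser@domain",   # the junk Phil mentions: two '@'
    "anonymous@MY.REALM",       # our own realm: handled locally
    "@eduroam.example",         # empty outer identity with a realm: passes
    "bob",                      # no realm at all
    "dave@localhost",           # single label, no dot: not a routable realm
]


def triage(samples=SAMPLES, pattern=NAI_ANY_CASE):
    """Map each identity to the action the authorize block would take."""
    return {s: route(s, pattern=pattern)["action"] for s in samples}


if __name__ == "__main__":
    for s in SAMPLES:
        print("%-26s any-case: %-7s upper-only: %s" % (
            s, route(s)["action"], route(s, pattern=NAI_UPPER_ONLY)["action"]))
```

The point of rejecting before proxying is the one Phil and Alan make: only requests that can actually be routed leave your server, so the upstream proxies never see the typos and junk, and you never authenticate a realm-less user locally by accident.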


Re: Eduroam & FreeRadius not working so well

2012-12-05 Thread Mike Diggins


This is my proxy.conf. The only value I've adjusted so far is response 
window (from 20 down to 5). Otherwise, I believe it's configured correctly 
to failover between the two home servers. I'll have to work on the debugs.



proxy server {
default_fallback= yes
}

home_server proxy1 {
type= auth+acct
ipaddr  = x.x.x.x
port= 1812
secret  = xx
response_window = 5
zombie_period   = 40
revive_interval = 60
status_check= status-server
check_interval  = 30
num_answers_to_alive= 3
}

home_server proxy2 {
type= auth+acct
ipaddr  = x.x.x.x
port= 1812
secret  = 
response_window = 5
zombie_period   = 40
revive_interval = 60
status_check= status-server
check_interval  = 30
num_answers_to_alive= 3
}

home_server_pool EDUROAM-FTLR {
type= fail-over
home_server = proxy1
home_server = proxy2
}

realm mydomain.ca {
  strip
}

realm LOCAL {
  nostrip
}

realm NULL {
  nostrip
}

realm DEFAULT {
pool = EDUROAM-FTLR
    nostrip
}

-Mike



On Wed, 5 Dec 2012, Alan Buxey wrote:


Hi,


This is the RedHat RPM which I believe are maintained by RedHat.
Hopefully they've back ported any major security issues!


got the changelog for the 2.1.12 RPM release you are running?


It does both authentication and proxy and I do have status-check
enabled. On the controller I increased the default timeout from 2
seconds up to 8 seconds. At the same time I lowered the


2 seconds is very low for international RADIUS proxying... the traffic
needs to get to the end site... and then be dealt with by the end site
(which may take 1 - many seconds to actually authenticate the user
once the tunnel is created). somewhere around 10 seconds is the maximum
I would expect for global roaming authentication via multiple proxy peers

the RADIUS server is at the mercy of the controller and the remote sites...
who might not be answering at all... they could just reject.

I haven't seen a sanity error message like that since the troublesome 2.1.7 -
2.1.9 days when the proxy code got some rewrites in places.

I wonder if your proxy.conf for the home server stuff is correct and not
flipping requests between remote proxies?

what does the server show/say in full debug mode with a test remote account?

alan





Re: Eduroam & FreeRadius not working so well

2012-12-05 Thread Mike Diggins


On Wed, 5 Dec 2012, John Dennis wrote:


On 12/05/2012 12:02 PM, Mike Diggins wrote:

On Wed, 5 Dec 2012, Alan Buxey wrote:


In the first instance, upgrade. There is a major security problem
with 2.1.x release. Get 2.2.x onto your system asap.


This is the RedHat RPM which I believe are maintained by RedHat.
Hopefully they've back ported any major security issues!


Red Hat takes security issues very seriously and we immediately addressed 
this issue, as we do all security issues.


However simply stating it's a Red Hat RPM does not answer the question as to 
whether you've been updated. For RHEL customers security fixes are one of the 
benefits of having a valid current subscription.


I have a valid current subscription and yum reports no updates for my 
freeradius install, so I'm assuming it's okay. I didn't want to dwell on 
the version though as I just upgraded from a much older release which 
didn't help with my problem.


-Mike


Re: Eduroam & FreeRadius not working so well

2012-12-05 Thread Mike Diggins



On Wed, 5 Dec 2012, Alan Buxey wrote:


In the first instance, upgrade. There is a major security problem with 2.1.x 
release. Get 2.2.x onto your system asap.


This is the RedHat RPM which I believe are maintained by RedHat. Hopefully 
they've back ported any major security issues!




What are your NAS (cisco controllers) timeouts? Is this box a pure proxy or 
does it do authentication too? Have you enabled Cisco's status-check system so 
it knows the RADIUS server isn't dead but just hasn't had a remote response yet?


It does both authentication and proxy and I do have status-check enabled. 
On the controller I increased the default timeout from 2 seconds up to 8 
seconds. At the same time I lowered the response_window for the two Home 
Servers from 20 seconds to 5 seconds, thinking the proxy would give up 
trying and respond to the controller before it timed out. That hasn't 
helped though. Perhaps I need to increase the controller timeout further.




Around 67% of eduroam sites in the UK use freeradius


I assumed it should work better than it is.

-Mike


Eduroam & FreeRadius not working so well

2012-12-04 Thread Mike Diggins


I'm running FreeRadius 2.1.12 on RedHat 6 as an Eduroam proxy server and 
having problems. My cisco wireless controllers are constantly failing back 
and forth between the primary and secondary systems. My logs show these 
errors when it happens:


Dec  4 19:12:18 server radiusd[32588]: Internal sanity check failed for 
child state
Dec  4 19:12:18 server radiusd[32588]: Reply from home server x.x.x.x port 
1812  - ID: 210 arrived too late for request 76479. Try increasing 
'retry_delay' or 'max_request_time'
Dec  4 19:13:18 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:26 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:34 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495
Dec  4 19:13:41 server radiusd[32588]: Internal sanity check failed for 
child state
Dec  4 19:13:41 server radiusd[32588]: Reply from home server x.x.x.x port 
1812  - ID: 102 arrived too late for request 76495. Try increasing 
'retry_delay' or 'max_request_time'
Dec  4 19:13:42 server radiusd[32588]: Discarding duplicate request from 
client ct5508 port 32770 - ID: 148 due to unfinished request 76495


I'm looking for some advice as to what timeouts to adjust that might help 
with the errors. I didn't want to start changing retry_delay or 
max_request_time without some advice first. Any suggestions? I have no 
control over the Home Servers or how long a request takes to complete and 
I don't know what's causing the sanity check failure!?


-Mike




Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-13 Thread Mike Diggins

On 13/10/2012 3:50 AM, Eero Volotinen wrote:
> 2012/10/12 Francois Gaudreault :
>> On 2012-10-12 1:22 PM, Mike Diggins wrote:
>>> Unable to read consumer identity
>> Because your RHN stuff appears to be broken.
> note that some of the freeradius stuff is located in the rhn-optional
> channel, which you must specify in the management portal for that machine.
>
That was it! Enabled the rhn-optional channel and now I see the other
FreeRadius rpms.

(Fixed my RHN stuff too. Didn't work but thanks for the suggestion)

-Mike


Re: FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
That's odd, why am I only seeing freeradius?

# yum info freeradius\* | grep Name
Unable to read consumer identity
Name: freeradius

-Mike

On 12/10/2012 12:22 PM, John Dennis wrote:
> On 10/12/2012 11:37 AM, Mike Diggins wrote:
>> I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
>> not realizing it didn't include mysql. However, I don't see a mysql
>> version available. Is there one that is updated by RedHat?
>
> $ yum info freeradius\* | grep Name
> Name: freeradius
> Name: freeradius-debuginfo
> Name: freeradius-krb5
> Name: freeradius-ldap
> Name: freeradius-mysql
> Name: freeradius-perl
> Name: freeradius-postgresql
> Name: freeradius-python
> Name: freeradius-unixODBC
> Name: freeradius-utils
>
>


FreedRadius mysql Redhat 6.3 missing?

2012-10-12 Thread Mike Diggins
I installed the RedHat 6.3 freeradius-2.1.12-4.el6_3.x86_64 rpm earlier,
not realizing it didn't include mysql. However, I don't see a mysql
version available. Is there one that is updated by RedHat?

-Mike



RedHat FreeRadius reload or restart?

2012-10-05 Thread Mike Diggins
I've been running the RedHat "version" of FreeRADIUS Version 2.1.3 for a
few years. Each morning I update the users authorization file and run
"service radius reload" for the changes to take effect. I recently
patched the system, which updated FreeRADIUS to version 2.1.12. I find
now that after reloading, using the same script, it appears to reload
successfully but my authentications (through ntlm_auth to an MS AD)
begin failing. If I instead use "service radiusd restart", it's fine.
Did anything change between versions that would explain this?

Oct  5 07:30:02 radserv radiusd[3825]: Login OK: [] (from client
wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:02 radserv radiusd[3825]: Login OK: [x] (from client
wlc-7 port 13 cli 6c-c2-6b-98-06-52)
Oct  5 07:30:02 radserv radiusd[15741]: Loaded virtual server 
Oct  5 07:30:02 radserv radiusd[15741]: Loaded virtual server inner-tunnel
Oct  5 07:30:02 radserv radiusd[15741]:  ... adding new socket proxy
address * port 0
Oct  5 07:30:02 radserv radiusd[3825]: Received HUP signal.
Oct  5 07:30:02 radserv radiusd[3825]: HUP - Re-reading configuration files
Oct  5 07:30:02 radserv radiusd[3825]: HUP - loading modules
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "radutmp"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "suffix"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module
"attr_filter.access_reject"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module
"attr_filter.accounting_response"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "detail"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "mschap"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "pap"
Oct  5 07:30:02 radserv radiusd[3825]:  Module: Reloaded module "files"
Oct  5 07:30:02 radserv radiusd[3825]: Loaded virtual server 
Oct  5 07:30:02 radserv radiusd[3825]: Loaded virtual server inner-tunnel
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect: [x] (from
client wlc-6 port 13 cli 00-26-08-e6-13-90)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:04 radserv radiusd[3825]: Login incorrect: [] (from
client wlc-7 port 13 cli 7c-11-be-c3-20-72)
Oct  5 07:30:05 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:05 radserv radiusd[3825]: Login incorrect: [x] (from
client wlc-6 port 13 cli 48-60-bc-f4-1d-31)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [x] (from client wlc-7 port 0 via TLS tunnel)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect (mschap: External
script says ): [xx] (from client wlc-6 port 0 via TLS tunnel)
Oct  5 07:30:07 radserv radiusd[3825]: Login incorrect: [] (from
client wlc-6 port 13 cli 48-60-bc-f4-1d-31)

-Mike



Re: Address already in use but server is not running

2012-05-28 Thread Mike Coles
Can you run lsof to see what process has the port open?
On May 28, 2012 5:35 PM, "Michael Aldridge"  wrote:

> I recently had to install debian 6.0 on one of my servers after a hard
> drive crash, and while I had freeradius running before, I can't seem to get
> it running now.
>
> I ran sudo apt-get install freeradius and hit enter to accept the
> additional packages, and I also installed dialup admin with the intention
> of getting to it after getting freeradius running, but now I am running
> into trouble with starting freeradius.  The install completed without
> errors, but running sudo ./freeradius -X produces the following:
>
>
> Failed binding to authentication address * port 1812: Address already in
> use
> /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port
> 1812
>
>
> I can post the full contents of the debug dump, but this appears to be the
> only point at which an error is encountered.  I am quite sure that there is
> not an instance already running, so I don't know what else could be using
> the port.  Any ideas?
>

Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
Phil,

I meant to say proxy-request, not proxy-reply.

Secondly, why would you need a log file to show an attribute expanding to 
nothing? I just told you it is expanding to nothing aka it has no assigned 
value once reaching the pre-proxy stage.



> Message: 3
> Date: Fri, 11 May 2012 18:07:40 +0100
> From: Phil Mayers 
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ldap attribute in pre-proxy possible?
> Message-ID: <4fad475c.7090...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 11/05/12 16:39, Mike wrote:
>> Hello,
>> 
>> Is it possible store and access an ldap attribute in pre-proxy? 1.
>> Attribute defined in dictionary 2. Attribute mapped in ldap.attrmap
>> 2. Trying to access using:
>> 
>> pre-proxy { If (%{reply:attributename} == "cookies" { update
>> proxy-reply { Whatever = "cookies" }} }
> 
> You can't update the proxy-reply in pre-proxy; there is no proxy-reply 
> at this stage.
> 
>> 
>> the problem is the attribute is expanding to nothing. This does work
>> in the auth section but i need to update the proxy msg. What am i
>> doing wrong?
> 
> We don't know, because we're not psychic and you didn't include a debug 
> of it failing.
> 
> 
> 
> --
> 
> Message: 4
> Date: Fri, 11 May 2012 13:42:29 -0400
> From: "Luo, Frank Y.F. Mr." 
> To: "freeradius-users@lists.freeradius.org"
>
> Subject: max_request
> Message-ID: <200cb918-2061-4829-a888-8901a235e...@muohio.edu>
> Content-Type: text/plain; charset="us-ascii"
> 
> So there is this setting max_request  that the server keeps track of. The 
> question is how i can find the current active request that the server keeps 
> track of. 
> 
> My experience is the server silently drops the connection if max_request is 
> reached. So I want to find out more info about the current status of the 
> server.
> 
> Thanks
> 
> Frank
> 
> 
> 
> --
> 
> Message: 5
> Date: Fri, 11 May 2012 20:25:06 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list
>
> Subject: Re: max_request
> Message-ID: <4fad5982.1080...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Luo, Frank Y.F. Mr. wrote:
>> So there is this setting max_request  that the server keeps track of. The 
>> question is how i can find the current active request that the server keeps 
>> track of. 
>> 
>> My experience is the server silently drops the connection if max_request is 
>> reached. So I want to find out more info about the current status of the 
>> server.
> 
>  In 2.1.12, there's no way to see that number in a "live" server.
> 
>  Alan DeKok.
> 
> 
> --
> 
> Message: 6
> Date: Fri, 11 May 2012 14:31:09 -0400
> From: "Luo, Frank Y.F. Mr." 
> To: FreeRadius users mailing list
>
> Subject: Re: max_request
> Message-ID: <0c11c863-c520-491d-ad91-320b65e54...@muohio.edu>
> Content-Type: text/plain; charset="us-ascii"
> 
> are you sure? 
> 
> Then how do i know I run out of request number and need to increase it?
> 
> Thanks
> 
> Frank
> On May 11, 2012, at 2:25 PM, Alan DeKok wrote:
> 
>> Luo, Frank Y.F. Mr. wrote:
>>> So there is this setting max_request  that the server keeps track of. The 
>>> question is how i can find the current active request that the server keeps 
>>> track of. 
>>> 
>>> My experience is the server silently drops the connection if max_request is 
>>> reached. So I want to find out more info about the current status of the 
>>> server.
>> 
>> In 2.1.12, there's no way to see that number in a "live" server.
>> 
>> Alan DeKok.
> 
> 
> 
> --
> 
> Message: 7
> Date: Fri, 11 May 2012 20:39:03 +0200
> From: Alan DeKok 
> To: FreeRadius users mailing list
>
> Subject: Re: max_request
> Message-ID: <4fad5cc7.1090...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Luo, Frank Y.F. Mr. wrote:
>> are you sure? 
>> 
>> Then how do i know I run out of request number and need to increase it?
> 
>  You read the logs.
> 
>  You CANNOT increase it while the server is running.
> 
>  The best approach is to set it to a large value, and ignore it.  If
> you get errors in the logs 

Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
Hello,

Is it possible to store and access an ldap attribute in pre-proxy? 
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
3. Trying to access using:

pre-proxy {
    if ("%{reply:attributename}" == "cookies") {
        update proxy-reply {
            Whatever = "cookies"
        }
    }
}

The problem is the attribute is expanding to nothing. This does work in the 
auth section but I need to update the proxy msg. What am I doing wrong?




Re: Accessing attribute in control list

2012-05-09 Thread Mike
Can anyone provide an answer? I have spent much time trying to make this work, 
trying different things, so if it's not possible please let me know.

On 2012-05-08, at 5:05 PM, Mike  wrote:

> 
>> 
>> Hi guys,
>> 
>> I am setting an attribute in the auth section of my config. I am able to 
>> access the attribute in the same section and perform unlang operations on 
>> said attribute; however, I am unable to access the same from the pre-proxy 
>> section of my config. The attribute just expands as blank.
>> 
>> Is this a limitation of the software or is there a way I can access this 
>> attribute set in one section from another?
>> 
>> Small background: originally I wanted to use ldap-group for group checking, 
>> which turns out not to be possible due to the client's ldap not being 
>> configured correctly for groups, and they are unwilling to change. So I want to 
>> be able to check against a different attribute set manually.
>> 
>> An example would be appreciated if it is possible.
>> 
>> 
>> 
>> 


Accessing attribute in control list

2012-05-08 Thread Mike

Hi guys,

I am setting an attribute in the auth section of my config. I am able to 
access the attribute in the same section and perform unlang operations on 
said attribute; however, I am unable to access the same from the pre-proxy 
section of my config. The attribute just expands as blank.

Is this a limitation of the software or is there a way I can access this 
attribute set in one section from another?

Small background: originally I wanted to use ldap-group for group checking, 
which turns out not to be possible due to the client's ldap not being 
configured correctly for groups, and they are unwilling to change. So I want to 
be able to check against a different attribute set manually.

An example would be appreciated if it is possible.


Re: Total Data download

2012-02-25 Thread Mike

Here is how I do it (this is for traffic in a particular month)

SELECT
username,
truncate(sum(acctinputoctets + acctoutputoctets) / 100, 
1) traffic

FROM radacct
WHERE
month(acctstarttime) = 12 AND
year(acctstarttime) = 2011
GROUP BY username

This assumes you are using mysql for accounting.

Mike

On 25/02/12 17:49, Fazal Ahmed Malik wrote:
> Hi,
>
> Is there any tool or script with the help of which I can get to know how 
> much data was downloaded by all users in the last 30 days?
>
> Please share the solution.
>
> Best regards,
>
> Fazal Ahmed Malik


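The same per-user aggregation as an added, runnable example (not part of the thread and not FreeRADIUS code): it loads a handful of constructed radacct rows into an in-memory SQLite table and runs both the calendar-month query above and the rolling-window variant the question actually asked for. SQLite has no month()/year()/truncate(), so those are spelled with strftime and a small helper; the column names are the standard radacct ones, while the usernames, timestamps and octet counts are made up.

```python
import sqlite3

# Constructed sample accounting rows (not real data): the four radacct
# columns the query uses. Octet counts are bytes.
SAMPLE_SESSIONS = [
    ("alice", "2011-12-03 08:00:00", 1_500_000_000, 3_000_000_000),
    ("alice", "2011-12-20 21:15:00",   250_000_000,   750_000_000),
    ("bob",   "2011-12-10 12:30:00",   100_000_000,   400_000_000),
    ("bob",   "2011-11-29 23:59:00",   900_000_000,   900_000_000),  # November
    ("carol", "2012-01-02 07:45:00",    10_000_000,    20_000_000),  # January
]


def make_radacct():
    """In-memory SQLite stand-in for the MySQL radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radacct (
               radacctid        INTEGER PRIMARY KEY,
               username         TEXT NOT NULL,
               acctstarttime    TEXT NOT NULL,
               acctinputoctets  INTEGER NOT NULL DEFAULT 0,
               acctoutputoctets INTEGER NOT NULL DEFAULT 0)"""
    )
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctinputoctets, "
        "acctoutputoctets) VALUES (?, ?, ?, ?)",
        SAMPLE_SESSIONS,
    )
    conn.commit()
    return conn


def traffic_for_month(conn, year, month):
    """Per-user octets for one calendar month: the month()/year() filter
    from the thread, which SQLite spells with strftime."""
    rows = conn.execute(
        """SELECT username,
                  SUM(acctinputoctets + acctoutputoctets) AS octets
           FROM radacct
           WHERE strftime('%Y', acctstarttime) = ?
             AND strftime('%m', acctstarttime) = ?
           GROUP BY username
           ORDER BY username""",
        (f"{year:04d}", f"{month:02d}"),
    ).fetchall()
    return {user: octets for user, octets in rows}


def traffic_in_window(conn, start, end):
    """Per-user octets for sessions that started in [start, end), the
    rolling 'last 30 days' form of the question. The bounds are bound
    parameters, never string-formatted into the SQL, so a window taken
    from a web form cannot become an injection point."""
    rows = conn.execute(
        """SELECT username,
                  SUM(acctinputoctets + acctoutputoctets) AS octets
           FROM radacct
           WHERE acctstarttime >= ? AND acctstarttime < ?
           GROUP BY username
           ORDER BY username""",
        (start, end),
    ).fetchall()
    return {user: octets for user, octets in rows}


def to_gb(octets, decimals=1):
    """Decimal gigabytes, truncated (not rounded) like MySQL TRUNCATE()."""
    factor = 10 ** decimals
    return int(octets / 1_000_000_000 * factor) / factor


if __name__ == "__main__":
    db = make_radacct()
    for user, octets in traffic_for_month(db, 2011, 12).items():
        print(f"{user:8s} {to_gb(octets):6.1f} GB")
```

The window form needs no date arithmetic in SQL: compute the start timestamp in the calling code and pass it as a parameter, which also keeps the query plan cacheable.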


rlm_perl and returning > 1 attribute with same name

2012-02-17 Thread Mike

Hello,

I am using rlm_perl and I have an application where I would like to 
return possibly more than 1 Filter-Id in my response.


In perl, the relevant code would be this:

$RAD_REPLY{'Filter-Id'} = "some_filter"

Unfortunately, this also will only create 1 avpair by the name 'Filter-Id'.

How would I go about returning more than 1 or am I stuck because of perl?

Mike-



Re: radiusd -X works just fine, daemon stops responding early

2012-02-15 Thread Mike



> I'm not familiar with *BSD, but this problem is precisely why I like
> Ubuntu more and more. If the official package is too old, chances are
> someone already created a PPA (which is very easy to set up) with an
> up-to-date version.
>
> ... or you can build the package yourself, with the same recipe used
> in the official BSD package.

Yes, I use Debian now, but I am familiar with OpenBSD and it is the one 
I can confidently install on PC Engines boxes, a confidence gained 
through many installs. Bullet-proof except for, apparently, Freeradius 
:-)  My rainy day Linux learning is waiting for, well, a rainy day.


Thanks.

Mike



Re: radiusd -X works just fine, daemon stops responding early

2012-02-14 Thread Mike




> there are alternatives for packages too eg
>
> http://openports.se/net/freeradius



Thanks for that. I'll make a note for a rainy day.

Mike


Re: radiusd -X works just fine, daemon stops responding early

2012-02-14 Thread Mike

I just tried

radiusd -s &

and it is 30 minutes up so far. Will report back overnight.

I am reluctant to upgrade since I prefer OpenBSD packages, but if it 
comes right down to it, then I will.


Mike


On 15/02/12 17:47, Fajar A. Nugraha wrote:
> On Wed, Feb 15, 2012 at 11:33 AM, Mike  wrote:
>> One day my requests to my Freeradius server began to timeout. When I
>> restarted it, it would behave normally for a few seconds and then stop
>> responding. But when I run it as radiusd -X, nothing untoward happens and it
>> will continue to respond for ever.
>
> Probably threads-related?
>
>> This is the case whether my requests come from a remote client, or from
>> radtest on the local host or a remote host.
>>
>> I am running Freeradius 2.1.10 on OpenBSD 5.0 against a mysql server
>
> I suggest you try latest stable (2.1.12) or v2.1.x branch from git to
> see if the problem is fixed there. Also, snippet from the man page
>
>   -X Debugging mode.  Equivalent to "-sfxx -l stdout"
>   -s Run in "single server" mode
>   -x Finer-grained debug mode
>
> If it's really a thread issue, you might be able to reproduce it and
> get more information with "radiusd -fxx -l stdout"




radiusd -X works just fine, daemon stops responding early

2012-02-14 Thread Mike
One day my requests to my Freeradius server began to timeout. When I 
restarted it, it would behave normally for a few seconds and then stop 
responding. But when I run it as radiusd -X, nothing untoward happens 
and it will continue to respond for ever.


This is the case whether my requests come from a remote client, or from 
radtest on the local host or a remote host.


I am running Freeradius 2.1.10 on OpenBSD 5.0 against a mysql server

I have spent a few hours looking for log entries that might explain it - 
to no avail.


Can anyone suggest where I should continue looking?

Thanks

Mike




FreeRADIUS Version 2.1.10, for host i386-unknown-openbsd5.0, built on 
Aug 16 2011 at 10:46:39

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "_freeradius"
group = "_freeradius"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms 

Re: WPA Enterprise Certificate renewal for FreeRadius

2012-01-09 Thread Mike Diggins


On Mon, 9 Jan 2012, Phil Mayers wrote:
> On 09/01/12 17:42, Mike Diggins wrote:
>> I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius
>> authentication certificate currently. My eap.conf 'certificate file'
>> contains the certificate only, not the root and/or intermediates. That
>> seems to be ok, since most clients already have the Thawte Root
>> certificate installed.
>>
>> I renewed the new certificate just recently and discovered that Thawte
>> is no longer issuing certificates under the old root so my clients will
>> likely be asked to trust the new certificate when I install it. All my
>> documentation changes as well but that's another story.
>>
>> My question is, what is the value of adding the roots/intermediates to
>> the certificate file i.e. certificate_file = ${certdir}/certificate.crt?
>> Does it really allow a client without the Root already installed to
>> verify this certificate?
>
> Most clients:
>
> 1. Have all the common "top-level" CAs installed
> 2. May or may not have the intermediate CAs
>
> We put the server & intermediate certs (NOT the top-level) into the cert 
> file, and in our experience this lets all clients (Windows, MacOS, iOS, 
> Android) connect without errors.
>
> I believe that, if the client really does lack the top-level CA, you're 
> screwed. You will have to manually install at least the top-level cert, 
> except on MacOS (and possibly iOS, but not sure).


Do the certificates need to be listed in any particular order in the 
certificate_file?


-Mike
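As an added example, not from the thread and not FreeRADIUS code: the OpenSSL chain-file loader that eap.conf's certificate_file ends up in expects the server certificate first, followed by each intermediate in signing order, and the self-signed root is normally left out, as Phil describes. The Python below assembles such a file from a bundle whose blocks are in the wrong order. It assumes the subject and issuer of each block have been obtained separately with `openssl x509 -noout -subject -issuer` (parsing X.509 by hand is out of scope here), and the PEM bodies and CA names are placeholders, not real certificates. It goes slightly beyond the two-certificate case above: a root that is present in the input is dropped, and the name of the CA clients must already trust is returned so it can be checked against what the client platforms actually ship.

```python
import re

# One PEM certificate block; re.S lets '.' span the base64 lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

# Constructed bundle in the WRONG order (intermediate, root, server).
# The bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SERVER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
"""

# What `openssl x509 -noout -subject -issuer` prints for each block above,
# in the same order. Constructed names, not real CAs.
SAMPLE_NAMES = [
    "subject=CN = Example Intermediate CA\nissuer=CN = Example Root CA",
    "subject=CN = Example Root CA\nissuer=CN = Example Root CA",
    "subject=CN = radius.example.org\nissuer=CN = Example Intermediate CA",
]


def split_pem_bundle(text):
    """Return the certificate blocks of a PEM bundle in file order."""
    return _PEM_BLOCK.findall(text)


def parse_openssl_names(text):
    """Turn the 'subject=...' / 'issuer=...' lines printed by openssl into
    a (subject, issuer) pair."""
    names = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer"):
            names[key.strip()] = value.strip()
    return names["subject"], names["issuer"]


def order_for_certificate_file(certs):
    """certs: list of (pem, subject, issuer) tuples in any order.

    Returns (blocks, anchor): the blocks in the order the chain-file loader
    expects (server certificate first, then each intermediate up the chain)
    and the subject name of the CA that signed the last included block,
    which is the certificate clients must already trust. A self-signed
    root in the input is never written out. Raises ValueError on a bundle
    with no single leaf, a cycle, or only a self-signed certificate."""
    by_subject = {subject: (pem, issuer) for pem, subject, issuer in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject names in bundle")
    issuers = {issuer for _, subject, issuer in certs if issuer != subject}
    leaves = [s for s in by_subject if s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    ordered, subject, seen = [], leaves[0], set()
    while subject in by_subject and subject not in seen:
        pem, issuer = by_subject[subject]
        if issuer == subject:          # self-signed root: stop, leave it out
            break
        ordered.append(pem)
        seen.add(subject)
        subject = issuer               # climb one step towards the root
    if subject in seen:
        raise ValueError("certificate chain contains a cycle")
    if not ordered:
        raise ValueError("only a self-signed certificate was supplied")
    return ordered, subject


def build_certificate_file(bundle_text, openssl_names):
    """Reorder a bundle for certificate_file; returns (file_text, anchor)."""
    blocks = split_pem_bundle(bundle_text)
    if len(blocks) != len(openssl_names):
        raise ValueError("one subject/issuer record is needed per block")
    certs = [(pem, *parse_openssl_names(n))
             for pem, n in zip(blocks, openssl_names)]
    ordered, anchor = order_for_certificate_file(certs)
    return "\n".join(ordered) + "\n", anchor


if __name__ == "__main__":
    text, anchor = build_certificate_file(SAMPLE_BUNDLE, SAMPLE_NAMES)
    print(text)
    print("clients must already trust:", anchor)
```

When the root is absent from the input, the same function still orders the leaf and intermediates correctly and reports the root's name as the anchor, which is the case a renewed certificate under a new root turns into a client-side trust prompt.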


WPA Enterprise Certificate renewal for FreeRadius

2012-01-09 Thread Mike Diggins


I use a Thawte Premium Server CA for my WPA2 Enterprise freeradius 
authentication certificate currently. My eap.conf 'certificate file' 
contains the certificate only, not the root and/or intermediates. That 
seems to be ok, since most clients already have the Thawte Root 
certificate installed.


I renewed the new certificate just recently and discovered that Thawte is 
no longer issuing certificates under the old root so my clients will 
likely be asked to trust the new certificate when I install it. All my 
documentation changes as well but that's another story.


My question is, what is the value of adding the roots/intermediates to the 
certificate file i.e. certificate_file = ${certdir}/certificate.crt? Does 
it really allow a client without the Root already installed to verify this 
certificate?


-Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with Eduroam - Accounting

2011-10-14 Thread Mike Diggins


On Fri, 14 Oct 2011, Alan DeKok wrote:
> Mike Diggins wrote:
>> Accounting feature on the WLAN controllers (for now), I noticed that a
>> similar failure is happening on the Authentication side. Some
>> authentication requests proxied to other radius servers (via Eduroam)
>> are either failing or taking a long time to respond, which also causes
>> my FreeRadius to mark the Home Server as DOWN. That also seems to cause
>> a chain reaction of backed up requests, causing my WLAN controllers to
>> failover the radius server.
>
>  There's really very little you can do about that in RADIUS.
> FreeRADIUS figures out that a home server is down because it stops
> responding to requests.
>
>  So if it stops responding... it looks like it's dead.

Does FreeRadius work synchronously only, so a slow response from one remote 
server stops any other pending authentications from completing until that 
first one is finished?

>> So, similar to my Accounting problem, is there any way to prevent a
>> single Authentication failure from backing up the works!? Does FR answer
>> queries in sequence only? I don't really understand why this sort of
>> failure has such a nasty consequence.
>
>  What, exactly, is the server supposed to do when the next hop isn't
> responding to packets?  Is the next hop up?  Is it down?  How can you tell?

I'm not sure. If my assumption above is correct, then I don't see a good 
solution. I'm thinking of a method like Squid proxy server, where a number 
of authenticators are used, so one that's slow or fails doesn't affect 
the others.

The only suggestion I can think of right now is to send the server-status 
message to the next hop first before marking it dead. I think that would 
be a safer assumption when proxying anyway.

>  It's this kind of thing that makes me think keep-alives should become
> standard for eduroam.  The extra few packets every couple of seconds are
> a small cost to pay for ensuring that authentication works.
>
>  Alan DeKok.



-Mike


Re: FreeRadius with Eduroam - Accounting

2011-10-13 Thread Mike Diggins


On Tue, 4 Oct 2011, Mike Diggins wrote:
> I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
> Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
> failing over the Accounting Servers, due to lack of response from the Home 
> Servers, or so says the log. However, I believe the issue is that some remote 
> institutions' Radius Servers are ignoring the Accounting packets, and timing 
> out my end, making it believe the Home Servers have failed to respond. 
> FreeRadius responds by marking the Home server dead. It then sends a 
> status-server query, to which it gets a reply, and enables the Dead Home 
> server. I believe that's the sequence of events anyway. I captured some of 
> that in debug mode:
>
> Rejecting request 288 due to lack of any response from home server x.x.x.x 
> port 1813
>
> Finished request 288.
>
> Cleaning up request 288 ID 205 with timestamp +1161
>
> PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
> dead).
>
> Sending Status-Server of id 55 to x.x.x.x port 1813
>    Message-Authenticator := 0x
>    NAS-Identifier := "Status Check. Are you alive?"
> Waking up in 3.9 seconds.
>
> rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806
>
> I don't have any control over Accounting Packets being accepted, or not, by 
> other Eduroam members. Some do, some don't I imagine. Is there a 
> configuration for FreeRadius that handles this situation cleanly? Seems to me 
> that FR should check the Home server first, before marking it dead (at 
> least).

Accounting feature on the WLAN controllers (for now), I noticed that a 
similar failure is happening on the Authentication side. Some 
authentication requests proxied to other radius servers (via Eduroam) are 
either failing or taking a long time to respond, which also causes my 
FreeRadius to mark the Home Server as DOWN. That also seems to cause a 
chain reaction of backed up requests, causing my WLAN controllers to 
failover the radius server.

So, similar to my Accounting problem, is there any way to prevent a single 
Authentication failure from backing up the works!? Does FR answer queries 
in sequence only? I don't really understand why this sort of failure has 
such a nasty consequence.


-Mike



Re: FreeRadius with Eduroam - Accounting

2011-10-13 Thread Mike Diggins


On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:
>> Thanks for your suggestion. Do I drop this into my existing 
>> ..sites-available/default file? Does this add to what's there already, or do I 
>> replace what's there with this (and does the order matter)? Sorry, I have a 
>> very basic configuration and haven't had to delve into this.
>
> Add it to sites-available/default in the existing sections (put replicate in 
> the accounting {} section, put the other stuff in the preacct section...


Tried this today but got an error. I'm running 2.1.3.

 Module: Checking accounting {...} for more modules to load
/usr/local/freeradius/etc/raddb/sites-enabled/default[339]: Failed to find 
module "replicate".
/usr/local/freeradius/etc/raddb/sites-enabled/default[336]: Errors parsing 
accounting section.


-Mike


Re: FreeRadius with Eduroam - Accounting

2011-10-05 Thread Mike Diggins



On Wed, 5 Oct 2011, Arran Cudbard-Bell wrote:
> On 5 Oct 2011, at 02:20, Mike Diggins wrote:
>> I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
>> Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are constantly 
>> failing over the Accounting Servers, due to lack of response from the Home 
>> Servers, or so says the log. However, I believe the issue is that some remote 
>> institutions' Radius Servers are ignoring the Accounting packets, and timing out 
>> my end, making it believe the Home Servers have failed to respond. FreeRadius 
>> responds by marking the Home server dead. It then sends a status-server query, 
>> to which it gets a reply, and enables the Dead Home server. I believe that's 
>> the sequence of events anyway. I captured some of that in debug mode:
>>
>> Rejecting request 288 due to lack of any response from home server x.x.x.x port 
>> 1813
>>
>> Finished request 288.
>>
>> Cleaning up request 288 ID 205 with timestamp +1161
>>
>> PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is 
>> dead).
>>
>> Sending Status-Server of id 55 to x.x.x.x port 1813
>>    Message-Authenticator := 0x
>>    NAS-Identifier := "Status Check. Are you alive?"
>> Waking up in 3.9 seconds.
>>
>> rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806
>>
>> I don't have any control over Accounting Packets being accepted, or not, by 
>> other Eduroam members. Some do, some don't I imagine. Is there a configuration 
>> for FreeRadius that handles this situation cleanly? Seems to me that FR should 
>> check the Home server first, before marking it dead (at least).
>
> No, I've talked about this with Alan. The proposed solution is an enhancement to 
> the detail writer/reader functionality where the server automagically spawns 
> new reader instances to listen on per domain detail files.
>
> For now I'd recommend using rlm_replicate; this allows you to send an entirely 
> new request to the homeserver, whilst sending an Accounting-Response to the 
> NAS. FR does not track the new request and so won't be able to retransmit.
>
> Just use something like:
>
> preacct {
>     if (Realm && Realm != 'local') {
>         update control {
>             Proxy-To-Realm := 'local'
>             Replicate-To-Realm = 'eduroam'
>         }
>     }
> }
>
> accounting {
>     replicate
> }


Thanks for your suggestion. Do I drop this into my existing 
..sites-available/default file? Does this add to what's there already, or 
do I replace what's there with this (and does the order matter)? Sorry, I 
have a very basic configuration and haven't had to delve into this.


-Mike



FreeRadius with Eduroam - Accounting

2011-10-04 Thread Mike Diggins


I'm running FreeRadius 2.1.3 on RedHat Enterprise Linux configured as an 
Eduroam Radius proxy server. My Cisco Wireless Lan Controllers are 
constantly failing over the Accounting Servers, due to lack of response 
from the Home Servers, or so says the log. However, I believe the issue is 
that some remote institutions Radius Servers are ignoring the Accounting 
packets, and timing out my end, making it believe the Home Servers have 
failed to respond. FreeRadius responds by marking the Home server dead. It 
then sends a status-server query, to which it gets a reply, and enables 
the Dead Home server. I believe that's the sequence of events anyway. I 
captured some of that in debug mode:


Rejecting request 288 due to lack of any response from home server x.x.x.x port 1813


Finished request 288.

Cleaning up request 288 ID 205 with timestamp +1161

PROXY: Marking home server x.x.x.x port 1813 as zombie (it looks like it is dead).


Sending Status-Server of id 55 to x.x.x.x port 1813
Message-Authenticator := 0x
NAS-Identifier := "Status Check. Are you alive?"
Waking up in 3.9 seconds.

rad_recv: Access-Accept packet from host x.x.x.x port 1813, id=55, length=806


I don't have any control over Accounting Packets being accepted, or not, 
by other Eduroam members. Some do, some don't I imagine. Is there a 
configuration for FreeRadius that handles this situation cleanly? Seems to 
me that FR should check the Home server first, before marking it dead (at 
least).


-Mike



Re: Relation between NAS and FreeRADIUS

2011-05-18 Thread Mike Mackenna
I would think usually the answer is neither.  The internet connection
is usually supplied by a third box on the network.  The NAS is the
point of contact and the RADIUS server is the box that handles the
authentication requests.  If authentication succeeds the client is
allowed to connect through the NAS on to the network.  Once on the
network it is free to make DHCP requests or whatever and then get
routed accordingly.  Only then does it get default gateway information
that it can use to connect to the internet so to speak.

I think that is correct.

Mike

On Wed, May 18, 2011 at 2:16 PM, googerdi  wrote:
> Hi
> It is possible that my question is low level, but it is key for me. I want to
> ask whether it is the NAS or FreeRADIUS that provides the internet. I mean, should I
> connect the internet connection to the NAS or to FreeRADIUS?
> Does the NAS just use FreeRADIUS (or any RADIUS server) to authenticate users and
> register accounting data in RADIUS?
>
> Thanks
>
>
>



-- 
Michael MacKenna
mpmacke...@gmail.com
Got Chrome?
http://www.google.com/chrome


Running FreeRadius daemon in debug mode

2011-04-17 Thread Mike Hale
Hi All,

I'm running the latest yum version of freeradius2 on a 32-bit CentOS 5.5 install.

I'm using "service radius start" to launch the daemon.  I'm trying to figure 
out how to use the service method to launch the process in debug mode.  I can 
start it in debug mode when calling it from the command line just fine.

I thought it might be as simple as modifying the radiusd script file in /init.d 
with the -x switch, but that causes errors.  Does anyone have a working copy of 
the init.d script I could look at?  

Thank you in advance!

- Mike




Sporadic Windows 802.1x-PEAP-MSchapv2 failures solved with 2.1.10

2010-11-15 Thread Cannady, Mike
I just wanted to let everyone know that the 2.1.10 release fixed a
sporadic problem that we were having with PEAP-MSchapv2 and 802.1x.  We
had several PCs that would work only sometimes with freeradius, but they
would always work with Microsoft's IAS.  I would move a problem PC from
a switch authenticating with windows to another switch authenticating
through freeradius and back and the problem stayed with the freeradius
one. 

I was running 2.1.7 at the time.  I installed 2.1.10 to get to the
latest version before using this list for help, just to have it fix the
problem.  I suspect bug#17 was the issue.

If the issue hadn't been solved, we were preparing to go to two MS
server datacenter servers to do just the radius work (we have a *lot* of
switches) which I thought was a lot of overkill and wouldn't give us the
flexibility to do what we plan with the radius server in the future.
Now we don't need the MS servers!

Thanks a bunch! You made me very happy!

Mike Cannady



**
HTC Disclaimer:  The information contained in this message may be privileged 
and confidential and protected from disclosure. If the reader of this message 
is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified that 
any dissemination, distribution or copying of this communication is strictly 
prohibited.  If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer.  
Thank you.
**




AD authenication issue with machine authentication

2010-10-19 Thread Cannady, Mike
7c3d2146332065d255b7f853aecb601d00e05082badb10
Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/IS-MCANNADY-L.htc.com/] (from client MikeDeskSwitch port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 52 to 172.21.17.59 port 1025
EAP-Message = 0x010a00261900170301001b3533c7101e632bc436b65822b9b7bb11e5d9f923547accf95234e0
Message-Authenticator = 0x
State = 0x29be35a421b42c776aa21593a54d8f6e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=53, length=276
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a421b42c776aa21593a54d8f6e
EAP-Message = 0x020a00261900170301001bb9ad6307193ba51867e2ddc8c1bf3bff13a3e96d71fcce7012c592
Message-Authenticator = 0xd7b1be5082f5a55d993d5de076606a4c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [host/IS-MCANNADY-L.htc.com/] (from client MikeDeskSwitch port 17 cli 00-1e-e5-87-61-d6)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/IS-MCANNADY-L.htc.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 53 to 172.21.17.59 port 1025
EAP-Message = 0x040a0004
Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 0 ID 44 with timestamp +110
Cleaning up request 1 ID 45 with timestamp +110
Cleaning up request 2 ID 46 with timestamp +110
Cleaning up request 3 ID 47 with timestamp +110
Cleaning up request 4 ID 48 with timestamp +110
Cleaning up request 5 ID 49 with timestamp +110
Cleaning up request 6 ID 50 with timestamp +110
Cleaning up request 7 ID 51 with timestamp +110
Cleaning up request 8 ID 52 with timestamp +110
Waking up in 1.0 seconds.
Cleaning up request 9 ID 53 with timestamp +110
Ready to process requests.

[r...@htcradius1 etc]#

Mike Cannady
Information Services
Horry Telephone Cooperative (HTC)
Phone: (843)369-8212
Fax..: (843)369-7195
Pager: (843)828-5899
Email: mike.cann...@htcinc.net
 


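A debug trace like the one above is easiest to read when it is reduced to one line per packet: which NAS sent it, for which user and calling station, what the server finally replied, and which lines explain a reject. The summariser below is an added example, not a FreeRADIUS tool or code from the poster; its regular expressions follow the 2.x `radiusd -X` format shown in the trace, and the sample trace embedded in it is constructed from lines of that trace plus one made-up Access-Accept so both outcomes are exercised.

```python
"""Summarise 'radiusd -X' output: one record per received packet."""
import re

# Line shapes taken from the 2.x debug output shown on this page.
RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r'^\s*([\w-]+)(?::\d+)? = "?([^"]*)"?$')
SEND = re.compile(r"^Sending (Access-(?:Accept|Reject|Challenge)) of id (\d+) to (\S+)")
# Lines worth keeping as the explanation of a reject.
REASON = re.compile(r"rejected|FAILED|Failed to authenticate|Login incorrect|"
                    r"MS-CHAP-Error|Handler failed")

def summarise(lines):
    """Return one dict per rad_recv packet, in arrival order.

    Attributes are only read from the request (before the reply is sent);
    lines before the first rad_recv (the tail of an earlier packet) are ignored.
    """
    packets, current = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = RECV.match(line)
        if m:
            current = {"code": m.group(1), "client": m.group(2), "id": int(m.group(3)),
                       "user": None, "mac": None, "reply": None, "reasons": []}
            packets.append(current)
            continue
        if current is None:
            continue
        m = ATTR.match(line)
        if m and current["reply"] is None:
            name, value = m.groups()
            if name == "User-Name":
                current["user"] = value
            elif name == "Calling-Station-Id":
                current["mac"] = value
        m = SEND.match(line)
        if m and int(m.group(2)) == current["id"] and m.group(3) == current["client"]:
            current["reply"] = m.group(1)
        if REASON.search(line):
            current["reasons"].append(line.strip())
    return packets

def rejected(packets):
    """Only the packets that ended in an Access-Reject."""
    return [p for p in packets if p["reply"] == "Access-Reject"]

def one_line(p):
    """Compact rendering; the last reason is usually the decisive one."""
    tail = " (%s)" % p["reasons"][-1] if p["reasons"] else ""
    return "id=%d %s user=%s mac=%s -> %s%s" % (
        p["id"], p["client"], p["user"], p["mac"], p["reply"], tail)

# Constructed sample: lines from the trace above plus an invented accept.
SAMPLE = """\
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=53, length=276
        NAS-IP-Address = 172.21.17.59
        User-Name = "host/IS-MCANNADY-L.htc.com"
        Calling-Station-Id = "00-1e-e5-87-61-d6"
        State = 0x29be35a421b42c776aa21593a54d8f6e
+- entering group authorize {...}
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [host/IS-MCANNADY-L.htc.com/] (from client MikeDeskSwitch port 17 cli 00-1e-e5-87-61-d6)
Using Post-Auth-Type Reject
Delaying reject of request 9 for 1 seconds
Sending delayed reject for request 9
Sending Access-Reject of id 53 to 172.21.17.59 port 1025
        EAP-Message = 0x040a0004
rad_recv: Access-Request packet from host 10.0.0.5 port 1645, id=7, length=90
        User-Name = "alice"
        Calling-Station-Id = "00-11-22-33-44-55"
Found Auth-Type = PAP
Sending Access-Accept of id 7 to 10.0.0.5 port 1645
        Reply-Message = "ok"
"""

if __name__ == "__main__":
    for p in summarise(SAMPLE.splitlines()):
        print(one_line(p))
```

Feed it a saved `radiusd -X` log and grep the result for `Access-Reject` to see every failing user/NAS pair at a glance; inner-tunnel reasons show up under the outer packet that carried them.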


AW: AW: Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Langen Mike
Hi Phil.

Thank you very much.
That would do for now!

Kind regards

Mike


-----Original Message-----
From: freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, 15 October 2010 12:03
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: Combining ntlm_auth and mac address verification in freeradius

On 15/10/10 10:13, Langen Mike wrote:
> Hi Phil.
>
> Thank you for your quick answer. That's exactly, what I need. Where
> do you get this information? It's really hard to retrieve usable
> information from wiki.freeradius.org...

Mainly accumulated knowledge.

>
> Is there a good resource for this kind of information? I do have
> difficulties to understand, how freeradius is processing a request
> and where I can hook my own logic into it.

The docs that come with the server cover a lot of this; have a look in 
particular at:

doc/aaa
doc/module_interface
doc/configurable_failover

If these are unclear, please say how, so they can be improved!

FreeRadius is really quite simple in principle; a radius request 
consists of a list of attribute/value pairs. The request is received and 
two more empty lists are created - the "config" and "reply" items. The 
request is passed through the "authorize" section, with each module 
altering the request/config/reply items and perhaps terminating the 
processing.

The request is then passed through the "authenticate" section obeying 
the "Auth-Type" variable in the "config" item. Finally it's passed 
through the "post-auth" section.

FreeRadius 2.x adds "if ()" statements as special modules so the 
processing can be conditional (see "man unlang"), but it's all just a chain 
of modules under the hood. Very clever & flexible!

If you really want to understand the way it works, there's no substitute 
for slowly, carefully working through some config options, and watching 
the output from "radiusd -X". The best way is:

  1. build/install freeradius
  2. Put the /etc/raddb directory under version control
  3. Run some test authentications using radclient or eapol_test
  4. Commit the working config
  5. Change *one* thing
  6. goto 3 ;o)
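The processing model Phil lays out (a request is a list of attribute/value pairs, two more lists are created for "config" and "reply", the request walks through "authorize", then "authenticate" is picked by the Auth-Type in the config list, then "post-auth", with conditionals being just another kind of module) is small enough to run as a toy. The following is an added illustration written for this page, not FreeRADIUS's code and not from Phil's message: the module set, the constructed "users" table, and the simplified rcode handling (reject/fail/invalid/handled stop a section; everything else lets the next module run) are assumptions made to keep it short.

```python
"""Toy model of request flow: authorize -> authenticate (by Auth-Type) -> post-auth."""
import hmac

# Module return codes (subset). A real server ranks rcodes by priority;
# here a terminating rcode ends the section at once, others carry on.
OK, NOOP, UPDATED, HANDLED, REJECT, FAIL, INVALID = (
    "ok", "noop", "updated", "handled", "reject", "fail", "invalid")
TERMINATING = {HANDLED, REJECT, FAIL, INVALID}

# Constructed "users" file: stripped user name -> cleartext password.
USERS = {"alice": "wonderland", "bob": "builder"}


class Request:
    """The three pair lists a request carries through the sections."""
    def __init__(self, attrs):
        self.request = dict(attrs)   # what the NAS sent
        self.config = {}             # "control" items: Auth-Type, known password, ...
        self.reply = {}              # what goes back to the NAS


# --- authorize-section modules ---------------------------------------
def suffix(req):
    """Like the 'suffix' realm instance: split user@realm, record both."""
    name = req.request.get("User-Name", "")
    if "@" not in name:
        return NOOP
    user, realm = name.rsplit("@", 1)
    req.request["Stripped-User-Name"] = user
    req.request["Realm"] = realm
    return UPDATED

def files(req):
    """Like rlm_files: copy the user's known password into the config list."""
    user = req.request.get("Stripped-User-Name") or req.request.get("User-Name")
    if user not in USERS:
        return NOOP
    req.config["Cleartext-Password"] = USERS[user]
    return OK

def pap_authorize(req):
    """rlm_pap in authorize: claim the request if it can authenticate it."""
    if ("User-Password" in req.request and "Cleartext-Password" in req.config
            and "Auth-Type" not in req.config):
        req.config["Auth-Type"] = "PAP"
        return UPDATED
    return NOOP

def unlang_if(predicate, *modules):
    """'if (...) { ... }' as a module, the way 2.x treats conditionals."""
    def conditional(req):
        if not predicate(req):
            return NOOP
        return run_section(modules, req)
    return conditional

def set_reply_message(req):
    req.reply["Reply-Message"] = "welcome %s" % req.request["Stripped-User-Name"]
    return UPDATED

# --- authenticate-section modules, chosen by Auth-Type ---------------
def pap_authenticate(req):
    """Compare User-Password with the config-list password in constant time."""
    good = req.config["Cleartext-Password"].encode()
    given = req.request.get("User-Password", "").encode()
    return OK if hmac.compare_digest(good, given) else REJECT

AUTHORIZE = [suffix, files, pap_authorize,
             unlang_if(lambda r: r.request.get("Realm") == "example.com",
                       set_reply_message)]
AUTHENTICATE = {"PAP": pap_authenticate}
POST_AUTH = []

def run_section(modules, req):
    """Run modules in order; stop early on a terminating rcode."""
    rcode = NOOP
    for module in modules:
        rcode = module(req)
        if rcode in TERMINATING:
            return rcode
    return rcode

def process(req):
    """Walk the sections and return the reply packet code."""
    if run_section(AUTHORIZE, req) in (REJECT, FAIL, INVALID):
        return "Access-Reject"
    auth_type = req.config.get("Auth-Type")
    if auth_type not in AUTHENTICATE:
        return "Access-Reject"          # no module claimed the request
    if run_section([AUTHENTICATE[auth_type]], req) != OK:
        return "Access-Reject"
    run_section(POST_AUTH, req)
    return "Access-Accept"
```

The point to watch in the real server is the same as in the toy: a user nobody knows never gets an Auth-Type, so the reject comes from "no authenticate method" rather than from a password check, which is exactly the kind of thing `radiusd -X` makes visible.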


AW: Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Langen Mike
Hi Phil.

Thank you for your quick answer. That's exactly, what I need.
Where do you get this information?
It's really hard to retrieve usable information from wiki.freeradius.org...

Is there a good resource for this kind of information? I do have difficulties 
to understand, how freeradius is processing a request and where I can hook my 
own logic into it.

Cheers Mike


-----Original Message-----
From: freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+mike.langen=ofwi...@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, 15 October 2010 10:10
To: freeradius-users@lists.freeradius.org
Subject: Re: Combining ntlm_auth and mac address verification in freeradius

On 10/15/2010 08:06 AM, Langen Mike wrote:
> Hi there.
>
> I've got the problem that I want to combine active directory
> authentication with mac address verification. So only user can log in
> which hardware is listed in a text file or similar.
>
> In the whole world wide web I didn't find a hint how to combine multiple
> authentication methods in serial.

Really?

MAC "authentication" is really just a key/value lookup. You don't need 
to "combine two types of authentication" - just do a lookup of user->mac 
before doing mschap.

You haven't said, but I'm going to assume you're using 802.1x, with 
PEAP/MS-CHAP via ntlm_auth.

In which case, you want something like this:

in eap.conf:

eap {
   ...
   peap {
     ...
     # expose the outer request's attributes (Calling-Station-Id etc.)
     # to the inner-tunnel virtual server
     copy_request_to_tunnel = yes
   }
}

in sites-enabled/inner-tunnel:

authorize {
   ...
   # do e.g. an SQL lookup; the xlat expands to "1" when a row matches
   update request {
     Tmp-Integer-0 := "%{sql:select 1 from allowed where username='%{SQL-User-Name}' and mac='%{Calling-Station-Id}'}"
   }
   if (Tmp-Integer-0 == 1) {
      # this combination is allowed
   }
   else {
      # this one is not
      reject
   }
}


Obviously you'll need to have configured SQL and created the lookup 
table for the above example to work. You could also do this with 
"rlm_passwd", LDAP or even a "users" file. You'll need to be a bit more 
specific about your requirements if you want advice on that.
   # now lookup user/mac

>
> One possibility, but there I didn't find anything at all, seems to be
> using the perl module. Is it possible to run a perl script before
> ntlm_auth will take place ?
>
> Thanks for your answer.
>
> Greetings from Switzerland.
>
> Mike
>

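The user/MAC lookup Phil sketches is a plain key/value check, but it has one practical trap: Calling-Station-Id is whatever the NAS chooses to send, and different NASes spell the same MAC differently ("00-1e-e5-87-61-d6" as in the trace earlier on this page, "00:1E:E5:87:61:D6", "001e.e587.61d6"), so an exact string match in SQL silently fails for some switches. The example below is added here and is not Phil's unlang or FreeRADIUS code; it assumes a table named `allowed` with (username, mac) rows, normalises the MAC on the way into the table and on lookup, and uses bound parameters rather than interpolating the attribute into the query text. The allow-list rows and the request dicts are constructed.

```python
"""User->MAC allow-list check with MAC normalisation (added example)."""
import re
import sqlite3

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalise_mac(value):
    """Reduce any common Calling-Station-Id spelling to 12 lowercase hex digits.

    Returns None when the value is missing or is not a MAC address at all,
    so callers cannot accidentally match on garbage.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return digits if _HEX12.match(digits) else None

def open_allowlist(rows):
    """Build an in-memory 'allowed' table from (username, mac) pairs.

    Rows whose MAC cannot be parsed are skipped rather than stored unusable.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed (username TEXT NOT NULL, mac TEXT NOT NULL,"
               " UNIQUE(username, mac))")
    for username, mac in rows:
        norm = normalise_mac(mac)
        if norm is not None:
            db.execute("INSERT OR IGNORE INTO allowed VALUES (?, ?)", (username, norm))
    db.commit()
    return db

def is_allowed(db, username, calling_station_id):
    """The 'select 1 from allowed where ...' check with bound parameters."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return False
    row = db.execute("SELECT 1 FROM allowed WHERE username = ? AND mac = ?",
                     (username, mac)).fetchone()
    return row is not None

def authorize(db, request):
    """Mirror of the inner-tunnel authorize block.

    'request' is a dict of RADIUS attributes. Returns ('ok', None) or
    ('reject', reason); a missing or malformed Calling-Station-Id is a
    reject in its own right rather than a lookup that happens to miss.
    """
    user = request.get("User-Name")
    csid = request.get("Calling-Station-Id")
    if not user:
        return ("reject", "no User-Name")
    if normalise_mac(csid) is None:
        return ("reject", "Calling-Station-Id missing or not a MAC")
    if not is_allowed(db, user, csid):
        return ("reject", "user/MAC pair not in allowed table")
    return ("ok", None)

# Constructed allow-list; the MACs are deliberately in mixed formats,
# and the last row shows what happens to a typo in the table.
ALLOWED = [
    ("mike", "00-1e-e5-87-61-d6"),
    ("anna", "00:1E:E5:12:34:56"),
    ("anna", "001e.e5ab.cdef"),
    ("broken", "not-a-mac"),
]

if __name__ == "__main__":
    db = open_allowlist(ALLOWED)
    for req in ({"User-Name": "mike", "Calling-Station-Id": "00:1E:E5:87:61:D6"},
                {"User-Name": "anna", "Calling-Station-Id": "00-1e-e5-87-61-d6"},
                {"User-Name": "mike"}):
        print(req, "->", authorize(db, req))
```

In the server itself the same normalisation can be done before the SQL xlat (for example with a regex match on Calling-Station-Id in unlang) or by storing the MAC in the table in the exact form your NASes send; what matters is that both sides use one canonical spelling.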


Combining ntlm_auth and mac address verification in freeradius

2010-10-15 Thread Langen Mike
Hi there.


I've got the problem that I want to combine active directory
authentication with mac address verification. So only user can log in
which hardware is listed in a text file or similar.

In the whole world wide web I didn't find a hint how to combine multiple
authentication methods in serial.


One possibility, but there I didn't find anything at all, seems to be
using the perl module. Is it possible to run a perl script before
ntlm_auth will take place ?


Thanks for your answer.


Greetings from Switzerland.


Mike

