Member of Group Check Else REJECT

2012-01-31 Thread Neville Collins
Hi,

I'm trying to check if a user is coming from a particular NAS, then check
that the user is also a member of a GROUP associated with that NAS, else REJECT
access.

Authorise section...

if (NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn') {
    update reply {
        Reply-Message := "OpenVPN AuthCheck OK"
    }
    reject
}
...

Wed Feb  1 00:37:59 2012 : Info: ++? if (NAS-Identifier == 'OpenVPN'  SQL-GROUP == 'openvpn')
Wed Feb  1 00:37:59 2012 : Info: ? Evaluating (NAS-Identifier == 'OpenVPN' ) - TRUE
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp
Wed Feb  1 00:37:59 2012 : Info: expand: %{User-Name} - nev
Wed Feb  1 00:37:59 2012 : Info: sql_set_user escaped user -- 'nev'
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   FROM radusergroup   WHERE username = 'nev'   ORDER BY priority
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Released sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp finished: User is NOT a member of group openvpn


As user 'nev' is not part of group 'openvpn' but is trying to access NAS
'OpenVPN' it should Reject the login and not go any further, but it does
not.

I know I'm missing something, so any help would be greatly appreciated.

Thx
Nev




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Counter SQL Calculation

2010-11-04 Thread Neville
Can anyone please help on this, as I've googled and cannot find a solution to 
the issue I've outlined below.


Thx
Nev


Hi Everyone,

Here is some Debug if anyone can help explain or correct the
[monthlytraffic] Counter calculation.

Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW()) - SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand:  '%{sql:SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())}'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand:
%{User-Name} - FTU-GzwgcD
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped
user -- 'FTU-GzwgcD'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW()) - SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: %{sql:SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())} - 991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater than
query result
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user
FTU-GzwgcD, check_item=26210, counter=991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user
FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221
Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok


The Important bit is that the counter returns 991187, but then the
Reply-Item Session-Octets-Limit is set to 262191221, which is actually an
INCREASE of 91221, how is this calculation CORRECT?

Thx
Nev





Hi everyone,

I have a small problem where the counter is not working how I would like
it to work.

sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   reply-name = Session-Octets-Limit
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
query = SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE
username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND
Year(acctstoptime) = Year(NOW())
}

The problem with this is that if the SELECT statement returns a value
less than the value of Max-Monthly-Traffic, then
Session-Octets-Limit is set to equal Max-Monthly-Traffic.

What I need it to do is to populate Session-Octets-Limit with the VALUE
of Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.

E.G. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT
returns a result of 5243 being 50Mb of usage, then
Session-Octets-Limit should be set to 26210 - 523 being 25687


Can anyone point in the right direction on this please.

Thx
Nev






Re: Counter SQL Calculation

2010-10-30 Thread Neville

Hi Everyone,

Here is some Debug if anyone can help explain or correct the 
[monthlytraffic] Counter calculation.


Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW()) - SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())
Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand:  '%{sql:SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())}'

Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: 
%{User-Name} - FTU-GzwgcD
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped 
user -- 'FTU-GzwgcD'
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW()) - SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())

Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic]   expand: %{sql:SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())} - 991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater than 
query result
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user 
FTU-GzwgcD, check_item=26210, counter=991187
Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user 
FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221

Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok


The Important bit is that the counter returns 991187, but then the 
Reply-Item Session-Octets-Limit is set to 262191221, which is actually an 
INCREASE of 91221, how is this calculation CORRECT?


Thx
Nev





Hi everyone,

I have a small problem where the counter is not working how I would like 
it to work.


sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   reply-name = Session-Octets-Limit
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
query = SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())

}

The problem with this is that if the SELECT statement returns a value 
less than the value of Max-Monthly-Traffic, then 
Session-Octets-Limit is set to equal Max-Monthly-Traffic.


What I need it to do is to populate Session-Octets-Limit with the VALUE 
of Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.


E.G. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT 
returns a result of 5243 being 50Mb of usage, then 
Session-Octets-Limit should be set to 26210 - 523 being 25687


Can anyone point in the right direction on this please.

Thx
Nev







Re: Counter SQL Calculation

2010-10-25 Thread Neville

Anyone got any pointers at all on this one?

Thx
Nev
- Original Message - 
From: Neville n...@itsnev.co.uk

To: freeradius-users@lists.freeradius.org
Sent: Wednesday, October 20, 2010 5:14 PM
Subject: Counter SQL Calculation



Hi everyone,

I have a small problem where the counter is not working how I would like 
it to work.


sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   reply-name = Session-Octets-Limit
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
query = SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())

}

The problem with this is that if the SELECT statement returns a value 
less than the value of Max-Monthly-Traffic, then Session-Octets-Limit 
is set to equal Max-Monthly-Traffic.


What I need it to do is to populate Session-Octets-Limit with the VALUE of 
Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.


E.G. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT 
returns a result of 5243 being 50Mb of usage, then 
Session-Octets-Limit should be set to 26210 - 523 being 25687


Can anyone point in the right direction on this please.

Thx
Nev 





Counter SQL Calculation

2010-10-20 Thread Neville

Hi everyone,

I have a small problem where the counter is not working how I would like it 
to work.


sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   reply-name = Session-Octets-Limit
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
query = SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())

}

The problem with this is that if the SELECT statement returns a value less 
than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set 
to equal Max-Monthly-Traffic.


What I need it to do is to populate Session-Octets-Limit with the VALUE of 
Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.


E.G. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT 
returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit 
should be set to 26210 - 523 being 25687


Can anyone point in the right direction on this please.

Thx
Nev 





unlang AND / OR Condition

2010-04-10 Thread Neville
Hi,

I'm having problems with huntgroups working correctly, so I would like to 
continue to use if,elseif condition.

Instead of having a line for each NAS-IP-Address e.g.

elsif (NAS-IP-Address == 1.1.1.10 && SQL-GROUP == GROUP1) {
    ok
}
elsif (NAS-IP-Address == 1.1.1.20 && SQL-GROUP == GROUP1) {
    ok
}
elsif (NAS-IP-Address == 1.1.1.30 && SQL-GROUP == GROUP1) {
    ok
} else {
    reject
}

Can I do something like

if(NAS-IP-Address == 1.1.1.10 OR 1.1.1.20 OR 1.1.1.30 AND SQL-GROUP == GROUP1){
    ok
} else {
    reject
}

Or is there a better way of doing this?

Thx
Nev

Re: Max-Monthly-Traffic

2010-02-09 Thread Neville
Anyone please, as this is driving me mad...

Thx
Nev
  - Original Message - 
  From: Neville 
  To: freeradius-users@lists.freeradius.org 
  Sent: Sunday, February 07, 2010 1:28 PM
  Subject: Max-Monthly-Traffic


  Sorry for troubling everyone on this, but I cannot work out why 
Session-Octets-Limit is not calculating the difference between the counter and 
the check_item and is setting a higher limit than the check_item?

  Log below

  Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Check item is greater than 
query result
  Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Authorized user FT-memjxa, 
check_item=26210, counter=151223038
  Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user 
FT-memjxa, Type=Session-Octets-Limit, value=263954010
  Sun Feb  7 12:59:50 2010 : Info: ++[monthlytraffic] returns ok


  sqlcounter monthlytraffic {
   counter-name = Monthly-Traffic
  check-name = Max-Monthly-Traffic
  reply-name = Session-Octets-Limit
  sqlmod-inst = sql
  key = User-Name
  reset = monthly
   query = SELECT 
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE 
username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) 
= Year(NOW())
  }


  Any pointers would help.

  Thx
  Nev

Max-Monthly-Traffic

2010-02-07 Thread Neville
Sorry for troubling everyone on this, but I cannot work out why 
Session-Octets-Limit is not calculating the difference between the counter and 
the check_item and is setting a higher limit than the check_item?

Log below

Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Check item is greater than 
query result
Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Authorized user FT-memjxa, 
check_item=26210, counter=151223038
Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user 
FT-memjxa, Type=Session-Octets-Limit, value=263954010
Sun Feb  7 12:59:50 2010 : Info: ++[monthlytraffic] returns ok


sqlcounter monthlytraffic {
 counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Session-Octets-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
 query = SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) 
FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND 
Year(acctstoptime) = Year(NOW())
}


Any pointers would help.

Thx
Nev
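
A check on the numbers in the rlm_sqlcounter logs above (Session-Octets-Limit for FTU-GzwgcD and for FT-memjxa), added here as an example and not part of the original posts: both logged reply values equal one common base figure plus the seconds left until the monthly reset at the log timestamp, so the limit handed out exceeds the quota. `model_reply` is an assumed model of that near-reset behaviour inferred from these logs, and the base value is derived from the logged numbers, not stated on the page.

```python
import re
from datetime import datetime

# The two "Sent Reply-Item" debug lines from the logs on this page, unwrapped.
LOG_LINES = [
    "Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user "
    "FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221",
    "Sun Feb  7 12:59:50 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user "
    "FT-memjxa, Type=Session-Octets-Limit, value=263954010",
]
# counter= values logged for the same two requests.
COUNTERS = {"FTU-GzwgcD": 991187, "FT-memjxa": 151223038}

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

REPLY_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"(?P<year>\d{4}) : Debug: rlm_sqlcounter: Sent Reply-Item for user "
    r"(?P<user>[^,]+), Type=(?P<attr>[\w-]+), value=(?P<value>\d+)$"
)


def parse_reply_line(line):
    """Return (timestamp, user, attribute, value) from a Sent Reply-Item line."""
    m = REPLY_RE.match(line)
    if m is None:
        raise ValueError("not an rlm_sqlcounter Sent Reply-Item line")
    ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                  int(m["h"]), int(m["m"]), int(m["s"]))
    return ts, m["user"], m["attr"], int(m["value"])


def seconds_until_monthly_reset(ts):
    """Seconds from ts to 00:00:00 on the first day of the following month."""
    if ts.month == 12:
        reset = datetime(ts.year + 1, 1, 1)
    else:
        reset = datetime(ts.year, ts.month + 1, 1)
    return int((reset - ts).total_seconds())


def model_reply(check_item, counter, secs_to_reset):
    """ASSUMED model of the reply value, inferred from the logs on this page.

    If the remaining allowance would outlast the current period, the reply is
    the time left until the reset plus a full new allowance; otherwise it is
    the remaining allowance. That suits a seconds-based counter such as
    Session-Timeout but mixes seconds with octets for a traffic counter.
    """
    remaining = check_item - counter
    if remaining >= secs_to_reset:
        return secs_to_reset + check_item
    return remaining


def explain(line):
    """Split a logged reply value into base figure and seconds-to-reset."""
    ts, user, attr, value = parse_reply_line(line)
    secs = seconds_until_monthly_reset(ts)
    base = value - secs                      # derived, not read from the log
    counter = COUNTERS[user]
    return {
        "user": user,
        "attribute": attr,
        "logged_value": value,
        "seconds_to_reset": secs,
        "implied_check_item": base,
        "expected_remaining": base - counter,   # what the poster expected
        "modelled_value": model_reply(base, counter, secs),
    }


if __name__ == "__main__":
    for log_line in LOG_LINES:
        for key, val in explain(log_line).items():
            print(f"{key:20} {val}")
        print()
```
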

Re: Reply-Message

2010-01-17 Thread Neville

Thanks, this works a treat and its just what I needed.

Is there anyway to strip the \r\n at the start and end of the 
Reply-Message before writing the TABLE, as it ends up in the tables as:-


=0D=0AYou are already logged in - access denied=0D=0A=0A

Thx
Nev

hi,
configure postauth_query in dialup.conf,

postauth_query=UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' 
WHERE USERNAME='%{SQL-User-Name}' 


then, you can query the message from DB SERVER.

BTW:
if reject user, then  ...

   #
   #  Access-Reject packets are sent through the REJECT sub-section of the
   #  post-auth section.
   #
   #
   Post-Auth-Type REJECT {
       "%{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' }"
   }


Message: 1
Date: Sat, 16 Jan 2010 20:55:45 -
From: Neville n...@itsnev.co.uk
Subject: Reply-Message
To: freeradius-users@lists.freeradius.org
Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
Content-Type: text/plain; charset=iso-8859-1

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a 
user can then query on to see the last reply based on their username?


Thx
Nev


--

Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii

You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:

username   attribute       op   value
bob        Reply-Message   :=   Hi Bob



The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.



Tim









Reply-Message

2010-01-16 Thread Neville
Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a user 
can then query on to see the last reply based on their username?

Thx
Nev

Re: Reply-Message

2010-01-16 Thread Neville

Message: 1
Date: Sat, 16 Jan 2010 20:55:45 -
From: Neville n...@itsnev.co.uk
Subject: Reply-Message
To: freeradius-users@lists.freeradius.org
Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
Content-Type: text/plain; charset=iso-8859-1

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a 
user can then query on to see the last reply based on their username?


Thx
Nev


--

Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii

You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:

username   attribute       op   value
bob        Reply-Message   :=   Hi Bob



The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.



Tim

Hi Tim, what I'm after capturing in an SQL Table is the reason for Rejection 
as these messages are not passed to the client, so in our customers' PORTAL, we 
would like to be able to provide them with a list of the most recent ERRORs 
associated with their account.


Sending Access-Reject of id 113 to 91.204.210.136 port 52904
   Reply-Message := \r\nYou are already logged in - access denied\r\n\n


Thx
Nev 



Reject Calling-Station-Id

2010-01-05 Thread Neville
First, please let me wish everyone a Happy New Year in the list.  I've learned 
a lot in the past 12 months and have a fairly stable installation of 2.1.6 on 
CentOS 5.4.

The question, I would like to ask is how can I improve on this and use a DB 
List/Table to Blacklist certain IP addresses.

if(Calling-Station-Id == 218.18.XX.XX){
reject
}
if(Calling-Station-Id == 113.237.XX.XX){
reject
}

The reason I'm having to do this is that we offer a 1hr Free Trial of our 
services and use the Email Address and IP address at the point of registration 
to ensure that the same person does not keep requesting more and more free 
trials.  Obviously this is not perfect and manages to address most of our 
requirements.

However, there are a few people out there that registered with a spoofed IP 
Address and another free hotmail account etc, thus getting another Free Trial 
over and over again.  The way I stop this currently is to manually check the 
record we had at the point of request for the Free Trial, and the IP address 
used to access the Service; if these are different then I block the IP address 
using the unlang above.

There are only a few currently, but should this increase I would like a more 
foolproof way to manage this and register the fact that someone has abused our 
free trial service and BLOCK their IP from accessing our service, even if they 
have been given a Username/Password via the Free Trial Page.

Thanks in advance,

Nev

Re: Reject Calling-Station-Id

2010-01-05 Thread Neville



From: Arran Cudbard-Bell arran.cudbard-b...@hp.com
Subject: Re: Reject Calling-Station-Id


if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
    update reply {
        Reply-Message = "Hello Hello Hello"
    }
    reject
}

Read Uncle Alan has replied this.


To save the followup exchange:

update reply {
    Reply-Message := "Hello Hello Hello"
}

Uncle Alan?...

-Arran


Spot on Arran, thanks so much.

Nev


Re: OpenVPNAS Accounting Issues

2009-12-31 Thread Neville


Neville wrote:

I would just like to clarify the accepted format of Acct-Session-Id, when
using mySQL to track the clients usage through accounting.


 It's a string.


I'm currently testing OpenVPNAS and it seems to create a long string
such as
'NASIPADDRESS.as0t0.1261084262.6899.1', however when the
'Acct-Status-Type':
'Stop' is sent, the SQL does not update the current row, but instead
creates
a NEW row, which seems identical, therefore leaving the session open in
sql.


 Because the NAS isn't sending the same information in stop as it
sent in start.


Is the problem with the STRING being used by OpenVPNAS the reason why the
original ROW created by 'Acct-Status-Type': 'Start' is not being updated?


 No.

 As always, run the server in debugging mode to see what's happening.

 Alan DeKok.



Thanks Alan,  acctsessionid field was limited to vchar(32), increased to 
vchar(64) and all is working correctly.


Thx
Nev 



OpenVPNAS Accounting Issues

2009-12-29 Thread Neville

Hi all,

I would just like to clarify the accepted format of Acct-Session-Id, when
using mySQL to track the clients usage through accounting.

I'm currently testing OpenVPNAS and it seems to create a long string such as
'NASIPADDRESS.as0t0.1261084262.6899.1', however when the 'Acct-Status-Type':
'Stop' is sent, the SQL does not update the current row, but instead creates
a NEW row, which seems identical, therefore leaving the session open in sql.

Is the problem with the STRING being used by OpenVPNAS the reason why the
original ROW created by 'Acct-Status-Type': 'Start' is not being updated?

Thx
Nev 




RE: Check_item still wraps at 4gb

2009-10-19 Thread Neville
Hi Marcel,

Are you able to share your work around, because I have the same problem.

Either on-list or direct email?

Thx
Nev

Re: Munin Graphs

2009-10-14 Thread Neville

Hi,


I've installed the freeradius_auth plugin

added to plugins.conf

[freeradius*]
user root

But still I get the following error when the plugin is run...

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: 
Permission denied


edit the munin/plugins/freeradius* files and put the correct user into
the RADMIN= part.  you really should NEVER be using the root user -
simply use the user that you run radiusd as  (once again, should never be
root) - check the radiusd.sock to see who/what owns it (ls -l 
/usr/local/var/run/radiusd/radiusd.sock)


Thx Alan, the problem is that the radiusd is owned by root, so not quite 
sure how to ensure at system startup that /etc/init.d/radiusd is actual run 
by the radiusd user in /etc/passwd.


I've done a chown -R radiusd:radiusd on the programme and 
/usr/local/etc/raddb, but the radiusd.sock file is owned by root.


Thx
Nev




Munin Graphs

2009-10-13 Thread Neville
Hi,

I've installed the freeradius_auth plugin

added to plugins.conf

[freeradius*]
user root

But still I get the following error when the plugin is run...

radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: 
Permission denied

Any ideas

Running direct from root works fine, just 

[r...@vpn1 munin]# radmin -f /usr/local/var/run/radiusd/radiusd.sock -e stats client auth
requests        273
responses       273
accepts         206
rejects         67
challenges      0
dup             0
invalid         0
malformed       0
bad_signature   0
dropped         0
unknown_types   0

Thx
Nev

Munin Plugins

2009-09-23 Thread Neville
Hi everyone,

This is not directly FreeRadius related, but I would really appreciate it if 
anyone could share any munin plugins that would monitor the number of users 
connected during the day or anything else worth monitoring.

I've googled and can only find ones for login attempts by parsing the 
radius.log.

I'm currently using MYSQL to store the current open connections and 
retrieve the current connections by doing...

SELECT COUNT(*) FROM radacct  WHERE (radacct.AcctStopTime IS NULL OR 
radacct.AcctStopTime = '-00-00 00:00:00'); 

Apologies if anyone feels offended by me posting to the list for such a basic 
request.

Thx
Nev

noresetcounter + NULL radacct records (First Connection)

2009-09-08 Thread Neville

Hi,

On occasions sqlcounter does not seem to work correctly, especially for NEW 
Users that have no radacct details.


After doing some digging, I've identified the issue only to happen on the 
first ever connect of the user in a new account.


As you will see from the sql below, if no integer is returned (NULL), then 
Max-All-Sessions and the correct setting of  is ignored and Session-Timeout 
is skipped.


How can I address the NULL response for newly created accounts?

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='%{User-Name}''
[noresetcounter]expand: SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='%{User-Name}' - SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='6cmy75HS'
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='6cmy75HS'}'

[noresetcounter] sql_xlat
[noresetcounter]expand: %{User-Name} - 6cmy75HS
[noresetcounter] sql_set_user escaped user -- '6cmy75HS'
[noresetcounter]expand: SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='6cmy75HS' - SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='6cmy75HS'

rlm_sql (sql): Reserving sql socket id: 3
[noresetcounter] row[0] returned NULL
rlm_sql (sql): Released sql socket id: 3
[noresetcounter]expand: %{sql:SELECT SUM(AcctSessionTime) FROM 
radacct WHERE UserName='6cmy75HS'} -


rlm_sqlcounter: No integer found in string 

The ABOVE line is the problem, due to the SELECT returning a NULL

++[noresetcounter] returns noop

Sending Access-Accept of id 177 to XX.XX.XX.XX  port 54355
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 603484
   MS-CHAP2-Success = 
0xd2533d313841413133343635363245363732354243394137463446324541363944434634394938

   MS-MPPE-Recv-Key = 0xaab9e0a9c6918c64dfa042b3d84e808e
   MS-MPPE-Send-Key = 0xd2411e9ea8653fd25e550e5cbdbfa3e3
   MS-MPPE-Encryption-Policy = 0x0001
   MS-MPPE-Encryption-Types = 0x0006
   Framed-IP-Address = 192.168.0.27
   Framed-IP-Netmask = 255.255.255.0


After connecting and disconnecting in order to create some entries for this 
user in radacct table, success as session-timeout is set correctly.


rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='%{User-Name}''
[noresetcounter]expand: SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='%{User-Name}' - SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='6cmy75HS'
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='6cmy75HS'}'

[noresetcounter] sql_xlat
[noresetcounter]expand: %{User-Name} - 6cmy75HS
[noresetcounter] sql_set_user escaped user -- '6cmy75HS'
[noresetcounter]expand: SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='6cmy75HS' - SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='6cmy75HS'

rlm_sql (sql): Reserving sql socket id: 2
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
[noresetcounter]expand: %{sql:SELECT SUM(AcctSessionTime) FROM 
radacct WHERE UserName='6cmy75HS'} - 23

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user 6cmy75HS, check_item=3600, counter=23
rlm_sqlcounter: Sent Reply-Item for user 6cmy75HS, Type=Session-Timeout, 
value=3577

++[noresetcounter] returns ok

Sending Access-Accept of id 180 to XX.XX.XX.XX port 60642
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 3577
   MS-CHAP2-Success = 
0x21533d37374337313930393839303834464630413633303846464535443634343243314435313930373942

   MS-MPPE-Recv-Key = 0xd1fff368e638b09b9960d9dba58f08cc
   MS-MPPE-Send-Key = 0x2df743dda88067b995ffc736a5345f71
   MS-MPPE-Encryption-Policy = 0x0001
   MS-MPPE-Encryption-Types = 0x0006
   Framed-IP-Address = 192.168.0.137
   Framed-IP-Netmask = 255.255.255.0
Finished request 10.



Best Regards
Nev 
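
The failure shown in this post, as an added example (not part of the original message and not rlm_sqlcounter's own code): SUM() over zero rows returns NULL, the counter returns noop, and the check item is not applied until the user has an accounting row. SQLite stands in for MySQL, and the table rows, user names and the `decide` model are constructed for illustration.

```python
import sqlite3

# The query from the debug output (with a bound parameter instead of
# %{User-Name}) and the same query guarded with IFNULL.
RAW = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?"
GUARDED = "SELECT IFNULL(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?"


def make_radacct():
    """Constructed accounting table: one user with 23 seconds of history."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    db.executemany(
        "INSERT INTO radacct VALUES (?, ?)",
        [("returning", 15), ("returning", 8)],
    )
    return db


def counter(db, query, user):
    """Run the counter query; returns an int, or None when SQL yields NULL."""
    return db.execute(query, (user,)).fetchone()[0]


def decide(check_item, counter_value):
    """Simplified model of the three outcomes visible in the debug logs.

    noop   -> no integer came back, the limit is not enforced
    reject -> usage already exceeds the check item
    ok     -> reply carries (check item - counter) as the remaining allowance
    """
    if counter_value is None:
        return ("noop", None)
    if counter_value > check_item:
        return ("reject", None)
    return ("ok", check_item - counter_value)


def unenforced_users(db, users, query=RAW):
    """List the users for whom the query returns NULL, i.e. fails open."""
    return [u for u in users if counter(db, query, u) is None]


if __name__ == "__main__":
    db = make_radacct()
    for user in ("newuser", "returning"):
        for label, query in (("raw", RAW), ("guarded", GUARDED)):
            print(user, label, decide(3600, counter(db, query, user)))
    print("fail-open with raw query:", unenforced_users(db, ["newuser", "returning"]))
```
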




Re: sqlippool - Duplicate IP

2009-09-01 Thread Neville



Neville wrote:

I'm facing a problem since rebuild, where every user is being allocated
the same IP from the sqlippool, and I'm not sure why this is happening.

...

pppd does not pass back Client-IP-Address or Client-Station-Id


 Calling-Station-Id.


table structure for radipool is


 Yes... we have access to the source code, too.


rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117,
length=147
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = TESTUSER
MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a
MS-CHAP2-Response =
0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96
NAS-Identifier = NASIPHERE
NAS-Port = 0


 OK.  So how is the IP pool module supposed to assign a unique IP for each
user?  There's no MAC address in the request (i.e. Calling-Station-Id).
The SQL queries (if you read them) use Calling-Station-Id.  How are
they supposed to work if there's no Calling-Station-Id?

 Fix your PPPd so that it sends *useful* information.


Dear Alan,

It's not as simple as you're making it.  Also, I am using %{NAS-Port} and not 
%{Calling-Station-Id} due to the lack of Calling-Station-Id.


pool-key = %{NAS-Port}
# pool-key = %{Calling-Station-Id}

 $INCLUDE sql/mysql/ippool.conf
#$INCLUDE sql/postgresql/ippool.conf

if I use ippool module, it works fine so something wrong with the SQL.

Please can you confirm in what sections I have to add the sqlippool module in 
order that I can test this again, but given the flakiness of sqlippool I 
might just stick with the ippool module.


Thx
Nev 




Re: sqlippool - Duplicate IP

2009-09-01 Thread Neville

Neville wrote:

It's not as simple as you're making it.  Also, I am using %{NAS-Port} and
not %{Calling-Station-Id} due to the lack of Calling-Station-Id.


 Why didn't you say that in the first message?  Giving out *part* of
the information is annoying.


I Understand, but I was trying to make the message SHORT.


pool-key = %{NAS-Port}
# pool-key = %{Calling-Station-Id}

 $INCLUDE sql/mysql/ippool.conf
#$INCLUDE sql/postgresql/ippool.conf

if I use ippool module, it works fine so something wrong with the SQL.


 Well, it's not using the allocate-find query, so something is wrong
with the configuration.


Are you able to provide some pointers please, e.g. where sqlippool should be 
placed or what other files I should look into in order to track the error 
down.


Thx
Nev 




sqlippool - Duplicate IP

2009-08-31 Thread Neville
Hi,

I'm facing a problem since rebuild, where every user is being allocated the 
same IP from the sqlippool, and I'm not sure why this is happening.

I have a DaloRadius / FreeRadius2.1.6 / Poptop (pptpd) 1.3.4 / ppp 2.4.4.-2 / 
mysql 5.0.45

pppd does not pass back Client-IP-Address or Client-Station-Id

table structure for radipool is

( `id` int(11) unsigned NOT NULL auto_increment,
`pool_name` varchar(30) NOT NULL, 
`framedipaddress` varchar(15) NOT NULL default '',
`nasipaddress` varchar(15) NOT NULL default '', 
`calledstationid` varchar(30) NOT NULL,
`callingstationid` varchar(30) NOT NULL,
`expiry_time` datetime default NULL,
`username` varchar(64) NOT NULL default '',
`pool_key` varchar(30) NOT NULL, PRIMARY KEY (`id`) )

1st Login

Ready to process requests.
rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117, 
length=147
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = TESTUSER
MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a
MS-CHAP2-Response = 
0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96
NAS-Identifier = NASIPHERE
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log]  expand: %t - Mon Aug 31 22:47:05 2009
++[auth_log] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql]   expand: %{User-Name} - TESTUSER
[sql] sql_set_user escaped user -- 'TESTUSER'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'TESTUSER'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'TESTUSER'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'TESTUSER'   ORDER 
BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = 'USUKTV'   ORDER BY id
[sql] User found in group USUKTV
[sql]   expand: SELECT id, groupname, attribute,   value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = 'USUKTV'   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for TESTUSER with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group session {...}
++[sql] returns noop
Login OK: [TESTUSER/via Auth-Type = mschap] (from client VPN1-UK port 0)
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 2
[sqlippool] expand: %{User-Name} - TESTUSER
[sqlippool] sql_set_user escaped user -- 'TESTUSER'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
[sqlippool] expand: UPDATE radippool   SET nasipaddress = '', pool_key = 0, 
  callingstationid = '', username = '',   expiry_time = NULL   WHERE 
expiry_time = NOW() - INTERVAL 1 SECOND   AND nasipaddress = 
'%{Nas-IP-Address}' - UPDATE radippool   SET nasipaddress = '', pool_key = 0,  
 callingstationid = '', username = '',   expiry_time = NULL   WHERE expiry_time 
= NOW() - INTERVAL 1 SECOND   AND nasipaddress = 'NASIPHERE'
[sqlippool] expand: SELECT framedipaddress FROM radippool  WHERE pool_name 
= '%{control:Pool-Name}' AND (expiry_time  NOW() OR expiry_time IS NULL)  
ORDER BY (username  '%{User-Name}'),  (callingstationid  
'%{Calling-Station-Id}'),  expiry_time  LIMIT 1  FOR UPDATE - SELECT 
framedipaddress FROM radippool  WHERE pool_name = 'tvpool' AND (expiry_time  
NOW() OR expiry_time IS NULL)  ORDER BY (username  'TESTUSER'),  
(callingstationid  ''),  expiry_time  LIMIT 1  FOR UPDATE
[sqlippool] expand: UPDATE radippool  SET nasipaddress = 

MAX-Monthly-Traffic V2 Post.

2009-08-19 Thread Neville

Hi everyone,

I've decided to submit this question again as it was not quite worded 
correctly, and to send as PLAIN TEXT.


I'm trying to set up a new counter maxmonthlytraffic, which uses the same 
method to disconnect a user by sending the Session-Timeout Reply Attribute as 
with MAX-ALL-Sessions.


This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
   counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   sqlmod-inst = sql
   key = User-Name
   reset = monthly

   query = SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
   FROM radacct WHERE username='%{%k}' AND \
   Month(acctstoptime) =(Month(NOW())) AND \
   Year(acctstoptime) = Year(NOW())
}

authorize {
.
monthlytraffic
.
}

instantiate {
.
monthlytraffic
.
}

created a dictionary entry in daloradius database of:-

id 9433
Type integer
Attribute Max-Monthly-Traffic
Value NULL
Format NULL
Vendor dictionary.freeradius.internal
RecommendedOP :=
RecommendedTable check
RecommendedHelper
RecommendedTooltip Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:-

Check
Simultaneous-Use := 1
Pool-Name := tvpool
Cleartext-Password := testmaxm
Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the 
Check, the user connects fine, so everything else is working)


Reply
Framed-MTU = 1400
Framed-Protocol = PPP
Service-Type = Framed-User
Acct-Interim-Interval := 300(Every 5 mins for testing)


Although this seems to be working on the initial Connection, it does not 
send the Session-Timeout Reply during the Interim Acct Updates if the Usage 
has been exceeded.


From the Debug below, the usage is shown as 37940156  during an Acct 
Update e.g. 906612 + 3733544 and is more than the initial check value of 
Max-Monthly-Traffic := 1049, so I would have expected a Session-Timeout 
Reply to be sent.


However this is working ok on disconnect and reconnect, as I get...

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user testmaxm, check_item=1049, 
counter=89021682

++[monthlytraffic] returns reject
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): 
[testmaxm/via Auth-Type = mschap] (from client VPN1-UK port 1)



Any ideas why I did not get disconnected during the original session, as this 
is what I'm after?



FreeRadius2 Debug

.
.
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
value=11601138

++[monthlytraffic] returns ok
.
.

rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, 
id=47, length=140

   Acct-Session-Id = 4A8B6FA0721900
   User-Name = testmaxm
   Acct-Status-Type = Interim-Update
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Acct-Authentic = RADIUS
   Acct-Session-Time = 600
   Acct-Output-Octets = 37033544
   Acct-Input-Octets = 906612
   Acct-Output-Packets = 27837
   Acct-Input-Packets = 15791
   NAS-Port-Type = Async
   Framed-IP-Address = 192.168.0.29
   NAS-Identifier = aaa.bbb.ccc.ddd
   NAS-Port = 1
   Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
4A8B6FA0721900,User-Name = testmaxm'

[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819

[detail]expand: %t - Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} - testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
'%{Calling-Station-Id}'  

Re: MAX-Monthly-Traffic V2 Post

2009-08-19 Thread Neville

Hi Alex,


You are expecting an interim update to send session-timeout to your nas
so it disconnects your user?
If so, two things seem incorrect to me.

   1- You're measuring traffic volume and want disconnection to be set
based on time (session-timeout)... a bit tricky isn't it?


So VERY True, Too many late nights and I really do appreciate your input as 
this gave me food for thought and I now have EVERYTHING Working.


Both for Traffic & Session USAGE.

For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on 
sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the 
Access-Accept as this is supported by the ppp 2.4.4 NAS.


What I would like to know now, is how I can use sqlcounter to do a Month 
Calculation based on the date of the account being registered and NOT the 
Calendar Month?  Anyone?



   2- I think the attribute Session-Timeout cannot be found in
interim-updates packets (maybe I'm wrong), rfc 2869 specifies that:  It
is envisioned that an Interim Accounting record (with Acct-Status-Type =
Interim-Update (3)) would contain all of the attributes normally found
in an Accounting Stop message with the exception of the
Acct-Term-Cause attribute.

What you would need is an attribute known by your nas and representing
remaining traffic. That attribute should be sent at acct-start time and
would trigger a disconnection from the NAS when traffic limit is
reached. If such an attribute does not exist for your NAS, you should
take a look at CoA server.
Maybe someone has a better idea...?

On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:



Cheers
Nev


CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN



Re: How to control users traffic ?

2009-08-19 Thread Neville

Message: 2
Date: Tue, 14 Jul 2009 08:32:18 +0430
From: Eric bbah...@gmail.com
Subject: Re: How to control users traffic ?
To: freeradius-users@lists.freeradius.org
Message-ID:
38a27c8c0907132102w4d55ebfcmea079116add7b...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

freeradius-1.1.3-1.4 !!
Is it the reason of problem ?



I set  reply-name = Session-Octets-Limit in sqlcounter
but freeradius sends Session-Timeout in reply with value equal to  the
deduct of octets used until now from  check-name = Max-Input-Octets.
How should change the session-timeout to  Session-Octets-Limit in
auth-reply?


That shouldn't happen. What freeradius version? Post the debug from server
startup and request processing.

Ivan Kalik
Kalik Informatika ISP



Hi Ivan,

I have this working, other than I cannot set a Session-Octets-Limit higher 
than 4Gb.


Is there any way to get around this as I'm allocating 5GB of Usage Per Month?

Max-Traffic-Monthly := 429497  (4Gb)

[monthlytraffic]expand: %{sql:SELECT 
(sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct 
WHERE username='test1000' AND Month(acctstoptime) 
=(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} - 0

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=4294967295, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, 
Type=Session-Octets-Limit, value=1029889

++[monthlytraffic] returns ok

Sending Access-Accept of id 144 to 193.33.186.190 port 46294
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 3600
   Session-Octets-Limit = 1029889

Session-Octets-Limited is set to 1Mb instead of 4Gb

   Framed-IP-Address = 192.168.0.22



Max-Traffic-Monthly := 42  (3.9Gb)

[monthlytraffic]expand: %{sql:SELECT 
(sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct 
WHERE username='test1000' AND Month(acctstoptime) 
=(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} - 0

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=42, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, 
Type=Session-Octets-Limit, value=4201030340

++[monthlytraffic] returns ok

Sending Access-Accept of id 98 to 193.33.186.190 port 34040
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 3600
   Session-Octets-Limit = 4201030340
   Framed-IP-Address = 192.168.0.23

Thx
Nev




Max Monthly Traffic

2009-08-18 Thread Neville
Hi everyone,

I'm trying to set up a new counter maxmonthlytraffic, but as soon as I 
connected, sql_counter sends reply to do a session timeout and I get 
disconnected.

This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
sqlmod-inst = sql
key = User-Name
reset = monthly

query = SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
FROM radacct WHERE username='%{%k}' AND \
Month(acctstoptime) =(Month(NOW())) AND \
Year(acctstoptime) = Year(NOW())
}

authorize {

..
monthlytraffic

}

instantiate {

monthlytraffic

}

created a dictionary entry in daloradius as..
  id  9433 
  Type  integer 
  Attribute  Max-Monthly-Traffic 
  Value  NULL 
  Format  NULL 
  Vendor  dictionary.freeradius.internal 
  RecommendedOP  := 
  RecommendedTable  check 
  RecommendedHelper
  RecommendedTooltip  Check Monthly Traffic Allowance 



User created as testmaxm, with the following attributes set:-

Check
Simultaneous-Use := 1
Pool-Name := tvpool
Cleartext-Password := testmaxm
Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the Check, 
the user connects fine, so everything else is working)

Reply
Framed-MTU = 1400
Framed-Protocol = PPP
Service-Type = Framed-User
Acct-Interim-Interval := 300(Every 5 mins for testing)

Some Debug...

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
value=11601138
++[monthlytraffic] returns ok

rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, 
id=47, length=140
Acct-Session-Id = 4A8B6FA0721900
User-Name = testmaxm
Acct-Status-Type = Interim-Update
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 600
Acct-Output-Octets = 37033544
Acct-Input-Octets = 906612
Acct-Output-Packets = 27837
Acct-Input-Packets = 15791
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.29
NAS-Identifier = aaa.bbb.ccc.ddd
NAS-Port = 1
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
4A8B6FA0721900,User-Name = testmaxm'
[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail]expand: %t - Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} - testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
'%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}' - UPDATE 
radippool  SET expiry_time = NOW() + INTERVAL 3600 SECOND  WHERE nasipaddress = 
'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND username = 'testmaxm'  AND 
callingstationid = ''  AND framedipaddress = '192.168.0.29'
rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND 
username = 'testmaxm'  AND callingstationid = ''  AND framedipaddress = 
'192.168.0.29'
[sqlippool] expand: COMMIT - COMMIT
rlm_sql_mysql: query:  COMMIT
rlm_sql (sql): Released sql socket id: 1
++[sqlippool] returns ok
[sql]   expand: %{User-Name} - testmaxm
[sql] sql_set_user escaped user -- 'testmaxm'
[sql]   expand: %{Acct-Input-Gigawords} - 
[sql]   expand: %{Acct-Input-Octets} - 906612
[sql]   expand: %{Acct-Output-Gigawords} - 
[sql]   expand: %{Acct-Output-Octets} - 37033544
[sql]   expand:UPDATE radacct   SET  
framedipaddress = '%{Framed-IP-Address}',  acctsessiontime = 
'%{Acct-Session-Time}',  acctinputoctets = 
'%{%{Acct-Input-Gigawords}:-0}'   32 |
'%{%{Acct-Input-Octets}:-0}',  

Re: String Validation

2009-08-16 Thread Neville

If a connection that comes in with a GROUP NAME from SQL of USUK-XX
or WUK-XX and I want to strip off the -XX, how would I do this with
unlang so I only validate the following?


Using the regexp feature, you can match part of an attribute then
reference it later, like so:
if (SQL-GROUP =~ /(.*)-XX/) {
    update request {
        SQL-GROUP := "%{1}"
    }
}

--Mike


Thx Mike,

Sorry, I don't think my example helped as XX could be ANYTHING.

E.g. USUK-5GB ; USUK-1GB ; USUK-10GB, so looking to STRIP everything after the 
- and including the - to the end of the string.


The reason for doing this is that I only want to validate against the first part 
of the String, otherwise the Nested IF Statement will be Huge.


If you're able, would appreciate if you can update the IF statement below to 
reflect what I'm trying to do.


if(SQL-GROUP == USUK) {
ok
}
elsif(NAS-IP-Address == AAA.BBB.CCC.DDD && SQL-GROUP == WUK) {
ok
}
else {
   reject
}

Thx in advance

Nev



String Validation

2009-08-15 Thread Neville
Hi,

If a connection that comes in with a GROUP NAME from SQL of USUK-XX or 
WUK-XX and I want to strip off the -XX, how would I do this with unlang so I 
only validate the following?

if(SQL-GROUP == USUK) {
 ok
}
elsif(NAS-IP-Address == AAA.BBB.CCC.DDD && SQL-GROUP == WUK) {
 ok
}
else {
reject
}

Thx in advance

Nev

Access provide to TWO Servers dependant on Group?

2009-06-23 Thread Neville
Let me explain my setup.

I have TWO Servers, with one running PoPtop+Radius plugin / freeradius 2.1.6 / 
SQL DaloRadius Setup

Connection is INTERNET - PPP - FREERADIUS - LAN

User X connects to Server A and authenticates against freeradius running on 
Server A and is provided with Access using mschap v2 authentication and this 
works fine.

What I would like to do is setup Server B to authenticate against freeradius on 
Server A, but ONLY allow access to Server B if the connecting user belongs to a 
specific Group. If group is the correct approach?

I'm looking at setting up TWO Groups.

Default Group to allow access to Server A only, but if you belong to GROUPX, 
you will be allowed access to both Server A and Server B.

How do I setup this access in SQL against a user and what Check / Reply 
attributes, if any do I need to use?

Many Thanks for your Support

Nev


Re: PPTPD Bandwidth Shaping

2009-06-10 Thread Neville

Dear Ivan,

Appreciate your comment

Can anyone else point me in the correct direction..

Thx
Nev


Message: 1
Date: Wed, 10 Jun 2009 00:07:22 +0100 (BST)
From: Ivan Kalik t...@kalik.net
Subject: Re: PPTPD Bandwidth Shaping
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 50989.87.194.16.13.1244588842.squir...@webmail.kalik.net
Content-Type: text/plain;charset=utf-8


Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the
value is all wrong.

I set WISPr-Bandwidth-Max-Down = 512000 (as a reply)

and in /var/run/radattr.ppp0 it shows as - WISPr-Bandwidth-Max-Down
-1062731706

I just basically copied the dictionary.wispr to 
/usr/share/radiusclient-ng

as in order to get it loaded in radattr.ppp0 :-

[r...@xxx radiusclient-ng]# more dictionary.wispr
ATTRIBUTE   WISPr-Location-ID                   1   string
ATTRIBUTE   WISPr-Location-Name                 2   string
ATTRIBUTE   WISPr-Logoff-URL                    3   string
ATTRIBUTE   WISPr-Redirection-URL               4   string
ATTRIBUTE   WISPr-Bandwidth-Min-Up              5   integer
ATTRIBUTE   WISPr-Bandwidth-Min-Down            6   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Up              7   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Down            8   integer
#ATTRIBUTE  WISPr-Session-Terminate-Time        9   string
#ATTRIBUTE  WISPr-Session-Terminate-End-Of-Day  10  string
ATTRIBUTE   WISPr-Billing-Class-Of-Service      11  string

Any ideas please.


Try writing to the correct list. Your problem is not with freeradius.

Ivan Kalik
Kalik Informatika ISP



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
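
Added example (not part of the original thread, and not radiusclient-ng or pppd code): the reported value -1062731706 is exactly the Framed-IP-Address 192.168.0.70 read as a signed 32-bit integer, which is consistent with number 8 in the copied dictionary being matched against standard attribute 8 rather than the WISPr vendor attribute. The attribute bytes and both decoders are constructed for illustration; 14122 is the WISPr vendor number from FreeRADIUS's dictionary.wispr.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8     # RFC 2865 standard attribute number
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific container
WISPR_VENDOR_ID = 14122   # vendor number in FreeRADIUS's dictionary.wispr
WISPR_BW_MAX_DOWN = 8     # vendor attribute number from the listing above


def attr(number, value):
    """Encode one attribute: number, length (2-byte header included), value."""
    return bytes([number, len(value) + 2]) + value


def sample_reply():
    """Constructed attribute bytes mirroring the Access-Accept in the thread."""
    ip = ipaddress.IPv4Address("192.168.0.70").packed
    wispr = attr(WISPR_BW_MAX_DOWN, struct.pack("!I", 512000))
    vsa = attr(VENDOR_SPECIFIC, struct.pack("!I", WISPR_VENDOR_ID) + wispr)
    return attr(FRAMED_IP_ADDRESS, ip) + vsa


def walk(buf):
    """Yield (number, value) for each attribute in buf, validating lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        number, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield number, buf[pos + 2:pos + length]
        pos += length


def decode_flat(buf):
    """Hypothetical client whose dictionary maps bare number 8 to the WISPr
    name with no vendor scope, and prints integers as signed 32-bit."""
    names = {WISPR_BW_MAX_DOWN: "WISPr-Bandwidth-Max-Down"}
    out = {}
    for number, value in walk(buf):
        if number in names and len(value) == 4:
            out[names[number]] = struct.unpack("!i", value)[0]
    return out


def decode_vendor_aware(buf):
    """Decoder that scopes vendor attributes by (vendor id, vendor number)."""
    out = {}
    for number, value in walk(buf):
        if number == FRAMED_IP_ADDRESS and len(value) == 4:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif number == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            for sub, subval in walk(value[4:]):
                key = (vendor, sub)
                if key == (WISPR_VENDOR_ID, WISPR_BW_MAX_DOWN) and len(subval) == 4:
                    out["WISPr-Bandwidth-Max-Down"] = struct.unpack("!I", subval)[0]
    return out


def integer_as_ipv4(value):
    """Reinterpret a (possibly negative) 32-bit integer as a dotted quad."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


if __name__ == "__main__":
    reply = sample_reply()
    print("number-only dictionary:", decode_flat(reply))
    print("vendor-aware dictionary:", decode_vendor_aware(reply))
    print("-1062731706 as IPv4:", integer_as_ipv4(-1062731706))
```
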


Re: PPTPD Bandwidth Shaping

2009-06-09 Thread Neville
Hi Chuan,

Thx for reply amongst this heated discussion on DHCP

I've currently got installed freeRadius 2.1.6 and Poptop 2.4.4 and I see no 
dictionary file in /etc/ppp/radius/dictionary. In fact I have no radius 
directory in /etc/ppp

All freeradius dictionaries are located in /usr/share/freeradius

The question is, how can I pass WISPr-Bandwidth-Max-Down to ip-up.local as I 
was hoping it would be in /var/run/radattr.pppX, but all that's in there is:-


Framed-IP-Address 192.168.0.70
Session-Timeout 1646690
MS-CHAP2-Success 7S=A8CF4948283C1C4BE11682787ADBD0EA9852E691
MS-MPPE-Recv-Key \220\265J\372\250\336\342nD\226o\272\007\030I\372'\313\...@j\36
1\370\266\212?_\377\262\324\215X\274\357
MS-MPPE-Send-Key \235\342\367\325\243\210\020\217|H\314WkU0\201\352\374\364\023\
220\220\315z\364\277\254\361\356[Ce\002
MS-MPPE-Encryption-Policy 
MS-MPPE-Encryption-Types 


However we can see WISPr-Bandwidth-Max-Down being successfully passed to 
FreeRadius?


++[exec] returns noop
Sending Access-Accept of id 198 to 127.0.0.1 port 53025
Framed-IP-Address := 192.168.0.70
WISPr-Bandwidth-Max-Down := 512000
Session-Timeout = 1646690
MS-CHAP2-Success = 
0x37533d41384346343934383238334331433442453131363832373837414442443045413938353245363931
MS-MPPE-Recv-Key = 0x0b660d35b65015368d107e57d97e2b55
MS-MPPE-Send-Key = 0xc78164fb4478212fbd0d198389ee2d52
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 198 with timestamp +244
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 38836, id=199, 
length=98
Acct-Session-Id = 4A2EE3A302FB00
User-Name = test99
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.70
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok


I would love to use WISPr as suggested, but cannot find out how to get this to 
work.

Currently I've just defaulted EVERYONE to the same bandwidth restrictions by 
using the follow script in /etc/ppp/ip-up.local

ip-up.local

DOWNSPEED=256
UPSPEED=768
# $1 is the ppp interface name passed in by pppd; clear any old shaping first
   /sbin/tc qdisc del dev $1 root > /dev/null
   /sbin/tc qdisc del dev $1 ingress > /dev/null
# speed server->client
  if [ $UPSPEED != 0 ] ;
  then
/sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
/sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${UPSPEED}kbit burst 4k
/sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${UPSPEED}kbit burst 4k prio 1
/sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${UPSPEED}kbit burst 4k prio 2
/sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 1500
/sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 1500
# interactive (TOS 0x10), ICMP and small TCP ACK packets go to the priority class
/sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
/sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
/sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
  fi
# speed client->server
  if [ $DOWNSPEED != 0 ] ;
  then
# police inbound traffic on the ingress qdisc and drop anything over the rate
/sbin/tc qdisc add dev $1 handle ffff: ingress
/sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNSPEED}kbit burst 12k drop flowid :1
  fi
/sbin/ifconfig $1 mtu 1400

Re: PPTPD Bandwidth Shaping

2009-06-09 Thread Neville
Hi all again,

Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the value is 
all wrong.

I set WISPr-Bandwidth-Max-Down = 512000 (as a reply)

and in /var/run/radattr.ppp0 it's shown as - WISPr-Bandwidth-Max-Down -1062731706

I just basically copied the dictionary.wispr to /usr/share/radiusclient-ng 
in order to get it loaded in radattr.ppp0 :-

[r...@xxx radiusclient-ng]# more dictionary.wispr
ATTRIBUTE   WISPr-Location-ID                   1   string
ATTRIBUTE   WISPr-Location-Name                 2   string
ATTRIBUTE   WISPr-Logoff-URL                    3   string
ATTRIBUTE   WISPr-Redirection-URL               4   string
ATTRIBUTE   WISPr-Bandwidth-Min-Up              5   integer
ATTRIBUTE   WISPr-Bandwidth-Min-Down            6   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Up              7   integer
ATTRIBUTE   WISPr-Bandwidth-Max-Down            8   integer
#ATTRIBUTE  WISPr-Session-Terminate-Time        9   string
#ATTRIBUTE  WISPr-Session-Terminate-End-Of-Day  10  string
ATTRIBUTE   WISPr-Billing-Class-Of-Service      11  string

Any ideas please.

Thx
Nev
  - Original Message - 
  From: Neville 
  To: freeradius-users@lists.freeradius.org 
  Sent: Tuesday, June 09, 2009 10:45 PM
  Subject: Re: PPTPD Bandwidth Shaping


  Hi Chuan,

  Thx for reply amongst this heated discussion on DHCP

  I've currently got freeRadius 2.1.6 and Poptop 2.4.4 installed and I see no 
dictionary file in /etc/ppp/radius/dictionary. In fact I have no radius 
directory in /etc/ppp

  All freeradius dictionaries are located in /usr/share/freeradius

  The question is, how can I pass WISPr-Bandwidth-Max-Down to ip-up.local as I 
was hoping it would be in /var/run/radattr.pppX, but all that's in there is:-


  Framed-IP-Address 192.168.0.70
  Session-Timeout 1646690
  MS-CHAP2-Success 7S=A8CF4948283C1C4BE11682787ADBD0EA9852E691
  MS-MPPE-Recv-Key 
\220\265J\372\250\336\342nD\226o\272\007\030I\372'\313\...@j\36
  1\370\266\212?_\377\262\324\215X\274\357
  MS-MPPE-Send-Key 
\235\342\367\325\243\210\020\217|H\314WkU0\201\352\374\364\023\
  220\220\315z\364\277\254\361\356[Ce\002
  MS-MPPE-Encryption-Policy 
  MS-MPPE-Encryption-Types 


  However we can see WISPr-Bandwidth-Max-Down being successfully passed to 
FreeRadius?


  ++[exec] returns noop
  Sending Access-Accept of id 198 to 127.0.0.1 port 53025
  Framed-IP-Address := 192.168.0.70
  WISPr-Bandwidth-Max-Down := 512000
  Session-Timeout = 1646690
  MS-CHAP2-Success = 
0x37533d41384346343934383238334331433442453131363832373837414442443045413938353245363931
  MS-MPPE-Recv-Key = 0x0b660d35b65015368d107e57d97e2b55
  MS-MPPE-Send-Key = 0xc78164fb4478212fbd0d198389ee2d52
  MS-MPPE-Encryption-Policy = 0x0001
  MS-MPPE-Encryption-Types = 0x0006
  Finished request 3.
  Going to the next request
  Waking up in 4.9 seconds.
  Cleaning up request 3 ID 198 with timestamp +244
  Ready to process requests.
  rad_recv: Accounting-Request packet from host 127.0.0.1 port 38836, id=199, 
length=98
  Acct-Session-Id = 4A2EE3A302FB00
  User-Name = test99
  Acct-Status-Type = Start
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Authentic = RADIUS
  NAS-Port-Type = Async
  Framed-IP-Address = 192.168.0.70
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 0
  Acct-Delay-Time = 0
  +- entering group preacct {...}
  ++[preprocess] returns ok


  I would love to use WISPr as suggested, but cannot find out how to get this 
to work.

  Currently I've just defaulted EVERYONE to the same bandwidth restrictions by 
using the following script in /etc/ppp/ip-up.local

  ip-up.local

  DOWNSPEED=256
  UPSPEED=768
  # remove any shaping already attached to the interface (pppd passes it as $1)
  /sbin/tc qdisc del dev $1 root > /dev/null 2>&1
  /sbin/tc qdisc del dev $1 ingress > /dev/null 2>&1
  # speed server-client
  if [ $UPSPEED != 0 ] ;
  then
    /sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
    /sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${UPSPEED}kbit burst 4k
    /sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${UPSPEED}kbit burst 4k prio 1
    /sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${UPSPEED}kbit burst 4k prio 2
    /sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 1500
    /sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 1500
    # interactive (TOS 0x10), ICMP and bare TCP ACK packets go to the priority class
    /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
    /sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff \
      match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
  fi
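
The number reported in this message can be checked by hand. The following is an added example, not part of the original post or of any project's code: it reads the signed integer from radattr.ppp0 as a 32-bit IPv4 address and lists dictionary entries that carry no vendor and therefore share a number with a standard RFC 2865 attribute. Function names are hypothetical, the sample dictionary is retyped from the posts with its spacing restored, and treating an entry without a vendor as a standard attribute is an assumption about how the client dictionary is read.

```shell
#!/bin/sh
# Added diagnostic example; all function names are hypothetical.

# Reinterpret a (possibly negative) 32-bit integer as a dotted-quad address.
int32_to_ipv4() {
    n=$(( $1 & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' \
        $(( ($n >> 24) & 255 )) $(( ($n >> 16) & 255 )) \
        $(( ($n >> 8) & 255 )) $(( $n & 255 ))
}

# Names of standard attributes 1-11 as assigned by RFC 2865.
std_attr_name() {
    case "$1" in
        1) echo User-Name ;;
        2) echo User-Password ;;
        3) echo CHAP-Password ;;
        4) echo NAS-IP-Address ;;
        5) echo NAS-Port ;;
        6) echo Service-Type ;;
        7) echo Framed-Protocol ;;
        8) echo Framed-IP-Address ;;
        9) echo Framed-IP-Netmask ;;
        10) echo Framed-Routing ;;
        11) echo Filter-Id ;;
        *) return 1 ;;
    esac
}

# Read a dictionary on stdin and print "name number standard-name" for each
# active ATTRIBUTE that has no vendor (neither a trailing vendor column nor an
# enclosing BEGIN-VENDOR block) and so shares a number with a standard one.
# Assumption: such an entry is looked up in the standard attribute space.
unvendored_collisions() {
    in_vendor=0
    while read -r kw name num type vendor; do
        case "$kw" in
            BEGIN-VENDOR) in_vendor=1 ;;
            END-VENDOR) in_vendor=0 ;;
            ATTRIBUTE)
                [ "$in_vendor" -eq 0 ] && [ -z "$vendor" ] || continue
                std=$(std_attr_name "$num") || continue
                echo "$name $num $std" ;;
        esac
    done
    return 0
}

# Constructed sample: the dictionary.wispr entries from the post, plus one
# vendored ChilliSpot entry from the earlier post for contrast.
sample_dictionary() {
    cat <<'EOF'
ATTRIBUTE WISPr-Location-ID 1 string
ATTRIBUTE WISPr-Location-Name 2 string
ATTRIBUTE WISPr-Logoff-URL 3 string
ATTRIBUTE WISPr-Redirection-URL 4 string
ATTRIBUTE WISPr-Bandwidth-Min-Up 5 integer
ATTRIBUTE WISPr-Bandwidth-Min-Down 6 integer
ATTRIBUTE WISPr-Bandwidth-Max-Up 7 integer
ATTRIBUTE WISPr-Bandwidth-Max-Down 8 integer
#ATTRIBUTE WISPr-Session-Terminate-Time 9 string
#ATTRIBUTE WISPr-Session-Terminate-End-Of-Day 10 string
ATTRIBUTE WISPr-Billing-Class-Of-Service 11 string
ATTRIBUTE ChilliSpot-Bandwidth-Max-Down 5 integer ChilliSpot
EOF
}

int32_to_ipv4 -1062731706
sample_dictionary | unvendored_collisions
```

Run as written, the first line printed is 192.168.0.70, the Framed-IP-Address sent in the same Access-Accept, and WISPr-Bandwidth-Max-Down 8 is listed against Framed-IP-Address.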

PPTPD Bandwidth Shaping

2009-06-07 Thread Neville
Hi everyone,

I was hoping for a few pointers on this...

My setup is internetfreeradiuspppwork

This is working fine with the exception of Bandwidth Shaping.

Basically, I want to create my own ATTRIBUTES for setting Max-UP / Max-Down and 
use ip-up.local to AWK these attributes from

if [ -f /var/run/radattr.$1 ]
then
  # pull the per-user limits out of the attribute file written for this interface
  DOWNSPEED=`/bin/awk  '/Max-Down-Limit/ {print $2}'  /var/run/radattr.$1`
  UPSPEED=`/bin/awk  '/Max-Up-Limit/ {print $2}'  /var/run/radattr.$1`
  #echo $DOWNSPEED
  #echo $UPSPEED
  #echo $FILTERS
  /sbin/tc qdisc del dev $1 root > /dev/null 2>&1
  /sbin/tc qdisc del dev $1 ingress > /dev/null 2>&1

  # speed client-server
  if [ $DOWNSPEED != 0 ] ;
  then
    /sbin/tc qdisc add dev $1 handle ffff: ingress
    /sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip \
      src 0.0.0.0/0 police rate ${DOWNSPEED}kbit burst 12k drop flowid :1
  fi
fi

I've tried to use the following attributes from chillispot as a reply 
attribute, ChilliSpot-Bandwidth-Max-Down := 500, but I get the following error 
:-

rlm_sql: Failed to create the pair: Invalid octet string 500 for attribute 
name ChilliSpot-Bandwidth-Max-Down
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user

I've also copied dictionary.chillspot to /usr/share/radiusclient-ng as:-

VENDOR          ChilliSpot      14559

BEGIN-VENDOR    ChilliSpot

ATTRIBUTE   ChilliSpot-Max-Input-Octets     1   integer ChilliSpot
ATTRIBUTE   ChilliSpot-Max-Output-Octets    2   integer ChilliSpot
ATTRIBUTE   ChilliSpot-Max-Total-Octets     3   integer ChilliSpot
ATTRIBUTE   ChilliSpot-Bandwidth-Max-Up     4   integer ChilliSpot
ATTRIBUTE   ChilliSpot-Bandwidth-Max-Down   5   integer ChilliSpot
ATTRIBUTE   ChilliSpot-Config               6   string  ChilliSpot
ATTRIBUTE   ChilliSpot-Lang                 7   string  ChilliSpot
ATTRIBUTE   ChilliSpot-Version              8   string  ChilliSpot
ATTRIBUTE   ChilliSpot-OriginalURL          9   string  ChilliSpot


# Configuration management parameters (ChilliSpot Only)
ATTRIBUTE   ChilliSpot-UAM-Allowed          100 string  ChilliSpot
ATTRIBUTE   ChilliSpot-MAC-Allowed          101 string  ChilliSpot
ATTRIBUTE   ChilliSpot-Interval             102 integer ChilliSpot

Not sure what else I'm missing, as the majority of internet searches point to 
editing /etc/raddb/dictionary, but this is not there with freeradius 2.1.6

Any advice would be greatly received.

Thx
Nev
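
One way to read a per-user rate from /var/run/radattr.pppX before handing it to tc, as an added example that is not code from the post. It matches the attribute name exactly, accepts only a plain positive number, and otherwise falls back to a default; the helper names are hypothetical, the sample file is constructed, and the division by 1000 assumes the attribute carries bits per second while tc is given kbit.

```shell
#!/bin/sh
# Added example for an ip-up.local style script; helper names are hypothetical.

# pppd passes the interface name as $1; accept only "ppp" followed by digits.
valid_iface() {
    case "$1" in
        ppp|ppp*[!0-9]*) return 1 ;;
        ppp[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the rate in kbit for attribute $2 in radattr file $1, or the
# fallback $3 when the value is missing, zero, negative or not a number.
radattr_kbit() {
    file=$1; attr=$2; fallback=$3
    [ -r "$file" ] || { echo "$fallback"; return 0; }
    # Exact match on column 1 (a /regex/ match would also hit longer names).
    val=$(awk -v a="$attr" '$1 == a { print $2; exit }' "$file")
    case "$val" in
        ''|0*|*[!0-9]*) echo "$fallback"; return 0 ;;
    esac
    # At most 10 digits, so the division below cannot overflow.
    [ "${#val}" -le 10 ] || { echo "$fallback"; return 0; }
    kbit=$(( $val / 1000 ))     # assumption: attribute is in bits per second
    [ "$kbit" -ge 1 ] || { echo "$fallback"; return 0; }
    echo "$kbit"
}

# Ingress policer from the post, with a checked interface and quoted arguments.
apply_ingress_limit() {
    valid_iface "$1" || return 1
    /sbin/tc qdisc add dev "$1" handle ffff: ingress
    /sbin/tc filter add dev "$1" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "${2}kbit" burst 12k drop flowid :1
}

# Constructed sample of a radattr file: one good value, two unusable ones.
write_sample_radattr() {
    cat > "$1" <<'EOF'
Framed-IP-Address 192.168.0.70
Session-Timeout 1646690
WISPr-Bandwidth-Max-Down 512000
WISPr-Bandwidth-Max-Up -1062731706
WISPr-Bandwidth-Min-Up 512k
EOF
}

# Demonstration on the constructed file; in ip-up.local the file would be
# /var/run/radattr.$1 and the defaults are the 256/768 used in the thread.
demo=$(mktemp) && write_sample_radattr "$demo"
echo "down: $(radattr_kbit "$demo" WISPr-Bandwidth-Max-Down 256) kbit"
echo "up:   $(radattr_kbit "$demo" WISPr-Bandwidth-Max-Up 768) kbit (fallback)"
rm -f "$demo"
```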

Re: Assigning IP address from RADIUS to Cisco PPTP users

2009-05-26 Thread Neville

Message: 1
Date: Tue, 26 May 2009 18:56:42 +0100 (BST)
From: Ivan Kalik t...@kalik.net
Subject: Re: Assigning IP address from RADIUS to Cisco PPTP users
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 52973.87.194.16.13.1243360602.squir...@webmail.kalik.net
Content-Type: text/plain;charset=utf-8


I've used Livingston and Cistron radiusd's in the past with dialup ppp
users and Cisco/Lucent NASes and have been able to do this with no
problems.

Users are currently authenticating fine and getting assigned IPs from the
IP pool as defined in the Cisco NAS.  However, I'd like to have a few,
select users assigned static IPs from outside that pool, but the Cisco
(2811) is simply ignoring the raddb/users file entry for that user and
assigning an IP from the pool on the NAS.

Here is my Cisco config::

aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common

vpdn-group 1
  accept-dialin
   protocol pptp
   virtual-template 1

interface Loopback0
  ip address 99.99.99.99 255.255.255.255
  ip nat inside
  ip virtual-reassembly

interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  ip policy route-map VPN-Client
  peer match aaa-pools
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto
  ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
-
Here is the raddb/users file entry:
-
testuser    Service-Type == Framed-User
 Framed-Protocol == PPP,
 Framed-IP-Address = 172.16.1.2,
 Framed-IP-Netmask = 255.255.255.255,
 Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Framed-Protocol == PPP
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP
--
The DEFAULT entry allows users in /etc/passwd to authenticate fine, but
testuser still gets an IP from the NAS pool instead of the one above..
Any pointers appreciated!


http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Post the debug of the authentication attempt.

Ivan Kalik
Kalik Informatika ISP



--

Message: 2
Date: Tue, 26 May 2009 14:15:44 -0500
From: jon jon free9...@gmail.com
Subject: Re: next
To: tim.sylves...@networkradius.com, FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
c1efadb10905261215n4c0a4cdbw143227509a69c...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

ok so after reading the admin.sql it looks like it is telling me what to
type into my mysql, to create a default admin for radius, and so freeradius
can read any table in sql, does it matter what I change localhost to or can
it be any name I want. guess I am seeing what I have to do but not fully
understanding it. I am using a mysql book also but think that might be
getting me more confused.
jon

On Tue, May 26, 2009 at 12:02 PM, Tim Sylvester 
tim.sylves...@networkradius.com wrote:


 Read the SQL HOWTO at: http://wiki.freeradius.org/SQL_HOWTO. Also, look
at the sql.conf file in the raddb directory and the mysql files in
raddb/sql/mysql. You will want to read the information in admin.sql and
schema.sql.



Tim



*From:* freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freeradius.org *On Behalf Of *jon jon
*Sent:* Tuesday, May 26, 2009 9:51 AM
*To:* FreeRadius users mailing list
*Subject:* next



I have my freeradius working, I'm running slackware 12.1 with freeradius
version 2.1.5. I used NTRAping utility to send packets to my freeradius
server. I also used radtest and that was successful. So now I want to set
freeradius with backend mysql database. I am looking for the script
db_mysql.sql and cannot find this file. I installed mysql as a package, when
I installed slackware. So, does that file even exist anymore? I have the
radius book and the directory it shows doesn't contain any file with that
name.



--

Message: 3
Date: Tue, 26 May 2009 20:45:03 +0100 (BST)
From: Ivan Kalik t...@kalik.net
Subject: Re: next
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 53183.87.194.16.13.1243367103.squir...@webmail.kalik.net
Content-Type: text/plain;charset=utf-8


ok so after reading the admin.sql it looks like it is telling me what to
type into my mysql, to create a default admin for radius, and so freeradius
can read any table in 

Re: Re: freeRADIUS + POPTOP

2009-05-23 Thread Neville
I've searched the INTERNET for 5 days now and late into the evening, but I'm
totally stumped in resolving my problem, so I would appreciate any
guidance from the experts.  I've configured as per the many guides I've
found and have a basic understanding of how this all works, but there is
no information anywhere on how to setup the Users / Client details for
freeRADIUS.


Did you try reading comments in users file and clients.conf ie. files you
were about to change?


First THANKS for replying...

I did, but still cannot work out what I'm doing wrong on this as there are so 
many guides and different ways of doing things, or that's how it seems.


Everything authenticates ok and the correct IP is allocated now, but I'm not 
able to BROWSE any sites and cannot even ping the ip address given to the 
PPP adapter.  I can only access the VPN, but none of the traffic seems to 
be routing correctly.  Can you offer any further support, please.


Windows IP Configuration

PPP adapter testvpn

  Connection-specific DNS Suffix  . :
  IPv4 Address. . . . . . . . . . . : 10.0.0.168
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 0.0.0.0

C:\Users\Nev>ping 10.0.0.168

Pinging 10.0.0.168 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 10.0.0.168:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ppp0  Link encap:Point-to-Point Protocol
 inet addr:10.0.0.1  P-t-P:10.0.0.168  Mask:255.255.255.255
 UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
 RX packets:3890 errors:0 dropped:0 overruns:0 frame:0
 TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:3
 RX bytes:442107 (431.7 KiB)  TX bytes:108501 (105.9 KiB)

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination
MASQUERADE  all  --  10.0.0.0/24  anywhere

[root log]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

[root log]# cat /proc/sys/net/ipv4/ip_forward
1

RADIUS LOG..

+- entering group post-auth {...}
[test_pool] expand: %{NAS-IP-Address} %{NAS-Port} - 127.0.0.1 0
[test_pool] MD5 on 'key' directive maps to: ee0282d57992a30bce29ea43d092ac16
[test_pool] Searching for an entry for key: 
'ee0282d57992a30bce29ea43d092ac16'

rlm_ippool: Allocating ip to key: 'ee0282d57992a30bce29ea43d092ac16'
[test_pool] num: 1
[test_pool] Allocated ip 10.0.0.168 to client key: 
ee0282d57992a30bce29ea43d092ac16

++[test_pool] returns ok
++[exec] returns noop
Sending Access-Accept of id 95 to 127.0.0.1 port 51514
   Service-Type = Framed-User
   Session-Timeout = 65000
   Framed-Protocol = PPP
   Framed-MTU = 1400
   MS-CHAP2-Success = 
0xf2533d35303143344543324435364631324646424434313043314445303236314244324642323145323238

   MS-MPPE-Recv-Key = 0x39c2ccda839a57b64583b1f3a55ed07e
   MS-MPPE-Send-Key = 0xeaa3b2169241344554880f6e3a6f956b
   MS-MPPE-Encryption-Policy = 0x0001
   MS-MPPE-Encryption-Types = 0x0006
   Framed-IP-Address = 10.0.0.168
   Framed-IP-Netmask = 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 40285, id=96, 
length=97

   Acct-Session-Id = 4A1897253C3400
   User-Name = test1
   Acct-Status-Type = Start
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Acct-Authentic = RADIUS
   NAS-Port-Type = Async
   Framed-IP-Address = 10.0.0.168
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
   Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 
4A1897253C3400,User-Name = test1'

[acct_unique] Acct-Unique-Session-ID = 2855668f1c6c9940.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail]expand: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/usr/local/var/log/radius/radacct/127.0.0.1/detail-20090524
[detail] 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /usr/local/var/log/radius/radacct/127.0.0.1/detail-20090524

[detail]expand: %t - Sun May 24 00:39:01 2009
++[detail] returns ok
++[unix] returns ok
[radutmp]   expand: /usr/local/var/log/radius/radutmp - 
/usr/local/var/log/radius/radutmp

[radutmp]   expand: %{User-Name} - test1
++[radutmp] returns ok
[test_pool] This is not an Accounting-Stop. Return NOOP.
++[test_pool] returns noop
[attr_filter.accounting_response]   

freeRADIUS + POPTOP

2009-05-22 Thread Neville
Firstly, let me apologise now for asking what is most probably a simple 
question to you long standing veterans of freeRADIUS.

I've searched the INTERNET for 5 days now and late into the evening, but I'm 
totally stumped in resolving my problem, so I would appreciate any guidance 
from the experts.  I've configured as per the many guides I've found and have a 
basic understanding of how this all works, but there is no information anywhere 
on how to setup the Users / Client details for freeRADIUS.

I've been using poptop (pptpd) server for several weeks, with great success, 
but now I wish to introduce freeRADIUS.

The problem, I'm facing is the allocation of IP address / GW / DNS by 
freeRADIUS for the VPN connections coming onto my server.

my service PrivateIP address is 19x.xxx.xxx.190

I've iptables setup to forward all NAT traffic through the PRIVATEIP, but 
allocation of a GW of 10.0.0.1 and a Client IP of 10.0.0.200

However, when I connect and freeRADIUS authenticates me SUCCESSFULLY, I get 
given an IP of 192.168.2.82 from the test_pool, but pool range-start = 
10.0.0.100 range-stop = 10.0.0.199 which is totally different to the address 
allocated by the pool. ANY IDEAS?

/var/log/messages

May 22 21:49:13 server pppd[765]: MPPE 128-bit stateless compression enabled
May 22 21:49:15 server pppd[765]: Cannot determine ethernet address for proxy 
ARP
May 22 21:49:15 server pppd[765]: local  IP address 10.0.0.1
May 22 21:49:15 server pppd[765]: remote IP address 192.168.2.82

radiusd -X


rad_recv: Access-Request packet from host 127.0.0.1 port 34510, id=245, 
length=133
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = test1
MS-CHAP-Challenge = 0xd4fd1b2f3b03fa424ae2ccc6dcd11029
MS-CHAP2-Response = 
0x87001d6e9a747c3545dd123d19c410c037be2b9c7e96783abd1954a72ae8f4bc4733b1470477ba725366
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log] 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log]  expand: %t - Fri May 22 22:46:15 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 70
[files] users: Matched entry test1 at line 77
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for test1 with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group post-auth {...}
[test_pool] expand: %{NAS-IP-Address} %{NAS-Port} - 127.0.0.1 0
[test_pool] MD5 on 'key' directive maps to: ee0282d57992a30bce29ea43d092ac16
[test_pool] Searching for an entry for key: 'ee0282d57992a30bce29ea43d092ac16'
rlm_ippool: Allocating ip to key: 'ee0282d57992a30bce29ea43d092ac16'
[test_pool] num: 1
[test_pool] Allocated ip 192.168.2.82 to client key: 
ee0282d57992a30bce29ea43d092ac16
++[test_pool] returns ok
++[exec] returns noop
Sending Access-Accept of id 245 to 127.0.0.1 port 34510
Service-Type = Framed-User
Session-Timeout = 65000
Framed-Protocol = PPP
Framed-MTU = 1400
MS-CHAP2-Success = 
0x87533d4631303737453344353532343034353446373738463639364534383642374434433244333842
MS-MPPE-Recv-Key = 0x5a21400d6e5601f9c7201a94d401eefb
MS-MPPE-Send-Key = 0x14eadb5ada027ccdd63a6cf372f0defd
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Framed-IP-Address = 192.168.2.82
Framed-IP-Netmask = 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 43515, id=246, 
length=97
Acct-Session-Id = 4A172B390A9300
User-Name = test1
Acct-Status-Type = Start
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
NAS-Port-Type = Async
Framed-IP-Address = 192.168.2.82
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 
127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 
4A172B390A9300,User-Name = test1'
[acct_unique] Acct-Unique-Session-ID = 29e101f9a598e8fe.
++[acct_unique] returns ok
[suffix] No '@' in