Member of Group Check Else REJECT
Hi,

I'm trying to check if a user is coming from a particular NAS, then check that the user is also a member of a GROUP associated with that NAS, else REJECT access.

Authorise section:

    if (NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn') {
        update reply {
            Reply-Message := "OpenVPN AuthCheck OK"
        }
        reject
    }

    Wed Feb 1 00:37:59 2012 : Info: ++? if (NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn')
    Wed Feb 1 00:37:59 2012 : Info: ? Evaluating (NAS-Identifier == 'OpenVPN' ) -> TRUE
    Wed Feb 1 00:37:59 2012 : Info: sql_groupcmp
    Wed Feb 1 00:37:59 2012 : Info: expand: %{User-Name} -> nev
    Wed Feb 1 00:37:59 2012 : Info: sql_set_user escaped user -- 'nev'
    Wed Feb 1 00:37:59 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 1
    Wed Feb 1 00:37:59 2012 : Info: expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'nev' ORDER BY priority
    Wed Feb 1 00:37:59 2012 : Debug: rlm_sql (sql): Released sql socket id: 1
    Wed Feb 1 00:37:59 2012 : Info: sql_groupcmp finished: User is NOT a member of group openvpn

As user 'nev' is not part of group 'openvpn' but is trying to access NAS 'OpenVPN', it should Reject the login and not go any further, but it does not. I know I'm missing something, so any help would be greatly appreciated.

Thx
Nev

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Counter SQL Calculation
Can anyone please help on this, as I've googled and cannot find a solution to the issue I've outlined below.

Thx
Nev

> Hi Everyone,
>
> Here is some Debug if anyone can help explain or correct the [monthlytraffic] Counter calculation.
>
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
>     Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand: '%{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())}'
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{User-Name} -> FTU-GzwgcD
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped user -- 'FTU-GzwgcD'
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
>     Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 4
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
>     Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
>     Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 991187
>     Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater than query result
>     Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user FTU-GzwgcD, check_item=26210, counter=991187
>     Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221
>     Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok
>
> The important bit is that the counter returns 991187, but then the Reply-Item Session-Octets-Limit is set to 262191221, which is actually an INCREASE of 91221. How is this calculation CORRECT?
>
> Thx
> Nev
>
>> Hi everyone,
>>
>> I have a small problem where the counter is not working how I would like it to work.
>>
>>     sqlcounter monthlytraffic {
>>         counter-name = Monthly-Traffic
>>         check-name = Max-Monthly-Traffic
>>         reply-name = Session-Octets-Limit
>>         sqlmod-inst = sql
>>         key = User-Name
>>         reset = monthly
>>         query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
>>     }
>>
>> The problem with this is that if the SELECT statement returns a value less than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set to equal Max-Monthly-Traffic. What I need it to do is to populate Session-Octets-Limit with the VALUE of Max-Monthly-Traffic, then subtract the VALUE of the SELECT statement.
>>
>> E.g. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit should be set to 26210 - 523 being 25687.
>>
>> Can anyone point me in the right direction on this please.
>>
>> Thx
>> Nev
Re: Counter SQL Calculation
Hi Everyone,

Here is some Debug if anyone can help explain or correct the [monthlytraffic] Counter calculation.

    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{User-Name}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
    Sat Oct 30 22:39:39 2010 : Debug: sqlcounter_expand: '%{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())}'
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{User-Name} -> FTU-GzwgcD
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_set_user escaped user -- 'FTU-GzwgcD'
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW()) -> SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())
    Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 4
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] sql_xlat finished
    Sat Oct 30 22:39:39 2010 : Debug: rlm_sql (sql): Released sql socket id: 4
    Sat Oct 30 22:39:39 2010 : Info: [monthlytraffic] expand: %{sql:SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='FTU-GzwgcD' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 991187
    Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Check item is greater than query result
    Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Authorized user FTU-GzwgcD, check_item=26210, counter=991187
    Sat Oct 30 22:39:39 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user FTU-GzwgcD, Type=Session-Octets-Limit, value=262191221
    Sat Oct 30 22:39:39 2010 : Info: ++[monthlytraffic] returns ok

The important bit is that the counter returns 991187, but then the Reply-Item Session-Octets-Limit is set to 262191221, which is actually an INCREASE of 91221. How is this calculation CORRECT?

Thx
Nev

> Hi everyone,
>
> I have a small problem where the counter is not working how I would like it to work.
>
>     sqlcounter monthlytraffic {
>         counter-name = Monthly-Traffic
>         check-name = Max-Monthly-Traffic
>         reply-name = Session-Octets-Limit
>         sqlmod-inst = sql
>         key = User-Name
>         reset = monthly
>         query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
>     }
>
> The problem with this is that if the SELECT statement returns a value less than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set to equal Max-Monthly-Traffic. What I need it to do is to populate Session-Octets-Limit with the VALUE of Max-Monthly-Traffic, then subtract the VALUE of the SELECT statement.
>
> E.g. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit should be set to 26210 - 523 being 25687.
>
> Can anyone point me in the right direction on this please.
>
> Thx
> Nev
Re: Counter SQL Calculation
Anyone got any pointers at all on this one?

Thx
Nev

- Original Message -
From: Neville n...@itsnev.co.uk
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, October 20, 2010 5:14 PM
Subject: Counter SQL Calculation

> Hi everyone,
>
> I have a small problem where the counter is not working how I would like it to work.
>
>     sqlcounter monthlytraffic {
>         counter-name = Monthly-Traffic
>         check-name = Max-Monthly-Traffic
>         reply-name = Session-Octets-Limit
>         sqlmod-inst = sql
>         key = User-Name
>         reset = monthly
>         query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
>     }
>
> The problem with this is that if the SELECT statement returns a value less than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set to equal Max-Monthly-Traffic. What I need it to do is to populate Session-Octets-Limit with the VALUE of Max-Monthly-Traffic, then subtract the VALUE of the SELECT statement.
>
> E.g. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit should be set to 26210 - 523 being 25687.
>
> Can anyone point me in the right direction on this please.
>
> Thx
> Nev
Counter SQL Calculation
Hi everyone,

I have a small problem where the counter is not working how I would like it to work.

    sqlcounter monthlytraffic {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        reply-name = Session-Octets-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
    }

The problem with this is that if the SELECT statement returns a value less than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set to equal Max-Monthly-Traffic. What I need it to do is to populate Session-Octets-Limit with the VALUE of Max-Monthly-Traffic, then subtract the VALUE of the SELECT statement.

E.g. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit should be set to 26210 - 523 being 25687.

Can anyone point me in the right direction on this please.

Thx
Nev
ulang AND / OR Condition
Hi,

I'm having problems with huntgroups working correctly, so I would like to continue to use the if/elsif conditions. Instead of having a line for each NAS-IP-Address, e.g.

    elsif (NAS-IP-Address == 1.1.1.10 && SQL-GROUP == GROUP1) {
        ok
    }
    elsif (NAS-IP-Address == 1.1.1.20 && SQL-GROUP == GROUP1) {
        ok
    }
    elsif (NAS-IP-Address == 1.1.1.30 && SQL-GROUP == GROUP1) {
        ok
    }
    else {
        reject
    }

can I do something like

    if (NAS-IP-Address == 1.1.1.10 OR 1.1.1.20 OR 1.1.1.30 AND SQL-GROUP == GROUP1) {
        ok
    }
    else {
        reject
    }

Or is there a better way of doing this?

Thx
Nev
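Both of the threads above (the OpenVPN group check and the per-NAS elsif chain) ask for the same policy: accept a user only if they belong to a group that is permitted on the NAS they are coming from, otherwise reject. The following is an added example, not code from either thread or from FreeRADIUS, that models that gate in Python over an in-memory SQLite database. The radusergroup lookup is the query rlm_sql runs for SQL-GROUP in the debug output above; the nas_group table, its rows, and the user/group sample data are assumptions constructed for the example, so that one table lookup replaces one unlang branch per NAS address.

```python
"""NAS-to-group authorisation gate modelled over SQLite (added example).

The radusergroup query is the SQL-GROUP lookup seen in the debug output;
the nas_group table is a constructed assumption mapping each NAS to the
group it is allowed to serve.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
-- constructed: which group may log in through which NAS
CREATE TABLE nas_group (nas_identifier TEXT, nas_ip TEXT, groupname TEXT);
"""

# Constructed sample data: 'nev' is only in vpnusers, 'bob' is in both
# groups, 'carol' is in GROUP1 (the group the PPTP boxes serve).
USERGROUP_ROWS = [
    ("nev", "vpnusers", 1),
    ("bob", "openvpn", 1),
    ("bob", "vpnusers", 2),
    ("carol", "GROUP1", 1),
]
NAS_ROWS = [
    ("OpenVPN", "10.0.0.5", "openvpn"),
    ("pptp-a", "1.1.1.10", "GROUP1"),
    ("pptp-b", "1.1.1.20", "GROUP1"),
    ("pptp-c", "1.1.1.30", "GROUP1"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", USERGROUP_ROWS)
    conn.executemany("INSERT INTO nas_group VALUES (?, ?, ?)", NAS_ROWS)
    return conn


def user_groups(conn, username):
    """Groups of a user, highest priority first (the SQL-GROUP lookup)."""
    rows = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,),
    )
    return [r[0] for r in rows]


def nas_allowed_groups(conn, nas_identifier=None, nas_ip=None):
    """Groups permitted on a NAS, matched by NAS-Identifier or NAS-IP-Address."""
    rows = conn.execute(
        "SELECT groupname FROM nas_group WHERE nas_identifier = ? OR nas_ip = ?",
        (nas_identifier, nas_ip),
    )
    return {r[0] for r in rows}


def authorize(conn, username, nas_identifier=None, nas_ip=None):
    """Return ('accept', group) or ('reject', reason).

    Fails closed: a NAS with no row in nas_group, or a user in none of the
    groups permitted on that NAS, is rejected. The policy lives in data,
    not in one unlang branch per NAS address.
    """
    allowed = nas_allowed_groups(conn, nas_identifier, nas_ip)
    if not allowed:
        return ("reject", "NAS not in nas_group")
    for group in user_groups(conn, username):  # first match wins, by priority
        if group in allowed:
            return ("accept", group)
    return ("reject", "user is not a member of a group permitted on this NAS")


if __name__ == "__main__":
    db = build_db()
    for user, nas_id, nas_ip in [("nev", "OpenVPN", None), ("bob", "OpenVPN", None),
                                 ("carol", None, "1.1.1.30"), ("bob", None, "1.1.1.30"),
                                 ("carol", "unknown-nas", None)]:
        print(user, nas_id or nas_ip, authorize(db, user, nas_id, nas_ip))
```

Running it shows 'nev' rejected on the OpenVPN NAS (the situation in the first thread's debug output), 'carol' accepted on any of the three PPTP addresses through a single GROUP1 row each, and an unknown NAS rejected outright; adding a fourth PPTP box is one INSERT, not another elsif.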
Re: Max-Monthly-Traffic
Anyone please, as this is driving me mad...

Thx
Nev

- Original Message -
From: Neville
To: freeradius-users@lists.freeradius.org
Sent: Sunday, February 07, 2010 1:28 PM
Subject: Max-Monthly-Traffic

> Sorry for troubling everyone on this, but I cannot work out why Session-Octets-Limit is not calculating the difference between the counter and the check_item, and is setting a higher limit than the check_item. Log below:
>
>     Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Check item is greater than query result
>     Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Authorized user FT-memjxa, check_item=26210, counter=151223038
>     Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user FT-memjxa, Type=Session-Octets-Limit, value=263954010
>     Sun Feb 7 12:59:50 2010 : Info: ++[monthlytraffic] returns ok
>
>     sqlcounter monthlytraffic {
>         counter-name = Monthly-Traffic
>         check-name = Max-Monthly-Traffic
>         reply-name = Session-Octets-Limit
>         sqlmod-inst = sql
>         key = User-Name
>         reset = monthly
>         query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
>     }
>
> Any pointers would help.
>
> Thx
> Nev
Max-Monthly-Traffic
Sorry for troubling everyone on this, but I cannot work out why Session-Octets-Limit is not calculating the difference between the counter and the check_item, and is setting a higher limit than the check_item. Log below:

    Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Check item is greater than query result
    Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Authorized user FT-memjxa, check_item=26210, counter=151223038
    Sun Feb 7 12:59:50 2010 : Debug: rlm_sqlcounter: Sent Reply-Item for user FT-memjxa, Type=Session-Octets-Limit, value=263954010
    Sun Feb 7 12:59:50 2010 : Info: ++[monthlytraffic] returns ok

    sqlcounter monthlytraffic {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        reply-name = Session-Octets-Limit
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
    }

Any pointers would help.

Thx
Nev
Re: Reply-Message
Thanks, this works a treat and it's just what I needed. Is there any way to strip the \r\n at the start and end of the Reply-Message before writing the TABLE, as it ends up in the table as:

    =0D=0AYou are already logged in - access denied=0D=0A=0A

Thx
Nev

> hi,
>
> configure postauth_query in dialup.conf,
>
>     postauth_query = "UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}'"
>
> then you can query the message from the DB SERVER.
>
> BTW: if reject user, then ...
>
>     #
>     # Access-Reject packets are sent through the REJECT sub-section of the
>     # post-auth section.
>     #
>     Post-Auth-Type REJECT {
>         "%{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}'}"
>     }
>
>> Message: 1
>> Date: Sat, 16 Jan 2010 20:55:45 -
>> From: Neville n...@itsnev.co.uk
>> Subject: Reply-Message
>> To: freeradius-users@lists.freeradius.org
>> Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
>> Content-Type: text/plain; charset=iso-8859-1
>>
>> Hi,
>>
>> Is there any way to get the reply message loaded into a SQL TABLE, which a user can then query to see the last reply based on their username?
>>
>> Thx
>> Nev
>>
>> Message: 2
>> Date: Sat, 16 Jan 2010 13:15:58 -0800
>> From: Tim Sylvester tim.sylves...@networkradius.com
>> Subject: RE: Reply-Message
>> To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
>> Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
>> Content-Type: text/plain; charset=us-ascii
>>
>> You can put an entry for the Reply-Message attribute in the radreply table. For example, if you want to send the message "Hi Bob" to user bob, you would add this entry to radreply:
>>
>>     username   attribute       op   value
>>     bob        Reply-Message   :=   Hi Bob
>>
>> The Reply-Message attribute will be sent back in the Access-Accept packet sent back to the NAS.
>>
>> Of course, this assumes that you have FreeRADIUS configured to use SQL, which is documented in the raddb/sql.conf file and http://wiki.freeradius.org/SQL_HOWTO.
>>
>> Tim
Reply-Message
Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a user can then query to see the last reply based on their username?

Thx
Nev
Re: Reply-Message
> Message: 1
> Date: Sat, 16 Jan 2010 20:55:45 -
> From: Neville n...@itsnev.co.uk
> Subject: Reply-Message
> To: freeradius-users@lists.freeradius.org
> Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> Is there any way to get the reply message loaded into a SQL TABLE, which a user can then query to see the last reply based on their username?
>
> Thx
> Nev
>
> Message: 2
> Date: Sat, 16 Jan 2010 13:15:58 -0800
> From: Tim Sylvester tim.sylves...@networkradius.com
> Subject: RE: Reply-Message
> To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
> Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
> Content-Type: text/plain; charset=us-ascii
>
> You can put an entry for the Reply-Message attribute in the radreply table. For example, if you want to send the message "Hi Bob" to user bob, you would add this entry to radreply:
>
>     username   attribute       op   value
>     bob        Reply-Message   :=   Hi Bob
>
> The Reply-Message attribute will be sent back in the Access-Accept packet sent back to the NAS.
>
> Of course, this assumes that you have FreeRADIUS configured to use SQL, which is documented in the raddb/sql.conf file and http://wiki.freeradius.org/SQL_HOWTO.
>
> Tim

Hi Tim,

What I'm after capturing in an SQL Table is the reason for Rejection, as these messages are not passed to the client, so in our customers' PORTAL we would like to be able to provide them with a list of the most recent ERRORs associated with their account.

    Sending Access-Reject of id 113 to 91.204.210.136 port 52904
        Reply-Message := \r\nYou are already logged in - access denied\r\n\n

Thx
Nev
Reject Calling-Station-Id
First, please let me wish everyone on the list a Happy New Year. I've learned a lot in the past 12 months and have a fairly stable installation of 2.1.6 on CentOS 5.4.

The question I would like to ask is how I can improve on this and use a DB List/Table to Blacklist certain IP addresses.

    if (Calling-Station-Id == 218.18.XX.XX) {
        reject
    }
    if (Calling-Station-Id == 113.237.XX.XX) {
        reject
    }

The reason I'm having to do this is that we offer a 1hr Free Trial of our services and use the Email Address and IP address at the point of registration to ensure that the same person does not keep requesting more and more free trials. Obviously this is not perfect, and it manages to address most of our requirements. However, there are a few people out there who registered with a spoof IP Address and another free hotmail account etc., thus getting another Free Trial over and over again.

The way I stop this currently is to manually check the record we had at the point of request for the Free Trial and the IP address used to access the Service; if these are different then I block the IP address using the unlang above.

There are only a few currently, but should this increase I would like a more foolproof way to manage this and register the fact that someone has abused our free trial service and BLOCK their IP from accessing our service, even if they have been given a Username/Password via the Free Trial Page.

Thanks in advance,
Nev
Re: Reject Calling-Station-Id
> From: Arran Cudbard-Bell arran.cudbard-b...@hp.com
> Subject: Re: Reject Calling-Station-Id
>
>>>     if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
>>>         update reply {
>>>             Reply-Message = "Hello Hello Hello"
>>>         }
>>>         reject
>>>     }
>>
>> Read Uncle Alan has replied this. To save the followup exchange:
>>
>>     update reply {
>>         Reply-Message := "Hello Hello Hello"
>>     }
>
> Uncle Alan?...
>
> -Arran

Spot on Arran, thanks so much.

Nev
Re: OpenVPNAS Accounting Issues
> Neville wrote:
>> I would just like to clarify the accepted format of Acct-Session-Id, when using mySQL to track the clients' usage through accounting.
>
> It's a string.
>
>> I'm currently testing OpenVPNAS and it seems to create a long string such as 'NASIPADDRESS.as0t0.1261084262.6899.1', however when the 'Acct-Status-Type': 'Stop' is sent, the SQL does not update the current row, but instead creates a NEW row, which seems identical, therefore leaving the session open in sql.
>
> Because the NAS isn't sending the same information in stop as it sent in start.
>
>> Is the problem with the STRING being used by OpenVPNAS the reason why the original ROW created by 'Acct-Status-Type': 'Start' is not being updated?
>
> No. As always, run the server in debugging mode to see what's happening.
>
> Alan DeKok.

Thanks Alan, the acctsessionid field was limited to varchar(32); increased to varchar(64) and all is working correctly.

Thx
Nev
OpenVPNAS Accounting Issues
Hi all,

I would just like to clarify the accepted format of Acct-Session-Id, when using mySQL to track the clients' usage through accounting.

I'm currently testing OpenVPNAS and it seems to create a long string such as 'NASIPADDRESS.as0t0.1261084262.6899.1', however when the 'Acct-Status-Type': 'Stop' is sent, the SQL does not update the current row, but instead creates a NEW row, which seems identical, therefore leaving the session open in sql.

Is the problem with the STRING being used by OpenVPNAS the reason why the original ROW created by 'Acct-Status-Type': 'Start' is not being updated?

Thx
Nev
RE: Check_item still wraps at 4gb
Hi Marcel,

Are you able to share your workaround, because I have the same problem. Either on-list or by direct email?

Thx
Nev
Re: Munin Graphs
>> Hi,
>>
>> I've installed the freeradius_auth plugin and added to plugins.conf
>>
>>     [freeradius*]
>>     user root
>>
>> But still I get the following error when the plugin is run...
>>
>>     radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: Permission denied
>
> edit the munin/plugins/freeradius* files and put the correct user into the RADMIN= part. you really should NEVER be using the root user - simply use the user that you run radiusd as (once again, should never be root) - check the radiusd.sock to see who/what owns it (ls -l /usr/local/var/run/radiusd/radiusd.sock)

Thx Alan, the problem is that radiusd is owned by root, so I'm not quite sure how to ensure at system startup that /etc/init.d/radiusd is actually run by the radiusd user in /etc/passwd. I've done a chown -R radiusd:radiusd on the programme and /usr/local/etc/raddb, but the radiusd.sock file is still owned by root.

Thx
Nev
Munin Graphs
Hi,

I've installed the freeradius_auth plugin and added to plugins.conf

    [freeradius*]
    user root

But still I get the following error when the plugin is run...

    radmin: Failed connecting to /usr/local/var/run/radiusd/radiusd.sock: Permission denied

Any ideas? Running directly as root works fine, just:

    [root@vpn1 munin]# radmin -f /usr/local/var/run/radiusd/radiusd.sock -e "stats client auth"
    requests        273
    responses       273
    accepts         206
    rejects         67
    challenges      0
    dup             0
    invalid         0
    malformed       0
    bad_signature   0
    dropped         0
    unknown_types   0

Thx
Nev
Munin Plugins
Hi everyone,

This is not directly FreeRadius related, but I would really appreciate it if anyone could share any munin plugins that would monitor the number of users connected during the day, or anything else worth monitoring. I've googled and can only find ones for login attempts by parsing the radius.log.

I'm currently using MYSQL to store the current open connections and retrieve the current connections by doing...

    SELECT COUNT(*) FROM radacct WHERE (radacct.AcctStopTime IS NULL OR radacct.AcctStopTime = '0000-00-00 00:00:00');

Apologies if anyone feels offended by me posting to the list for such a basic request.

Thx
Nev
noresetcounter + NULL radacct records (First Connection)
Hi,

On occasions sqlcounter does not seem to work correctly, especially for a NEW User that has no radacct details. After doing some digging, I've identified the issue only happens on the first ever connect of the user in a new account. As you will see from the sql below, if no integer is returned (NULL), then Max-All-Sessions and the correct setting of is ignored and Session-Timeout is skipped. How can I address the NULL response for newly created accounts?

    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
    [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'
    sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'}'
    [noresetcounter] sql_xlat
    [noresetcounter] expand: %{User-Name} -> 6cmy75HS
    [noresetcounter] sql_set_user escaped user -- '6cmy75HS'
    [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'
    rlm_sql (sql): Reserving sql socket id: 3
    [noresetcounter] row[0] returned NULL
    rlm_sql (sql): Released sql socket id: 3
    [noresetcounter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'} ->
    rlm_sqlcounter: No integer found in string

The ABOVE line is the problem, due to the SELECT returning a NULL.

    ++[noresetcounter] returns noop
    Sending Access-Accept of id 177 to XX.XX.XX.XX port 54355
        Idle-Timeout := 1800
        Framed-MTU = 1488
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Acct-Interim-Interval := 300
        Session-Timeout = 603484
        MS-CHAP2-Success = 0xd2533d313841413133343635363245363732354243394137463446324541363944434634394938
        MS-MPPE-Recv-Key = 0xaab9e0a9c6918c64dfa042b3d84e808e
        MS-MPPE-Send-Key = 0xd2411e9ea8653fd25e550e5cbdbfa3e3
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        Framed-IP-Address = 192.168.0.27
        Framed-IP-Netmask = 255.255.255.0

After connecting and disconnecting in order to create some entries for this user in the radacct table, success, as Session-Timeout is set correctly.

    rlm_sqlcounter: Entering module authorize code
    sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}''
    [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'
    sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'}'
    [noresetcounter] sql_xlat
    [noresetcounter] expand: %{User-Name} -> 6cmy75HS
    [noresetcounter] sql_set_user escaped user -- '6cmy75HS'
    [noresetcounter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'
    rlm_sql (sql): Reserving sql socket id: 2
    [noresetcounter] sql_xlat finished
    rlm_sql (sql): Released sql socket id: 2
    [noresetcounter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='6cmy75HS'} -> 23
    rlm_sqlcounter: Check item is greater than query result
    rlm_sqlcounter: Authorized user 6cmy75HS, check_item=3600, counter=23
    rlm_sqlcounter: Sent Reply-Item for user 6cmy75HS, Type=Session-Timeout, value=3577
    ++[noresetcounter] returns ok
    Sending Access-Accept of id 180 to XX.XX.XX.XX port 60642
        Idle-Timeout := 1800
        Framed-MTU = 1488
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Acct-Interim-Interval := 300
        Session-Timeout = 3577
        MS-CHAP2-Success = 0x21533d37374337313930393839303834464630413633303846464535443634343243314435313930373942
        MS-MPPE-Recv-Key = 0xd1fff368e638b09b9960d9dba58f08cc
        MS-MPPE-Send-Key = 0x2df743dda88067b995ffc736a5345f71
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        Framed-IP-Address = 192.168.0.137
        Framed-IP-Netmask = 255.255.255.0
    Finished request 10.

Best Regards
Nev
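The Counter SQL Calculation / Max-Monthly-Traffic threads and the noresetcounter thread above both hinge on what rlm_sqlcounter does with the single number a query hands back. The following is an added example, not code from the threads or from FreeRADIUS, that models that step in Python over an in-memory SQLite table: the monthlytraffic octet sum with its IFNULL wrapper, the noresetcounter SUM(AcctSessionTime) without one (which returns NULL for a user with no radacct rows), and the accept/reject/noop decision with the remaining budget computed as check minus counter. The radacct rows, the "now" timestamp, the check values, and the strftime() port of MySQL's Month()/Year() filter are assumptions constructed for the example.

```python
"""rlm_sqlcounter decision modelled over a radacct table (added example).

Constructed data in SQLite; the MySQL Month()/Year() filter from the
monthlytraffic query is ported to strftime() so the script runs offline.
"""
import sqlite3
from datetime import datetime

# Constructed "now"; matches the date of the monthlytraffic debug output.
NOW = datetime(2010, 10, 30, 22, 39, 39)

SCHEMA = """
CREATE TABLE radacct (
    username         TEXT,
    acctsessiontime  INTEGER,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER,
    acctstoptime     TEXT      -- NULL while the session is still open
);
"""

# Constructed rows for 'alice': two sessions closed this month, one closed
# last month, one still open. 'newuser' has no rows at all.
ROWS = [
    ("alice", 600,  400000,  500000,  "2010-10-03 10:00:00"),
    ("alice", 1200, 50000,   41187,   "2010-10-20 18:30:00"),
    ("alice", 900,  9000000, 1000000, "2010-09-28 09:00:00"),
    ("alice", 0,    0,       0,       None),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def monthly_traffic(conn, username, now=NOW):
    """Octets used in the current calendar month (the monthlytraffic query).

    IFNULL(..., 0) matters: SUM() over zero matching rows yields NULL, not 0.
    Sessions still open (acctstoptime NULL) are not counted until they stop.
    """
    row = conn.execute(
        """SELECT IFNULL(SUM(acctinputoctets) + SUM(acctoutputoctets), 0)
           FROM radacct
           WHERE username = ?
             AND strftime('%Y-%m', acctstoptime) = strftime('%Y-%m', ?)""",
        (username, now.strftime("%Y-%m-%d %H:%M:%S")),
    ).fetchone()
    return row[0]


def total_session_time(conn, username, null_safe):
    """Lifetime seconds used (the noresetcounter query).

    null_safe=False is the query as posted: a user with no radacct rows gets
    NULL back (Python None), which rlm_sqlcounter cannot parse as an integer.
    null_safe=True wraps it in IFNULL so a new user counts as 0.
    """
    # expr is one of two fixed literals, never user input.
    expr = "IFNULL(SUM(acctsessiontime), 0)" if null_safe else "SUM(acctsessiontime)"
    row = conn.execute(
        f"SELECT {expr} FROM radacct WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def sqlcounter_decide(check_item, counter):
    """Model of rlm_sqlcounter's authorize logic for one user.

    None             -> ('noop', None)    no integer in the query result;
                                          module returns noop, no reply item
    counter >= check -> ('reject', None)  limit already used up
    otherwise        -> ('ok', remaining) remaining = check - counter is sent
                                          as the reply item (Session-Timeout
                                          or Session-Octets-Limit)
    """
    if counter is None:
        return ("noop", None)
    if counter >= check_item:
        return ("reject", None)
    return ("ok", check_item - counter)


if __name__ == "__main__":
    db = build_db()
    octets = monthly_traffic(db, "alice")
    print("alice monthly octets:", octets, sqlcounter_decide(262144000, octets))
    for safe in (False, True):
        secs = total_session_time(db, "newuser", null_safe=safe)
        print("newuser, IFNULL" if safe else "newuser, raw SUM", secs,
              sqlcounter_decide(3600, secs))
```

Two things the model makes visible: SUM() over no rows is NULL, so the noresetcounter query needs the same IFNULL(..., 0) wrapper the monthlytraffic query already has before rlm_sqlcounter can treat a brand-new account as zero usage rather than returning noop; and only sessions whose stop time falls in the current month are counted, so an open session, or one that spans month end, is attributed to the month in which it stops.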
Re: sqlippool - Duplicate IP
> Neville wrote:
>> I'm facing a problem since rebuild, where every user is being allocated the same IP from the sqlippool, and I'm not sure why this is happening.
>
> ...
>
>> pppd does not pass back Client-IP-Address or Client-Station-Id
>
> Calling-Station-Id.
>
>> table structure for radipool is
>
> Yes... we have access to the source code, too.
>
>>     rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117, length=147
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         User-Name = TESTUSER
>>         MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a
>>         MS-CHAP2-Response = 0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96
>>         NAS-Identifier = NASIPHERE
>>         NAS-Port = 0
>
> OK. So how is the IP pool module supposed to assign a unique IP for each user? There's no MAC address in the request (i.e. Calling-Station-Id). The SQL queries (if you read them) use Calling-Station-Id. How are they supposed to work if there's no Calling-Station-Id?
>
> Fix your PPPd so that it sends *useful* information.

Dear Alan,

It's not as simple as you're making it. Also, I am using %{NAS-Port} and not %{Calling-Station-Id} due to the lack of Calling-Station-Id.

    pool-key = "%{NAS-Port}"
    # pool-key = "%{Calling-Station-Id}"

    $INCLUDE sql/mysql/ippool.conf
    #$INCLUDE sql/postgresql/ippool.conf

If I use the ippool module, it works fine, so something is wrong with the SQL. Please can you confirm in what sections I have to add the sqlippool module in order that I can test this again, but given the flakiness of sqlippool I might just stick with the ippool module.

Thx
Nev
Re: sqlippool - Duplicate IP
> Neville wrote:
>> It's not as simple as you're making it. Also, I am using %{NAS-Port} and not %{Calling-Station-Id} due to the lack of Calling-Station-Id.
>
> Why didn't you say that in the first message? Giving out *part* of the information is annoying.

I understand, but I was trying to make the message SHORT.

>> pool-key = %{NAS-Port}
>> # pool-key = %{Calling-Station-Id}
>>
>> $INCLUDE sql/mysql/ippool.conf
>> #$INCLUDE sql/postgresql/ippool.conf
>>
>> If I use the ippool module, it works fine, so something is wrong with the SQL.
>
> Well, it's not using the allocate-find query, so something is wrong with the configuration.

Are you able to provide some pointers please, e.g. where sqlippool should be placed or what other files I should look into in order to track the error down.

Thx Nev
sqlippool - Duplicate IP
Hi,

I've been facing a problem since rebuild, where every user is being allocated the same IP from the sqlippool, and I'm not sure why this is happening.

I have DaloRadius / FreeRadius 2.1.6 / Poptop (pptpd) 1.3.4 / ppp 2.4.4-2 / mysql 5.0.45

pppd does not pass back Client-IP-Address or Client-Station-Id

table structure for radipool is

(
  `id` int(11) unsigned NOT NULL auto_increment,
  `pool_name` varchar(30) NOT NULL,
  `framedipaddress` varchar(15) NOT NULL default '',
  `nasipaddress` varchar(15) NOT NULL default '',
  `calledstationid` varchar(30) NOT NULL,
  `callingstationid` varchar(30) NOT NULL,
  `expiry_time` datetime default NULL,
  `username` varchar(64) NOT NULL default '',
  `pool_key` varchar(30) NOT NULL,
  PRIMARY KEY (`id`)
)

1st Login

Ready to process requests.
rad_recv: Access-Request packet from host NASIPHERE port 53621, id=117, length=147
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = TESTUSER
	MS-CHAP-Challenge = 0xe325bfbeb22fbbb7a33a21326e5ce18a
	MS-CHAP2-Response = 0x51009da7f84750dd0f01bed231e11bab1f9a2b9f4dad6844332eaec4aabcc1d8f03911ff654b6a7a8e96
	NAS-Identifier = NASIPHERE
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/NASIPHERE/auth-detail-20090831
[auth_log] expand: %t -> Mon Aug 31 22:47:05 2009
++[auth_log] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
++[mschap] returns ok
[sql] expand: %{User-Name} -> TESTUSER
[sql] sql_set_user escaped user -- 'TESTUSER'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'TESTUSER' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'TESTUSER' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'TESTUSER' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'USUKTV' ORDER BY id
[sql] User found in group USUKTV
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'USUKTV' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for TESTUSER with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group session {...}
++[sql] returns noop
Login OK: [TESTUSER/<via Auth-Type = mschap>] (from client VPN1-UK port 0)
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 2
[sqlippool] expand: %{User-Name} -> TESTUSER
[sqlippool] sql_set_user escaped user -- 'TESTUSER'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}' -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress = 'NASIPHERE'
[sqlippool] expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'tvpool' AND (expiry_time < NOW() OR expiry_time IS NULL) ORDER BY (username <> 'TESTUSER'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE
[sqlippool] expand: UPDATE radippool SET nasipaddress =
MAX-Monthly-Traffic V2 Post.
Hi everyone,

I've decided to submit this question again as it was not quite worded correctly, and to send it as PLAIN TEXT.

I'm trying to set up a new counter, maxmonthlytraffic, which uses the same method to disconnect a user by sending the Session-Timeout reply attribute as with MAX-ALL-Sessions.

This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
	counter-name = Monthly-Traffic
	check-name = Max-Monthly-Traffic
	sqlmod-inst = sql
	key = User-Name
	reset = monthly
	query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
		FROM radacct WHERE username='%{%k}' AND \
		Month(acctstoptime) =(Month(NOW())) AND \
		Year(acctstoptime) = Year(NOW())"
}

authorize {
	.
	monthlytraffic
	.
}

instantiate {
	.
	monthlytraffic
	.
}

created a dictionary entry in the daloradius database of:

id 9433
Type integer
Attribute Max-Monthly-Traffic
Value NULL
Format NULL
Vendor dictionary.freeradius.internal
RecommendedOP :=
RecommendedTable check
RecommendedHelper
RecommendedTooltip Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:

Check
	Simultaneous-Use := 1
	Pool-Name := tvpool
	Cleartext-Password := testmaxm
	Max-Monthly-Traffic := 1049 (10Mb)  (If this is removed from the Check, the user connects fine, so everything else is working)

Reply
	Framed-MTU = 1400
	Framed-Protocol = PPP
	Service-Type = Framed-User
	Acct-Interim-Interval := 300 (every 5 mins for testing)

Although this seems to be working on the initial connection, it does not send the Session-Timeout reply during the interim accounting updates if the usage has been exceeded. From the debug below, the usage is shown as 37940156 during an Acct Update, e.g. 906612 + 3733544, and is more than the initial check value of Max-Monthly-Traffic := 1049, so I would have expected a Session-Timeout reply to be sent. However this is working ok on disconnect and reconnect, as I get...

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user testmaxm, check_item=1049, counter=89021682
++[monthlytraffic] returns reject
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): [testmaxm/<via Auth-Type = mschap>] (from client VPN1-UK port 1)
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user testmaxm, check_item=1049, counter=89021682
++[monthlytraffic] returns reject
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): [testmaxm/<via Auth-Type = mschap>] (from client VPN1-UK port 1)

Any ideas why I did not get disconnected during the original session, as this is what I'm after?

FreeRadius2 Debug

.
.
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, value=11601138
++[monthlytraffic] returns ok
.
.
rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, id=47, length=140
	Acct-Session-Id = 4A8B6FA0721900
	User-Name = testmaxm
	Acct-Status-Type = Interim-Update
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Acct-Authentic = RADIUS
	Acct-Session-Time = 600
	Acct-Output-Octets = 37033544
	Acct-Input-Octets = 906612
	Acct-Output-Packets = 27837
	Acct-Input-Packets = 15791
	NAS-Port-Type = Async
	Framed-IP-Address = 192.168.0.29
	NAS-Identifier = aaa.bbb.ccc.ddd
	NAS-Port = 1
	Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm'
[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] expand: %t -> Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} -> testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
rlm_sql_mysql: query: START TRANSACTION
[sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}'
Re: MAX-Monthly-Traffic V2 Post
Hi Alex,

> You are expecting an interim update to send session-timeout to your NAS so it disconnects your user? If so, two things seem incorrect to me.
>
> 1- You're measuring traffic volume and want disconnection to be set based on time (session-timeout)... a bit tricky, isn't it?

So VERY true. Too many late nights, and I really do appreciate your input, as this gave me food for thought and I now have EVERYTHING working, both for Traffic & Session USAGE.

For Usage, I still had to use Max-Monthly-Traffic as a Check := and, based on the sqlcounter calculation, do a Reply = Session-Octets-Limit = XX on the Access-Accept, as this is supported by the ppp 2.4.4 NAS.

What I would like to know now is how I can use sqlcounter to do a month calculation based on the date of the account being registered and NOT the calendar month? Anyone?

> 2- I think the attribute Session-Timeout cannot be found in interim-update packets (maybe I'm wrong); RFC 2869 specifies that:
>
> It is envisioned that an Interim Accounting record (with Acct-Status-Type = Interim-Update (3)) would contain all of the attributes normally found in an Accounting Stop message with the exception of the Acct-Term-Cause attribute.
>
> What you would need is an attribute known by your NAS and representing remaining traffic. That attribute should be sent at acct-start time and would trigger a disconnection from the NAS when the traffic limit is reached. If such an attribute does not exist for your NAS, you should take a look at CoA server.
>
> Maybe someone has a better idea...?
>
> On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:

Cheers Nev

CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN
Re: How to control users traffic ?
Hi Ivan,

I have this working, other than I cannot set a Session-Octets-Limit higher than 4Gb. Is there any way to get around this, as I'm allocating 5GB of usage per month?

Max-Traffic-Monthly := 429497 (4Gb)

[monthlytraffic] expand: %{sql:SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct WHERE username='test1000' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 0
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=4294967295, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, Type=Session-Octets-Limit, value=1029889
++[monthlytraffic] returns ok
Sending Access-Accept of id 144 to 193.33.186.190 port 46294
	Idle-Timeout := 1800
	Framed-MTU = 1488
	Framed-Protocol = PPP
	Service-Type = Framed-User
	Acct-Interim-Interval := 300
	Session-Timeout = 3600
	Session-Octets-Limit = 1029889
	(Session-Octets-Limit is set to 1Mb instead of 4Gb)
	Framed-IP-Address = 192.168.0.22

Max-Traffic-Monthly := 42 (3.9Gb)

[monthlytraffic] expand: %{sql:SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct WHERE username='test1000' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 0
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=42, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, Type=Session-Octets-Limit, value=4201030340
++[monthlytraffic] returns ok
Sending Access-Accept of id 98 to 193.33.186.190 port 34040
	Idle-Timeout := 1800
	Framed-MTU = 1488
	Framed-Protocol = PPP
	Service-Type = Framed-User
	Acct-Interim-Interval := 300
	Session-Timeout = 3600
	Session-Octets-Limit = 4201030340
	Framed-IP-Address = 192.168.0.23

Thx Nev

> Message: 2
> Date: Tue, 14 Jul 2009 08:32:18 +0430
> From: Eric bbah...@gmail.com
> Subject: Re: How to control users traffic ?
>
> freeradius-1.1.3-1.4 !! Is it the reason of the problem?
>
>>> I set reply-name = Session-Octets-Limit in sqlcounter but freeradius sends Session-Timeout in reply with value equal to the deduct of octets used until now from check-name = Max-Input-Octets. How should I change the session-timeout to Session-Octets-Limit in auth-reply?
>>
>> That shouldn't happen. What freeradius version? Post the debug from server startup and request processing.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Max Monthly Traffic
Hi everyone,

I'm trying to set up a new counter, maxmonthlytraffic, but as soon as I connect, sql_counter sends a reply to do a session timeout and I get disconnected.

This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
	counter-name = Monthly-Traffic
	check-name = Max-Monthly-Traffic
	sqlmod-inst = sql
	key = User-Name
	reset = monthly
	query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
		FROM radacct WHERE username='%{%k}' AND \
		Month(acctstoptime) =(Month(NOW())) AND \
		Year(acctstoptime) = Year(NOW())"
}

authorize {
	..
	monthlytraffic
}

instantiate {
	monthlytraffic
}

created a dictionary entry in daloradius as:

id 9433
Type integer
Attribute Max-Monthly-Traffic
Value NULL
Format NULL
Vendor dictionary.freeradius.internal
RecommendedOP :=
RecommendedTable check
RecommendedHelper
RecommendedTooltip Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:

Check
	Simultaneous-Use := 1
	Pool-Name := tvpool
	Cleartext-Password := testmaxm
	Max-Monthly-Traffic := 1049 (10Mb)  (If this is removed from the Check, the user connects fine, so everything else is working)

Reply
	Framed-MTU = 1400
	Framed-Protocol = PPP
	Service-Type = Framed-User
	Acct-Interim-Interval := 300 (every 5 mins for testing)

Some Debug...

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, value=11601138
++[monthlytraffic] returns ok
rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, id=47, length=140
	Acct-Session-Id = 4A8B6FA0721900
	User-Name = testmaxm
	Acct-Status-Type = Interim-Update
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Acct-Authentic = RADIUS
	Acct-Session-Time = 600
	Acct-Output-Octets = 37033544
	Acct-Input-Octets = 906612
	Acct-Output-Packets = 27837
	Acct-Input-Packets = 15791
	NAS-Port-Type = Async
	Framed-IP-Address = 192.168.0.29
	NAS-Identifier = aaa.bbb.ccc.ddd
	NAS-Port = 1
	Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm'
[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] expand: %t -> Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} -> testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
rlm_sql_mysql: query: START TRANSACTION
[sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
rlm_sql_mysql: query: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
[sqlippool] expand: COMMIT -> COMMIT
rlm_sql_mysql: query: COMMIT
rlm_sql (sql): Released sql socket id: 1
++[sqlippool] returns ok
[sql] expand: %{User-Name} -> testmaxm
[sql] sql_set_user escaped user -- 'testmaxm'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] expand: %{Acct-Input-Octets} -> 906612
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] expand: %{Acct-Output-Octets} -> 37033544
[sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
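As an added example (not from the thread and not FreeRADIUS code), the Python below models what the debug lines in this thread and in the "MAX-Monthly-Traffic V2" and "How to control users traffic ?" threads above describe: the monthly-traffic counter query run over a constructed radacct table (SQLite stands in for MySQL, so Month()/Year() are written as strftime), the gigawords arithmetic of the accounting UPDATE shown above, and the authorize-time comparison of check item against counter that sends the remainder as a 32-bit reply attribute. The reject-on-equal rule and the clamp at 4294967295 are assumptions stated in the comments.

```python
"""Model of the sqlcounter monthly-traffic check (added example, not FreeRADIUS code).

SQLite stands in for MySQL: Month()/Year() from the thread's query are written
as strftime('%Y-%m', ...). All rows below are constructed sample data.
"""
import sqlite3

UINT32_MAX = 0xFFFFFFFF  # RADIUS "integer" attributes are 32-bit (RFC 2865)

def acct_octets(octets, gigawords=0):
    """What radacct stores after the accounting UPDATE shown above:
    '%{Acct-Input-Gigawords}' << 32 | '%{Acct-Input-Octets}'. Gigawords is
    absent on small sessions, which the :-0 default turns into 0."""
    return (gigawords << 32) | octets

# Constructed radacct rows: (username, acctstoptime, acctinputoctets, acctoutputoctets).
# "Today" for the example is 2009-08-19, the date seen in the debug above.
TODAY = "2009-08-19"
SAMPLE_ROWS = [
    # the interim-update numbers from the thread, as a closed session this month
    ("testmaxm", "2009-08-10 12:00:00", 906612, 37033544),
    # a session whose input crossed 4 GB: Gigawords=1 plus 1000 octets
    ("testmaxm", "2009-08-15 09:30:00", acct_octets(1000, gigawords=1), 0),
    # last month's session: excluded by the Month()/Year() filter
    ("testmaxm", "2009-07-31 23:59:59", 5000000, 5000000),
    # still-open session: acctstoptime IS NULL, so it does not count yet
    ("testmaxm", None, 123, 456),
    # another user
    ("other", "2009-08-01 00:00:00", 99, 99),
]

def build_radacct(rows):
    """In-memory radacct with only the columns the counter query touches."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, acctstoptime TEXT,"
        " acctinputoctets INTEGER, acctoutputoctets INTEGER)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db

# The thread's query, with IFNULL so a user with no closed sessions this month
# yields 0 instead of an empty result.
COUNTER_QUERY = """
SELECT IFNULL(SUM(acctinputoctets) + SUM(acctoutputoctets), 0)
  FROM radacct
 WHERE username = ?
   AND strftime('%Y-%m', acctstoptime) = strftime('%Y-%m', ?)
"""

def monthly_counter(db, username, today=TODAY):
    """Octets used by `username` in the calendar month containing `today`."""
    return db.execute(COUNTER_QUERY, (username, today)).fetchone()[0]

def sqlcounter_authorize(check_item, counter, reply_name="Session-Octets-Limit"):
    """Authorize-time decision as the debug lines describe it (assumption: a
    counter equal to the check item counts as exhausted). The remainder goes out
    once, in the Access-Accept; interim updates never re-run this check, so a
    session that overruns mid-way is stopped only by the NAS enforcing the reply
    attribute, or rejected at the next login. A remainder above UINT32_MAX does
    not fit a RADIUS integer: it is clamped and flagged."""
    if counter >= check_item:
        return {"result": "reject", "reason": "Maximum monthly usage reached"}
    remaining = check_item - counter
    return {
        "result": "ok",
        "reply": {reply_name: min(remaining, UINT32_MAX)},
        "clamped": remaining > UINT32_MAX,
    }

if __name__ == "__main__":
    db = build_radacct(SAMPLE_ROWS)
    used = monthly_counter(db, "testmaxm")
    print("counter =", used)                       # 4332908452
    print(sqlcounter_authorize(5 * 2**30, used))   # ok, 1035800668 octets left
    print(sqlcounter_authorize(5 * 2**30, 0))      # ok, but clamped to 4294967295
    print(sqlcounter_authorize(10 * 2**20, used))  # reject
```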
Re: String Validation
>> If a connection comes in with a GROUP NAME from SQL of USUK-XX or WUK-XX and I want to strip off the -XX, how would I do this with unlang so I only validate the following?
>
> Using the regexp feature, you can match part of an attribute then reference it later, like so:
>
> if (SQL-GROUP =~ /(.*)-XX/) {
> 	update request {
> 		SQL-GROUP := "%{1}"
> 	}
> }
>
> --Mike

Thx Mike,

Sorry, I don't think my example helped, as XX could be ANYTHING, e.g. USUK-5GB, USUK-1GB, USUK-10GB, so I'm looking to STRIP everything after the - and including the - to the end of the string.

The reason for doing this is that I only want to validate against the first part of the string, otherwise the nested IF statement will be huge. If you're able, I would appreciate it if you could update the IF statement below to reflect what I'm trying to do.

if (SQL-GROUP == USUK) {
	ok
}
elsif (NAS-IP-Address == AAA.BBB.CCC.DDD && SQL-GROUP == WUK) {
	ok
}
else {
	reject
}

Thx in advance
Nev
String Validation
Hi,

If a connection comes in with a GROUP NAME from SQL of USUK-XX or WUK-XX and I want to strip off the -XX, how would I do this with unlang so I only validate the following?

if (SQL-GROUP == USUK) {
	ok
}
elsif (NAS-IP-Address == AAA.BBB.CCC.DDD && SQL-GROUP == WUK) {
	ok
}
else {
	reject
}

Thx in advance
Nev
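The base-name-only comparison Nev asks for, as an added example in Python rather than unlang (not code from the thread): it splits the group name at the first "-", so USUK-5GB and USUK-10GB both validate as USUK, while USUKTV (a group that appears in the sqlippool debug above) does not, which a plain prefix match would get wrong. AAA.BBB.CCC.DDD is the placeholder address from Nev's message.

```python
import re

# Group names from SQL look like BASE-SUFFIX (USUK-5GB, WUK-1GB); only BASE matters.
# Everything from the first '-' to the end of the string is the suffix.
GROUP_RE = re.compile(r"^([^-]+)(?:-(.*))?$")

def split_group(sql_group):
    """Return (base, suffix). suffix is None when the name has no '-'.
    A name that is empty or starts with '-' has no usable base."""
    m = GROUP_RE.match(sql_group)
    if m is None:
        return ("", None)
    return (m.group(1), m.group(2))

# Policy from the thread: USUK groups are always ok; WUK groups only from one NAS.
WUK_NAS = "AAA.BBB.CCC.DDD"  # placeholder address used in Nev's message

def authorize(sql_group, nas_ip_address):
    """Same decision as the nested if/elsif/else in unlang, made on the base name."""
    base, _suffix = split_group(sql_group)
    if base == "USUK":
        return "ok"
    if base == "WUK" and nas_ip_address == WUK_NAS:
        return "ok"
    return "reject"

def naive_prefix_authorize(sql_group, nas_ip_address):
    """What a startswith() check would do: it also accepts USUKTV, which is a
    different group. Kept only to show why the split is needed."""
    if sql_group.startswith("USUK"):
        return "ok"
    if sql_group.startswith("WUK") and nas_ip_address == WUK_NAS:
        return "ok"
    return "reject"

if __name__ == "__main__":
    for group, nas in [("USUK-5GB", "1.2.3.4"), ("WUK-1GB", WUK_NAS),
                       ("WUK-1GB", "1.2.3.4"), ("USUKTV", "1.2.3.4")]:
        print(group, nas, "->", authorize(group, nas),
              "(prefix match would say", naive_prefix_authorize(group, nas) + ")")
```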
Access provide to TWO Servers dependant on Group?
Let me explain my setup.

I have TWO servers, with one running PoPtop + Radius plugin / freeradius 2.1.6 / SQL DaloRadius setup.

Connection is INTERNET <-> PPP <-> FREERADIUS <-> LAN

User X connects to Server A and authenticates against freeradius running on Server A and is provided with access using MS-CHAPv2 authentication, and this works fine.

What I would like to do is set up Server B to authenticate against freeradius on Server A, but ONLY allow access to Server B if the connecting user belongs to a specific group, if group is the correct approach.

I'm looking at setting up TWO groups: a default group to allow access to Server A only, but if you belong to GROUPX, you will be allowed access to both Server A and Server B.

How do I set up this access in SQL against a user, and what Check / Reply attributes, if any, do I need to use?

Many Thanks for your Support
Nev
Re: PPTPD Bandwidth Shaping
Dear Ivan,

Appreciate your comment. Can anyone else point me in the correct direction?

Thx Nev

> Message: 1
> Date: Wed, 10 Jun 2009 00:07:22 +0100 (BST)
> From: Ivan Kalik t...@kalik.net
> Subject: Re: PPTPD Bandwidth Shaping
>
>> Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the value is all wrong.
>>
>> I set WISPr-Bandwidth-Max-Down = 512000 (as a reply) and in /var/run/radattr.ppp0 it shows as:
>>
>> WISPr-Bandwidth-Max-Down -1062731706
>>
>> I just basically copied the dictionary.wispr to /usr/share/radiusclient-ng in order to get it loaded in radattr.ppp0:
>>
>> [r...@xxx radiusclient-ng]# more dictionary.wispr
>> ATTRIBUTE	WISPr-Location-ID	1	string
>> ATTRIBUTE	WISPr-Location-Name	2	string
>> ATTRIBUTE	WISPr-Logoff-URL	3	string
>> ATTRIBUTE	WISPr-Redirection-URL	4	string
>> ATTRIBUTE	WISPr-Bandwidth-Min-Up	5	integer
>> ATTRIBUTE	WISPr-Bandwidth-Min-Down	6	integer
>> ATTRIBUTE	WISPr-Bandwidth-Max-Up	7	integer
>> ATTRIBUTE	WISPr-Bandwidth-Max-Down	8	integer
>> #ATTRIBUTE	WISPr-Session-Terminate-Time	9	string
>> #ATTRIBUTE	WISPr-Session-Terminate-End-Of-Day	10	string
>> ATTRIBUTE	WISPr-Billing-Class-Of-Service	11	string
>>
>> Any ideas please.
>
> Try writing to the correct list. Your problem is not with freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: PPTPD Bandwidth Shaping
Hi Chuan,

Thx for the reply amongst this heated discussion on DHCP.

I've currently got installed freeRadius 2.1.6 and Poptop 2.4.4, and I see no dictionary file in /etc/ppp/radius/dictionary. In fact I have no radius directory in /etc/ppp. All freeradius dictionaries are located in /usr/share/freeradius.

The question is, how can I pass WISPr-Bandwidth-Max-Down to ip-up.local, as I was hoping it would be in /var/run/radattr.pppX, but all that's in there is:

Framed-IP-Address 192.168.0.70
Session-Timeout 1646690
MS-CHAP2-Success 7S=A8CF4948283C1C4BE11682787ADBD0EA9852E691
MS-MPPE-Recv-Key \220\265J\372\250\336\342nD\226o\272\007\030I\372'\313\...@j\361\370\266\212?_\377\262\324\215X\274\357
MS-MPPE-Send-Key \235\342\367\325\243\210\020\217|H\314WkU0\201\352\374\364\023\220\220\315z\364\277\254\361\356[Ce\002
MS-MPPE-Encryption-Policy
MS-MPPE-Encryption-Types

However, we can see WISPr-Bandwidth-Max-Down being successfully passed to FreeRadius:

++[exec] returns noop
Sending Access-Accept of id 198 to 127.0.0.1 port 53025
	Framed-IP-Address := 192.168.0.70
	WISPr-Bandwidth-Max-Down := 512000
	Session-Timeout = 1646690
	MS-CHAP2-Success = 0x37533d41384346343934383238334331433442453131363832373837414442443045413938353245363931
	MS-MPPE-Recv-Key = 0x0b660d35b65015368d107e57d97e2b55
	MS-MPPE-Send-Key = 0xc78164fb4478212fbd0d198389ee2d52
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 198 with timestamp +244
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 38836, id=199, length=98
	Acct-Session-Id = 4A2EE3A302FB00
	User-Name = test99
	Acct-Status-Type = Start
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Acct-Authentic = RADIUS
	NAS-Port-Type = Async
	Framed-IP-Address = 192.168.0.70
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok

I would love to use WISPr as suggested, but cannot find out how to get this to work. Currently I've just defaulted EVERYONE to the same bandwidth restrictions by using the following script in /etc/ppp/ip-up.local:

ip-up.local

DOWNSPEED=256
UPSPEED=768

# clear any shaping left over from a previous session on this ppp device
/sbin/tc qdisc del dev $1 root > /dev/null
/sbin/tc qdisc del dev $1 ingress > /dev/null

# speed server-client
if [ $UPSPEED != 0 ] ; then
	/sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
	/sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${UPSPEED}kbit burst 4k
	/sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${UPSPEED}kbit burst 4k prio 1
	/sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${UPSPEED}kbit burst 4k prio 2
	/sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 1500
	/sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 1500
	/sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
	/sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
	# small TCP packets with ACK set go to the interactive class
	/sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
fi

# speed client-server (ffff: is the fixed handle of the ingress qdisc)
if [ $DOWNSPEED != 0 ] ; then
	/sbin/tc qdisc add dev $1 handle ffff: ingress
	/sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNSPEED}kbit burst 12k drop flowid :1
fi

/sbin/ifconfig $1 mtu 1400
Re: PPTPD Bandwidth Shaping
Hi all again,

Ok, I've got WISPr-Bandwidth-Max-Down in /var/run/radattr.ppp0 but the value is all wrong.

I set WISPr-Bandwidth-Max-Down = 512000 (as a reply) and in /var/run/radattr.ppp0 it shows as:

WISPr-Bandwidth-Max-Down -1062731706

I just basically copied the dictionary.wispr to /usr/share/radiusclient-ng in order to get it loaded in radattr.ppp0:

[r...@xxx radiusclient-ng]# more dictionary.wispr
ATTRIBUTE	WISPr-Location-ID	1	string
ATTRIBUTE	WISPr-Location-Name	2	string
ATTRIBUTE	WISPr-Logoff-URL	3	string
ATTRIBUTE	WISPr-Redirection-URL	4	string
ATTRIBUTE	WISPr-Bandwidth-Min-Up	5	integer
ATTRIBUTE	WISPr-Bandwidth-Min-Down	6	integer
ATTRIBUTE	WISPr-Bandwidth-Max-Up	7	integer
ATTRIBUTE	WISPr-Bandwidth-Max-Down	8	integer
#ATTRIBUTE	WISPr-Session-Terminate-Time	9	string
#ATTRIBUTE	WISPr-Session-Terminate-End-Of-Day	10	string
ATTRIBUTE	WISPr-Billing-Class-Of-Service	11	string

Any ideas please.

Thx Nev

- Original Message -
From: Neville
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, June 09, 2009 10:45 PM
Subject: Re: PPTPD Bandwidth Shaping
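An added check (Python, not from the thread) that is consistent with the value Nev reports: -1062731706 read as an unsigned 32-bit integer is 0xC0A80046, i.e. 192.168.0.70, the Framed-IP-Address in the same radattr file and Access-Accept. Standard attribute 8 is Framed-IP-Address (RFC 2865), and the copied dictionary.wispr declares WISPr-Bandwidth-Max-Down as plain attribute 8 with no VENDOR/BEGIN-VENDOR block (compare the chillispot dictionary at the bottom of this thread), so the likely cause is the client decoding the standard attribute under the WISPr name. The dictionary parser below is a minimal reading of the format shown in the thread, and 14122 in the corrected copy is WISPr's IANA enterprise number.

```python
"""Why radattr.ppp0 showed WISPr-Bandwidth-Max-Down -1062731706 (added example).

Constructed inputs mirror the dictionary listings in the thread; nothing here
is FreeRADIUS or radiusclient-ng code.
"""
from ipaddress import IPv4Address

# Standard attribute numbers 1-12 from RFC 2865. A dictionary that omits
# VENDOR/BEGIN-VENDOR declares its attributes in this same number space.
RFC2865_ATTRS = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
    5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
    9: "Framed-IP-Netmask", 10: "Framed-Routing", 11: "Filter-Id", 12: "Framed-MTU",
}

def int32_to_ipv4(value):
    """Reinterpret a signed 32-bit integer, as radattr prints it, as an IPv4 address."""
    return str(IPv4Address(value & 0xFFFFFFFF))

def parse_dictionary(text):
    """Minimal parser for the dictionary syntax shown in the thread.
    Returns (name, number, type, vendor) per ATTRIBUTE line; vendor comes from an
    enclosing BEGIN-VENDOR block or a trailing vendor column, else None."""
    vendor = None
    attrs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "BEGIN-VENDOR":
            vendor = parts[1]
        elif keyword == "END-VENDOR":
            vendor = None
        elif keyword == "ATTRIBUTE" and len(parts) >= 4:
            name, number, attr_type = parts[1], int(parts[2]), parts[3]
            attrs.append((name, number, attr_type, parts[4] if len(parts) > 4 else vendor))
    return attrs

def shadowed_standard_attrs(attrs):
    """Attributes declared without a vendor whose number collides with an RFC 2865
    attribute: the client will decode the standard attribute under the vendor name."""
    return [(name, number, RFC2865_ATTRS[number])
            for name, number, _t, vendor in attrs
            if vendor is None and number in RFC2865_ATTRS]

# The copy Nev put in /usr/share/radiusclient-ng, as listed above (constructed copy).
WISPR_AS_COPIED = """
ATTRIBUTE WISPr-Location-ID              1  string
ATTRIBUTE WISPr-Location-Name            2  string
ATTRIBUTE WISPr-Logoff-URL               3  string
ATTRIBUTE WISPr-Redirection-URL          4  string
ATTRIBUTE WISPr-Bandwidth-Min-Up         5  integer
ATTRIBUTE WISPr-Bandwidth-Min-Down       6  integer
ATTRIBUTE WISPr-Bandwidth-Max-Up         7  integer
ATTRIBUTE WISPr-Bandwidth-Max-Down       8  integer
#ATTRIBUTE WISPr-Session-Terminate-Time  9  string
ATTRIBUTE WISPr-Billing-Class-Of-Service 11 string
"""

# Corrected form, written the way the chillispot dictionary in this thread is:
# a VENDOR line plus a vendor column, so 8 means vendor attribute 8, not Framed-IP-Address.
WISPR_FIXED = """
VENDOR WISPr 14122
BEGIN-VENDOR WISPr
ATTRIBUTE WISPr-Bandwidth-Max-Up         7  integer WISPr
ATTRIBUTE WISPr-Bandwidth-Max-Down       8  integer WISPr
END-VENDOR WISPr
"""

if __name__ == "__main__":
    print(int32_to_ipv4(-1062731706))  # 192.168.0.70
    for name, number, really in shadowed_standard_attrs(parse_dictionary(WISPR_AS_COPIED)):
        print("%s (%d) would be decoded from standard %s" % (name, number, really))
    print(shadowed_standard_attrs(parse_dictionary(WISPR_FIXED)))  # []
```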
PPTPD Bandwidth Shaping
Hi everyone,

I was hoping for a few pointers on this... My setup is internet - freeradius - ppp - work. This is working fine with the exception of Bandwidth Shaping.

Basically, I want to create my own ATTRIBUTES for setting Max-UP / Max-Down and use ip-up.local to AWK these attributes from:

if [ -f /var/run/radattr.$1 ]
then
    DOWNSPEED=`/bin/awk '/Max-Down-Limit/ {print $2}' /var/run/radattr.$1`
    UPSPEED=`/bin/awk '/Max-Up-Limit/ {print $2}' /var/run/radattr.$1`
    #echo $DOWNSPEED
    #echo $UPSPEED
    #echo $FILTERS

    # clear any previous shaping on this ppp interface
    /sbin/tc qdisc del dev $1 root > /dev/null 2>&1
    /sbin/tc qdisc del dev $1 ingress > /dev/null 2>&1

    # speed client-server: police inbound traffic on the ppp interface
    if [ "$DOWNSPEED" != 0 ] ; then
        /sbin/tc qdisc add dev $1 handle ffff: ingress
        /sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 \
            match ip src 0.0.0.0/0 police rate ${DOWNSPEED}kbit burst 12k drop flowid :1
    fi
fi

I've tried to use the following attributes from chillispot as a reply attribute, ChilliSpot-Bandwidth-Max-Down := 500, but I get the following error:

rlm_sql: Failed to create the pair: Invalid octet string 500 for attribute name ChilliSpot-Bandwidth-Max-Down
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user

I've also copied dictionary.chillispot to /usr/share/radiusclient-ng as:

VENDOR		ChilliSpot			14559
BEGIN-VENDOR	ChilliSpot
ATTRIBUTE	ChilliSpot-Max-Input-Octets	1	integer	ChilliSpot
ATTRIBUTE	ChilliSpot-Max-Output-Octets	2	integer	ChilliSpot
ATTRIBUTE	ChilliSpot-Max-Total-Octets	3	integer	ChilliSpot
ATTRIBUTE	ChilliSpot-Bandwidth-Max-Up	4	integer	ChilliSpot
ATTRIBUTE	ChilliSpot-Bandwidth-Max-Down	5	integer	ChilliSpot
ATTRIBUTE	ChilliSpot-Config		6	string	ChilliSpot
ATTRIBUTE	ChilliSpot-Lang			7	string	ChilliSpot
ATTRIBUTE	ChilliSpot-Version		8	string	ChilliSpot
ATTRIBUTE	ChilliSpot-OriginalURL		9	string	ChilliSpot
# Configuration management parameters (ChilliSpot Only)
ATTRIBUTE	ChilliSpot-UAM-Allowed		100	string	ChilliSpot
ATTRIBUTE	ChilliSpot-MAC-Allowed		101	string	ChilliSpot
ATTRIBUTE	ChilliSpot-Interval		102	integer	ChilliSpot

Not sure what else I'm missing, as the majority of the internet searches point to editing /etc/raddb/dictionary, but this is not there with freeradius 2.1.6. Any advice would be greatly received.

Thx
Nev
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
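Both ip-up.local scripts in this thread (the one above, and the one in the follow-up at the top of this page) pull a number out of /var/run/radattr.<ifname> with a substring regex and splice it straight into a tc command line. The script below is an added example, not code from the thread, from pppd or from FreeRADIUS: it matches the attribute name as a whole field, accepts only a plain decimal value before anything reaches a command line, converts the WISPr figure (bits per second) to the kbit tc expects, and emits the tc commands instead of running them so the result can be checked without root. The radattr contents are constructed, and the function names and file path are this example's own. It assumes the attribute actually appears in the file in the first place; pppd's radattr plugin writes out what its radiusclient dictionary can decode, which is a separate file from the FreeRADIUS dictionaries in /usr/share/freeradius.

```shell
#!/bin/sh
# Added example (not from the thread): read bandwidth attributes from a
# pppd radattr file and produce the tc commands for them, treating the
# file contents as untrusted input.

# Print the value of one attribute from a radattr.<ifname> file.
# The file holds one "Attribute-Name value" pair per line. The name is
# compared as a whole field, so a search for WISPr-Bandwidth-Max-Down does
# not also hit a Reply-Message that happens to contain that text, and only
# a plain decimal value is accepted because the result ends up on a tc
# command line. Returns 1 if the attribute is missing or not numeric.
radattr_get() {
    file=$1
    attr=$2
    [ -r "$file" ] || return 1
    value=$(awk -v a="$attr" '$1 == a { print $2; exit }' "$file")
    case $value in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# WISPr-Bandwidth-Max-Up/Down are in bits per second; tc's "kbit" is 1000 bit/s.
bps_to_kbit() {
    echo $(( $1 / 1000 ))
}

# Emit (rather than run) the tc commands for an interface: HTB on egress,
# an ingress policer for the downstream, as in the thread's scripts.
# A rate of 0 on either side means "no limit" and skips that direction.
tc_shape_cmds() {
    dev=$1
    down_kbit=$2
    up_kbit=$3
    printf '%s\n' "tc qdisc del dev $dev root >/dev/null 2>&1"
    printf '%s\n' "tc qdisc del dev $dev ingress >/dev/null 2>&1"
    if [ "$up_kbit" -gt 0 ]; then
        printf '%s\n' "tc qdisc add dev $dev root handle 1: htb default 10"
        printf '%s\n' "tc class add dev $dev parent 1: classid 1:10 htb rate ${up_kbit}kbit burst 4k"
    fi
    if [ "$down_kbit" -gt 0 ]; then
        printf '%s\n' "tc qdisc add dev $dev handle ffff: ingress"
        printf '%s\n' "tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${down_kbit}kbit burst 12k drop flowid :1"
    fi
}

# Constructed stand-in for /var/run/radattr.ppp0, written to a temp file so
# the functions above can be exercised without pppd. The last two lines are
# there to show what the whole-field and digits-only checks protect against.
sample_radattr() {
    f="${TMPDIR:-/tmp}/radattr.example.$$"
    cat > "$f" <<'EOF'
Framed-IP-Address 192.168.0.70
Session-Timeout 1646690
WISPr-Bandwidth-Max-Down 512000
WISPr-Bandwidth-Max-Up 256000
Reply-Message Your WISPr-Bandwidth-Max-Down is 512000
Filter-Id 64000;id>/tmp/pwned
EOF
    printf '%s\n' "$f"
}

# What ip-up.local would do: $1 is the interface pppd just brought up,
# $2 the radattr file for it. Missing or bad values fall back to "no limit".
shape_from_radattr() {
    dev=$1
    file=$2
    down=$(radattr_get "$file" WISPr-Bandwidth-Max-Down) || down=0
    up=$(radattr_get "$file" WISPr-Bandwidth-Max-Up) || up=0
    tc_shape_cmds "$dev" "$(bps_to_kbit "$down")" "$(bps_to_kbit "$up")"
}

f=$(sample_radattr)
shape_from_radattr ppp0 "$f"
rm -f "$f"
```

Run as-is it prints the tc commands for the constructed file; in a real ip-up.local the emitted lines would be piped to sh (as root) after review, with the sample file replaced by /var/run/radattr.$1. The fallback to 0 on a bad value is deliberate: a malformed attribute leaves the link unshaped rather than letting its contents run as part of a command.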
Re: Assigning IP address from RADIUS to Cisco PPTP users
Message: 1
Date: Tue, 26 May 2009 18:56:42 +0100 (BST)
From: Ivan Kalik t...@kalik.net
Subject: Re: Assigning IP address from RADIUS to Cisco PPTP users
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 52973.87.194.16.13.1243360602.squir...@webmail.kalik.net
Content-Type: text/plain;charset=utf-8

> I've used Livingston and Cistron radiusd's in the past with dialup ppp users and Cisco/Lucent NASes and have been able to do this with no problems. Users are currently authenticating fine and getting assigned IPs from the IP pool as defined in the Cisco NAS. However, I'd like to have a few, select users assigned static IPs from outside that pool, but the Cisco (2811) is simply ignoring the raddb/users file entry for that user and assigning an IP from the pool on the NAS.
>
> Here is my Cisco config:
>
> aaa new-model
> aaa authentication login default local group radius
> aaa authentication ppp default group radius local
> aaa authorization exec default local
> aaa authorization network default if-authenticated
> aaa session-id common
> !
> vpdn-group 1
>  accept-dialin
>   protocol pptp
>   virtual-template 1
> !
> interface Loopback0
>  ip address 99.99.99.99 255.255.255.255
>  ip nat inside
>  ip virtual-reassembly
> !
> interface Virtual-Template1
>  ip unnumbered FastEthernet0/0
>  ip policy route-map VPN-Client
>  peer match aaa-pools
>  peer default ip address pool vpnpool
>  no keepalive
>  ppp encrypt mppe auto
>  ppp authentication pap chap ms-chap ms-chap-v2
> !
> ip local pool vpnpool 172.16.30.2 172.16.30.254
>
> Here is the raddb/users file entry:
>
> testuser	Service-Type == Framed-User, Framed-Protocol == PPP
> 	Framed-IP-Address = 172.16.1.2,
> 	Framed-IP-Netmask = 255.255.255.255,
> 	Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT	Framed-Protocol == PPP
> 	Framed-Protocol = PPP,
> 	Framed-Compression = Van-Jacobson-TCP-IP
>
> The DEFAULT entry allows users in /etc/passwd to authenticate fine, but testuser still gets an IP from the NAS pool instead of the one above.. Any pointers appreciated!
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Post the debug of the authentication attempt.

Ivan Kalik
Kalik Informatika ISP

--

Message: 2
Date: Tue, 26 May 2009 14:15:44 -0500
From: jon jon free9...@gmail.com
Subject: Re: next
To: tim.sylves...@networkradius.com, FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: c1efadb10905261215n4c0a4cdbw143227509a69c...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

ok so after reading the admin.sql it looks like it is telling me what to type into my mysql, to create a default admin for radius, and so freeradius can read any table in sql. Does it matter what I change localhost to, or can it be any name I want? Guess I am seeing what I have to do but not fully understanding it. I am using a mysql book also but think that might be getting me more confused.

jon

On Tue, May 26, 2009 at 12:02 PM, Tim Sylvester tim.sylves...@networkradius.com wrote:

> Read the SQL HOWTO at: http://wiki.freeradius.org/SQL_HOWTO. Also, look at the sql.conf file in the raddb directory and the mysql files in raddb/sql/mysql. You will want to read the information in admin.sql and schema.sql.
>
> Tim
>
> From: freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freeradius.org On Behalf Of jon jon
> Sent: Tuesday, May 26, 2009 9:51 AM
> To: FreeRadius users mailing list
> Subject: next
>
>> I have my freeradius working, I'm running slackware 12.1 with freeradius version 2.1.5. I used the NTRAping utility to send packets to my freeradius server. I also used radtest and that was successful. So now I want to set up freeradius with a backend mysql database. I am looking for the script db_mysql.sql and cannot find this file. I installed mysql as a package when I installed slackware. So, does that file even exist anymore?
>> I have the radius book and the directory it shows doesn't contain any file with that name.

--

Message: 3
Date: Tue, 26 May 2009 20:45:03 +0100 (BST)
From: Ivan Kalik t...@kalik.net
Subject: Re: next
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 53183.87.194.16.13.1243367103.squir...@webmail.kalik.net
Content-Type: text/plain;charset=utf-8

> ok so after reading the admin.sql it looks like it is telling me what to type into my mysql, to create a default admin for radius, and so freeradius can read any table in
Re: Re: freeRADIUS + POPTOP
> I've searched the INTERNET for 5 days now and late into the evening, but I'm totally stumped in resolving my problem, so I would appreciate any guidance from the experts. I've configured as per the many guides I've found and have a basic understanding of how this all works, but there is no information anywhere on how to setup the Users / Client details for freeRADIUS.

Did you try reading comments in users file and clients.conf ie. files you were about to change?

First THANKS for replying... I did, but still cannot work out what I'm doing wrong on this as there are so many guides and different ways of doing things, or that's how it seems.

Everything authenticates ok and the correct IP is allocated now, but I'm not able to BROWSE any sites and cannot even ping the IP address given to the PPP adapter. I can only access the VPN, but none of the traffic seems to be routing correctly. Can you offer any further support, please.

Windows IP Configuration

PPP adapter testvpn
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

C:\Users\Nev>ping 10.0.0.168

Pinging 10.0.0.168 with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 10.0.0.168:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.168  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:3890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:442107 (431.7 KiB)  TX bytes:108501 (105.9 KiB)

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.0.0/24          anywhere

[root log]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

[root log]# cat /proc/sys/net/ipv4/ip_forward
1

RADIUS LOG..

+- entering group post-auth {...}
[test_pool] 	expand: %{NAS-IP-Address} %{NAS-Port} -> 127.0.0.1 0
[test_pool] MD5 on 'key' directive maps to: ee0282d57992a30bce29ea43d092ac16
[test_pool] Searching for an entry for key: 'ee0282d57992a30bce29ea43d092ac16'
rlm_ippool: Allocating ip to key: 'ee0282d57992a30bce29ea43d092ac16'
[test_pool] num: 1
[test_pool] Allocated ip 10.0.0.168 to client key: ee0282d57992a30bce29ea43d092ac16
++[test_pool] returns ok
++[exec] returns noop
Sending Access-Accept of id 95 to 127.0.0.1 port 51514
	Service-Type = Framed-User
	Session-Timeout = 65000
	Framed-Protocol = PPP
	Framed-MTU = 1400
	MS-CHAP2-Success = 0xf2533d35303143344543324435364631324646424434313043314445303236314244324642323145323238
	MS-MPPE-Recv-Key = 0x39c2ccda839a57b64583b1f3a55ed07e
	MS-MPPE-Send-Key = 0xeaa3b2169241344554880f6e3a6f956b
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006
	Framed-IP-Address = 10.0.0.168
	Framed-IP-Netmask = 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 40285, id=96, length=97
	Acct-Session-Id = 4A1897253C3400
	User-Name = test1
	Acct-Status-Type = Start
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Acct-Authentic = RADIUS
	NAS-Port-Type = Async
	Framed-IP-Address = 10.0.0.168
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 4A1897253C3400,User-Name = test1'
[acct_unique] Acct-Unique-Session-ID = 2855668f1c6c9940.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] 	expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/detail-20090524
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/detail-20090524
[detail] 	expand: %t -> Sun May 24 00:39:01 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] 	expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> test1
++[radutmp] returns ok
[test_pool] This is not an Accounting-Stop. Return NOOP.
++[test_pool] returns noop
[attr_filter.accounting_response]
freeRADIUS + POPTOP
Firstly, let me apologise now for asking what is most probably a simple question to you long standing veterans of freeRADIUS.

I've searched the INTERNET for 5 days now and late into the evening, but I'm totally stumped in resolving my problem, so I would appreciate any guidance from the experts. I've configured as per the many guides I've found and have a basic understanding of how this all works, but there is no information anywhere on how to setup the Users / Client details for freeRADIUS.

I've been using the poptop (pptpd) server for several weeks, with great success, but now I wish to introduce freeRADIUS. The problem I'm facing is the allocation of IP address / GW / DNS by freeRADIUS for the VPN connections coming onto my server.

My service PrivateIP address is 19x.xxx.xxx.190. I've iptables setup to forward all NAT traffic through the PRIVATEIP, but allocation of a GW of 10.0.0.1 and a Client IP of 10.0.0.200.

However, when I connect and freeRADIUS authenticates me SUCCESSFULLY, I get given an IP of 192.168.2.82 from the test_pool, but the pool has

range-start = 10.0.0.100
range-stop = 10.0.0.199

which is totally different to the address allocated by the pool. ANY IDEAS?
/var/log/messages

May 22 21:49:13 server pppd[765]: MPPE 128-bit stateless compression enabled
May 22 21:49:15 server pppd[765]: Cannot determine ethernet address for proxy ARP
May 22 21:49:15 server pppd[765]: local  IP address 10.0.0.1
May 22 21:49:15 server pppd[765]: remote IP address 192.168.2.82

radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 34510, id=245, length=133
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = test1
	MS-CHAP-Challenge = 0xd4fd1b2f3b03fa424ae2ccc6dcd11029
	MS-CHAP2-Response = 0x87001d6e9a747c3545dd123d19c410c037be2b9c7e96783abd1954a72ae8f4bc4733b1470477ba725366
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20090522
[auth_log] 	expand: %t -> Fri May 22 22:46:15 2009
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = test1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 70
[files] users: Matched entry test1 at line 77
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for test1 with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
+- entering group post-auth {...}
[test_pool] 	expand: %{NAS-IP-Address} %{NAS-Port} -> 127.0.0.1 0
[test_pool] MD5 on 'key' directive maps to: ee0282d57992a30bce29ea43d092ac16
[test_pool] Searching for an entry for key: 'ee0282d57992a30bce29ea43d092ac16'
rlm_ippool: Allocating ip to key: 'ee0282d57992a30bce29ea43d092ac16'
[test_pool] num: 1
[test_pool] Allocated ip 192.168.2.82 to client key: ee0282d57992a30bce29ea43d092ac16
++[test_pool] returns ok
++[exec] returns noop
Sending Access-Accept of id 245 to 127.0.0.1 port 34510
	Service-Type = Framed-User
	Session-Timeout = 65000
	Framed-Protocol = PPP
	Framed-MTU = 1400
	MS-CHAP2-Success = 0x87533d4631303737453344353532343034353446373738463639364534383642374434433244333842
	MS-MPPE-Recv-Key = 0x5a21400d6e5601f9c7201a94d401eefb
	MS-MPPE-Send-Key = 0x14eadb5ada027ccdd63a6cf372f0defd
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006
	Framed-IP-Address = 192.168.2.82
	Framed-IP-Netmask = 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 43515, id=246, length=97
	Acct-Session-Id = 4A172B390A9300
	User-Name = test1
	Acct-Status-Type = Start
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Acct-Authentic = RADIUS
	NAS-Port-Type = Async
	Framed-IP-Address = 192.168.2.82
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 4A172B390A9300,User-Name = test1'
[acct_unique] Acct-Unique-Session-ID = 29e101f9a598e8fe.
++[acct_unique] returns ok
[suffix] No '@' in