logging authentication and accounting response times.

2010-02-02 Thread Padam J Singh

Hi,

Running the 2.1.1 version, is it possible to log the amount of time 
taken (in ms) to process an accounting packet?


I figured that I can enable authentication and reply log for 
authentication and write a script to calculate the time between request 
coming and response going out, but for accounting, I need help getting 
this value.


Thanks,
Padam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Radius packet ID

2010-01-23 Thread Padam J Singh
Hi,

The RADIUS packet has an 8-bit ID field.

This ID field is used to track the requests both in the NAS and the
RADIUS server.

The question is, does the ID need to be unique between the NAS and
RADIUS Server for all packet types? So it is OK to have an ID of 102 in
an accounting packet and an ID of 102 for an authentication packet at
the same time?

Thanks,
Padam
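RFC 2865 only requires the Identifier to let a client match replies to its own requests; a server recognises a retransmission by the combination of source IP address, source UDP port and Identifier, so two packets with the same Identifier are distinct as long as they arrive from different source ports (the same Identifier in flight at once from the same socket would collide). An Accounting-Request (RFC 2866) additionally carries an MD5 Request Authenticator over the packet and the shared secret, and every reply carries a Response Authenticator bound to its request. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it builds an Access-Request and an Accounting-Request that both use Identifier 102, shows the duplicate-detection key a server would derive for each, and computes and verifies the RFC 2866 authenticators. The shared secret, addresses, ports and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attributes used below (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
HEADER = struct.Struct('!BBH')  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise [(type, bytes)] as Type/Length/Value triples (RFC 2865 section 5)."""
    out = b''
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError('attribute value must be 1..253 bytes')
        out += struct.pack('!BB', attr_type, len(value) + 2) + value
    return out


def access_request(ident, attrs):
    """Access-Request: the Request Authenticator is 16 unpredictable bytes (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def accounting_request(ident, attrs, secret):
    """Accounting-Request: Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """Server side: False on a short packet, a wrong Length field or a bad authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = HEADER.unpack(packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def response_for(request, code, attrs, secret):
    """Reply whose Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(request, response, secret):
    """Client side: the reply must echo the Identifier and be keyed to this request's authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def duplicate_key(src_ip, src_port, packet):
    """RFC 2865 section 3: a retransmission is recognised by source IP, source UDP port and Identifier."""
    return (src_ip, src_port, packet[1])


SECRET = b'testing123'  # constructed shared secret for the example

if __name__ == '__main__':
    auth_pkt = access_request(102, [(USER_NAME, b'padam')])
    acct_pkt = accounting_request(102, [(USER_NAME, b'padam'),
                                        (ACCT_STATUS_TYPE, struct.pack('!I', 1)),  # Start
                                        (ACCT_SESSION_ID, b'0001')], SECRET)
    # Same Identifier in both; sent from different source ports they yield different keys.
    print(duplicate_key('10.0.0.5', 40000, auth_pkt), duplicate_key('10.0.0.5', 40001, acct_pkt))
    print(verify_accounting_request(acct_pkt, SECRET))
    reply = response_for(acct_pkt, ACCOUNTING_RESPONSE, [], SECRET)
    print(verify_response(acct_pkt, reply, SECRET))
```

The authenticator is MD5 keyed by appending the secret, so it proves little against an attacker who can sniff and brute-force a weak secret; it is still the only integrity check a plain UDP RADIUS accounting packet carries, which is why verify_accounting_request() rejects anything that does not match before the packet is processed.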

Re: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread Padam J Singh
Hi Mike,

I use a similar setup (PG Functions for auth/acct) and I never had an
issue with the query ordering.

Padam

freerad...@duxtel.com wrote:
> Hi Alan,
>
> Thanks heaps for your reply! :-)
>
>>> So my basic question is:  Does "authorize_check_query" complete fully
>>> before starting the call to "authorize_reply_query"?
>>
>>   To re-phrase your question:
>>
>> Q: What work does the database perform after it's returned an answer
>> from a SELECT?
>>
>> A: Nothing.
>
> That is true for a select statement, but my authorize_check_query is /not/ a
> simple select.
>
> It is this:
>
> authorize_check_query = "select id, username, attribute, value, op from \
>     auth('%{SQL-User-Name}', '%{NAS-IP-Address}') \
>     as (id integer, username varchar, attribute varchar, value varchar, op varchar)"
>
> the 'auth()' function is a plpgsql function that does a variety of lookups
> and other checks, and then depending on the results returned from that
> query, it *might* update database records, or it might insert additional
> data.
>
> Therefore, it is important to know whether authorize_check_query and
> authorize_reply_query execute synchronously or not.
>
>>> If they happen at the same time, then I expect that 'authorize_reply_query'
>>> may execute before I get a chance to create the relevant records for the
>>> 'guest' user...
>>>
>>> I know I can just go ahead and find out my answer by 'empirical method', but
>>> I figure that just because it seems to work every time, there is no definite
>>> guarantee that it will work *every* time unless I can be certain that these
>>> functions execute in sequence :-}
>>
>>   Databases ensure transactional consistency.  This is the job of a
>> database.
>
> Yes, very true - so it is conceivably possible that authorize_reply_query is
> completed before my authorize_check_query has updated or inserted records.
>
> I'm sure that there is a definitive answer to this question "Does freeradius
> wait for the result of auth-check before running auth-reply?" and I am aware
> that it may not be the answer that I'd hope to hear ;-)  but I'd still like
> to know it, nonetheless :-D
>
> Thanks - I really do appreciate any comments!
>
> Regards,  Mike.

Re: Crash due to fr_packet_cmp

2009-11-18 Thread Padam J Singh
Alan,

Could this be some sort of a compiler optimization that may be causing
this? Maybe some memory barrier is required?

Padam

Alan DeKok wrote:
> fabiana marvani wrote:
>   
>> Why is not there a protection for "null pointer" to avoid this kind of
>> problem?
>> 
>
>   Because the design of the server means that this crash *should* be
> impossible.
>
>   The request packet has been placed in a hash table.  The crash comes
> because the request data structure is still in the hash, but the request
> packet has been freed.  This should *not* happen.
>
>   And reading src/main/event.c, there are only 3-4 locations in the code
>  that reads/writes "request->packet".  i.e. it FIRST removes the request
> from the hash, and THEN frees the packet.  It's always in this order,
> and always done in the main thread.
>
>   So I have no idea why this is happening...
>
>   Alan DeKok.

Re: Bandwidth & Hardware Requirement Question

2009-08-21 Thread Padam J Singh
Depends a lot on the NAS's implementation of accounting. Some NASs send
accounting packets every X minutes. Some do it based on accounting
timers per session... so bandwidth utilization is quite different.

From a live server having 2000 users online, with NASs sending
accounting updates every 5 minutes (from start of session), the
bandwidth utilization for accounting alone is less than 20kbps (at an
average accounting packet size of 120 bytes), so in this case 2Mbit
can do 200,000 sessions... you will have bigger issues than bandwidth
once you hit those numbers!

For authentication, take the percentage of the total subscriber base that is
generally online at any given time, and the percentage of users logging in
at peak hours. The average authentication packet size is less than 200
bytes... do the math and you will get how much bandwidth is required for
authentications.

Padam

Deepak wrote:
> On Fri, Aug 21, 2009 at 2:27 PM, Igor Smitran wrote:
>> Bandwidth is needed on your router. Between your router and your radius
>> server you will only have authentication and accounting packets which
>> are small and do not consume much of a bandwidth.
>> Radius server will not do any rate limiting, radius server will only
>> send rate limit data to router, during authentication, if you tell him to.
>> You can use desktop computer (P4 for example) for radius server. You can
>> have sql server on separate lan/computer. or not, it's up to you.
>> You can authenticate thousands of users on one pentium 4, with basic setup.
>>
> 
> Thanks for info I needed. I got the hardware part. Regarding the
> bandwidth in router, how much bandwidth is needed (rough estimate)
> given that thousands of users are online and radius is continuously
> getting accounting packets from various APs?
> 
> Supposing if I have 2.0 Mbps line dedicated just for this, how many
> user's accounting packets I can handle normally? Rough estimate will
> do. I just want to have general idea before committing.
> 
> Thanks again
> 
> 


Re: Request for opinion - central admin user server LDAP+FreeRADIUS

2009-08-09 Thread Padam J Singh
Look at TACACS/TACACS+. Most devices support this. You will need a
TACACS server which authenticates off a RADIUS server.

For others, it is up to the software to implement TACACS or direct RADIUS.

Andres Kaaber wrote:
> Hello all
> I'm assigned with a project to make a central admin user database for all kind
> of servers / devices you can imagine (routers, switches, firewalls, linux
> servers, windows servers, databases, etc.). The point is that when a new
> employee arrives you just make him a user in this database, maybe check which
> type of devices he can and all the devices are configured to authenticate users
> against this db. We have over 200 switches alone in our company so making user
> accounts in every single one of them and when this dude leaves to disable all
> of them is huge (or impossible) work.
> So I thought a linux server LDAP+FreeRADIUS for authentication sounds quick,
> easy and good solution, or not? There is no problem with servers Linux and
> Windows servers can authenticate against radius. Most popular DB -s can do
> this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
> routers but as far I found in google there should be no problems the same goes
> for juniper devices.
> So what do you think? Or maybe you know a free software solution for this kind
> of problem already? Sun identity management is one that i checked out but it
> seems too bloated and complicated. So what are your thoughts?


Re: configure

2009-07-29 Thread Padam J Singh
Maybe posting on solaris lists would be better?

shiva shankar wrote:
> thanks for your reply
>
> again i have to install gcc
>
> could you please let me know, i am new for this installation. i think this
> problem with os.
>
> 2009/7/29 Padam J Singh
>> Do you even read the errors you post? Did you read config.log?
>>
>> Most probably the compiler on your machine is broken!
>>
>> shivashankar wrote:
>>> hi
>>>
>>> i am facing following problem. please help me
>>>
>>> freeradius 2.1.6 on solaris10
>>>
>>> bash-3.00# ./configure
>>> checking for gcc... gcc
>>> checking for C compiler default output file name...
>>> configure: error: C compiler cannot create executables
>>> See `config.log' for more details.
>
> --
> regards
> shiva shankar

Re: configure

2009-07-29 Thread Padam J Singh
Do you even read the errors you post? Did you read config.log?

Most probably the compiler on your machine is broken!



shivashankar wrote:
> hi
>
> i am facing following problem. please help me
>
> freeradius 2.1.6 on solaris10
>
> bash-3.00# ./configure
> checking for gcc... gcc
> checking for C compiler default output file name...
> configure: error: C compiler cannot create executables
> See `config.log' for more details.


Re: CPU selection for highest performance

2009-07-23 Thread Padam J Singh

Hello Ivan,

For the LDAP I am using four servers which are configured in a
master-master replication amongst them and load balanced search access
via FR.

I take your point - spending 3x the money is not going to result in 3x
the performance in this case, so what I can do is increase the spend on
LDAP servers.

Thanks,
Padam

Ivan Kalik wrote:
>> I have the choice of selecting between two servers for deploying 802.1x
>> authentication off an LDAP server. The max rate of authentication
>> is around a couple of thousand authentications per second.
>
> You can put freeradius on PentiumIII machine and it will cope with this. I
> would have serious doubts that your ldap server will.
>
>> The first choice is a 2 CPU, Quad Core Nehalem 2.53GHz based server
>> with 8MB cache 12GB DDR3 memory @ 1333MHz.
>> The second choice is a 4 CPU Quad Core Xeon 7440 2.4GHz with 16MB cache
>> 16GB DDR2 @ 677 MHz
>>
>> So on one hand I have a faster memory access and higher CPU speed, the
>> other offers higher CPU cache and double the number of cores.
>>
>> Which sort of server would be more suitable for FR ?
>
> In your setup freeradius is irrelevant. Both servers will do just fine.
> Rate of authentication will be determined by the ability of the ldap
> server to cope with the load.
>
> Ivan Kalik
> Kalik Informatika ISP

CPU selection for highest performance

2009-07-22 Thread Padam J Singh

Hi,

I have the choice of selecting between two servers for deploying 802.1x
authentication off an LDAP server. The max rate of authentication is around a couple
of thousand authentications per second.

The first choice is a 2 CPU, Quad Core Nehalem 2.53GHz based server
with 8MB cache 12GB DDR3 memory @ 1333MHz.
The second choice is a 4 CPU Quad Core Xeon 7440 2.4GHz with 16MB cache
16GB DDR2 @ 677 MHz

So on one hand I have a faster memory access and higher CPU speed, the
other offers higher CPU cache and double the number of cores.

Which sort of server would be more suitable for FR ?

TIA,
Padam

Re: Freeradius+MySQL auth for PPTP (MSCHAP V2) failing

2009-07-03 Thread Padam J Singh

Hello Ajitabh,

Does PAP work? If it does, then your overall configuration is correct.
Whenever doing a new setup, always begin with PAP password from PPTP
and Cleartext-Password in MySQL, and if it works then go ahead and
change the setting on either side to suit your needs.

I think the issue is that you are storing the password encrypted - the
radius server expects either a Cleartext-Password or Chap-Password for
MSCHAPv2, and you have Crypt-Password, from which the radius server
cannot derive anything for comparison, since there is no conversion
between them.

IMO you have these options:

1. MSCHAPv2 + Clear-Text Password
2. MSCHAPv2 + NT-LM hashes
3. PAP + Crypt Password
4. PAP + Clear-Text Password

Padam


Ajitabh Pandey wrote:

Hello,

I am trying to setup the poptop authentication through freeradius with
mysql backend. Freeradius server as of now will only authenticate
users and do accounting. IP delegation will be done by poptop.

The radtest for a test user is successful.

# radtest myuser testpassword localhost 1812 'testing123'
Sending Access-Request of id 13 to 127.0.0.1 port 1812
	User-Name = "myuser"
	User-Password = "mypassword"
	NAS-IP-Address = A.B.C.D
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=20

Here are the three inserts I made in the mysql tables, maybe they are of use:

insert into radcheck (username,attribute,op,value) values
('myuser','Crypt-Password',':=',encrypt('mypassword'));
insert into radgroupcheck (groupname,attribute,op,value) values
('dynamic','Auth-Type',':=','Crypt-Local');
insert into radgroupreply (groupname,attribute,op,value) values
('dynamic','Acct-Interim-Interval','=',60);

Here is the freeradius -X output snippet for authentication:

rad_recv: Access-Request packet from host 127.0.0.1 port 40483, id=65,
length=153
	Service-Type = Framed-User
	Framed-Protocol = PPP
	User-Name = "myuser"
	MS-CHAP-Challenge = 0x47359b9f4e6e11824858fd4b2a4a67c8
	MS-CHAP2-Response =
0x7700234d5c8cd2388b66dd01a736d817a807629ab9bb7a480528165b51e15fb04b5293cc5b2ed0d5d272
	Calling-Station-Id = "A.B.C.D"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
+- entering group authorize
	expand: %{User-Name} -> myuser
rlm_sql (sql): sql_set_user escaped user --> 'myuser'
rlm_sql (sql): Reserving sql socket id: 4
	expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'myuser'   ORDER BY id
rlm_sql (sql): User found in radcheck table
	expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'myuser'   ORDER BY id
	expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'myuser'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [myuser/] (from client
localhost port 0 cli A.B.C.D)
  Found Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 1.0 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 65 to 127.0.0.1 port 40483

The radiusd.conf file is more or less the default except I have added
the sql lines to it.

It will be great if someone can provide any help regarding this.
Please let me know if you need further information from my side.

Regards.

Re: Need help no of users and capacity load

2009-07-02 Thread Padam J Singh

Hello Ramesh,

Capacity depends a lot on how the RADIUS server is accessing
authentication stores. Are you storing these users in an LDAP or a DB?
It is these resources that generally become the bottleneck first
rather than the RADIUS server.

Also, are you doing authentication and accounting (RAS) or just
authentication (EAP)?

Padam

ramesh p wrote:
> We are going to have up to 3 million users in our radius
> setup in the next month. At present we are using freeradius1.1.6 in
> linux platform and over 1 million users. we are planning to upgrade to
> latest version. How the performance matter with 3 million users. Please
> suggest in terms of load balancing and capacity per server? How many
> radius servers will be ideal to keep.
>
> Thanks,
> Rams.

Re: Acct Input and Output gigaword

2009-06-27 Thread Padam J Singh

Eric,

NASs send Input/Output octets as an incremental value. So if you lose a
few update packets, you do not lose usage values.

Since the number will wrap at the unsigned long boundary of 4GB, the
NAS is supposed to keep a tally of how many times the wrap-around
has occurred since the session started.

As you can see, this is clearly the job of the NAS, and not of the
RADIUS server.

Padam

Eric wrote:
> But NAS sends account input and output octets updates and
> Freeradius has the traffic volume in its database also.  Can't
> freeradius calculate the volume and invent the gigaword itself?
>
> On Wed, Jun 24, 2009 at 10:58 AM, Eric wrote:
>> I mean: Is it needed NAS support gigawords If I want to use gigaword for
>> checking the amount of online user's traffic in new versions of freeradius?
>>
>> Or new versions of freeradius can calculate traffic amount without receiving
>> any gigaword information from NAS?
>>
>>> RFC2869 says that Input and Output gigaword should be sent from NAS to
>>> radius server.
>>> Now new versions of freeradius support gigaword. Should NAS supports
>>> gigaword?
>>
>> Some do, some don't. Most don't have it enabled by default. You will have
>> to look into NAS documentation to find out.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
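The split between Acct-Input-Octets and Acct-Input-Gigawords that the reply above describes, as an added Python example written for this page (not code from the thread or from FreeRADIUS): the first function combines the two counters a NAS reports, the second walks one session's accounting packets in order and, for a NAS that never sends gigawords, treats a drop in the 32-bit counter as one wrap. The sample update sequences are constructed. The inference is a heuristic and is only sound when less than 4 GiB can pass between two consecutive updates, which is the caveat behind the point that the NAS, not the server, should keep the count.

```python
GIGAWORD = 1 << 32  # Acct-Input/Output-Octets are 32-bit; Acct-*-Gigawords (RFC 2869) counts the wraps


def total_octets(octets, gigawords=0):
    """Combine the two counters a NAS reports into one byte count."""
    if not 0 <= octets < GIGAWORD:
        raise ValueError('Acct-*-Octets must be an unsigned 32-bit value')
    if gigawords < 0:
        raise ValueError('Acct-*-Gigawords cannot be negative')
    return gigawords * GIGAWORD + octets


def reconcile(updates):
    """Walk one session's accounting packets in order and return the byte count after the last.

    Each update is (octets, gigawords), with gigawords None when the NAS did not send the
    attribute. The counters are cumulative for the session, so a lost Interim-Update costs
    nothing. When gigawords is present it is authoritative. When it is absent, a drop in the
    32-bit value between consecutive updates is counted as exactly one wrap; that inference is
    only sound if fewer than 4 GiB can pass between two updates, which is why the NAS should
    send the count rather than leave the server to guess it.
    """
    wraps, prev, total = 0, None, 0
    for octets, gigawords in updates:
        if gigawords is not None:
            wraps = gigawords
        elif prev is not None and octets < prev:
            wraps += 1
        prev = octets
        total = total_octets(octets, wraps)
    return total


# Constructed Interim-Update sequences: (Acct-Input-Octets, Acct-Input-Gigawords or None)
NAS_WITH_GIGAWORDS = [(4000000000, 0), (50, 1), (60, 1)]
NAS_WITHOUT_GIGAWORDS = [(100, None), (4000000000, None), (50, None)]

if __name__ == '__main__':
    print(reconcile(NAS_WITH_GIGAWORDS), reconcile(NAS_WITHOUT_GIGAWORDS))
```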

LDAP ntPassword and lmPassword help

2009-03-19 Thread Padam J Singh
Hello,

I have an LDAP server which contains ntPassword and lmPassword attributes
like following:


dn: uid=subs, ou=accounts, dc=test, dc=com
uid: subs
userPassword:: e01ENX03MmIwMTViNDhlOTU5ZTlkYWQ3MTAxNjNiYjJhZDkyMQ==
mac: ""
lmPassword: {ENC}9846B736BDDA9E7CAAD3B435B51404EE
ntPassword: {ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67
objectClass: objDevices
objectClass: top


FR 2.1.1 is configured for doing 802.1x authentication. While doing the
authentication, I obviously get Invalid NT-Password and Invalid
LM-Password error. The error stems from the fact that the length is
incorrect because of the additional {ENC} prefix.

Is there some configuration where I can set something so it ignores the
initial {ENC} while doing the password comparison?

I cannot get rid of the {ENC} prefix.

Thanks,
Padam


-- 
PGP Id 9EED2E09

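The MSCHAPv2 thread above and this LDAP question turn on the same fact: MS-CHAPv2 can only be verified from the cleartext password or from the NT hash (MD4 over the UTF-16LE password), never from a one-way crypt(3) string, and the stored NT hash has to decode to exactly 16 bytes, which a {ENC} prefix breaks. The Python below is an added example written for this page, not FreeRADIUS code and not from either thread: it implements MD4 (hashlib's md4 is missing on many OpenSSL 3 builds), derives the NT-Password value to store in a radcheck-style row for the MSCHAPv2 case, and shows a normalisation step that strips a {scheme} prefix before the length check. Whether any given server strips such prefixes is not something the thread establishes, so that step is illustrative; the LM hash (DES based) is deliberately left out.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    msg = bytearray(data) + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # per round: message-word order, the four rotation amounts, additive constant
    rounds = (
        (tuple(range(16)), (3, 7, 11, 19), 0),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    funcs = (lambda b, c, d: (b & c) | (~b & d),           # F
             lambda b, c, d: (b & c) | (b & d) | (c & d),  # G
             lambda b, c, d: b ^ c ^ d)                    # H
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = h
        for f, (order, shifts, k) in zip(funcs, rounds):
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[j] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def nt_hash(password: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); the value MS-CHAPv2 verification actually consumes."""
    return md4(password.encode('utf-16-le'))


def normalise_stored_nt_hash(value: str) -> bytes:
    """Accept '8846F7...' (32 hex digits) or a scheme-prefixed form such as '{ENC}8846F7...' like the
    LDAP entry in the post. Stripping the prefix is this example's choice, not documented server
    behaviour; without it the value is not valid hex, and anything that is not exactly 16 bytes
    once decoded is rejected, which is the length error the post describes."""
    if value.startswith('{') and '}' in value:
        value = value[value.index('}') + 1:]
    raw = bytes.fromhex(value)
    if len(raw) != 16:
        raise ValueError('NT hash must be 16 bytes, got %d' % len(raw))
    return raw


def nt_hash_from_store(attr: str, value: str):
    """The NT hash a server can derive from a stored check item, or None when it cannot:
    Cleartext-Password is hashed on the fly, NT-Password is used as stored, and Crypt-Password
    is one-way, so there is nothing to compare an MS-CHAPv2 response against."""
    if attr == 'Cleartext-Password':
        return nt_hash(value)
    if attr == 'NT-Password':
        return normalise_stored_nt_hash(value)
    return None


def radcheck_nt_password(username: str, password: str):
    """Row for a radcheck-style table: option 2 in the reply above (MS-CHAPv2 against a stored NT hash)."""
    return (username, 'NT-Password', ':=', nt_hash(password).hex().upper())


if __name__ == '__main__':
    print(radcheck_nt_password('myuser', 'password'))
    print(nt_hash_from_store('NT-Password', '{ENC}22D6ADD4E9AD37B87B8EDB2C91E1EE67').hex())
    print(nt_hash_from_store('Crypt-Password', 'saltedcrypt'))
```

Storing the NT hash instead of the cleartext removes the cleartext from the database, but an NT hash is a password-equivalent for MS-CHAPv2 (whoever holds it can answer the challenge), so the radcheck table needs the same protection either way.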


Re: Handing out duplicate IP addresses

2009-01-15 Thread Padam J Singh

Hello Ivan,

Would adding a mutex around the select-update code in the sqlippool
module solve this issue?

Padam

t...@kalik.net wrote:
>> The requests all came in at the same time, to the second (among others),
>> its like FR took 3 requests and looked at the database at the exact same
>> time, saw it was an available IP and all those 3 requests assigned it.
>
> That can't be avoided. SELECT (allocate-find) will always work much
> faster than UPDATE (allocate-update).
>
>> My NAS rejects two of the 3 because the IP is assigned,
>
> I think that you make a good point here. If the allocate-update query was
> made to fail in the case that the IP address was already issued to
> another thread between allocate-find and allocate-update (by expanding
> it with AND expiry_time IS NULL in WHERE), point of failure will be in
> sqlippool module and not on the NAS. Logic can then perhaps try to issue
> a new IP address (best just once more in order not to create a loop).
> That way issuing same IP address to multiple threads can be handled by
> the sqlippool module.
>
> Ivan Kalik
> Kalik Informatika ISP
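The allocate-find / allocate-update race described above, as an added Python example that is not the sqlippool module's code: an in-memory SQLite table modelled loosely on radippool, a deterministic interleaving of two requests that both run the find query before either runs the update, and two versions of the update, the plain one that silently hands the same address to both, and the guarded one Ivan proposes, where the WHERE clause repeats the availability test so the loser's UPDATE touches zero rows and it retries once. Column names, addresses and lease values are constructed, and expiry_time is an integer here rather than a timestamp.

```python
import sqlite3


def make_pool(addresses):
    """In-memory stand-in for the radippool table (columns loosely modelled on FreeRADIUS's; constructed)."""
    db = sqlite3.connect(':memory:', isolation_level=None)  # autocommit: each statement is visible at once
    db.execute('CREATE TABLE radippool (framedipaddress TEXT PRIMARY KEY, '
               'pool_key TEXT, expiry_time INTEGER)')
    db.executemany('INSERT INTO radippool VALUES (?, NULL, NULL)', [(a,) for a in addresses])
    return db


def allocate_find(db, now):
    """allocate-find: pick a free address (never leased, or lease expired)."""
    row = db.execute('SELECT framedipaddress FROM radippool '
                     'WHERE expiry_time IS NULL OR expiry_time < ? '
                     'ORDER BY expiry_time, framedipaddress LIMIT 1', (now,)).fetchone()
    return row[0] if row else None


def allocate_update_naive(db, ip, pool_key, now, lease):
    """allocate-update as in the thread: overwrites whatever is there, so a second thread that
    found the same row a moment earlier also 'succeeds'."""
    db.execute('UPDATE radippool SET pool_key = ?, expiry_time = ? WHERE framedipaddress = ?',
               (pool_key, now + lease, ip))
    return True


def allocate_update_guarded(db, ip, pool_key, now, lease):
    """Ivan's suggestion: repeat the availability test in the WHERE clause, so only the first
    UPDATE changes the row; the loser sees rowcount 0 and knows to try again."""
    cur = db.execute('UPDATE radippool SET pool_key = ?, expiry_time = ? '
                     'WHERE framedipaddress = ? AND (expiry_time IS NULL OR expiry_time < ?)',
                     (pool_key, now + lease, ip, now))
    return cur.rowcount == 1


def allocate(db, pool_key, now, lease, update, retries=1):
    """find + update, retrying a bounded number of times when the guarded update loses the race."""
    for _ in range(retries + 1):
        ip = allocate_find(db, now)
        if ip is None:
            return None
        if update(db, ip, pool_key, now, lease):
            return ip
    return None


def race(db, update, now=1000, lease=3600):
    """Interleave two requests the way the thread describes: both run allocate-find before
    either runs allocate-update. Returns the address each request ended up with."""
    ip_a = allocate_find(db, now)
    ip_b = allocate_find(db, now)  # same row: A has not updated yet
    update(db, ip_a, 'session-A', now, lease)
    if update(db, ip_b, 'session-B', now, lease):
        return ip_a, ip_b
    return ip_a, allocate(db, 'session-B', now, lease, update)  # B lost; one more attempt


if __name__ == '__main__':
    print(race(make_pool(['192.0.2.1', '192.0.2.2']), allocate_update_naive))    # duplicate
    print(race(make_pool(['192.0.2.1', '192.0.2.2']), allocate_update_guarded))  # distinct
```

A mutex inside one radiusd process would serialise that process's own threads but does nothing for a second server sharing the same pool database; making the UPDATE conditional (or using SELECT ... FOR UPDATE on databases that support it) moves the arbitration into the database, where it holds for every client of the pool.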

Re: newbie new freeradius install fails to start...

2008-12-31 Thread Padam J Singh

You need to install the make utility...

yum install make

and try again.

Padam

John Williams wrote:
> Hello,
>
> Maybe someone can guide me out of this maze.
>
> I have a new Fedora 10 install running on Dell intel platform.  I installed freeradius.i386 0:2.1.3-1.fc10 package using yum installer.  All I did before starting in debug mode was edit clients.conf and users file.
>
> I get this error at the end of the config file parse each time I attempt to start "radiusd -X"
>
> /etc/raddb/certs/bootstrap: line 15: make: command not found
> Exec-Program output:
> Exec-Program: returned: 127
> rlm_eap: Failed to initialize type tls
> /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
> /etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
> /etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
>  }
> }
> Errors initializing modules
>
> If someone could help I'd be really happy.
>
> Thanks,
> jw

Re: Help Regarding SQL Counter

2008-12-19 Thread Padam J Singh

pushpraj nimbalkar wrote:
> Thanks for reply,
>
> I am using linksys WRT54GL router with DD-WRT and Chillispot.
> SQLCounter works only when radacct tables contains accounting
> information of logging user.

Please also post the reply sent back to the NAS - run the radius server
in debug mode and check if correct Session-Timeout values are getting
passed or not.

> On Fri, Dec 19, 2008 at 5:08 PM, Padam J Singh wrote:
>> The NAS has to implement session disconnection after the requisite time/byte limit.
>>
>> What NAS are you using?
>>
>> Padam
>>
>> pushpraj nimbalkar wrote:
>>> Hello All;
>>> I just installed freeradius on fedora 10. freeradius version is
>>> "freeradius-2.1.1-2.fc10.i386" i also installed radius mysql packages.
>>> After basic set up I configured radius with mysql. All thing are
>>> working fine but i am not able to resolve sqlcounter issue.  I have
>>> defined counters in counter.conf file and included those counters in
>>> /etc/raddb/sites-enabled/default file. When i create user with 30
>>> minutes session time(Max-All-Session). Then user should be able to
>>> login only for 30 minutes. But what is happening is when user connects
>>> he can be online as much time as he can. That 30 minutes counter
>>> doesn't work. But when same user first logins for 5 minutes and logs
>>> off and again logins then counter works perfectly means user can be
>>> online only for remaining time i.e. for 25 minutes. So i think
>>> sqlcounter works only when there is accounting records for logging user
>>> inside radacct table but when user first time logins then there will
>>> not be any records inside radacct table. Same thing happening with
>>> octet accounting.
>>>
>>> Please Help.
>>>
>>> Thanks,
>>> Pushpraj N.
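What an sqlcounter-style check does with a Max-All-Session check item, as an added Python example written for this page (not the module's code; the radacct rows are constructed): sum the user's acctsessiontime since the counter's reset point, reject when the allowance is used up, otherwise return the remaining seconds as the Session-Timeout reply item. Two things are worth seeing in working code. A first-time user has no radacct rows, so SUM() returns NULL and has to be coalesced to 0, after which the reply carries the full limit; an unlimited first session therefore points at the NAS not enforcing Session-Timeout, which is exactly what the reply above asks the poster to check in the debug output. And the server only sends the number; nothing here terminates a session.

```python
import sqlite3


def make_radacct(rows):
    """In-memory stand-in for radacct with only the columns a session counter needs (constructed)."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, '
               'acctsessiontime INTEGER, acctstoptime INTEGER)')
    db.executemany('INSERT INTO radacct VALUES (?, ?, ?, ?)', rows)
    db.commit()
    return db


def seconds_used(db, username, reset_start=0):
    """Seconds consumed since the counter's reset point. COALESCE is the important part: a user
    who has never logged in has no rows, SUM() over no rows is NULL, and NULL is not 0."""
    (used,) = db.execute(
        'SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct '
        'WHERE username = ? AND acctstarttime >= ?', (username, reset_start)).fetchone()
    return int(used)


def session_limit_decision(db, username, max_all_session, reset_start=0):
    """The decision an sqlcounter-style check makes for Max-All-Session: ('Access-Reject', 0)
    when the allowance is exhausted, otherwise ('Access-Accept', remaining), where remaining
    is what goes out as Session-Timeout. Enforcing that number is the NAS's job."""
    remaining = max_all_session - seconds_used(db, username, reset_start)
    if remaining <= 0:
        return ('Access-Reject', 0)
    return ('Access-Accept', remaining)


# Constructed rows: (username, acctstarttime, acctsessiontime, acctstoptime); the last is still open
SAMPLE_ROWS = [
    ('pushpraj', 1229700000, 300, 1229700300),
    ('heavy', 1229700000, 1500, 1229701500),
    ('heavy', 1229702000, 400, None),
]

if __name__ == '__main__':
    db = make_radacct(SAMPLE_ROWS)
    for user in ('first-login', 'pushpraj', 'heavy'):
        print(user, session_limit_decision(db, user, 1800))
```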

Re: Help Regarding SQL Counter

2008-12-19 Thread Padam J Singh

The NAS has to implement session disconnection after the requisite
time/byte limit.

What NAS are you using?

Padam

pushpraj nimbalkar wrote:
> Hello All;
> I just installed freeradius on fedora 10. freeradius version is
> "freeradius-2.1.1-2.fc10.i386" i also installed radius mysql packages.
> After basic set up I configured radius with mysql. All thing are
> working fine but i am not able to resolve sqlcounter issue.  I have
> defined counters in counter.conf file and included those counters in
> /etc/raddb/sites-enabled/default file. When i create user with 30
> minutes session time(Max-All-Session). Then user should be able to
> login only for 30 minutes. But what is happening is when user connects
> he can be online as much time as he can. That 30 minutes counter
> doesn't work. But when same user first logins for 5 minutes and logs
> off and again logins then counter works perfectly means user can be
> online only for remaining time i.e. for 25 minutes. So i think
> sqlcounter works only when there is accounting records for logging user
> inside radacct table but when user first time logins then there will
> not be any records inside radacct table. Same thing happening with
> octet accounting.
>
> Please Help.
>
> Thanks,
> Pushpraj N.

Re: Sending Accounting Response

2008-12-15 Thread Padam J Singh
Alan DeKok wrote:
> Padam J Singh wrote:
>> The reason I would like to use this is because the NAS I am building is
>> a network controller which offers advance features like speed select in
>> the same session, add new IP filter policies applied live on an update.
>> I do not want to implement an out of band service (SNMP/SOAP) to achieve
>> the same for something what the RADIUS protocols says is allowed,
> 
>   The RFC's do NOT say this.  They say that VSA's are permitted, but
> they do not say what changes the NAS is permitted (or not permitted) to
> do when it receives those VSA's.
>
I agree on that completely - I am only looking for the ability to send
attributes and not derive any semantics about it between RADIUS and NAS.

>> and FR
>> claiming it adheres to that RFC.
> 
>   We are not just following the RFC's, we are actively leading the
> creation of new standards.  See RFC 5080, and the IETF RADEXT WG.
> (guidelines document, RADIUS over TCP document, Status-Server document,
> etc.)
Again, I agree and quote that FR is the best, kudos to the whole
community to make it the best.
> 
>> I have also checked up the diameter protocol - sending attributes in an
>> accounting answer is a *very* acceptable thing. 
> 
>   Yes.  Diameter is not RADIUS.
> 
>> I have even confirmed
>> with the RADIUS Server used by Oracle in their BRM applications used in
>> most telcos that sending VSAs in Accounting-Response is OK and supported.
> 
>   That doesn't mean it's a good idea.  Vendors implement all sorts of
> broken things that get forbidden by later documents.
> 
>> The only other option left is to use CoA. However, the radius client
>> libraries that would form part of the NAS do not implement CoA. 
> 
>   Adding CoA support to freeradius-client isn't hard.  It's likely not
> more than 40-50 lines of code to enable sending && receiving CoA packets.
> 
>> I have
>> read up the source code of all radius client libraries offered part of
>> FR and even made by others - none of them have a library which could be
>> used to listen for radius packets on a given port and accept and
>> acknowledge CoA/Packet of disconnect. So I would have to write this from
>> scratch, and would be most happy to contribute back to community.
> 
>   What you are really talking about is a Dynamic Authorization *Server*.
>  See Section 1.3 of RFC 5176.
> 
>   i.e. you do *not* want a RADIUS client.  You want a RADIUS server that
> receives CoA packets, and processes them through a policy.  This is a
> lot more complicated than just sending && receiving CoA packets.
>

It is vital that this is written in a way that this can either be part
of the RADIUS Server, or can be embedded onto a NAS. It is vital that
the consideration for the CoA component to be independent and also be
available as a library. This would enable for example a call switching
agent running on an embedded device to be able to directly receive CoA
messages by enabling callbacks or message queues.

>   I expect that FreeRADIUS will likely have complete support for CoA
> within 6-9 months.  If you're willing to wait, you can just use that.
> 

I couldn't find any open implementation of CoA for NASs, so will start
writing that.

>> Googling for the same suggests a whole lot more users are asking the
>> same question. In my opinion anyone implementing Voice billing and real
>> time rating would love to have this.
> 
>   That's what CoA is for.  Using Accounting-Response is wrong.
> 
>> The reason it is traditionally not required is because NASs are
>> generally dumb, and wouldn't require to even look for attributes in
>> updates. However, the new generation billing requirements are forcing
>> more intelligence onto these NASs.
> 
>   Then they need to implement CoA.  See the WiMAX standards, where they
> require CoA for next generation billing requirements.
> 
>> I guess the rational thing to do if the worlds best RADIUS server cannot
>> do this out of the box, then use Diameter or implement CoA.
> 
>   FreeRADIUS can do this.  See "man unlang" for how to add attributes to
> the Accounting-Response.  But it's *not* tied into the default behavior,
> because almost no one needs it.
> 
I would be able to send back attributes using unlang, or jradius.

>   And the people who need it *should* implement CoA.
> 

I agree with it - but in the absence of a good client library to receive CoA
messages, the simplest way out would have been Accounting-Response attributes.

>   Alan DeKok.


Re: Sending Accounting Response

2008-12-15 Thread Padam J Singh

Alan DeKok wrote:
> Padam J Singh wrote:
>> The attributes I want to send are VSAs anyway, so I fail to see how this
>> violates the RFC.
> 
>   It doesn't.  Technically.  But it's a bad idea.
> 
>   Can you explain why you need to send the attributes, and what the NAS
> does with them?
The reason I would like to use this is because the NAS I am building is
a network controller which offers advanced features like speed selection
within the same session, or adding new IP filter policies applied live on
an update. I do not want to implement an out-of-band service (SNMP/SOAP)
to achieve the same for something the RADIUS protocol says is allowed,
with FR claiming it adheres to that RFC.

I have also checked the Diameter protocol - sending attributes in an
accounting answer is a *very* acceptable thing. I have even confirmed
with the RADIUS server used by Oracle in their BRM applications, used in
most telcos, that sending VSAs in an Accounting-Response is OK and supported.

The only other option left is to use CoA. However, the RADIUS client
libraries that would form part of the NAS do not implement CoA. I have
read the source code of all the RADIUS client libraries offered as part of
FR, and even those made by others - none of them has a library which could
be used to listen for RADIUS packets on a given port and accept and
acknowledge CoA/Packet of Disconnect. So I would have to write this from
scratch, and would be most happy to contribute it back to the community.

> 
>> The standard install of FR also includes the following in
>> attr.accounting_response:
> 
>   Yes... I know.
> 
>> The filter does allow any VSA - I wonder why the modules are not written
>> to facilitate sending the attributes to the NAS.
> 
>   Because only one out of ten thousand users need to send attributes in
> an Accounting-Response.  And they can't explain why they need to do it.
> 

Googling for the same suggests a whole lot more users are asking the
same question. In my opinion anyone implementing Voice billing and real
time rating would love to have this.

The reason it is traditionally not required is because NASs are
generally dumb and wouldn't even need to look for attributes in
updates. However, the new generation of billing requirements is forcing
more intelligence onto these NASs.


>   If the requested functionality isn't used for anything, it won't be
> added to the server.
> 

I guess the rational thing to do, if the world's best RADIUS server cannot
do this out of the box, is to use Diameter or implement CoA.

>   Alan DeKok.
> 

-- 
PGP Id 9EED2E09


Re: Sending Accounting Response

2008-12-14 Thread Padam J Singh


Alan DeKok wrote:
> Padam J Singh wrote:
>> From RFC 2866:
> 
>   Yes, I have read the RFC's.  They're even in the FreeRADIUS source
> tree.  They're referenced from http://freeradius.org/rfc/, which was
> built by me.
> 
>> The RFC doesn't categorically say that an accounting response packet SHOULD 
>> NOT have attributes.
> 
>   Read the REST of the RFC.  Specifically, the Table of Attributes.
>

Citing the Table of Attributes:

   No attributes should be found in
   Accounting-Response packets except Proxy-State and possibly Vendor-
   Specific.

The attributes I want to send are VSAs anyway, so I fail to see how this
violates the RFC.

>> The NAS is an application I have written - so I will be able to parse 
>> attributes in an accounting response.
> 
>   Your application is wrong.  If it needs to have attributes sent back
> in an Accounting-Response packet, then it's not doing RADIUS properly.
>

According to the RFC - VSAs are allowed, and it is up to the vendor to
implement handling such responses.

>> If the standard postgres module cannot be used to send back attributes in an
>> accounting-response packet, can I do the same using any other module like
>> JRadius? I have gone through the rlm_jradius source code, and it looks like
>> it doesn't differentiate between accounting and authorization responses
>> when reading value pairs.
> 
>   If you can get something to work, good luck.  But the server is NOT
> intended to send attributes back in the Accounting-Response.
> 

The standard install of FR also includes the following in
attr.accounting_response:

DEFAULT
	Vendor-Specific =* ANY,
	Message-Authenticator =* ANY,
	Proxy-State =* ANY

The filter does allow any VSA - I wonder why the modules are not written
to facilitate sending the attributes to the NAS.

>   Alan DeKok.
> 

-- 
PGP Id 9EED2E09


Re: Client library for using CoA

2008-12-14 Thread Padam J Singh
t...@kalik.net wrote:
> http://wiki.freeradius.org/Radclient

The application being developed is a NAS - I am already using the RADIUS
client libraries to send RADIUS requests to a RADIUS server.

I am looking for a C library that implements the CoA/Packet of
Disconnect message parsing on the NAS.

> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 14/12/2008, "Padam J Singh"  writes:
> 
>> Hello,
>>
>> Are you aware of any radius client library which also implements
>> CoA/Packet of Disconnect?
>>
>> I have checked radiusclient-ng and its earlier version - they do not
>> contain any such feature.
>>
>> I saw that CoA is on the roadmap for FR (2007 announcement), any work
>> done on it yet?
>>
>> Thanks,
>> Padam
>>
>>
>> --
>> PGP Id 9EED2E09
>>
>>
> 
> 

-- 
PGP Id 9EED2E09


Client library for using CoA

2008-12-13 Thread Padam J Singh
Hello,

Are you aware of any RADIUS client library which also implements
CoA/Packet of Disconnect?

I have checked radiusclient-ng and its earlier version - they do not
contain any such feature.

I saw that CoA is on the roadmap for FR (2007 announcement), any work
done on it yet?

Thanks,
Padam


-- 
PGP Id 9EED2E09


Re: Sending Accounting Response

2008-12-13 Thread Padam J Singh
Hello Alan,

From RFC 2866:

4.2.  Accounting-Response

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

The RFC doesn't categorically say that an accounting response packet SHOULD NOT
have attributes.

The NAS is an application I have written - so I will be able to parse
attributes in an accounting response.

If the standard postgres module cannot be used to send back attributes in an
accounting-response packet, can I do the same using any other module like
JRadius? I have gone through the rlm_jradius source code, and it looks like
it doesn't differentiate between accounting and authorization responses
when reading value pairs.

Thanks,
Padam

Alan DeKok wrote:
> Padam J Singh wrote:
>   
>> According to RFC 2866, it is possible to send back attributes in reply to an
>> accounting update packet sent from a NAS.
>> 
>
>   *Please* use the correct terminology.  It makes it easier for us to
> understand your question.
>
>   If I read what I *think* you mean, then no, RFC 2866 does not allow
> attributes in an Accounting-Response.
>
>   
>> What I have done is this: The authorization and authentication queries
>> are basically calls to a stored procedure in postgres that returns a set
>> of a table type that contains the attribute, operator and value.
>> I can write a stored procedure to return a set of attributes to send
>> back in an accounting start/update/stop, but all the queries given as
>> examples in the default dialup.conf are update queries that do not
>> return any attribute.
>>
>> How do I configure the postgres module to return the attributes to the NAS?
>> 
>
>   You don't.
>
>   Please explain why you think this is necessary.  Also be aware that
> any attributes you send in an Accounting-Response will be ignored by
> *every* NAS that anyone has ever made.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   

-- 
PGP Id 9EED2E09
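An added example, not code from this thread or from FreeRADIUS, that covers two points argued above: the RFC 2866 Accounting-Response layout and Response Authenticator quoted in the 2008-12-13 message, and the Table of Attributes rule cited in the 2008-12-14 message that only Proxy-State and Vendor-Specific belong in that packet. It shows the NAS-side check a client library should make before acting on any returned VSA: verify the authenticator against the shared secret, then parse the TLVs and keep only the permitted attributes. The shared secret, request authenticator, packet ID, the "speed=10M" payload and the vendor number 32473 (the enterprise number reserved for documentation) are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCT_RESPONSE = 5
PROXY_STATE, VENDOR_SPECIFIC = 33, 26   # the only attributes RFC 2866 permits in this packet
DOC_VENDOR = 32473                      # enterprise number reserved for documentation (RFC 5612)

def response_authenticator(ident, attrs, request_auth, secret):
    # RFC 2866 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def vsa(vendor_id, vtype, data):
    # RFC 2865 s5.26 Vendor-Specific: Vendor-Id(4), Vendor-Type(1), Vendor-Length(1), data
    body = struct.pack("!IBB", vendor_id, vtype, 2 + len(data)) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def check_accounting_response(packet, request_ident, request_auth, secret):
    """NAS side: (decoded VSAs, ignored attribute types), or None if header/authenticator fail."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4]) != (ACCT_RESPONSE, request_ident, len(packet)):
        return None
    attrs = packet[20:]
    expected = response_authenticator(request_ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # wrong secret or tampered packet: trust nothing in it
    accepted, ignored, pos = [], [], 0
    while pos < len(attrs):              # walk the TLVs, rejecting malformed lengths
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed Vendor-Specific attribute")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            accepted.append((vendor_id, vtype, value[6:4 + vlen]))
        elif atype != PROXY_STATE:
            ignored.append(atype)        # not permitted in an Accounting-Response; ignore it
    return accepted, ignored

def demo():
    secret, req_auth, ident = b"testing123", bytes(range(16)), 102   # constructed sample values
    attrs = (vsa(DOC_VENDOR, 1, b"speed=10M")                      # the VSA the NAS wants
             + bytes([PROXY_STATE, 5, 0x61, 0x62, 0x63])            # Proxy-State "abc": allowed
             + bytes([8, 6, 10, 0, 0, 1]))                          # Framed-IP-Address: not allowed
    auth = response_authenticator(ident, attrs, req_auth, secret)  # server side, constructed
    packet = struct.pack("!BBH", ACCT_RESPONSE, ident, 20 + len(attrs)) + auth + attrs
    return (check_accounting_response(packet, ident, req_auth, secret),
            check_accounting_response(packet, ident, req_auth, b"wrongsecret"))
```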


Sending Accounting Response

2008-12-13 Thread Padam J Singh
Hello,

According to RFC 2866, it is possible to send back attributes in reply to an
accounting update packet sent from a NAS.

What I have done is this: The authorization and authentication queries
are basically calls to a stored procedure in postgres that returns a set
of a table type that contains the attribute, operator and value (for
authorization), and the encrypted password for authentication.

I can write a stored procedure to return a set of attributes to send
back in an accounting start/update/stop, but all the queries given as
examples in the default dialup.conf are update queries that do not
return any attribute.

How do I configure the postgres module to return the attributes to the
NAS? The NAS is an application I have written that parses all attributes
sent back after an auth-request and acct-start/update/stop.

Thanks,
Padam


-- 
PGP Id 9EED2E09


Sending Accounting Response

2008-12-12 Thread Padam J Singh

Hello,

According to RFC 2866, it is possible to send back attributes in reply to an
accounting update packet sent from a NAS.

What I have done is this: The authorization and authentication queries
are basically calls to a stored procedure in postgres that returns a
set of a table type that contains the attribute, operator and value.
I can write a stored procedure to return a set of attributes to send
back in an accounting start/update/stop, but all the queries given as
examples in the default dialup.conf are update queries that do not
return any attribute.

How do I configure the postgres module to return the attributes to the
NAS?

Thanks,
Padam



-- 
PGP Id 9EED2E09