Scripts before 'authenticate', re-writing Attributes items ...

2005-11-01 Thread Roberto Gonzalez Azevedo

Hi,

How can I run scripts in the 'authorize' phase and modify an Attribute item?
Something like this:

(after 'authorize')
Auth-Type = Crypt-Local

(after script, BEFORE 'authenticate')
Auth-Type = MS-CHAP


Thanks.

Roberto Gonzalez Azevedo
[EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_sqlcounter problem

2005-06-17 Thread Roberto Gonzalez Azevedo

Show us your sqlcounter.conf ...

You should define 'check-item' in sqlcounter.conf ...

-----
Roberto Gonzalez Azevedo
Carlos Martínez-Troncoso Cera wrote:

Hello.

I have freeradius-1.0.2 with authorization and authentication in LDAP and
accounting in MySQL. I configured it to use rlm_sqlcounter to control connection
time; testing with NTRadPing works well, but testing with my Cisco NAS it
doesn't work.


With my Cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 3


With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
  modcall[authorize]: module "monthlycounter" returns ok for request 8


My relevant conf files:

clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
   secret    = x
   shortname = Carlos
   type      = other
}
#Cisco NAS
client 200.106.138.14/32 {
   secret    = xx
   shortname = cisco
   type      = cisco
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions= yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

$INCLUDE  ${confdir}/sql.conf
$INCLUDE  ${confdir}/sqlcounter.conf   


mschap {
authtype = MS-CHAP
}

ldap {
server = "200.xx.xx.xx"
port = "390"
identity = "cn=Directory Manager"
password = xx
basedn = "o=yy,o=yy"
password_attribute = "userPassword"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

checkval {
item-name = Max-Monthly-Session
check-name = Max-Monthly-Session
data-type = string
}
   
preprocess {

huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

detail auth_log {
 detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
 detailperm = 0600
 }

detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
  detailperm = 0600

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

}

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes   
perm = 0600

callerid = "yes"
}

radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}

attr_filter {
attrsfile = ${confdir}/attrs
}

always fail {
rcode = fail
}
always reject {

Re: Auth: Login incorrect: [user/]

2005-06-17 Thread Roberto Gonzalez Azevedo

In 'users' :

user    Auth-Type := Local, Password = "somepass", Simultaneous-Use = 2, Huntgroup-Name = "adsl-dialup"
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        NAS-Port-Type = Async,
        Service-Type = Framed-User,


---------
Roberto Gonzalez Azevedo

Adil Azmi Bikarbass wrote:
Well, I've tried Auth-Type := Local, and my radiusd.conf allows CHAP
with the following syntax:


authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
}


But with no success

Adil

On Fri, 17 Jun 2005, Jandre Olivier wrote:

You are using CHAP authentication. What I recommend you can try is
"Auth-Type := Local", and also make sure your radiusd.conf allows CHAP
authentication.


Hope it helps

Adil Azmi Bikarbass wrote:


Dear FreeRadius list members,

I'm really stuck with an authentication problem here:

I'm getting the following error message any time a user tries to connect
through my FreeRADIUS server:


Auth: Login incorrect: [user/] (from client MT2_ADSL port 1476461184)
Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".


Here is the radius entry for that user:

user    Password = "somepass", Simultaneous-Use = 2, Huntgroup-Name = "adsl-dialup"
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        NAS-Port-Type = Async,
        Service-Type = Framed-User,

The Huntgroup-Name adsl-dialup is there to specify the IP addresses of
all the remote access servers we use.


Once I add the following line at the bottom of my users file, the user
gets connected with no problem:


DEFAULT Auth-Type := Accept

Please advise what could be the problem

Thanks in advance

Adil














Re: rlm_sqlcounter problem

2005-06-18 Thread Roberto Gonzalez Azevedo

sqlcounter noresetcounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    ## Look here
    check-item = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    ## Look here
    check-item = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    ## Look here
    check-item = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

thanks ...
-
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:

OK Roberto:

sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}



Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367




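The counter arithmetic behind the sqlcounter.conf above, as an added example that is not code from the thread: the daily/monthly query is run in Python against sqlite3 standing in for MySQL (GREATEST becomes the two-argument MAX, AcctStartTime is stored as unix seconds), and the authorize outcome is mapped to the three results the module logs. The accounting rows, the 108000-second check item and the UTC period boundary are constructed assumptions chosen so that the monthly counter comes to 106750, matching the NTRadPing log line; a request carrying no Max-Monthly-Session check item takes the noop path, which is what the Cisco NAS log shows.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed radacct rows (UserName, AcctStartTime as unix seconds, AcctSessionTime in
# seconds), not real accounting data. "Now" is 17 June 2005; the monthly period began 1 June.
NOW = int(datetime(2005, 6, 17, 12, 0, tzinfo=timezone.utc).timestamp())
MONTH_START = int(datetime(2005, 6, 1, tzinfo=timezone.utc).timestamp())
RADACCT = [
    ("cmartinez", MONTH_START - 3600, 7200),     # straddles 1 June: only 3600 s count
    ("cmartinez", MONTH_START + 86400, 103150),  # entirely inside June: all 103150 s count
    ("cmartinez", MONTH_START - 90000, 3600),    # ended in May: excluded by the WHERE clause
    ("other", MONTH_START + 10, 999999),         # another user: excluded by the key
]

# The daily/monthly query from sqlcounter.conf translated for sqlite: GREATEST() becomes the
# two-argument MAX(), AcctStartTime is already unix seconds, and the three '?' stand for
# %b, %{%k} and %b, where %b is the first second of the current reset period.
COUNTER_QUERY = """SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
                   FROM radacct WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?"""

def period_start(reset, now):
    """Unix time substituted for %b (computed in UTC here; the real module uses localtime)."""
    t = datetime.fromtimestamp(now, timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    if reset == "never":
        return 0
    if reset == "daily":
        return int(t.timestamp())
    if reset == "monthly":
        return int(t.replace(day=1).timestamp())
    raise ValueError("unknown reset policy: " + reset)

def build_radacct():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", RADACCT)
    return conn

def sqlcounter_authorize(conn, user, check_items, check_name, reset, now):
    """Model of rlm_sqlcounter's authorize step: returns (rcode, Session-Timeout or None)."""
    if check_name not in check_items:
        return ("noop", None)  # "Could not find Check item value pair": nothing to enforce
    limit = int(check_items[check_name])
    b = period_start(reset, now)
    (counter,) = conn.execute(COUNTER_QUERY, (b, user, b)).fetchone()
    if counter >= limit:
        return ("reject", None)  # quota for this reset period already used up
    return ("ok", limit - int(counter))  # Reply-Item Session-Timeout = check_item - counter
```
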
Re: Which Operating System is best for freeRADIUS

2005-10-07 Thread Roberto Gonzalez Azevedo

SLACKWARE Linux.


Roberto Gonzalez Azevedo


Gunther wrote:


Building my FR server, I have the choice of a number of operating systems for
my FreeRADIUS server.
Anybody with a suggestion which operating system is best suited for FR?

I like to run FR on a VPS (virtual private server) using one of the
following OS:
- FreeBSD 4.9 (jail)
- FreeBSD 5.2 (jail)
- Fedora 2 (virtuozza)
- Redhat AS3 (virtuozza)
- Redhat 9.0 (virtuozza)
- CentOS 4.0 (virtuozza)

Thanks!
Gunther





two or more ippool

2006-10-06 Thread Roberto Gonzalez Azevedo

I'm having some trouble with ippool.
I have some IP pools that need to be distributed
to my clients.

Here is an example, my radiusd.conf:
...
ippool p0 {
  range-start = xx.xx.xx.1
  range-stop = xx.xx.xx.20
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p0
  ip-index = ${raddbdir}/ippool/db.ipindex.p0

  override = yes
  maximum-timeout = 0
}

ippool p1 {
  range-start = xx.xx.xx.21
  range-stop = xx.xx.xx.40
  netmask = 255.255.255.0

  cache-size = 32
  session-db = ${raddbdir}/ippool/db.ippool.p1
  ip-index = ${raddbdir}/ippool/db.ipindex.p1

  override = yes
  maximum-timeout = 0
}
...

In accounting:
accounting {
...
group mypools {
p0
p1
}
...
}

In post-auth:
post-auth {
...
group mypools {
p0
p1
}
...
}


In (mysql) radgroupcheck :

+----+-----------+-----------+----+-------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-----------+----+-------+------+
| 30 | mygroup   | Pool-Name | := | p0    |    1 |
| 31 | mygroup   | Pool-Name | := | p1    |    1 |
+----+-----------+-----------+----+-------+------+
...


It's working, but my clients only get IPs from the first pool (p0).
They never get any from the other pools (p1, p2 ...).

Has somebody already had a problem like this?

Thanks !!!
--
Roberto Gonzalez Azevedo


Re: two or more ippool

2006-10-06 Thread Roberto Gonzalez Azevedo

Thanks for the reply.

I can't subdivide in two groups ...
I need 1 group, with several pools ...



Thanks
--
Roberto Gonzalez Azevedo

Jan Mulders wrote:
> You're using the wrong syntax for including the pools in each section.
>
> Here's an example from my own config...
>
> modules {
>     ippool 512k_high {
>
>         #  range-start,range-stop: The start and end ip
>         #  addresses for the ip pool
>         range-start = x.x.x.6
>         range-stop = x.x.x.66
>
>         #  netmask: The network mask used for the ip's
>         netmask = 255.255.255.0
>
>         #  cache-size: The gdbm cache size for the db
>         #  files. Should be equal to the number of ip's
>         #  available in the ip pool
>         cache-size = 60
>
>         # session-db: The main db file used to allocate ip's to clients
>         session-db = ${raddbdir}/ippool.512k_high
>
>         # ip-index: Helper db index file used in multilink
>         ip-index = ${raddbdir}/ipindex.512k_high
>
>         # override: Will this ippool override a Framed-IP-Address already set
>         override = no
>
>         # maximum-timeout: If not zero specifies the maximum time in seconds an
>         # entry may be active. Default: 0
>         maximum-timeout = 0
>     }
>     ippool 512k_low {
>     ...
>
>
> instantiate {
> }
>
> authorize {
>     preprocess
>     sql
> }
>
> authenticate {
>     pap
> }
>
> preacct {
>     preprocess
> }
>
> accounting {
>     radutmp
>     512k_high
>     512k_low
>     10m_high
>     10m_low
>     sql
> }
>
>
> session {
>     radutmp
>     sql
>
> }
> post-auth {
>     sql
>     512k_high
>     512k_low
>     10m_high
>     10m_low
> }
>
>
> Also, I notice that 'mygroup' has IP assignments from 2 pools. This
> can't work, because RADIUS will just select the first one it gets from
> MySQL. May I suggest either subdividing your users into two groups, or
> merging the two groups?
>
> Hope this helps,
>
> Jan
>


sqlippool + MySQL

2006-10-16 Thread Roberto Gonzalez Azevedo
dius_xlat:  'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = 'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name = 'sqlippool''
...
"

This 'update' will never match!!! Here is the current row in radippool:
"
mysql> select * from radippool;

+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
| id | pool_name | FramedIPAddress | NASIPAddress | CalledStationId | CallingStationId | expiry_time         | UserName | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
|  1 | mypool    | 192.168.0.1     |              |                 |                  | 0000-00-00 00:00:00 |          |          |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
1 row in set (0.00 sec)
"

In radgroupcheck:
"
In (mysql) radgroupcheck :

+----+-----------+-----------+----+--------+------+
| id | GroupName | Attribute | op | Value  | prio |
+----+-----------+-----------+----+--------+------+
| 39 | mygroup   | Pool-Name | := | mypool |    1 |
...
"


Thanks.
--
Roberto Gonzalez Azevedo