Scripts before 'authenticate', re-writing Attributes items ...
Hi,

How can I run scripts in the 'authorize' phase and modify an Attribute item? Something like this:

  (after 'authorize')                    Auth-Type = Crypt-Local
  (after script, BEFORE 'authenticate')  Auth-Type = MS-CHAP

Thanks.

Roberto Gonzalez Azevedo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sqlcounter problem
Show us your sqlcounter.conf ... You should define 'check-item' in sqlcounter.conf ...

-----
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:
> Hello. I have freeradius-1.0.2 with authorization and authentication in LDAP and accounting in MySQL.
> I configured rlm_sqlcounter to control connection time. Testing with NTRadPing works well, but testing with my Cisco NAS it doesn't work.
>
> With my Cisco NAS this is the message:
>
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
> modcall[authorize]: module "noresetcounter" returns noop for request 3
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
> modcall[authorize]: module "monthlycounter" returns noop for request 3
>
> With NTRadPing the message is:
>
> rlm_sqlcounter: (Check item - counter) is greater than zero
> rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
> rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
> modcall[authorize]: module "monthlycounter" returns ok for request 8
>
> My relevant conf files:
>
> clients.conf
>
> #PC with NTRadping
> client 172.16.31.43/32 {
>     secret = x
>     shortname = Carlos
>     type = other
> }
> #Cisco NAS
> client 200.106.138.14/32 {
>     secret = xx
>     shortname = cisco
>     type = cisco
> }
>
> radiusd.conf
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = /usr/local/lib
> pidfile = ${run_dir}/radiusd.pid
> user = radiusd
> group = radiusd
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 1812
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = yes
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
>     max_attributes = 200
>     reject_delay = 1
>     status_server = no
> }
> proxy_requests = no
> $INCLUDE ${confdir}/clients.conf
> snmp = no
> $INCLUDE ${confdir}/snmp.conf
> thread pool {
>     start_servers = 5
>     max_servers = 32
>     min_spare_servers = 3
>     max_spare_servers = 10
>     max_requests_per_server = 0
> }
> modules {
>     pap {
>         encryption_scheme = crypt
>     }
>     chap {
>         authtype = CHAP
>     }
>     pam {
>         pam_auth = radiusd
>     }
>     $INCLUDE ${confdir}/sql.conf
>     $INCLUDE ${confdir}/sqlcounter.conf
>     mschap {
>         authtype = MS-CHAP
>     }
>     ldap {
>         server = "200.xx.xx.xx"
>         port = "390"
>         identity = "cn=Directory Manager"
>         password = xx
>         basedn = "o=yy,o=yy"
>         password_attribute = "userPassword"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         start_tls = no
>         access_attr = "dialupAccess"
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>     }
>     checkval {
>         item-name = Max-Monthly-Session
>         check-name = Max-Monthly-Session
>         data-type = string
>     }
>     preprocess {
>         huntgroups = ${confdir}/huntgroups
>         hints = ${confdir}/hints
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>     }
>     files {
>         usersfile = ${confdir}/users
>         acctusersfile = ${confdir}/acct_users
>         compat = no
>     }
>     detail {
>         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>         detailperm = 0600
>     }
>     detail auth_log {
>         detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>         detailperm = 0600
>     }
>         detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
>         detailperm = 0600
>     acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>     }
>     radutmp {
>         filename = ${logdir}/radutmp
>         username = %{User-Name}
>         case_sensitive = yes
>         check_with_nas = yes
>         perm = 0600
>         callerid = "yes"
>     }
>     radutmp sradutmp {
>         filename = ${logdir}/sradutmp
>         perm = 0644
>         callerid = "no"
>     }
>     attr_filter {
>         attrsfile = ${confdir}/attrs
>     }
>     always fail {
>         rcode = fail
>     }
>     always reject {
Re: Auth: Login incorrect: [user/]
In 'users':

user    Auth-Type := Local, Password = "somepass", Simultaneous-Use = 2, Huntgroup-Name = "adsl-dialup"
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        NAS-Port-Type = Async,
        Service-Type = Framed-User

---------
Roberto Gonzalez Azevedo

Adil Azmi Bikarbass wrote:
> Well, I've tried the Auth-Type := Local and my radiusd.conf allows CHAP with the following syntax:
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     unix
> }
>
> But with no success.
>
> Adil
>
> On Fri, 17 Jun 2005, Jandre Olivier wrote:
>> You are using CHAP authentication. What I recommend you can try is "Auth-Type := Local", and also make sure your radiusd.conf allows CHAP authentication.
>>
>> Hope it helps
>>
>> Adil Azmi Bikarbass wrote:
>>> Dear FreeRadius list members,
>>>
>>> I'm really stuck with an authentication problem here: I'm getting the following error message any time a user tries to connect through my FreeRADIUS server:
>>>
>>> Auth: Login incorrect: [user/] (from client MT2_ADSL port 1476461184)
>>> Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
>>>
>>> Here is the radius entry for that user:
>>>
>>> user    Password = "somepass", Simultaneous-Use = 2, Huntgroup-Name = "adsl-dialup"
>>>         Framed-Protocol = PPP,
>>>         Framed-IP-Address = 255.255.255.254,
>>>         NAS-Port-Type = Async,
>>>         Service-Type = Framed-User
>>>
>>> The Huntgroup-Name "adsl-dialup" is to specify the IP addresses of all the remote access servers we use.
>>>
>>> Once I add the following line at the bottom of my users file the user gets connected with no problem:
>>>
>>> DEFAULT Auth-Type := Accept
>>>
>>> Please advise what could be the problem.
>>>
>>> Thanks in advance
>>>
>>> Adil
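Why the rlm_unix error in the thread above says a cleartext "User-Password" is required and "CHAP-Password" cannot be used, shown as an added example (not code from the thread or from FreeRADIUS): the NAS sends a CHAP digest computed over the cleartext password, so only a module that knows the cleartext (such as the Password = "..." check item in 'users') can recompute and compare it; a module that holds only a one-way crypt(3) hash, as rlm_unix does, has nothing to compare against. The 16-byte challenge and the user are constructed; "somepass" is the value from the thread.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as the NAS sends it (RFC 1994 carried in RADIUS per RFC 2865):
    the one-octet CHAP identifier followed by MD5(identifier || cleartext password || challenge).
    The challenge is the CHAP-Challenge attribute or, when that attribute is absent,
    the 16-byte Request Authenticator of the Access-Request."""
    ident_byte = bytes([ident & 0xFF])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    """Server-side check. It needs the cleartext password: the digest cannot be recomputed
    from a crypt(3) hash, which is why a module that only has /etc/shadow-style hashes
    must refuse a request carrying CHAP-Password instead of User-Password."""
    if len(chap_password) != 17:          # 1 identifier octet + 16 MD5 octets
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    # Constructed challenge (a real one comes from the NAS or the Request Authenticator).
    challenge = bytes(range(16))
    sent = chap_response(0x2A, b"somepass", challenge)
    print("correct cleartext verifies:", verify_chap(sent, challenge, b"somepass"))
    print("wrong cleartext verifies:  ", verify_chap(sent, challenge, b"wrongpass"))
```

The comparison uses a constant-time digest compare; the only secret the server needs is the cleartext (or a reversibly stored) password, which is the practical reason CHAP forces cleartext-equivalent password storage on the RADIUS side.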
Re: rlm_sqlcounter problem
sqlcounter noresetcounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    ## Look here
    check-item = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    ## Look here
    check-item = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    ## Look here
    check-item = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

thanks ...
-
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:
> ok Roberto:
>
> sqlcounter noresetcounter {
>     counter-name = Max-All-Session-Time
>     check-name = Max-All-Session
>     sqlmod-inst = sql
>     key = User-Name
>     reset = never
>     query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
> }
>
> sqlcounter dailycounter {
>     driver = "rlm_sqlcounter"
>     counter-name = Daily-Session-Time
>     check-name = Max-Daily-Session
>     sqlmod-inst = sql
>     key = User-Name
>     reset = daily
>     query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> sqlcounter monthlycounter {
>     counter-name = Monthly-Session-Time
>     check-name = Max-Monthly-Session
>     sqlmod-inst = sql
>     key = User-Name
>     reset = monthly
>     query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> Carlos Martínez-Troncoso Cera
> Internet/Intranet Services Coordinator
> Universidad del Norte
> Barranquilla, Colombia
> Tel: 57 5 3509367
>
> Roberto Gonzalez Azevedo wrote:
>> Show us your sqlcounter.conf ... You should define 'check-item' in sqlcounter.conf ...
>>
>> -
>> Roberto Gonzalez Azevedo
>>
>> Carlos Martínez-Troncoso Cera wrote:
>>> Hello. I have freeradius-1.0.2 with authorization and authentication in LDAP and accounting in MySQL.
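What the two log excerpts in this thread correspond to, as an added example that is not rlm_sqlcounter's code: a small in-memory model of the 'monthlycounter' instance. It runs the thread's monthly query (with sqlite's two-argument MAX() standing in for MySQL GREATEST() and an epoch integer column standing in for UNIX_TIMESTAMP(AcctStartTime)) over constructed radacct rows, then applies the module's decision: no Max-Monthly-Session check item in the request gives the "Could not find Check item value pair" noop, otherwise the counter is compared with the check item and the remaining time is returned as Session-Timeout. The accounting rows, the reset time and the module's reject-on-exhaustion branch are assumptions; the figures 108000 / 106750 / 1250 are chosen to reproduce the NTRadPing log line above.

```python
import sqlite3

CHECK_NAME = "Max-Monthly-Session"   # check-name of the 'monthlycounter' instance in the thread
REPLY_NAME = "Session-Timeout"

# Constructed accounting rows (not from the thread): (UserName, AcctStartTime as epoch, AcctSessionTime).
RESET_TIME = 1_000_000   # stands in for %b, the start of the current reset period (constructed)
ROWS = [
    ("cmartinez", RESET_TIME - 3600,  7200),    # straddles the reset boundary: only 3600 s count
    ("cmartinez", RESET_TIME + 100,   103150),  # entirely inside the period: counts in full
    ("cmartinez", RESET_TIME - 20000, 500),     # ended before the period: excluded by the WHERE clause
    ("other",     RESET_TIME + 1,     99),      # another user: excluded by the key
]

# The thread's monthly query, translated for sqlite. The three '?' are %b, %{%k} (the key) and %b again.
COUNTER_QUERY = """
SELECT SUM(AcctSessionTime - MAX(? - AcctStartTime, 0))
FROM radacct
WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?
"""


def build_radacct() -> sqlite3.Connection:
    """In-memory radacct with only the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", ROWS)
    return conn


def monthly_counter(conn: sqlite3.Connection, username: str, reset_time: int) -> int:
    """Seconds used by username since reset_time, as the 'monthlycounter' query computes it."""
    (total,) = conn.execute(COUNTER_QUERY, (reset_time, username, reset_time)).fetchone()
    return int(total or 0)   # SUM over no rows is NULL, which the module treats as 0


def sqlcounter_authorize(conn, request_check_items: dict, username: str, reset_time: int):
    """Simplified model of the module's authorize step; returns (rcode, reply items)."""
    if CHECK_NAME not in request_check_items:
        # The "Could not find Check item value pair" case: nothing to enforce, module returns noop.
        return "noop", {}
    limit = int(request_check_items[CHECK_NAME])
    counter = monthly_counter(conn, username, reset_time)
    if counter >= limit:
        return "reject", {}            # assumption: quota exhausted is a reject
    # "(Check item - counter) is greater than zero": hand the remainder to the NAS as Session-Timeout.
    return "ok", {REPLY_NAME: limit - counter}


if __name__ == "__main__":
    conn = build_radacct()
    print(sqlcounter_authorize(conn, {CHECK_NAME: 108000}, "cmartinez", RESET_TIME))
    print(sqlcounter_authorize(conn, {}, "cmartinez", RESET_TIME))
```

The first call mirrors the NTRadPing request (check item present, counter 106750, Session-Timeout 1250); the second mirrors the Cisco request, where the check item never reached the module and it returned noop. The thing to verify on a real server is therefore not the SQL but whether Max-Monthly-Session is in the request's check items for that client, for example with the server in debug mode.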
Re: Which Operating System is best for freeRADIUS
SLACKWARE Linux.

Roberto Gonzalez Azevedo

Gunther wrote:
> Building my FR server, I have the choice of a number of operating systems for my FreeRADIUS server. Anybody with a suggestion which operating system is best suited for FR?
>
> I'd like to run FR on a VPS (virtual private server) using one of the following OS:
> - FreeBSD 4.9 (jail)
> - FreeBSD 5.2 (jail)
> - Fedora 2 (virtuozza)
> - Redhat AS3 (virtuozza)
> - Redhat 9.0 (virtuozza)
> - CentOS 4.0 (virtuozza)
>
> Thanks!
>
> Gunther
two or more ippool
I'm having some trouble with ippool. I have some IP pools which need to be distributed to my clients. Here is an example, my radiusd.conf:

...
ippool p0 {
    range-start = xx.xx.xx.1
    range-stop = xx.xx.xx.20
    netmask = 255.255.255.0
    cache-size = 32
    session-db = ${raddbdir}/ippool/db.ippool.p0
    ip-index = ${raddbdir}/ippool/db.ipindex.p0
    override = yes
    maximum-timeout = 0
}
ippool p1 {
    range-start = xx.xx.xx.21
    range-stop = xx.xx.xx.40
    netmask = 255.255.255.0
    cache-size = 32
    session-db = ${raddbdir}/ippool/db.ippool.p1
    ip-index = ${raddbdir}/ippool/db.ipindex.p1
    override = yes
    maximum-timeout = 0
}
...

In accounting:

accounting {
    ...
    group mypools {
        p0
        p1
    }
    ...
}

In post-auth:

post-auth {
    ...
    group mypools {
        p0
        p1
    }
    ...
}

In (mysql) radgroupcheck:

+----+-----------+-----------+----+-------+------+
| id | GroupName | Attribute | op | Value | prio |
+----+-----------+-----------+----+-------+------+
| 30 | mygroup   | Pool-Name | := | p0    |    1 |
| 31 | mygroup   | Pool-Name | := | p1    |    1 |
...

It's working, but my clients only catch IPs from the first pool (p0). They never catch one from the other pools (p1, p2 ...).

Has somebody already had a problem like this?

Thanks !!!

--
Roberto Gonzalez Azevedo
Re: two or more ippool
Thanks for the reply. I can't subdivide into two groups ... I need 1 group, with several pools ...

Thanks

-
Roberto Gonzalez Azevedo

Jan Mulders wrote:
> You're using the wrong syntax for including the pools in each section.
>
> Here's an example from my own config...
>
> modules {
>     ippool 512k_high {
>
>         # range-start,range-stop: The start and end ip
>         # addresses for the ip pool
>         range-start = x.x.x.6
>         range-stop = x.x.x.66
>
>         # netmask: The network mask used for the ip's
>         netmask = 255.255.255.0
>
>         # cache-size: The gdbm cache size for the db
>         # files. Should be equal to the number of ip's
>         # available in the ip pool
>         cache-size = 60
>
>         # session-db: The main db file used to allocate ip's to clients
>         session-db = ${raddbdir}/ippool.512k_high
>
>         # ip-index: Helper db index file used in multilink
>         ip-index = ${raddbdir}/ipindex.512k_high
>
>         # override: Will this ippool override a Framed-IP-Address already set
>         override = no
>
>         # maximum-timeout: If not zero specifies the maximum time in seconds an
>         # entry may be active. Default: 0
>         maximum-timeout = 0
>     }
>     ippool 512k_low {
>     ...
>
>
> instantiate {
> }
>
> authorize {
>     preprocess
>     sql
> }
>
> authenticate {
>     pap
> }
>
> preacct {
>     preprocess
> }
>
> accounting {
>     radutmp
>     512k_high
>     512k_low
>     10m_high
>     10m_low
>     sql
> }
>
> session {
>     radutmp
>     sql
> }
>
> post-auth {
>     sql
>     512k_high
>     512k_low
>     10m_high
>     10m_low
> }
>
> Also, I notice that 'mygroup' has IP assignments from 2 pools. This
> can't work, because RADIUS will just select the first one it gets from
> MySQL. May I suggest either subdividing your users into two groups, or
> merging the two groups?
>
> Hope this helps,
>
> Jan
sqlippool + MySQL
dius_xlat: 'UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress = 'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name = 'sqlippool''
...
"

This 'update' will never match !!!

Here is the radippool's current line:

"
mysql> select * from radippool;
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
| id | pool_name | FramedIPAddress | NASIPAddress | CalledStationId | CallingStationId | expiry_time         | UserName | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
|  1 | mypool    | 192.168.0.1     |              |                 |                  | 0000-00-00 00:00:00 |          |          |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
1 row in set (0.00 sec)
"

In (mysql) radgroupcheck:

"
+----+-----------+-----------+----+--------+------+
| id | GroupName | Attribute | op | Value  | prio |
+----+-----------+-----------+----+--------+------+
| 39 | mygroup   | Pool-Name | := | mypool |    1 |
...
"

Thanks.

--
Roberto Gonzalez Azevedo
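Why the UPDATE in the post above cannot match, shown as an added example (not rlm_sqlippool's code and not its real queries): a minimal in-memory radippool with the columns from the post, an allocation step that stamps a row with the NAS address and pool key, and the post's expiry refresh keyed on (NASIPAddress, pool_key, pool_name). The refresh only finds the row when all three values agree with what allocation wrote; with pool_name = 'sqlippool' against a row in 'mypool' it matches nothing, and it likewise matches nothing while NASIPAddress and pool_key are still empty as in the table shown. The NAS address 192.0.2.1, the lease handling and the allocation query are constructed; the pool key is the value from the post.

```python
import sqlite3

# Constructed model of the radippool table from the post. expiry_time is kept as a Unix epoch
# integer instead of a MySQL DATETIME so the example needs only sqlite.
SCHEMA = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY,
    pool_name        TEXT NOT NULL,
    FramedIPAddress  TEXT NOT NULL,
    NASIPAddress     TEXT NOT NULL DEFAULT '',
    CalledStationId  TEXT NOT NULL DEFAULT '',
    CallingStationId TEXT NOT NULL DEFAULT '',
    expiry_time      INTEGER NOT NULL DEFAULT 0,
    UserName         TEXT NOT NULL DEFAULT '',
    pool_key         TEXT NOT NULL DEFAULT ''
)
"""

LEASE = 3600   # seconds, matching 'INTERVAL 3600 SECOND' in the post's UPDATE


def build_pool(addresses, pool_name="mypool") -> sqlite3.Connection:
    """Pool rows as in the post: address and pool name set, everything else empty/expired."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radippool (pool_name, FramedIPAddress) VALUES (?, ?)",
                     [(pool_name, ip) for ip in addresses])
    return conn


def allocate(conn, pool_name, nas_ip, pool_key, username, now):
    """Hand out the least-recently-used free address in pool_name and record the NAS address
    and pool key that later UPDATEs key on. Returns the address, or None if the pool is exhausted."""
    row = conn.execute(
        "SELECT FramedIPAddress FROM radippool WHERE pool_name = ? AND expiry_time <= ? "
        "ORDER BY expiry_time LIMIT 1", (pool_name, now)).fetchone()
    if row is None:
        return None
    ip = row[0]
    conn.execute(
        "UPDATE radippool SET NASIPAddress = ?, pool_key = ?, UserName = ?, expiry_time = ? "
        "WHERE pool_name = ? AND FramedIPAddress = ?",
        (nas_ip, pool_key, username, now + LEASE, pool_name, ip))
    return ip


def refresh_lease(conn, pool_name, nas_ip, pool_key, now) -> int:
    """The post's expiry UPDATE. Returns how many rows it matched; 0 means the lease was not extended."""
    cur = conn.execute(
        "UPDATE radippool SET expiry_time = ? "
        "WHERE NASIPAddress = ? AND pool_key = ? AND pool_name = ?",
        (now + LEASE, nas_ip, pool_key, pool_name))
    return cur.rowcount


if __name__ == "__main__":
    conn = build_pool(["192.168.0.1"])
    now = 1_000_000
    # Before allocation the row has no NASIPAddress/pool_key, so no refresh can match it.
    print("refresh before allocation:", refresh_lease(conn, "mypool", "192.0.2.1", "4533F0AA608100", now))
    print("allocated:", allocate(conn, "mypool", "192.0.2.1", "4533F0AA608100", "user1", now))
    # The post's UPDATE names pool 'sqlippool', but the row belongs to 'mypool'.
    print("refresh with pool_name=sqlippool:", refresh_lease(conn, "sqlippool", "192.0.2.1", "4533F0AA608100", now + 10))
    print("refresh with pool_name=mypool:   ", refresh_lease(conn, "mypool", "192.0.2.1", "4533F0AA608100", now + 10))
```

The checks this suggests on a real server are the ones the model makes visible: that the pool_name the module substitutes into its queries is the same string as the Pool-Name value in radgroupcheck and in the pool rows, and that the allocation step actually wrote NASIPAddress and pool_key before any accounting or post-auth UPDATE tries to match on them.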