cisco: time-based reply attributes set

2009-05-25 Thread Ruslan A Dautkhanov

Hello,

How to link reply attributes set with time of day (and possibly time of
week)?


We need to leverage shaping at Cisco twice at night.

According to Cisco documentation,

   Cisco-Avpair += PPW00:00:00:127
   Cisco-Service-Info += QU;128000;16000;32000;D;128000;16000;32000
   Cisco-Avpair += PPW08:00:00:127
   Cisco-Service-Info += QU;256000;32000;64000;D;256000;32000;64000

for example, is used to deal with this demand.

As far as I understand, Cisco re-authorizes at the specified time without
dropping the user's session, so you can reapply some attributes, e.g.
Cisco-Service-Info with different shaping.


How to link reply attributes set with time of day (and possibly time of
week)?

Is there any module to deal with it, or is it the core's duty?


Thank you,
Ruslan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: huntgroups

2005-12-26 Thread Ruslan A Dautkhanov

Hello !

Another possible solution:
   Make authorization via SQL and an external program. The external program
   is called in the configuration from the users file. The external program
   will do auth&acct for prepaid cards, and if it determines that an
   authorization or accounting packet is for a contract client, then it will
   not append any attributes except Fall-Through = Yes.
   When the external program does billing for cards itself, it will return
   all necessary attributes in addition to Fall-Through = No. Is this
   algorithm correct and implementable in FreeRadius ?

Thanks


Ruslan A Dautkhanov wrote:


Hello !

Short question:
   Please point me how to make startup changes in huntgroup to
   configure FR to use two different sql-modules for auth&acct, based
   on some criteria?...  Examples are most welcome.

Explanation:
   We have contract subscribers and want to use the same RADIUS
   server for auth&acct of prepaid cards. Contract users enter their
   login+realm and password, but card users enter card number and
   PIN-code. That is the difference that makes the difference. We need
   to use another SQL module instance for card users...
   How to configure huntgroups for this situation?
   Conditions can be
   (1) if no '@' char in the User-Name attribute, then use the 'sql-cards'
       instance for auth&acct. Otherwise, use 'sql-contracts'.
   (2) if the User-Name attribute has (determined via regex) exactly 14
       digits, then use the 'sql-cards' instance for auth&acct. Otherwise,
       use 'sql-contracts'.






huntgroups

2005-12-22 Thread Ruslan A Dautkhanov

Hello !

Short question:
   Please point me how to make startup changes in huntgroup to
   configure FR to use two different sql-modules for auth&acct, based
   on some criteria?...  Examples are most welcome.

Explanation:
   We have contract subscribers and want to use the same RADIUS
   server for auth&acct of prepaid cards. Contract users enter their
   login+realm and password, but card users enter card number and
   PIN-code. That is the difference that makes the difference. We need
   to use another SQL module instance for card users...
   How to configure huntgroups for this situation?
   Conditions can be
   (1) if no '@' char in the User-Name attribute, then use the 'sql-cards'
       instance for auth&acct. Otherwise, use 'sql-contracts'.
   (2) if the User-Name attribute has (determined via regex) exactly 14
       digits, then use the 'sql-cards' instance for auth&acct. Otherwise,
       use 'sql-contracts'.


P.S.  Searching in the list archives doesn't help me.  Thanks a lot for any
information...



--
Ruslan A Dautkhanov


Accounting-Response

2005-11-15 Thread Ruslan A Dautkhanov

Hello !

Short question
--
My FR 1.0 doesn't send an Accounting-Response when the sql module fails. Is
that correct?
I think it must always send response packets as an indication that the acct
packet was just received.
My NAS sends acct-request packets in an infinite loop until a response pkt is
received.


Explanation
---
Is it normal behaviour of FreeRADIUS when it does not send an
Accounting-Response packet to an Accounting-Request?  My sql module fails to
insert data into the DB because the server, due to different reasons, sends a
duplicated accounting-stop packet, and I have a unique index on the sessions
table.

We use Nomadix HSG as our central access server for wireless connections.
Nomadix sends acct-request packets in an infinite loop until a response pkt is
received.



Radius debug
-
Tue Nov 15 12:40:33 2005 : Error: rlm_sql_oracle: execute query failed in sql_query: ORA-1: unique constraint (WIFI.RADACCT_UNIQUEID) violated
Tue Nov 15 12:40:33 2005 : Error: rlm_sql (sql): failed after re-connect
Tue Nov 15 12:40:33 2005 : Error: rlm_sql (sql): Couldn't insert SQL accounting STOP record - ORA-1: unique constraint (WIFI.RADACCT_UNIQUEID) violated
Tue Nov 15 12:40:33 2005 : Debug: rlm_sql (sql): Released sql socket id: 1
Tue Nov 15 12:40:33 2005 : Debug:   modsingle[accounting]: returned from sql (rlm_sql) for request 17
Tue Nov 15 12:40:33 2005 : Debug:   modcall[accounting]: module "sql" returns fail for request 17
Tue Nov 15 12:40:33 2005 : Debug: modcall: group accounting returns fail for request 17
Tue Nov 15 12:40:33 2005 : Debug: Finished request 17
Tue Nov 15 12:40:33 2005 : Debug: Going to the next request
Tue Nov 15 12:40:33 2005 : Debug: --- Walking the entire request list ---
Tue Nov 15 12:40:33 2005 : Debug: Waking up in 2 seconds...
Tue Nov 15 12:40:35 2005 : Debug: --- Walking the entire request list ---
Tue Nov 15 12:40:35 2005 : Debug: Cleaning up request 14 ID 2 with timestamp 437974c7
Tue Nov 15 12:40:35 2005 : Debug: Waking up in 1 seconds...
Tue Nov 15 12:40:36 2005 : Debug: --- Walking the entire request list ---
Tue Nov 15 12:40:36 2005 : Debug: Cleaning up request 15 ID 6 with timestamp 437974c9
Tue Nov 15 12:40:36 2005 : Debug: Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 213.24.217.233:1025, id=8, length=162



Thanks a lot for your help

--
Ruslan A Dautkhanov


=* operator really work in 1.0.2 ?

2005-08-03 Thread Ruslan A Dautkhanov

Hello !

I use the "=*" operator in the User-Password attribute for a special account
that accepts any password.

   User-Password   =*anypassword

In pre-1.0.0 CVS it works fine. After upgrading to 1.0.2 it really
doesn't work.
Is it a bug, or must some configuration changes be applied?  Do any known
workarounds exist?


Thanks a lot.

--
Ruslan A Dautkhanov


HuntGroups

2005-06-25 Thread Ruslan A Dautkhanov

Hello !

1. How to implement using different SQL modules for different huntgroups?
Something like this(?):
authorize {
   Huntgroup card {
      sql_module_card       #first instance
   }
   Huntgroup contract {
      sql_module_contract   #second instance
   }
}

   We're going to use a CiscoAS53 as access server for contract clients
(they use billing based on PostgreSQL) and for prepaid card clients (they
use a remote Oracle DB server), so we need absolutely different techniques
for auth&acct for these groups of clients.

2. How to specify huntgroups if the groups will have the same NAS-IP-Address?
   They even possibly will have the same Called-Station-Id...
Can I use a regular expression to distinguish between these two groups?
The cards group will have exactly 14 digits in the User-Password attribute,
so it's not hard to identify such users... Or I can even reserve some
User-Name for the users in the 'card' group, so different users will only
vary on User-Password (they'll enter their pin-code here).

Thanks a lot for any comments. If it's not possible to split these groups
of users into different groups, we have to configure another access number
in the CiscoAS, configure two radius-servers, and tell end-users to use
phone number1 if they have a contract with login/password or phone number2
if they use a prepaid card... :/


--
Ruslan A Dautkhanov


freeradius connections pool to oracle

2005-02-25 Thread Ruslan A Dautkhanov
Hello !
Is it really needed, if Oracle can work as a shared server ?
Why do we reserve dedicated connections, if the RADIUS server can use
connections to a shared server? And it only needs this mode to be configured
on the Oracle server side, no programming on the radius-server side required.
By the nature of requests from a RADIUS server, it is ideal for shared
server, not for dedicated:
   - a large number of requests/second
   - each request is an OLTP request - it's not heavy and it makes a number
   of relatively simple requests, which execute fast.
Can the rlm_sql module establish a connection to the DB only when the
radius-server needs it ?
If I administratively link radius connections to a shared Oracle server,
will it hold only dispatcher processes permanently?

Thanks a lot.
Ruslan A Dautkhanov   [EMAIL PROTECTED]


Re: !!!

2005-02-15 Thread Ruslan A Dautkhanov




Hello!

fnasirov wrote:

  Hello !

  Huawei A8010 Expert Access Server
   [ http://www.futurewei.com/itemsdetail.asp?catid=6&dt=products&id=68 ]
  patch for checkrad
  located at ftp://rd.ranetka.ru/pub/checkrad/checkrad.patch .

  That SNMP oids test for dial-up clients, but no reasons why it
  can't be used with other types of subscribers...

  May you commit to current CVS ?  This patch tested for about 1,5 years
  in our environment :)


  Could you help with the file? I need it badly.

  Regards,
  Misha

--- checkrad    Sat May 29 19:27:56 2004
+++ checkrad-patched    Sat May 29 19:53:36 2004
@@ -25,6 +25,7 @@
 #  cyclades_snmp    1.0    Author: [EMAIL PROTECTED]
 #  usrhiper_snmp    1.0    Author: [EMAIL PROTECTED]
 #  multitech_snmp   1.0    Author: [EMAIL PROTECTED]
+#  huawei_snmp  1.0    Author: Ruslan A Dautkhanov
<[EMAIL PROTECTED]>
 #  netserver_telnet 1.0    Author: [EMAIL PROTECTED]
 #  versanet_snmp    1.0    Author: [EMAIL PROTECTED]
 #  bay_finger   1.0    Author: [EMAIL PROTECTED]
@@ -426,6 +427,20 @@
 }

 #
+#   Check a Huawei A8010 Expert Access Server
+#
+#       Author: Ruslan A Dautkhanov <[EMAIL PROTECTED]>
+#
+$hwsm    = '.iso.org.dod.internet.private.enterprises.2011';
+sub huawei_snmp {
+    $login = snmpget($ARGV[1], "$cmmty_string",
"$hwsm.2.3.4.3.2.2.1.5.0.$ARGV[2]");
+   my $cbhack = $login =~ s/^\d+:// ? 'yes':'no';
+    print LOG " user at port N $ARGV[2]: $login
callback-hack=$cbhack\n" if $debug;
+
+    ($login eq $ARGV[3]) ? 1 : 0;
+}
+
+#
 #   Check a Computone Powerrack via finger
 #
 #   Old Author: Shiloh Costa of MDI Internet Inc.
<[EMAIL PROTECTED]>
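Review bot: In huawei_snmp, $ARGV[2] is interpolated straight into the OID handed to snmpget with no check that it is a port number; a guard such as "return 0 unless $ARGV[2] =~ /^\d+$/;" before the call would make a malformed argument fail cleanly instead of producing a bogus query. $login is also assigned without "my", so it stays a package global, and the s/^\d+:// substitution that sets callback-hack deserves a comment saying what the stripped numeric prefix is, because it changes the name that is finally compared against $ARGV[3].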
@@ -928,7 +943,8 @@

    $login = snmpget($ARGV[1], $password,
"$usrm.4.10.1.1.18.$oidext");
    if ($login =~ /\"/) {
-   $login =~ /^.*\"([^"]+)\"/;
+   $login =~ /^.*\"([^"]+)\"/;
+#" - this comment for proper syntax highlighting in Midnight Commander
(MC)
    $login = $1;
    }

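Review bot: The removed and added "$login =~ ..." lines read identically here, so this is at most a whitespace change, and the added #" line exists only to repair syntax highlighting in one editor. Neither belongs to Huawei support; drop this hunk or send it as a separate cosmetic patch so that the $usrm lookup code is not touched by an unrelated change.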
@@ -1382,6 +1398,8 @@
    $ret = &cvx_snmp;
 } elsif ($ARGV[0] eq 'multitech') {
 $ret = &multitech_snmp;
+} elsif ($ARGV[0] eq 'huawei') {
+   $ret = &huawei_snmp;
 } elsif ($ARGV[0] eq 'computone') {
    $ret = &computone_finger;
 } elsif ($ARGV[0] eq 'max40xx') {
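Review bot: The new 'huawei' branch makes the type selectable, but the only documentation in the patch is the author line added to the header. Add a short note on how this type is configured: huawei_snmp uses $ARGV[2] as the last component of the OID and $ARGV[3] as the expected login, and it reads $cmmty_string rather than the $password variable used by the snmpget call visible in the third hunk, so an administrator needs to know which community setting applies.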








Re: Dynamic IP Allocation for multiple Radius Servers

2005-02-07 Thread Ruslan A Dautkhanov





http://www.onlinebilling.ru/freeradius/rlm_sqlippool.tar.gz

Ken Doyle <[EMAIL PROTECTED]> wrote:


> Thanks for the help Alan, however rd.ranetka.ru does not seem to
> resolve, and the one other link to this module that I could find
> (ftp://lopez.globe.net.nz/Linux/freeradius/rlm_sqlippool.tar.gz) does
> not resolve either. Given that I missed turning up this module in my
> initial searching, I'm hoping there is another link to this module
> somewhere. I'll keep looking, but this project needs to go into
> production soon, and any help would be appreciated, even if it's just
> a local copy you have lying around.
  


>  http://www.striker.ottawa.on.ca/~aland/rlm_sqlippool.tar.gz
> 
>  It may not be there for long, though.
> 
>  Alan DeKok.

That module creates a pool of sql connections for each (!) ippool
configured.
That's very bad. I wrote about that ...
  see
http://lists.cistron.nl/pipermail/freeradius-devel/2004-April/007074.html

Alan, I think that module can be merged to current CVS tree?
It has been used in a production environment for 2+ yrs in our company.
It's also tested with post-1.0 CVS versions...

I had changed my workstation, so the rd.ranetka.ru link doesn't work.
Please use http://www.onlinebilling.ru/freeradius/rlm_sqlippool.tgz -
it's a clean&robust version of that module that works fine.

The source code is based on another guy's work, so I can find out there
unpatched and patched versions of original code. Enjoy.

HTH
Ruslan







FreeRadius + Oracle + FreeBSD

2005-01-31 Thread Ruslan A Dautkhanov
Hello !
We are using FreeRADIUS 1.0.0, Oracle server 9.2.0.4 and
all of this working on FreeBSD 5.2.1.
I can't make FreeRADIUS work with Oracle server.
After I enable auth or acct via SQL (oracle) module, FreeRADIUS died
after starting up. Last lines in the debug output :
...
Mon Jan 31 15:53:18 2005 : Debug:  sql: postauth_table = "radpostauth"
Mon Jan 31 15:53:18 2005 : Debug:  sql: postauth_query = ""
Mon Jan 31 15:53:18 2005 : Debug:  sql: safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
Bus error

And the ktrace.dump last lines are:
 40697 radiusd  RET   munmap 0
 40697 radiusd  CALL  mmap(0,0x360,0x3,0x1000,0x,0,0,0)
 40697 radiusd  RET   mmap -1998000128/0x88e8f000
 40697 radiusd  CALL  munmap(0x88e8f000,0x360)
 40697 radiusd  RET   munmap 0
 40697 radiusd  CALL  sigprocmask(0x3,0x88080110,0)
 40697 radiusd  RET   sigprocmask 0
 40697 radiusd  PSIG  SIGBUS SIG_DFL
Commenting out all occurrences of "sql" module calls produces a working
radius-server.
What am I doing wrong? My friends also can't make the FreeRadius + Oracle +
FreeBSD bundle work :-(

Thanks a lot,
Ruslan A Dautkhanov  [EMAIL PROTECTED]



proxy: resend access-request bug

2004-11-29 Thread Ruslan A Dautkhanov
Hello !
I have strange behaviour of my FR server when I try to
configure realm 'atlant-test' to proxy mode:
Sending Access-Request of id 0 to 80.xxx.xxx.xxx:1812
   User-Name = "[EMAIL PROTECTED]"
   User-Password = "12345"
   NAS-IP-Address = 80.xxx.xxx.xxx
   NAS-Port = 98
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = "553355"
   Calling-Station-Id = "83912590340"
   NAS-Identifier = "A8010"
   NAS-Port-Type = Async
   Proxy-State = 0x313232
First packet pretty correct, I think.
Re-sending Access-Request of id 0 to 80.xxx.xxx.xxx:1812
   User-Name = "[EMAIL PROTECTED]"
   User-Password = "\022wimy\224\331I\016b\203|%=\255N"
   NAS-IP-Address = 80.xxx.xxx.xxx
   NAS-Port = 98
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Called-Station-Id = "553355"
   Calling-Station-Id = "83912590340"
   NAS-Identifier = "A8010"
   NAS-Port-Type = Async
   User-Name-Orig = "[EMAIL PROTECTED]"
   Client-IP-Address = 80.xxx.xxx.xxx
   Realm = "atlant-test"
   Realm = "atlant-test"
   Proxy-State = 0x313232
The second one has at least three bugs:
   1. The User-Password attribute's value has nothing in common with the
      first one's.
   2. The 'Realm' attribute is doubled.
   3. Number of attributes sent
      in 1st packet was 11
      in 2nd packet was 15.
What's going wrong ?
--
best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]
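
The 16-octet User-Password value logged in the re-sent packet has the length that RFC 2865 section 5.2 produces for a password of up to 16 characters. The following is an added example, not part of the original post and not FreeRADIUS code: it implements that encoding and the decode and re-encode a proxy performs per hop. The secrets, authenticators and function names are constructed for illustration.

```python
import hashlib


def _blocks(data: bytes):
    """Split data into 16-octet blocks."""
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as described in RFC 2865 section 5.2."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # NUL-pad to a multiple of 16 octets, at least one block.
    size = max(16, -(-len(password) // 16) * 16)
    out, prev = b"", authenticator
    for block in _blocks(password.ljust(size, b"\x00")):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))  # chained on ciphertext
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password; only the holder of the hop's secret can do this."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # padding removal; trailing NULs are not recoverable


def reencode_for_next_hop(hidden, in_secret, in_auth, out_secret, out_auth):
    """What a proxy does: decode with the NAS secret, encode with the home secret."""
    clear = reveal_password(hidden, in_secret, in_auth)
    return hide_password(clear, out_secret, out_auth)


# Constructed sample values (not taken from the post).
NAS_SECRET = b"nas-secret-example"
HOME_SECRET = b"home-secret-example"
NAS_AUTH = bytes(range(16))
PROXY_AUTH = bytes(range(16, 32))


def demo():
    from_nas = hide_password(b"12345", NAS_SECRET, NAS_AUTH)
    to_home = reencode_for_next_hop(from_nas, NAS_SECRET, NAS_AUTH,
                                    HOME_SECRET, PROXY_AUTH)
    return from_nas, to_home


if __name__ == "__main__":
    for label, value in zip(("from NAS", "to home server"), demo()):
        print(label, value.hex())
```

The same clear-text password yields unrelated 16-octet strings on each hop, and the hiding is only as strong as the shared secret because the mask is MD5(secret + authenticator).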




Re: Can I configure a delay in the Radius server response?

2004-11-04 Thread Ruslan A Dautkhanov






> > Is there something I can configure to add a delay in the response being
> > sent.
  

>
>   In the users file:
>
> #---
> DEFAULT
> 	Exec-Program-Wait = "sleep 1",
>	Fall-Through = yes
> #---
> 
>   That will work, unless you're already using Exec-Program-Wait for
> something else.


Can you use
 	Exec-Program-Wait += "sleep 1"
in the users file?  So FR will execute two commands ?


-- 
 best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]




Re: clarent and nuera

2004-06-09 Thread Ruslan A Dautkhanov
From: "yudhi kukuh" <[EMAIL PROTECTED]>
To: "Freeradius Mailinglist" <[EMAIL PROTECTED]>
Subject: clarent and nuera
dear all,
i'm using freeradius for voip billing.
is there any dictionary for clarent 
AFAIK, CLARENT do not support RADIUS...!?
What is your CCC version number ?
--
best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]




problems with attr_rewrite

2004-05-29 Thread Ruslan A Dautkhanov
Hello !
For an unconditional change of NAS-IP-Address to Client-IP-Address
I have
modules {
   # rewrite NAS-IP-Address in the request with the client's source address
   attr_rewrite set_real_nas_ip {
      attribute = NAS-IP-Address
      searchin = packet
      searchfor = "^.*$"
      replacewith = "%{Client-IP-Address}"
      ignore_case = no
      new_attribute = no
      max_matches = 1
      append = no
   }
}
authorize {
   set_real_nas_ip
}
accounting {
   set_real_nas_ip
}
in my radiusd.conf.
This works well in accounting:
Sat May 29 22:42:35 2004 : Debug: radius_xlat:  '^.*$'
Sat May 29 22:42:35 2004 : Debug: radius_xlat:  '80.255.xxx.xxx'
Sat May 29 22:42:35 2004 : Debug: rlm_attr_rewrite: Changed value for attribute NAS-IP-Address from '10.10.0.254' to '80.255.xxx.xxx'

But in authorize it fails:
Sat May 29 22:42:50 2004 : Debug:   modsingle[authorize]: calling set_real_nas_ip (rlm_attr_rewrite) for request 2
Sat May 29 22:42:50 2004 : Debug: radius_xlat:  '^.*$'
Sat May 29 22:42:50 2004 : Debug: radius_xlat:  ''
Sat May 29 22:42:50 2004 : Debug: rlm_attr_rewrite: xlat on replace string failed.
Sat May 29 22:42:50 2004 : Debug:   modsingle[authorize]: returned from set_real_nas_ip (rlm_attr_rewrite) for request 2
Sat May 29 22:42:50 2004 : Debug:   modcall[authorize]: module "set_real_nas_ip" returns noop for request 2

Why does this module work well in accounting, but fail in the authorize section?
Thanks a lot for any type of information.
--
best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]




NAS-IP-Address

2004-02-29 Thread Ruslan A Dautkhanov
Hello !

Some of my NASes can send a different NAS-IP-Address attribute (any of
their NICs' IP addresses). That's why I can't build simple acls (auth logic etc)
based on this attribute - it's much easier using Client-IP-Address...
Does any method exist in the FreeRADIUS server to substitute an attribute
with another one (NAS-IP-ADDRESS := CLIENT_IP-ADDRESS)?
Thanks a lot.

--
best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]




Re: HELP!!!! Translate h323-setup/connect/disconnect to ...

2004-02-19 Thread Ruslan A Dautkhanov
Hello !

Message: 10
From: "Daniil I. Pimonenko" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: HELP Translate h323-setup/connect/disconnect to ...
Date: Thu, 19 Feb 2004 15:19:12 +0300
Reply-To: [EMAIL PROTECTED]
Hello ALL!
	Help me pls. How can I translate
h323-setup/connect/disconnect to a normal SQL-like date?
Now my VoIP proxy (Mera XPGK) sends me Cisco VSA (25):
h323-setup-time=17:42:00.000 MSK Fri Feb 13 2004
How can I translate it to an SQL-like format - 13.02.2004 17:42:00.000 ?

It depends...
what RDBMS are you using?
For example, in PostgreSQL you don't need to invent anything,
just use a type cast explicitly:
isbs=# select '17:42:00.000 MSK Fri Feb 13 2004'::timestamp(0);
   timestamp
--
Fri 13 Feb 17:42:00 2004
or

isbs=# select '17:42:00.000 MSK Fri Feb 13 2004'::timestamp(3) with time zone;
 timestamptz
---
Fri 13 Feb 21:42:00 2004 KRAT
etc...

--
 best regards,
Ruslan A Dautkhanov  [EMAIL PROTECTED]
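
For back ends without such a cast, the same conversion can be done before the value reaches the database. The following is an added example, not part of the original thread: it parses the h323-setup-time value quoted above and renders the format the question asks for. The zone offset table and function names are assumptions, and the optional leading '*' or '.' that Cisco IOS puts in front of a time from an unsynchronised clock is IOS behaviour, not something shown in this thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed table (not from the thread): fixed UTC offsets in hours per abbreviation.
TZ_HOURS = {"UTC": 0, "GMT": 0, "MSK": 3, "MSD": 4, "KRAT": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Optional "h323-...-time=" prefix, optional IOS clock marker, then
# hh:mm:ss.mmm ZONE Dow Mon d yyyy
_H323 = re.compile(
    r"^(?:h323-[a-z-]+-time=)?[*.]?"
    r"(\d{2}):(\d{2}):(\d{2})\.(\d{3}) (\S+) (\w{3}) (\w{3}) (\d{1,2}) (\d{4})$"
)


def parse_h323_time(value: str) -> datetime:
    """Return a timezone-aware datetime, rejecting malformed input."""
    m = _H323.match(value.strip())
    if m is None:
        raise ValueError(f"not an h323 time value: {value!r}")
    hh, mi, ss, ms, zone, dow, mon, day, year = m.groups()
    if zone not in TZ_HOURS:
        raise ValueError(f"unknown time zone abbreviation: {zone}")
    if mon not in MONTHS:
        raise ValueError(f"unknown month: {mon}")
    tz = timezone(timedelta(hours=TZ_HOURS[zone]), zone)
    # datetime() itself raises ValueError for impossible dates or times.
    dt = datetime(int(year), MONTHS.index(mon) + 1, int(day),
                  int(hh), int(mi), int(ss), int(ms) * 1000, tzinfo=tz)
    # The weekday is redundant, so use it as an integrity check.
    if DAYS[dt.weekday()] != dow:
        raise ValueError(f"weekday {dow} does not match the date")
    return dt


def to_sql_like(dt: datetime) -> str:
    """Render as DD.MM.YYYY HH:MM:SS.mmm in the value's own time zone."""
    return dt.strftime("%d.%m.%Y %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


if __name__ == "__main__":
    sample = "h323-setup-time=17:42:00.000 MSK Fri Feb 13 2004"  # from the thread
    parsed = parse_h323_time(sample)
    print(to_sql_like(parsed))
    print(parsed.astimezone(timezone.utc).isoformat())
```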

