Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan D

understood. I will use unlang in accounting.
Thanks

On Wednesday, October 9, 2013, Alan DeKok wrote:

> Russell Mike wrote:
> >> So if you want to do something when the users traffic is over the quota,
> >> you have to do it in the accounting section.
> >
> > Could you please kindly indicate what should i do there ? i tried to
> > perform the check again when user is online by adding counter entry in
> > *session* section. but did not work either.
>
>   Uh... you do know that "session" is not the same as "accounting", right?
>
>   Why are you doing something wrong?
>
> > I am not very clear how to update mysql db & perform the check on
> > frequent basis. base on the output from the counter module
> > (ok,noop,etc..), i understand how to update the reply from un-lang to
> > log off user.
>
>   Do you understand what the server does when it receives an accounting
> packet?
>
>   Have you tried running the server in debugging mode, and seeing what
> happens when it receives an accounting packet?
>
>   Do that before asking more questions.  Watch the server go update SQL.
>
>   Now... how do you query SQL (independent of RADIUS) to see if the
> users session is over quota?
>
>   Then... put that query into the "accounting" section, via "unlang".
> Check if the user is over quota.  If so, send a disconnect message.
>
>   See raddb/sites-available/originate-coa for examples of originating a
> disconnect message.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
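
Added example, not part of the thread and not FreeRADIUS code: a Python simulation of the accounting-time check described above (store the packet's counters, re-run the quota query, decide whether to disconnect), with an in-memory SQLite table standing in for radacct. The packets, the session id and all function names are constructed for illustration; the 7168 MB quota and the MB query follow the counter quoted in this thread, and the 32-bit truncation is modelled as a wrap modulo 2^32.

```python
import sqlite3

MIB = 1024 * 1024
U32 = 2 ** 32  # Acct-*-Octets wraps here; Acct-*-Gigawords counts the wraps

# Constructed interim updates for one session. RADIUS accounting counters are
# cumulative per session, so each packet replaces the previous values.
SAMPLE_PACKETS = [
    {"User-Name": "quotauser", "Acct-Session-Id": "s1",      # 3 GiB in
     "Acct-Input-Gigawords": 0, "Acct-Input-Octets": 3221225472,
     "Acct-Output-Gigawords": 0, "Acct-Output-Octets": 0},
    {"User-Name": "quotauser", "Acct-Session-Id": "s1",      # 5 GiB in, 0.5 out
     "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 1073741824,
     "Acct-Output-Gigawords": 0, "Acct-Output-Octets": 536870912},
    {"User-Name": "quotauser", "Acct-Session-Id": "s1",      # 7 GiB in, 0.5 out
     "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 3221225472,
     "Acct-Output-Gigawords": 0, "Acct-Output-Octets": 536870912},
]


def octets64(gigawords, octets):
    """Combine the two 32-bit RADIUS counters into one 64-bit octet count."""
    return (int(gigawords) << 32) | (int(octets) & 0xFFFFFFFF)


def open_db():
    """In-memory stand-in for radacct (simplified, constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        " AcctSessionId TEXT PRIMARY KEY, UserName TEXT,"
        " AcctInputOctets INTEGER, AcctOutputOctets INTEGER)"
    )
    return db


def usage_mb(db, user):
    """Total usage in MB over all of the user's sessions (64-bit safe)."""
    row = db.execute(
        "SELECT COALESCE(SUM(AcctInputOctets), 0) / (1024.0 * 1024)"
        " + COALESCE(SUM(AcctOutputOctets), 0) / (1024.0 * 1024)"
        " FROM radacct WHERE UserName = ?", (user,)).fetchone()
    return row[0]


def usage_mb_32bit(db, user):
    """What a counter held in a 32-bit unsigned int would report (modelled)."""
    row = db.execute(
        "SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0)"
        " FROM radacct WHERE UserName = ?", (user,)).fetchone()
    return (row[0] % U32) / MIB


def handle_accounting(db, pkt, quota_mb):
    """Store the packet's counters, then re-check the quota.

    Returns 'disconnect' when the user is over quota, otherwise 'ok'. In a
    real deployment 'disconnect' is where a Disconnect-Request is originated.
    """
    in64 = octets64(pkt.get("Acct-Input-Gigawords", 0), pkt["Acct-Input-Octets"])
    out64 = octets64(pkt.get("Acct-Output-Gigawords", 0), pkt["Acct-Output-Octets"])
    db.execute(
        "INSERT OR REPLACE INTO radacct VALUES (?, ?, ?, ?)",
        (pkt["Acct-Session-Id"], pkt["User-Name"], in64, out64))
    return "disconnect" if usage_mb(db, pkt["User-Name"]) > quota_mb else "ok"


def replay(packets, quota_mb):
    """Feed packets through the check in order; return decisions and the db."""
    db = open_db()
    return [handle_accounting(db, p, quota_mb) for p in packets], db


if __name__ == "__main__":
    decisions, db = replay(SAMPLE_PACKETS, quota_mb=7168)
    print("decisions:", decisions)
    print("64-bit usage MB:", usage_mb(db, "quotauser"))
    print("32-bit view MB:", usage_mb_32bit(db, "quotauser"))
```

The 32-bit view stays below the 7168 MB quota even after the user has passed it, which is the wrap at 4GB reported in this thread.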

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan. D

> So if you want to do something when the users traffic is over the quota,
> you have to do it in the accounting section.

Could you please kindly indicate what I should do there? I tried to
perform the check again when the user is online by adding a counter entry in
the *session* section, but it did not work either.

session {
    sql
    gigawordcounter
}

> You have to update the SQL database, and then check if the user is over
> quota. If so, send a Disconnect-Message, or exec a program to kick the user
> offline.

I am not very clear on how to update the MySQL db & perform the check on a
frequent basis. Based on the output from the counter module (ok, noop, etc.),
I understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM--

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > All-In-MB counter works. Please note, when a user has downloaded his
> > quota, counter do not force log off .
>
>   The counter modules DOES NOT DO THAT.
>
>   To see why, ask yourself what does FreeRADIUS see when the user has
> downloaded his quota?
>
>   The answer is "nothing".  The users traffic doesn't go through
> FreeRADIUS, because FreeRADIUS isn't a router.
>
>   What FreeRADIUS *may* see is an Accounting-Request for the user.
> Which contains the total traffic for the user.
>
>   So if you want to do something when the users traffic is over the
> quota, you have to do it in the accounting section.  You have to update
> the SQL database, and then check if the user is over quota.
>
>   If so, send a Disconnect-Message, or exec a program to kick the user
> offline.
>
> > Which basically means that initially authorization is done by SQL then
> > "max_all_mb", checks are only done once when the user makes the logon
> > attempt and checks are never done again.
>
>   Yes.  That's what you've configured.  If you want more, you need to
> tell the server to do more
>
> > This is where i have failed.
> > Since you are more in to this, is there a way to perform this check
> > on frequent basis and send reply to NAS to logoff user? then it should
> > work.
>
>   Read the debug output.  You'll see the server receiving
> Accounting-Request packets, with the users traffic over quota.  THAT is
> when FreeRADIUS can do something.
>
>   Alan DeKok.

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Dear Aran C. Bell

Thanks for everything, Here is update.

1.)

All-In-MB counter works. Please note, when a user has downloaded his
quota, the counter does not force a log off. Put another way, if the user is
online, he remains online until he logs off himself or stops browsing. But
note that the counter prevents him from logging in again: the user cannot
log in again if he has already hit the quota threshold. Please look at the
example of a reject. This user is allowed 7GB; please mind that the
check_item, which shows 7168, is specified in MB.

[gigawordcounter]   expand: %{sql:SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='quotauser'} -> 7389.1705
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389
++[gigawordcounter] returns reject

Which basically means that initially authorization is done by SQL then
"max_all_mb", checks are only done once when the user makes the logon
attempt and checks are never done again. This is where I have failed. Since
you are more into this, is there a way to perform this check
on a frequent basis and send a reply to the NAS to log off the user? Then it
should work.

Counter:

sqlcounter gigawordcounter {
    counter-name = Max-All-MB
    check-name = Max-All-MB
    reply-name = Max-All-MB
    reply-message = "You have reached your bandwidth limit"
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}


2.) Solution offered by you.

I tried your recommendations also. I tried to maintain the following in the
local FR dictionary "/etc/freeradius/dictionary" and the Chilli dictionary:

ATTRIBUTE   Acct-Input-Octets64     3005    integer64
ATTRIBUTE   Acct-Output-Octets64    3006    integer64

Results: failed to start FR

Reason for failing: unrecognized value specified in
"/etc/freeradius/dictionary"

Reason for failing: unrecognized value specified in
"/usr/share/freeradius/dictionary.chillihotspot"

Thanks / Regards

RM --

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 8 Oct 2013, at 15:40, Russell Mike  wrote:
>
> > Dear Arran C. Bell,
> >
> > Thank you very much, i am extremely grateful for your advise and
> guidelines for troubleshoot also. i am currently experimenting a different
> rlm_sqlcounter using CoovaChilli dictionary "All-In-MB". In result, i can
> store short number in db. This counter would reset at 2TB with same 32bit
> number. i have actually tested up to 6GB. it just works!!!. Next test is in
> progress to logout user when 7GB downloaded. i really appreciated your
> input and TIME.
> >
> > i will try your proposed solution as well after "All-In-MB" has tested.
> After the successful practical of both solutions. i would like to document
> this topic on one page for archives, so that it can help others. i may need
> your support incase i came across some challenges during the test of your
> solution.
>
> wiki.freeradius.org is the place to do that :)
>
> >
> > Thanks once again !!!
>
> No problem, glad I could help.
>
> -Arran

Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-08 Thread Russell Mike
Dear Arran C. Bell,

Thank you very much, I am extremely grateful for your advice and guidelines
for troubleshooting also. I am currently experimenting with a different
rlm_sqlcounter using the CoovaChilli dictionary "All-In-MB". As a result, I
can store a short number in the db. This counter would reset at 2TB with the
same 32bit number. I have actually tested up to 6GB. It just works!!! The
next test is in progress to log out the user when 7GB is downloaded. I really
appreciate your input and TIME.

I will try your proposed solution as well after "All-In-MB" has been tested.
After the successful practical of both solutions, I would like to document
this topic on one page for the archives, so that it can help others. I may
need your support in case I come across some challenges during the test of
your solution.

Thanks once again !!!

Regards --RM




On Tue, Oct 8, 2013 at 12:16 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

> >
> >
> > It might actually be an idea to add those to the internal dictionary to
> make it a bit easier.
>
> Just to clarify there are two reasons why your current config isn't
> working:
> 1. rlm_sql stores the value as a proper 64bit integer, not in the two
> 32bit chunks represented by Acct-Input-Gigawords and Acct-Input-Octets.
> When this value is pulled out into rlm_sqlcounter the value is truncated
> because internally it only deals with 32bit unsigned ints. I've now fixed
> this.
>
> 2. You're comparing gigawords to bytes, with no conversion, so even with
> the updated module you'll find the user is rejected way way too early.
>
> You also invented "counter-type" and "check-unit" config pairs. The server
> isn't magic, just because it doesn't error out, doesn't mean it knows about
> those config pairs or will use values assigned to them.
>
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
>

Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-08 Thread Russell Mike
Hi List Members

I have been reading the archives and trying to understand for some days now,
but without success. I am currently working to extend data volume control up
to 10GB, which is a requirement for the organization. Is anyone able to manage
more than 4GB using CoovaChilli & Freeradius? There is no single piece
of information available on the net. Until now, I am unclear about the
components that need to be fine-tuned. I understand that FR has 32 bit
integers but it is not the limitation to manage more than 4GB, if the NAS
supports the "Gigaword" attributes. It seems that my "sql_counter" or MySQL
itself is the problem.

NOTE: It is a working setup up to 4GB; if I assign 6GB to a user, the counter
rolls up on 4GB

1.) I came across a post where people say that the sqlcounter module uses
32-bit integers in its source code. Should it be changed to 64-bit integers?
2.) CoovaChilli has built-in support for "gigaword" attributes, which is
enabled.
3.) Is it possible with rlm_sql, or must rlm_perl be used?
4.) Counter rolls up on 4GB.

sqlcounter gigawordcounter {
    counter-name = Total-Max-Octets
    check-name = Acct-Input-Gigawords
    reply-name = Acct-Input-Gigawords
    sqlmod-inst = sql
    key = User-Name
    reset = never
    counter-type = data
    check-unit = KibiOctets
    query = "SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'"
}


Thanks / Regards

Re: sql_counter module doesn't count

2013-09-10 Thread Russell Mike
Hi,

I am willing to help, What kind of NAS do you use? Does your NAS support
accounting ?
Thanks
RM --


On Mon, Aug 12, 2013 at 9:50 PM, lucia  wrote:

>  Thanks for quick reply,
>
> well I guess not. Can you give me a hint how I can figure it out how I can
> configure this ?
>
> I'm I right that I have to configure the accounting in the RADIUS
> conf-files or is it part of the NAS it self.
> Well OK I had a look into Wikipedia RADIUS and it looks like it is part of
> the NAS.
> But I do not find any comments via google about Synology and accounting
>
> I'm a bit confused now ...
>
> Regards,
> Lu
>
>
>
>
>
> On 12.08.2013 23:34, Alan Buxey wrote:
>
> Hi
>
>  That's just an authentication request accounting packets is what you
> need.  Is your kit configured to send accounting to this RADIUS server?
>
>  alan
>
>
>

Vouchers Top Up

2013-07-16 Thread Russell Mike
Hi List

Is anyone able to implement top up for hotspot vouchers? Top up means, if
a hotspot user is browsing and his 3600 seconds are about to finish, he
wishes to top up another 1800 seconds to avoid disconnection.

Thanks / Regards

Re: unlang and update section

2013-06-13 Thread Russell Mike
Yes, I have come across this error once. There is a little mistake in your
unlang code. Understand it from the following working code.


## Authorization Area Starts Here
# If user not present allow them free access
# Between 10:00 and 12:59PM ('Any1000-1259')
# Whole Day ('Any-2359')

# File Module Returns "noop" & sql Module Returns "notfound"

server accept_everyone {
    authorize {
        sql
        if(ok) {
            update control {
                Login-Time := 'Any-1259'
                Auth-Type := "Accept"
            }
        }
        update reply {
            WISPr-Redirection-URL := "http://www.yale.edu";
        }
        else {
            update control {
                Auth-Type := "Reject"
            }
            update reply {
                WISPr-Redirection-URL := "http://41.139.28.1";
            }
        }
    }
    pap
    files
    logintime
    expiration
    preprocess
    dailycounter
    forevertimecounter

    # Fix For The WARNING That Says: Unknown Value Specified For Post-Auth-Type. Cannot Perform Requested Action #
    # Do Not Remove The "Post-Auth" Configuration From Authorization Section (Here): #
    post-auth {
        Post-Auth-Type REJECT {
            noop
            notfound
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
    unix
    eap
}

# END

Thanks

--RM



On Thu, Jun 13, 2013 at 3:07 PM, Bill Schoolfield  wrote:

> Can update sections contain if conditions? I get the following error:
>
> /etc/raddb/sites-enabled/default[573]: "update" sections cannot have
> subsections
> /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.
>
> The documentation says "The only contents permitted in an "update" section
> are attributes
> and values" which I assume is the issue. Please confirm.
>
> Bill

WARNING: Unknown value specified for Post-Auth-Type

2013-06-07 Thread Russell Mike
Hi, this is not the default virtual server. The following error occurs when a
user attempts to log in with an invalid password, otherwise not. Is it normal,
or should it be troubleshot?

Info:   WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action


My postauth section

post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        noop
        notfound
    }
}

Thanks / Regards
--RM

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-06 Thread Russell Mike
Greetings Everyone, my goal is to use only ONE "A" (Authorization Only) as
the start of the FR implementation. I do have a different system to
authenticate users. The plan is to replace that with FR, but one step at a
time.

I tried the following virtual server to accept everyone. With that
done, everyone is accepted, regardless of whether the user exists in MySQL_DB
or not. And the reply message is sent correctly as well.

Check Items in unlang code:
1.) Login time is verified correctly - if a user attempts to access outside
of the time slot, he is rejected, else accepted. (First Attribute Works)
2.) Everyone is accepted (Second Attribute also Works)
3.) Users are not disconnected after 10 minutes (Third Attribute does not
work)

Reply Items in unlang code:

1.) Users are successfully redirected to the URL specified for
"WISPr-Redirection-URL" (First Reply Item Works)
2.) Users are not disconnected after 10 minutes (Second Attribute does not
work)

server accept_everyone {
    authorize {

        # If user not present in MySQL Database still allow them access
        # Only Between 10:00 and 12:59PM
        # File Module Returns "noop" & sql Module Returns "notfound"

        #files
        #if(noop) {

        sql

        if(notfound) {
            update control {
                Login-Time := 'Any1000-1259'
                Auth-Type := "Accept"
                Max-All-Session := "600"
            }
        }
        # Redirect Everyone To Yale Website
        update reply {
            WISPr-Redirection-URL := "http://www.yale.edu";
            Max-All-Session := "600"
        }

    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
pap
logintime
forevertimecounter

## Authorization Area ENDs Here


Can someone give a little hint? Only a hint would be enough, I will study the
rest. Is it even possible to control that (Max-All-Session) using "unlang"
code?

Thanks / Regards
--RM


On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Hi John & Alan, Kindly clarify
>
>   This isn't a private list.  Messages should NOT be addressed to
> individual people.
>
>   Just reply to a message.  It's simpler, and more polite.
>
> > Does this means, it is posible to use only authorize function of FR and
> > process all authentication requests with following virtual server?
>
>   Did you try it?  What does it do?
>
>   Alan DeKok.

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Hi John & Alan, Kindly clarify
>
>   This isn't a private list.  Messages should NOT be addressed to
> individual people.
>

Apologies Everyone. Well noted for future

>
>   Just reply to a message.  It's simpler, and more polite.
>

Thanks for correction Alan D.

>
> > Does this means, it is posible to use only authorize function of FR and
> > process all authentication requests with following virtual server?
>
>   Did you try it?  What does it do?
>

Not really, I wanted to know if it makes sense from an expert's point of view.
Should I try?

Regards
-- RM

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
Hi John & Alan, Kindly clarify

Does this mean it is possible to use only the authorize function of FR and
process all authentication requests with the following virtual server?

server accept_all_requests {
    authorize {
        update control {
            Auth-Type := "Accept"
        }
    }
}

Thanks / Regards
--RM


On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok wrote:

> John Dennis wrote:
> > You're both right, now shake hands and make up :-) The problem with the
> > term authorization in radius is used in a non-standard way that leads to
> > confusion. The normal use of the term authorization (authz) indicates
> > what a principal is permitted to do and a principal must be validated
> > via authentication (authn) first. In radius authorization means
> > collecting information necessary to perform the authentication
> > operation. It's an unfortunate semantic difference that leads to a fair
> > amount of confusion (myself included), but after a while you get used to
> > it.
>
>   It was a historical mistake in FreeRADIUS which has been kept for too
> long.
>
>   After 3.0 is released, we'll transition to a naming scheme that's a
> little more complex, but much clearer.  The idea is that every packet
> has 3 stages:
>
> recv = receive the packet
> process = process the packet
> send = send the reply
>
>   We can map the existing authorize / authenticate / etc. to these
> processing stages.  That change will be initially confusing, but will be
>  simpler.  It will also enable the server to do more protocols that are
> in the works. :)
>
>   Alan DeKok.

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread Russell Mike
Dear Alan DeKok & John Dennis

Thanks for your input, words and clarification. Explanation was very good.
Moreover, good to have people like you on the list.
Regards
Prabhpal Singh


On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok wrote:

> John Dennis wrote:
> > You're both right, now shake hands and make up :-) The problem with the
> > term authorization in radius is used in a non-standard way that leads to
> > confusion. The normal use of the term authorization (authz) indicates
> > what a principal is permitted to do and a principal must be validated
> > via authentication (authn) first. In radius authorization means
> > collecting information necessary to perform the authentication
> > operation. It's an unfortunate semantic difference that leads to a fair
> > amount of confusion (myself included), but after a while you get used to
> > it.
>
>   It was a historical mistake in FreeRADIUS which has been kept for too
> long.
>
>   After 3.0 is released, we'll transition to a naming scheme that's a
> little more complex, but much clearer.  The idea is that every packet
> has 3 stages:
>
> recv = receive the packet
> process = process the packet
> send = send the reply
>
>   We can map the existing authorize / authenticate / etc. to these
> processing stages.  That change will be initially confusing, but will be
>  simpler.  It will also enable the server to do more protocols that are
> in the works. :)
>
>   Alan DeKok.

Re: Accounting time duration calculation

2013-06-05 Thread Russell Mike
Hi,




On Wed, Jun 5, 2013 at 7:43 AM, Miha  wrote:

> Hi,
>
> how does freeradius calculate duration time?


MySQL query grabs the information from "radacct"

i.e.

sqlcounter forevertimecounter {
    counter-name = "Max-All-Session-Time"
    check-name = "Max-All-Session"
    count-attribute = "Acct-Session-Time"
    reply-name = "Session-Timeout"
    sqlmod-inst = "sql"
    key = "User-Name"
    reset = "never"
    cache-size = "5000"
    query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
}




> My NAS sends start and stop packet. In mysql table I can see accstarttime
> and accstoptime. Is the duration time automaticly created from start time
> and stop time or should NAS also send duration time?
>

No. The value is stored in "radacct"; rlm_sqlcounter sums the total time.

hope this helps !


> In other words is it possbile that freeradius automaticly calculate
> duration from start and stop packet:)?
>
> tnx!
>
> miha

Re: Service Provisioning Using AAA (FreeRadius)

2013-06-04 Thread Russell Mike
Hi List

After googling for a few days it is still not very clear. Therefore, I have
decided to implement the three "A"s in three different steps. For now, I only
want to use the Authorize function of FR. I do not want authentication &
Accounting BUT authorization.

Using MySQL as a backend, I am trying to make something like this:

A remote user would hit the Cisco NAS gateway router (in the ISP NOC Data
Center) ---> the Cisco NAS is going to ask FreeRadius if the IP is authorized
to pass through. I need a little idea of how this can be achieved. Something
like this or an equivalent idea.

| 66 | 41.157.61.88 |   | := | Accept |
| 67 | 41.157.61.30 |   | := | Reject |


Thanks Everyone

Regards
--RM


On Tue, May 28, 2013 at 4:12 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Dear Mulindawa / Marinal & Alan Dekok
> >
> > Thanks you very much for your advice, very much valuable for ME. Saw
> > some light end of the tunnel. i really need help, One more question
> > please. Such as as MAC authentication, is it possible to authenticate a
> > device using IP address FR? then i can further attach the attributes
> > with group of IP address.
>
>   No.  RADIUS authentication occurs *before* network access.
>
>   Alan DeKok.

Re: Service Provisioning Using AAA (FreeRadius)

2013-05-28 Thread Russell Mike
Dear Mulindawa / Marinal & Alan Dekok

Thank you very much for your advice, it is very valuable for ME. I saw some
light at the end of the tunnel. I really need help. One more question, please:
as with MAC authentication, is it possible to authenticate a device using its
IP address in FR? Then I can further attach the attributes to a group of IP
addresses.

I want this because the devices that would send auth requests would come
from behind a layer3 device (Router). Thanks for everything sir(s).

Thanks / Regards
--RM



On Tue, May 28, 2013 at 1:51 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Currently, We do manually connection / disconnection. If a customer did
> > not pay until 31st, somebody manually disconnect the link. And manually
> > connect when customer comes to pay.
>
>   That's what Session-Timeout is for.  Set it to 1 day (86400 seconds).
>  That way they have to re-authenticate every day.  On the 31st, you just
> refuse to re-authenticate them.
>
>   Or, use Disconnect-Request.  But the NAS has to support it.
>
>   Alan DeKok.

Service Provisioning Using AAA (FreeRadius)

2013-05-28 Thread Russell Mike
Dear FreeRadius Gurus Greetings,

I work with an ISP, i have been asked to research about "service
provisioning using AAA". I am NOT very new to FreeRadius. Have implemented
and managing central CoovaChilli hotspot solution where we run more than 35
hotspots across the city using CoovaChilli + Freeradius.

Currently, we do connection / disconnection manually. If a customer did not
pay by the 31st, somebody manually disconnects the link, and manually connects
it when the customer comes to pay.

I am somehow not clear on the idea, how that would work and where to
start from. I am looking for advice from those who have already set up such a
system. Any kind of help would be highly appreciated. I am further willing
to study, if I know which direction to move in. Someone please help

Thanks / Regards
 --RM

Re: radgroupcheck attributes and test client

2013-05-06 Thread Russell Mike
On Sun, May 5, 2013 at 6:51 PM,  wrote:

>
> Von: Russell Mike 
>
> > You said same setup is working with Coovachilli, same groups / profiles?
> > Else cross chech your reply & check items, if in place. If FR groups are
> > same check NAS side.
> > Thanks
>
> I'll check reply and check items when I'm in office again, but I'm quite
> sure they are the same.
>
> How can I check NAS side?


Documentation will tell


> One is Coovachilli, the other is a radius test client (NTRadPing and
> Radius Test Rig Utily)
>

You need to create a NAS entry in MySQL or the file for the IP address of the
machine, the machine from where you would run NTRadping.

>
> Thank you!
>
> Chris

Re: radgroupcheck attributes and test client

2013-05-05 Thread Russell Mike
You said the same setup is working with Coovachilli, same groups / profiles?
Else cross-check your reply & check items, if in place. If the FR groups are
the same, check the NAS side.
Thanks

On Friday, May 3, 2013, wrote:

> Hi,
>
> Von: Russell Mike >
>
> > FR should be able to know if the allowed time used / consumed before it
> can
> > deny request. have you setup rlm_sqlcounter ?
>
> Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess
> it is a client issue.
>
> Chris

Re: radgroupcheck attributes and test client

2013-05-03 Thread Russell Mike
FR should be able to know if the allowed time is used / consumed before it can
deny the request. Have you set up rlm_sqlcounter?

Thanks RM --


On Fri, May 3, 2013 at 7:49 AM,  wrote:

> All,
>
> I'm a newbie in radius.
>
> I've setup freeradius with mySQL and max-daily-session. When I set
> max-daily-session := 10 in radgroupcheck table, a user of this group can
> login (accept packet after authentication), even if he already has been
> logged in for 10 seconds before. I'm using NTRadPing and Radius Test Rig
> Utily as a client. I've sent accounting packages. Radacct table got
> populated (beginning and end of session, no octets).
>
> Is it a client issue? Must NTRadPing send any additional parameters?
>
> Any help is appreciated.
>
> Chris

Re: Volume Control

2013-04-17 Thread Russell Mike
Dear Arrran,

Thank you very(32) much. That's what I wanted to know, if it is not an FR
limitation.

Regards / RM --


On Wed, Apr 17, 2013 at 2:13 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 17 Apr 2013, at 05:27, Russell Mike  wrote:
>
> > Hi Aran, thanks for clarification through your response
> > If I understand your answer is that you are saying is that currently as
> is freeRadius is using 64bits data types in some areas and not in others,
> am I Right?. Also is it possible to allow free radius to validate traffic
> above 4GB?
>
> If the NAS provides the Gigawords attributes, yes.
>
> -Arran

Re: captive portal auth with freeradius

2013-04-17 Thread Russell Mike
Hi,

Can you please revise your question and put it in a better way? I am not
clear; do some more typing. If the captive portal (NAS) is CoovaChilli, this
works for me.

HS_RAD_PROTO=pap


Thanks / Regards


On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava <
chitrang.srivast...@gmail.com> wrote:

> I am facing a issue that captive portial server is sending a auth request
> which is not a EAP message and hence freeradius server is rejecting ,  it
> goes to users file and found the last line Auth-Type: Reject
>
> Anyone can point how to fix this ? I guess if captive portal send a eap
> message , it will be looked into eap.conf and then a valid authenticate
> section can be chosen ?
>

Re: Volume Control

2013-04-17 Thread Russell Mike
 Hi Aran, thanks for clarification through your response

If I understand your answer, you are saying that currently, as is,
FreeRadius is using 64-bit data types in some areas and not in others, am I
right? Also, is it possible to allow FreeRadius to validate traffic above
4GB?
Thanks / Regards


On Tue, Apr 16, 2013 at 5:42 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Dear Alan D.
>
>   I may create a new rule.  People who address mail to me personally get
> unsubscribed.
>
>   Alan DeKok.

Volume Control

2013-04-16 Thread Russell Mike
Dear Alan D.

What is FreeRADIUS currently using to keep track? Is it 64-bit or 32-bit?

Thanks  / Regards

Re: session section is not working

2013-04-07 Thread Russell Mike
Do you mean simultaneous sessions? If you are using MySQL, please check if
enabled under the session section. Thanks
RM --

On Friday, April 5, 2013, Mehdi Ravanbakhsh wrote:

> Hi All
>
> My session section in sites-enabled is not working! I do not have any log
> about that section in my radius.log file.
>
>
> Do you have any Ideas why?
>
>
>

Re: Freeradius "Expire-After" How To .. ?

2013-04-02 Thread Russell Mike
Thanks Muhammed,

The expiration module (attribute) already works for me if I want to expire an
account on a calendar date; it does the job just fine. I need to expire
the account after 90 days, but the count must start after first login.
Your help is appreciated / Thanks


On Tue, Apr 2, 2013 at 9:58 AM, Muhammad Nuzaihan bin Kamal Luddin <
muham...@taqisystems.com> wrote:

> Hi,
>
> Have you tried "expiration" module?
>
> sqlcounter expiration {
>    count-attribute = "Acct-Session-Time"
>    counter-name = "Max-Allowed-Session"
>    check-name = "Expiration"
>    sqlmod-inst = "sql"
>    key = "User-Name"
>    reset = "never"
>    # %{${key}} expands to %{User-Name}, i.e. the user's name at run time
>    query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
>      MIN(AcctStartTime))),0) FROM radacct WHERE \
>      UserName='%{${key}}' ORDER BY AcctStartTime LIMIT 1;"
> }
>
> of course you have to put "expiration" (without quotes) in:
>
> instantiate portion of radiusd.conf
> accounting section of sql.conf (or sites-available/default file in
> debian)
>
> You may have to add "Expiration" in the check attributes as well.
>
>
> From what i have looked within daloradius code, you will need to set the
> time settings in "Plan".
>
> Regards,
> Muhammad Nuzaihan Bin Kamal Luddin
>
> On Mon, 2013-04-01 at 17:12 +, Russell Mike wrote:
> > Hi List,
> >
> >
> > I need to expire the prepaid card three months after first login.
> > After reading the mail archives, I was able to figure out that I need to
> > use the "Expire-After" FR attribute with a value in seconds. I was a bit
> > unclear how to bring the module into action because I am unable
> > to locate the "Expire-After" attribute for users (through Daloradius).
> > Someone please help ...
> >
> >
> > # Default Module Came With FR v2.2
> >
> >
> > sqlcounter expire_on_login {
> > counter-name = Expire-After-Initial-Login
> > check-name = Expire-After
> > sqlmod-inst = sql
> > key = User-Name
> > reset = never
> > query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
> >  FROM radacct \
> >  WHERE UserName='%{${key}}' \
> >  ORDER BY acctstarttime \
> >  LIMIT 1;"
> > }
> >
> >
> >
> >
> > Thanks / Regards
> >
> >
> > RM --

Freeradius "Expire-After" How To .. ?

2013-04-01 Thread Russell Mike
Hi List,

I need to expire the prepaid card three months after first login. After
reading the mail archives, I was able to figure out that I need to use the
"Expire-After" FR attribute with a value in seconds. I was a bit unclear how
to bring the module into action because I am unable to locate the
"Expire-After" attribute for users (through Daloradius). Someone please help ...

# Default Module Came With FR v2.2

sqlcounter expire_on_login {
counter-name = Expire-After-Initial-Login
check-name = Expire-After
sqlmod-inst = sql
key = User-Name
reset = never
query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
 FROM radacct \
 WHERE UserName='%{${key}}' \
 ORDER BY acctstarttime \
 LIMIT 1;"
}


Thanks / Regards

RM --

Re: noresetcounter

2013-04-01 Thread Russell Mike
Because you have disabled the valid check item & query using "#"

sqlcounter forevertimecounter {
    counter-name = "Max-All-Session-Time"
    check-name = "Max-All-Session"
    count-attribute = "Acct-Session-Time"
    reply-name = "Session-Timeout"
    sqlmod-inst = "sql"
    key = "User-Name"
    reset = "never"
    cache-size = "5000"
    query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
}

*Check Items:*
Max-All-Session 3600
Session-Timeout 3600

*Reply Items: *
Session-Timeout 3600
Idle-Timeout 60

Thanks RM --


On Mon, Apr 1, 2013 at 1:35 PM, Muhammad Nuzaihan Kamal Luddin <
muham...@taqisystems.com> wrote:

> Hi,
>
> My objective to configure freeradius is that the user automatically gets
> logged out during the accounting process by noresetcounter statement.
>
> But currently, the user that is logged in keeps being connected even
> when the time is up.
>
> Here's my counter.conf:
>
> ---
>
> sqlcounter noresetcounter {
> counter-name = Session-Timeout
> #check-name = Max-All-Session
> check-name = Session-Timeout
> reply-name = Session-Timeout
> sqlmod-inst = sql
> key = User-Name
> reset = never
> #query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
> query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
> }
>
>


> And the logs:
>
> rad_recv: Access-Request packet from host 192.168.233.9 port 2052, id=0,
> length=200
> User-Name = "34"
> User-Password = "EEawKbR3"
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.182.2
> Calling-Station-Id = "00-26-82-15-4E-3D"
> Called-Station-Id = "00-0F-66-59-DD-33"
> NAS-Identifier = "taqihotspot1"
> Acct-Session-Id = "515a0884"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0x48faf6d6c674bceef3469467121e5eae
> WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
> Mon Apr  1 21:22:51 2013 : Info: # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> Mon Apr  1 21:22:51 2013 : Info: +- entering group authorize {...}
> Mon Apr  1 21:22:51 2013 : Info: ++[preprocess] returns ok
> Mon Apr  1 21:22:51 2013 : Info: ++[chap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[mschap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[digest] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [suffix] No '@' in User-Name = "34",
> looking up realm NULL
> Mon Apr  1 21:22:51 2013 : Info: [suffix] No such realm "NULL"
> Mon Apr  1 21:22:51 2013 : Info: ++[suffix] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [eap] No EAP-Message, not doing EAP
> Mon Apr  1 21:22:51 2013 : Info: ++[eap] returns noop
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: %{User-Name} -> 34
> Mon Apr  1 21:22:51 2013 : Info: [sql] sql_set_user escaped user --> '34'
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 4
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, username,
> attribute, value, op   FROM radcheck   WHERE username =
> '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute,
> value, op   FROM radcheck   WHERE username = '34'
> ORDER BY id
> Mon Apr  1 21:22:51 2013 : Info: [sql] User found in radcheck table
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, username,
> attribute, value, op   FROM radreply   WHERE username =
> '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute,
> value, op   FROM radreply   WHERE username = '34'
> ORDER BY id
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT groupname
> FROM radusergroup   WHERE username = '%{SQL-User-Name}'
> ORDER BY priority -> SELECT groupname   FROM radusergroup
> WHERE username = '34'   ORDER BY priority
> Mon Apr  1 21:22:51 2013 : Info: [sql]  expand: SELECT id, groupname,
> attribute,   Value, op   FROM radgroupcheck   WHERE
> groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
> attribute,   Value, op   FROM radgroupcheck   WHERE
> groupname = '3mins'   ORDER BY id
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sql (sql): Released sql socket id: 4
> Mon Apr  1 21:22:51 2013 : Info: ++[sql] returns ok
> Mon Apr  1 21:22:51 2013 : Info: ++[logintime] returns noop
> Mon Apr  1 21:22:51 2013 : Info: ++[pap] returns updated
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sqlcounter: Entering module
> authorize code
> Mon Apr  1 21:22:51 2013 : Debug: rlm_sqlcounter: Could not find Check
> item value pair
> Mon Apr  1 21:22:51 2013 : Info: ++[noresetcounter] re

Re: how i can check if password is not correct ?

2013-03-30 Thread Russell Mike
Debian, Ubuntu: freeradius -XXX

Redhat CentOS: radiusd -XXX

Thank / RM --


On Sat, Mar 30, 2013 at 9:12 AM, Mehdi Ravanbakhsh wrote:

> Hi All
>
> If the password in a request is not correct, which module handles this and
> rejects the client?
>
> Where can I check if the password is not correct? And what does the module
> return when the password does not match?
>
> Best regards.
>
>
>

Re: How to use checkval

2013-03-13 Thread Russell Mike
Hi Dan,
What Reject ? And MAC address listed where? Are you working around MAC
authentication? FR MAC auth is working for me, I use CoovaChilli as NAS.

0.) MAC address would exist as user in MySQL DB or file
1.) Configure NAS to send MAC-Addr as username to Freeradius
2.) And do the following at Freeradius side.
username="";attribute="Auth-Type";op=":=";value="Accept"

Thanks / Regards
RM --


On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Hi Russel,
>
> Thanks for that. However it seems the check-name can't even be populated, as
> you can see from my log file.
>
> +- entering group authorize {...}
> ++[preprocess] returns ok
> rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
>
> rlm_checkval: *Could not find attribute named *
> *Calling-Station-Id in check pairs*
> ++[checkval] returns notfound
> [auth_log]  expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
> [auth_log]  expand: %t -> Wed Mar 13 17:47:09 2013
>
>
> I check the ldap.attrmap and its correctly mapped to the LDAP attribute.
>
> So how to make sure that Radius rejects the request when the MAC address is
> not listed? That's what I want to achieve.
>
> Thanks
> Danny
>
>
> On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike wrote:
>
>> checkval can be helpful when you need to apply NAS-Identifier &
>> Calling-Station-Id - FR attributes.
>>
>> checkval calledstationid {
>>item-name = Called-Station-Id
>>check-name = Called-Station-Id
>>data-type = string
>>notfound-reject = no
>> }
>>
>>
>> checkval nasidentifier {
>> item-name = NAS-Identifier
>> check-name = NAS-Identifier
>> data-type = string
>> notfound-reject = no
>> }
>>
>>
>> Thanks / Regards
>> RM --
>>
>>
>>
>> On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan <
>> danny.kurnia...@fairchildsemi.com> wrote:
>>
>>> Hi All.
>>>
>>> I found this error when enabled checkval
>>>
>>> rlm_checkval: Could not find attribute named Calling-Station-Id in check
>>> pairs
>>> ++[checkval] returns notfound
>>> ++[expiration] returns noop
>>>
>>> What is the meaning of that error?
>>>
>>> Thanks in advance
>>>
>>> --
>>> Best Regards,
>>> Danny
>>>
>
>
>
> --
> Best Regards,
> Danny

Re: How to use checkval

2013-03-13 Thread Russell Mike
checkval can be helpful when you need to apply NAS-Identifier &
Calling-Station-Id - FR attributes.

checkval calledstationid {
   item-name = Called-Station-Id
   check-name = Called-Station-Id
   data-type = string
   notfound-reject = no
}


checkval nasidentifier {
item-name = NAS-Identifier
check-name = NAS-Identifier
data-type = string
notfound-reject = no
}


Thanks / Regards
RM --



On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Hi All.
>
> I found this error when enabled checkval
>
> rlm_checkval: Could not find attribute named Calling-Station-Id in check
> pairs
> ++[checkval] returns notfound
> ++[expiration] returns noop
>
> What is the meaning of that error?
>
> Thanks in advance
>
> --
> Best Regards,
> Danny
>

Re: FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi, Please mind my mistake
1.) "Unix-Time-Based-Login" using unlang rather than "Login-Time" FR
attribute.


On Tue, Mar 12, 2013 at 11:06 AM, Russell Mike  wrote:

> Hi Freeradius List,
>
> Why someone will use "Unix-Time-Based-Login" why not "Login-Time" FR
> attribute? Does it offer more flexibility or control over each other.
>
> Actually, we want to implement login based on time. i am reading mail
> archives since yesterday to understand basic functionality of the
> model. And have also come across where people are talking about both
> techniques. But unable to know what is better way to go with.
>
> Thanks for attending to this material
>
> Thanks / Regards
> RM --
>

FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi Freeradius List,

Why someone will use "Unix-Time-Based-Login" why not "Login-Time" FR
attribute? Does it offer more flexibility or control over each other.

Actually, we want to implement login based on time. i am reading mail
archives since yesterday to understand basic functionality of the
model. And have also come across where people are talking about both
techniques. But unable to know what is better way to go with.

Thanks for attending to this material

Thanks / Regards
RM --

Re: Cannot access radius server from remote host

2013-03-10 Thread Russell Mike
Hi, note for ever. FR will simply ignore the request if the NAS (client) is not
configured, as Muhammad has explained by giving a full example earlier. When
your NAS changes in future and you may need additional NAS support, you
need to define a second client entry in the same file, or in the MySQL DB only if
using it.

Thanks
RM --

On Sat, Mar 9, 2013 at 10:43 AM, Muhammad Nadeem wrote:

> For this you have to define the IP address and shared secret on the Radius
> server in client.config
> following is an entry that define that  you can send request from an
> computer having 192.168.0.102 IP address.
> client 192.168.0.102 {
> ipaddr = 192.168.0.102
> secret = testing123
> }
> Please read client.config for further details
>
>
> On Sat, Mar 9, 2013 at 3:35 PM, Iftakhul Anwar  wrote:
>
>> Hi All,
>>
>> I just try connect radius server remotely.
>> i've try to radtest with command :
>>
>> radtest user1 meruvian localhost 1812 testing123
>> Sending Access-Request of id 133 to 127.0.0.1 port 1812
>>  User-Name = "user1"
>> User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>>  NAS-Port = 1812
>> Message-Authenticator = 0x
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=133,
>> length=20
>>
>> ## i get accept response from radius server.
>>
>> But when I try with the command below I get an error message like no response
>> from the radius server:
>>
>> radtest user1 meruvian 192.168.2.3 1812 testing123
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> Sending Access-Request of id 12 to 192.168.2.3 port 1812
>> User-Name = "user1"
>>  User-Password = "meruvian"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 1812
>>  Message-Authenticator = 0x
>> radclient: no response from server for ID 12 socket 3
>>
>>
>>
>> Note:192.168.2.3 is ip of radius server.
>>
>> How can I connect to the radius server from another host? I've tried to
>> disable my firewall, but still get no response from the server.
>>
>> Help me to solve this.
>>
>> Thanks
>>
>>
>> --
>> *M.Iftakhul Anwar*
>
>
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
>

Re: Redirecting Reject Request To Webpage

2013-03-10 Thread Russell Mike
Thanks Dear Arran. your input is very much appreciated. I will check on NAS
side.
Thanks


On Fri, Mar 8, 2013 at 4:30 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 8 Mar 2013, at 11:22, Russell Mike  wrote:
>
> > Thanks Dear Alan D.
> >
> > Good answer with explanations. Appreciated your input. I am using
> CoovaChilli as NAS, i will check with them also. But i would appreciate if
> you could please indicate the FR attribute may can use.
>
> Consult the CoovaChilli docs for attributes. If we have an attribute
> defined, it's either for internal use, for an RFC, or because someone has
> contributed dictionaries that define it.
>
> -Arran

Re: Redirecting Reject Request To Webpage

2013-03-08 Thread Russell Mike
Thanks Dear Alan D.

Good answer with explanations. Appreciated your input. I am using
CoovaChilli as NAS, i will check with them also. But i would appreciate if
you could please indicate the FR attribute may can use.

Thanks / Regards
RM --

On Fri, Mar 8, 2013 at 2:14 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > *Question:* Redirecting Reject Request To Webpage
> >
> > For example, a customer would get a reject from FR due to non-payment, but
> > at this stage the customer does not know what is happening or why the
> > internet is down. We want the request to be redirected to a web page that
> > will display the cause of disconnection.
>
>   RADIUS doesn't do that.  It does authorization or authentication.  It
> doesn't do firewalling or routing.
>
>   Read the NAS documentation to see if it's possible.  It might be, but
> it would involve FreeRADIUS sending an attribute to the NAS saying "do
> this".  The NAS would then be responsible for firewalling.
>
>   Remember, RADIUS carries *suggestions*.  The RADIUS protocol isn't
> involved in routing, filtering, firewalling, web serving, etc.  No user
> traffic ever goes through a RADIUS server, so redirecting user traffic
> in RADIUS is *impossible*.
>
>   Alan DeKok.
>

Redirecting Reject Request To Webpage

2013-03-08 Thread Russell Mike
Hi FreeRadius List Members,

Thanks for all the support ever. i am having difficulty to understand
something, i need help. i am able to configure mac authentication base on
the following logic. it Works !!

username="";attribute="Auth-Type";op=":=";value="Accept"

username="";attribute="Auth-Type";op=":=";value="Reject"

*Question:* Redirecting Reject Request To Webpage

For example, a customer would get a reject from FR due to non-payment, but at
this stage the customer does not know what is happening or why the internet is
down. We want the request to be redirected to a web page that will display the
cause of disconnection.

Thanks

RM --

Re: Authentication Using "Framed-IP-Address"

2013-03-07 Thread Russell Mike
Hi Arran,

Thanks for the answer to my question. Nothing wrong to say thanks but
perhaps to see it from that angle.

Regards / RM --

On Thu, Mar 7, 2013 at 3:12 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> On 7 Mar 2013, at 09:50, Russell Mike  wrote:
>
> > Dear Alan. De. & List Greetings
> >
> > May i please ask your opinion, if it possible to accept & reject users
> base on "Framed-IP-Address".
>
> Yes if the Framed-IP-Address is available in the request. There are
> however, no IP specific operators,
> so it's more difficult to check whether an IP address is in a certain
> range.
>
> Also, Alan doesn't need his ego stroking any more, addressing questions to
> the list works just as well.
>
> -Arran

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
Understood, Thanks dear David. P, for participating in my troubleshoot. i
am grateful.
Thanks / Regards
RM --

On Sun, Feb 24, 2013 at 3:31 PM, David Peterson <
dav...@wirelessconnections.net> wrote:

> He approached the problem differently than most people.  He already had a
> database with the MAC addresses.  Due to a deployment mistake in the past
> he did not have the passwords from each of 500 EAP clients.  So rather than
> going out and changing those addresses he matches up the MAC address with a
> paying customer from the database.
>
> The person is in charge of a wireless ISP so scheduling 500 home visits
> was a worse option than writing some code to authorize the CPE.
>
> David
>
> *From:* Russell Mike [mailto:radius@gmail.com]
> *Sent:* Sunday, February 24, 2013 10:00 AM
> *To:* David Peterson-WirelessConnections; FreeRadius users mailing list
> *Subject:* Re: MAC-Auth + Freeradius + MySQL Database
>
> On Sun, Feb 24, 2013 at 1:55 PM, David Peterson <
> dav...@wirelessconnections.net> wrote:
>
> I know of one person doing something similar to what you are looking to
> do.  If your NAS sends the MAC of the device with the EAP request, you can
> extract the MAC from the request using unlang and check that against a
> database of MACs.
>
> No clue how to do this, I just know it can be done.
>
>
> David
>
> Dear David, thanks for attending to the request, what do you mean when you
> say
>
> "one person doing something similar to what you are looking to do". Does
> other do the MAC-Auth in different way i am doing?
>
> I read the response from Mr. Alan De. about storing MAC in to Database.
> Following wiki also explain how to rewrite calling-station-id using unlang
> and further compare against file or DB.
>
> http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL
>
> Your information is appreciable.
>
> Thanks / Regards
>
> RM --
>

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson <
dav...@wirelessconnections.net> wrote:

> I know of one person doing something similar to what you are looking to
> do.  If your NAS sends the MAC of the device with the EAP request, you can
> extract the MAC from the request using unlang and check that against a
> database of MACs.
>
> No clue how to do this, I just know it can be done.
>
>
> David
>

Dear David, thanks for attending to the request, what do you mean when you
say
"one person doing something similar to what you are looking to do". Does
other do the MAC-Auth in different way i am doing?

I read the response from Mr. Alan De. about storing MAC in to Database.
Following wiki also explain how to rewrite calling-station-id using unlang
and further compare against file or DB.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

Your information is appreciable.

Thanks / Regards
RM --

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sun, Feb 24, 2013 at 2:20 PM, Alan DeKok wrote:

> Russell Mike wrote:
> > Thanks for the guidelines. Exactly as you stated, I simply want to store MAC
> > addresses somewhere & compare against the request. Can they be in
> > "radcheck"?
>
>   I wouldn't do that.  Just create your own table of MAC addresses.  If
> all you want is to list known MACs, you can do that with a custom table.
>
>   Then, do:
>
> if ("%{sql: SELECT ...}") {
> # known MAC
> }
>
>   Use a SQL client to write the correct SELECT statement, and then put
> it into the example above.  Then apply any "known MAC" rule inside of
> the "if" statement.
>
> > Secondly, i would have list of maximum 500 MACs, how about listing them
> > in a file. Would it be considerably slow reading from file than DB? I
> > have no idea because I never used radius with files.
>
>   See "man rlm_passwd".  It contains examples.  You could put the MACs
> into a group via that module, and then do group checking.
>
>   Alan DeKok.


Dear Alan De.

Thanks for your input, you are so helpful. The information sent is also
very useful; I will try to move forward based on your guidelines.
Thanks / Regards
RM --
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
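Added example, not code from the thread, the wiki or FreeRADIUS: the known-MAC check described above (a table of MACs; found means continue, not found means reject), sketched in Python. It normalises the Calling-Station-Id first, since the same address can arrive in several layouts, and uses a bound parameter for the lookup. The table name known_macs, the sample addresses and the use of sqlite3 in place of MySQL are assumptions.

```python
"""Known-MAC lookup: normalise Calling-Station-Id, then a bound-parameter query."""
import re
import sqlite3

# Layouts a NAS may use for the same address; mixed separators are refused.
_LAYOUTS = (
    r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}",    # 02-00-00-00-00-01
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}",    # 02:00:00:00:00:01
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",   # 0200.0000.0001
    r"[0-9a-f]{12}",                      # 020000000001
)
_MAC_RE = re.compile("|".join(_LAYOUTS))


def normalize_mac(value):
    """Return the MAC as lower-case aa-bb-cc-dd-ee-ff, or None if malformed."""
    if not isinstance(value, str):
        return None
    text = value.strip().lower()
    if not _MAC_RE.fullmatch(text):
        return None
    digits = re.sub(r"[-:.]", "", text)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_known_macs(entries):
    """Build the known-MAC table (hypothetical name: known_macs) in memory.

    sqlite3 stands in for the MySQL backend; addresses are stored normalised
    so that one layout in the table matches every layout in a request.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE known_macs (mac TEXT PRIMARY KEY, customer TEXT)")
    for mac, customer in entries:
        canonical = normalize_mac(mac)
        if canonical is None:
            raise ValueError(f"not a MAC address: {mac!r}")
        db.execute("INSERT INTO known_macs (mac, customer) VALUES (?, ?)",
                   (canonical, customer))
    db.commit()
    return db


def check_mac(db, calling_station_id):
    """Return 'continue' if the address is on the list, otherwise 'reject'."""
    canonical = normalize_mac(calling_station_id)
    if canonical is None:
        return "reject"  # malformed input never reaches the query
    row = db.execute("SELECT 1 FROM known_macs WHERE mac = ?",
                     (canonical,)).fetchone()
    return "continue" if row else "reject"


# Constructed sample data (locally administered addresses).
KNOWN = [("02-00-00-00-00-01", "customer-1"), ("02:00:00:00:00:02", "customer-2")]

if __name__ == "__main__":
    db = open_known_macs(KNOWN)
    for csid in ("02-00-00-00-00-01", "0200.0000.0002", "02-00-00-00-00-99",
                 "02-00:00-00-00-01", "x' OR '1'='1"):
        print(f"{csid!r:24} -> {check_mac(db, csid)}")
```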

Re: MAC-Auth + Freeradius + MySQL Database

2013-02-24 Thread Russell Mike
On Sunday, February 24, 2013, Alan DeKok wrote:

> Russell Mike wrote:
> >i also
> > came across where guys are discussing EAP and MAC authentication. i
> > could not conclude, if it is a better way of doing
> > MAC authentication using EAP.
>
>   To be clear: you don't.  EAP is authentication.  MAC "authentication"
> is just checking if the MAC address is in a known list.
>
>   Terminology matters.  Using the right terminology means that the
> solution is usually simple.  Using the wrong terminology means you're
> using the wrong design.
>
> > How to store MACs in MySQL database. Perhaps, i need to
> > create additional table to store MAC, Honestly, i am not sure how to go
> > about it. Is there any documentation that i may do NOT know of. and i
> > can follow to finish the setup.
>
>   If all you want is a "known MAC" list, then just put them into a table
> in SQL.  Then, select MAC addresses from the table at run time.  If
> they're found, continue.  If not, reject.
>
>   Alan DeKok.


Dear Alan D.

Thanks for the guidelines. Exactly as you stated, I simply want to store MAC
addresses somewhere & compare against the request. Can they be in
"radcheck"? Would you recommend that, or a separate table? Storing MACs in
radcheck, would it be correct terminology?

Secondly, I would have a list of at most 500 MACs; how about listing them in
a file? Would it be considerably slower reading from a file than from the DB?
I have no idea because I never used radius with files.

Thanks Alan De. for your support ever
Regards --RM

MAC-Auth + Freeradius + MySQL Database

2013-02-23 Thread Russell Mike
Greetings Dear Alan D. & List Members,

First of all, thank you very much for developing such an application. I need
help: I have a functional Freeradius server with a MySQL backend. I have been
asked to add MAC address authentication support for the servers. I googled
the topic and got many, many mail archive results; I tried to read those for
about a day before posting to the mailing list. In most of them, administrators
are discussing troubleshooting topics, but I was searching for how to start
implementation and the REQUIREMENTS. I also came across where guys
are discussing EAP and MAC authentication. I could not conclude if it is a
better way of doing MAC authentication using EAP.

Finally, i came across wiki documentation. almost everything is there and it
is well explained as well, thanks.  i have now understand how it works. But
SQL part is not still a question.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

How to store MACs in MySQL database. Perhaps, i need to create additional table
to store MAC, Honestly, i am not sure how to go about it. Is there any
documentation that i may do NOT know of. and i can follow to finish the
setup.

Great thanks for attending to this request and thanks for your support ever
since!

additional Information: FR_v2.2 With Coova 1.3.0

Regards -- RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 5:28 PM, Phil Mayers wrote:

> On 19/02/13 16:09, Russell Mike wrote:
>
>  *A.) *Enable interim accounting
>>
>
> Yes
>
>  *B.)* Enable
>>
>> post-auth {
>>update reply {
>>  Acct-Interim-Interval = 900
>>}
>> }
>>
>
> Yes
>
>
>> C.) *You Said:* You also need to ensure the
>> "accounting_update_query{,_alt}" are configured in your sql.conf; this
>> is the default.
>>
>> C1.) Unclear to this, i have nothing like this in my sql.conf
>>
>>  $INCLUDE sql/${database}/dialup.conf
>>
>
> See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf
>
>  *D.) * *You Said:* I also found that sometimes removing the last
>>
>> accounting record for the locked user in the radacct table won't work
>> and you need to set "/var/log/freeradius/radutmp" to null, to unlock
>> that user.
>>
>
> No, I didn't say that. Someone else did.
>
>
>> *D1.)* I use "radutmp" For Simultaneous-Use tracking. Do you mean it
>> should be disable ?
>>
>
> radutmp is inferior to SQL. There is no point in using both, and radutmp
> has problems.
>
>  I am clear with A&B. I need more help to tell us more about *"C"* what
>> exactly should be added in "sql.conf"  and *"D"* how to set null
>>
>
> The default SQL schema and queries that come with the server support
> interim accounting. If you haven't changed them, you don't need to do anything
> for "C". Just tell the NAS to send interim accounting, and then check using
> debug/tcpdump/radsniff/whatever that it's actually doing that.
>



Dear Phil Mayers,

Thank you very much for your kind assistance and for being patient with slow
learners. You are a gentleman indeed; I have no words to thank you for
helping us out step by step. Everything is clear at this point after
reading your message. I wish to thank you once again for attending to us in
your time.

Thanks / REGARDS   --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
>The more I read about this, the more complicated it gets!
>>
>
> It's quite simple in principle.
>
>
>Dear Phil, the first and third solutions you provided will work great
>> but their implementation is not that easy. As you said above, following
>> the first approach needs packet monitoring as well, which is not easy to
>> implement unless there be a log file/table in freeradius for this
>>
>
> I don't know what this means, I'm afraid.
>
>
>  packets. And the value for "acctsessiontime" is 0 until the user
>> disconnects and freeradius sets the correct value for this field and
>> some other fields in radacct table.
>>
>
> As I said, you need to enable interim accounting. If you do this, the NAS
> should send accounting packets at frequent intervals that update
> acctsessiontime, amongst other things.
>
> If your NAS doesn't support interim accounting, you're stuck.
>
> If it does, you should just need to set the interim interval, either
> statically on the NAS  or dynamically in the Access-Accept, like so:
>
> post-auth {
>   ...
>   update reply {
>     # accounting packets every 15 minutes
>     Acct-Interim-Interval = 900
>   }
>   ...
> }
>
> You also need to ensure the "accounting_update_query{,_alt}" are
> configured in your sql.conf; this is the default.
>
>
>
>>   I also found that sometimes removing the last accounting record for
>> the locked user in the radacct table won't work and you need to set
>> "/var/log/freeradius/radutmp" to null, to unlock that user.
>>
>
> Don't use utmp; disable the module if you are using SQL, it's unnecessary
> and bug prone.
>
>
>
>>   I wish there was a table for online users in NAS and we could compare
>> online user in NAS and online users in RADIUS and decide what to do.
>>
>
> Some devices do have this. It's vendor-specific, and often accessible via
> SNMP. Consult the docs for your NAS. Since this isn't a RADIUS question,
> it's best to look elsewhere for this.
>
>
>I am still looking forward for your helpful comments and suggestion on
>> this topic.
>>
>
> As above: enable interim accounting. The effects should be obvious if it
> works, and the next steps clear.
>
>
>


Hi Phil, thanks for taking the time to attend to this material. I am sure I
need to study more to work around the issue.


I understand three steps from your guidelines to get rid of this problem;
you can respond with just yes or no.

*A.)* Enable interim accounting

*B.)* Enable

post-auth {
  update reply {
    Acct-Interim-Interval = 900
  }
}
C.) *You Said:* You also need to ensure the "accounting_update_query{,_alt}"
are configured in your sql.conf; this is the default.

C1.) Unclear on this, I have nothing like this in my sql.conf

sql {
    server = "localhost"
    database = "mysql"
    driver = "rlm_sql_mysql"
    driver = "rlm_sql_${database}"
    port = 3306
    login = "root"
    password = "x"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = yes
    read_groups = yes
    nas_table = "nas"
    sqltrace = yes
    $INCLUDE sql/${database}/dialup.conf
}


*D.)* *You Said:* I also found that sometimes removing the last accounting
record for the locked user in the radacct table won't work and you need to
set "/var/log/freeradius/radutmp" to null, to unlock that user.

*D1.)* I use "radutmp" for Simultaneous-Use tracking. Do you mean it should
be disabled?


*E.)* Testing

I am clear with A&B. I need more help to tell us more about *"C"*, what
exactly should be added in "sql.conf", and *"D"*, how to set null
"/var/log/freeradius/radutmp".

Please do not think I want you to do it all for me. Since you have helped us
this far, please clarify C and D for us to put the fix in place.

Thanks Phil

Regards --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 11:23 AM, Mobin Yazarlou wrote:

>
> On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike wrote:
>
>>
>>
>> On Monday, February 18, 2013, Mobin Yazarlou wrote:
>>
>>>
>>>
>>> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers wrote:
>>>
>>>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>>>
>>>>> Hi,
>>>>>   I am using freeradius v2.1.12 with MySQL support and noticed if a
>>>>> user disconnects when radius server is down, NAS cannot inform radius
>>>>> about user being disconnected and radius assumes user is still online
>>>>> after coming up again. This restricts user from connecting again when
>>>>> you set simultaneous-use to 1.
>>>>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>>>>
>>>>
>>>> RADIUS uses UDP, and NASes don't "save" accounting packets which don't
>>>> get a reply; they usually send 1-5 attempts over a few seconds, then give
>>>> up (or move to the 2nd RADIUS server).
>>>>
>>>> You need to take this into account.
>>>>
>>>> Possible solutions include some combination of:
>>>>
>>>>  1. Use interim accounting. Then, use a script to expire any sessions
>>>> which have not seen accounting packets in X*interim-interval; X==3 for
>>>> example
>>>>
>>>>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
>>>> servers configured. Use one of several configs to write the accounting data
>>>> to a robust, replicated database. One way to do this is with the "robust"
>>>> accounting that comes with FreeRADIUS.
>>>>
>>>>  3. Use a script to check your NASes active sessions and compare to
>>>> accounting data at a certain interval.
>>>>
>>>> ...and so on.
>>>>
>>>
>>>
>>> Hi,
>>>  Thank you for the quick reply Phil. The solutions you have provided
>>> brought a new thing to my mind.
>>>  I was thinking about similar scenarios and found out that if NAS crashes,
>>> the same thing will happen. Clients will get disconnected due to NAS
>>> unavailability and when NAS is unavailable, radius won't be notified about
>>> users getting disconnected.
>>>  By taking this into consideration, the most effective solution would be
>>> the first or the third approach you have listed. And between these two
>>> solutions, the last one seems to be easier to implement.
>>>
>>>  Please correct me if I am wrong.
>>>
>>> Thank you,
>>> Moby
>>>
>>
>> Hi Phil & Moby,
>>
>> I am also interested in this solution since experiencing the same
>> problem.  I liked the solution no1.
>>
>> But I have no idea where I can get that script but I can modify if I have
>> one.
>>
>> Thanks / RM--
>>
>>
>>
>>
>
>
> Hi Mike,
>  Now it is an hour that I am looking for a built-in solution or a
> ready-to-use script. The only thing I found was Idle-Timeout
> <http://freeradius.org/rfc/rfc2865.html#Idle-Timeout> attribute.
> This problem could be solved if RADIUS was responsible for handling this
> attribute but from what I read, it's the NAS's responsibility.
>
>  I hope someone helps us to find the easiest and most effective solution.
>
> Thank you,
> Moby
>
>
>
Dear Moby,

That is brilliant. I also read up after your advice, and I feel that nothing
can be easier and more effective than this: once FreeRADIUS knows the idle
timeout value, the user can be logged out by FreeRADIUS, which is what we were
trying to do. Let's use it and see; I trust that it will do.

Great Thanks !! For Helping Community By Sharing Solutions.

Thanks Moby & Phil


Regards --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 11:08 AM, Phil Mayers wrote:

> On 19/02/13 06:53, Russell Mike wrote:
>
>> Hi Phil & Moby,
>>
>> I am also interested in this solution since experiencing the same
>> problem.  I liked the solution no1.
>>
>> But I have no idea where I can get that script but I can modify if I
>> have one.
>>
>
> It's a pretty simple script. Depending on your SQL database, you just do a
> "select from radacct where acctstarttime + acctsessiontime < 'now - 2
> hours'" or whatever.
>
> It should be a 1-line SQL query.
>
> However - I should emphasise that interim accounting and expiring dead SQL
> sessions is no substitute for a resilient RADIUS service; you should really
> have two servers, and look to use robust accounting *as well* as interim
> acct.
>
>


Dear Phil,

Thanks for the guidelines again. Maintaining two radius seems to be a simple
and right solution, whereas it also offers high availability within the fix.
Do you think the problem would be solved if I have two radius configured in
coova "config"?

Thanks / Regards
RM --
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
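
The stale-session expiry discussed in this thread (interim accounting plus a script that closes sessions silent for X*interim-interval), as an added example that is not from any of the list posts. It runs against an in-memory SQLite stand-in with constructed rows; the columns radacctid, acctstoptime and acctterminatecause are assumed from the default radacct schema, and the "Stale-Session" cause string is a made-up marker.

```python
import sqlite3
from datetime import datetime, timedelta

INTERIM_INTERVAL = 900  # seconds, the Acct-Interim-Interval used in the thread
MISSED_UPDATES = 3      # X in "X*interim-interval"
FMT = "%Y-%m-%d %H:%M:%S"
STALE_CAUSE = "Stale-Session"  # constructed marker value, not a RADIUS standard


def find_stale(conn, now):
    """Open sessions whose last accounting packet is older than the cutoff."""
    cutoff = now - timedelta(seconds=INTERIM_INTERVAL * MISSED_UPDATES)
    rows = conn.execute(
        "SELECT radacctid, username, acctstarttime, COALESCE(acctsessiontime, 0) "
        "FROM radacct WHERE acctstoptime IS NULL ORDER BY radacctid"
    ).fetchall()
    stale = []
    for radacctid, username, start, session_time in rows:
        # Interim updates advance acctsessiontime, so start + session time is
        # the moment the server last heard about this session.
        last_seen = datetime.strptime(start, FMT) + timedelta(seconds=session_time)
        if last_seen < cutoff:
            stale.append((radacctid, username, last_seen))
    return stale


def expire_stale(conn, now):
    """Close stale sessions at their last-seen time; return the usernames."""
    stale = find_stale(conn, now)
    for radacctid, _username, last_seen in stale:
        conn.execute(
            "UPDATE radacct SET acctstoptime = ?, acctterminatecause = ? "
            "WHERE radacctid = ? AND acctstoptime IS NULL",
            (last_seen.strftime(FMT), STALE_CAUSE, radacctid),
        )
    conn.commit()
    return [username for _id, username, _seen in stale]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, username TEXT, "
        "acctstarttime TEXT, acctstoptime TEXT, acctsessiontime INTEGER, "
        "acctterminatecause TEXT)"
    )
    # Constructed sample rows; "now" is fixed so the result is reproducible.
    now = datetime(2013, 2, 19, 12, 0, 0)
    sample = [
        ("alice", "2013-02-19 10:00:00", None, 6900),  # last seen 11:55, live
        ("bob", "2013-02-19 09:00:00", None, 5400),    # last seen 10:30, stale
        ("carol", "2013-02-19 11:50:00", None, 0),     # new, no interim yet
        ("dave", "2013-02-19 08:00:00", "2013-02-19 08:30:00", 1800),  # closed
    ]
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, "
        "acctsessiontime) VALUES (?, ?, ?, ?)", sample)
    expired = expire_stale(conn, now)
    still_open = [r[0] for r in conn.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL "
        "ORDER BY radacctid")]
    bob_stop = conn.execute(
        "SELECT acctstoptime FROM radacct WHERE username = 'bob'").fetchone()[0]
    # A second pass must find nothing left to expire.
    return expired, still_open, bob_stop, expire_stale(conn, now)


if __name__ == "__main__":
    print(demo())
```

A session on a NAS that never sends interim updates keeps acctsessiontime at 0 and is closed once its start time passes the cutoff, so confirm interim packets are arriving before scheduling a job like this. Against MySQL the same logic applies with that driver's parameter placeholders.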

Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike
On Monday, February 18, 2013, Mobin Yazarlou wrote:

>
>
> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers wrote:
>
>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>
>>> Hi,
>>>   I am using freeradius v2.1.12 with MySQL support and noticed if a user
>>> disconnects when radius server is down, NAS cannot inform radius about
>>> user being disconnected and radius assumes user is still online after
>>> coming up again. This restricts user from connecting again when you set
>>> simultaneous-use to 1.
>>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>>
>>
>> RADIUS uses UDP, and NASes don't "save" accounting packets which don't
>> get a reply; they usually send 1-5 attempts over a few seconds, then give
>> up (or move to the 2nd RADIUS server).
>>
>> You need to take this into account.
>>
>> Possible solutions include some combination of:
>>
>>  1. Use interim accounting. Then, use a script to expire any sessions
>> which have not seen accounting packets in X*interim-interval; X==3 for
>> example
>>
>>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
>> servers configured. Use one of several configs to write the accounting data
>> to a robust, replicated database. One way to do this is with the "robust"
>> accounting that comes with FreeRADIUS.
>>
>>  3. Use a script to check your NASes active sessions and compare to
>> accounting data at a certain interval.
>>
>> ...and so on.
>>
>
>
> Hi,
>  Thank you for the quick reply Phil. The solutions you have provided
> brought a new thing to my mind.
>  I was thinking about similar scenarios and found out that if NAS crashes,
> the same thing will happen. Clients will get disconnected due to NAS
> unavailability and when NAS is unavailable, radius won't be notified about
> users getting disconnected.
>  By taking this into consideration, the most effective solution would be
> the first or the third approach you have listed. And between these two
> solutions, the last one seems to be easier to implement.
>
>  Please correct me if I am wrong.
>
> Thank you,
> Moby
>

Hi Phil & Moby,

I am also interested in this solution since experiencing the same problem.
 I liked the solution no1.

But I have no idea where I can get that script but I can modify if I have
one.

Thanks / RM--

Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike
On Monday, February 18, 2013, Phil Mayers wrote:

> On 18/02/13 18:02, Mobin Yazarlou wrote:
>
>> Hi,
>>   I am using freeradius v2.1.12 with MySQL support and noticed if a user
>> disconnects when radius server is down, NAS cannot inform radius about
>> user being disconnected and radius assumes user is still online after
>> coming up again. This restricts user from connecting again when you set
>> simultaneous-use to 1.
>>   Is there any solution for this? My NAS is pptpd on Debian 6.
>>
>
> RADIUS uses UDP, and NASes don't "save" accounting packets which don't get
> a reply; they usually send 1-5 attempts over a few seconds, then give up
> (or move to the 2nd RADIUS server).
>
> You need to take this into account.
>
> Possible solutions include some combination of:
>
>  1. Use interim accounting. Then, use a script to expire any sessions
> which have not seen accounting packets in X*interim-interval; X==3 for
> example
>
>  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
> servers configured. Use one of several configs to write the accounting data
> to a robust, replicated database. One way to do this is with the "robust"
> accounting that comes with FreeRADIUS.
>
>  3. Use a script to check your NASes active sessions and compare to
> accounting data at a certain interval.
>
> ...and so on.
>


Hi,

Very good & elaborate response, it also helped me. Quality of information
was superb. Thanks, man
RM --

Re: radiusd starts but rejects test user

2013-02-15 Thread Russell Mike
On Fri, Feb 15, 2013 at 3:50 PM,  wrote:

> Hi,
>
> >I am new to radius. I have installed the freeradius to my linux and
> after
> >starting radiusd -X
> >I executed radtest tool for testing as below but it could not get
> >authenticated and Access-Reject returned.
> >$ radtest testing password localhost 0 testing123
> >Can any one plz help me in fixing this issue?  below is radtest and
> >radiusd log in debug mode.
> >/root>radtest testing password 127.0.0.1 0 testing123
> >Sending Access-Request of id 251 to 127.0.0.1 port 1812
> >User-Name = "testing"
> >User-Password = "password"
> >NAS-IP-Address = 127.0.1.1
> >NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251,
> >length=20
>
> I *assume* that you put
>
> testing Cleartext-Password := "password"
>
> at the top of the $RADDB/users  file?
>
>
> alan
> -
>
>

Hi,
You might have seen the error in debug. As Alan indicated, it is an
authentication problem. He has also told you the solution.

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT

Thanks
RM --

Re: DHCP reply don't go out

2013-02-12 Thread Russell Mike
Is there any layer 3 device between the client and the DHCP server? Then you
need a DHCP relay agent; if that is not the case, check the firewall.
Thanks

On Tuesday, February 12, 2013, Michele Pinassi wrote:

> Hi all,
>
> I've just installed a FreeRadius server 2.2.0 with DHCP support because
> I need a dhcp server that uses MySQL as a backend.
>
> My network topology is:
>
> eth0  inet addr:193.205.4.xxx [PUBLIC]
> eth1  inet addr:172.20.1.2 [PRIVATE]
>
> all dhcp requests and reply should come from eth1. Here is freeradius -X
> dump:
>
> FreeRADIUS Version 2.2.0, for host i486-pc-linux-gnu, built on Sep 20
> 2012 at 13:37:59
> Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...

Re: Load Balancing Issue

2013-02-12 Thread Russell Mike
There are many different things you are talking about at the same time.

You want to increase the response time of auth. Is your database indexed?
Thanks

On Tuesday, February 12, 2013, Muhammad Nadeem wrote:

> thanks alan
> Actually I am using load balancing for rapid authentication of users. Let's
> suppose I have one proxy server that is proxying incoming requests to these
> five servers. Theoretically the speed of authentication should be fast. But
> in case of mine it is too slow.
> I have changed 'max_requests' in radiusd.config. And also removed
> unnecessary processing on radius server (that is proxying requests). Now
> tell me what else can I do?? :(
>
> Though I am a newbie in RADIUS, but I think Proxy server is the
> bottleneck???
>
>
> On Tue, Feb 12, 2013 at 1:44 PM, <a.l.m.bu...@lboro.ac.uk> wrote:
>
>> Hi,
>>
>> >I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the
>> speed
>> >of user authentication. To achieve this I configured Load Balancing
>> (with
>> >realms). I have a proxy Freeradius server, that is just proxying
>> requests
>> >to 2 other freeradius servers.
>>
>> you only asked this question less than 2 hours ago.
>>
>> okay, you need to see why the proxy is causing a x3 factor in slowdown?
>> run the servers in full debug mode with timestamps and check to see
>> where your delay is. don't throw 10 million requests at it though, just
>> a dozen should be enough in the first instance to see where the hit is.
>> I'd assume that you haven't made any configuration changes or tweaked
>> any configs... in which case your proxy box is probably not ready to be
>> dealing with that many in transit requests (whereas the authentication
>> servers can handle multiple requests per thread) - so, some basic
>> tweaking will probably do something
>>
>> ..though I think you've already found that you don't need to load-balance
>> ;-)
>>
>> alan
>>
>
>
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
>

Re: free radius output attributes configuration

2013-02-06 Thread Russell Mike
What are output attributes?


On Wed, Feb 6, 2013 at 10:19 AM, Lakshmi Narayana Baliah <
lb0074...@techmahindra.com> wrote:

> Hi All,
>
> How can configure output attributes in free-radius?
> How do i do that ??? please help
>
>
> Thanks
> Lakshmi
>

Re: Realm

2013-01-23 Thread Russell Mike
On Wed, Jan 23, 2013 at 2:47 PM, Miha  wrote:

>  Hi,
>
> my radius client is sending with user-name and password also realm. I can
> not disable sending realm, is it possible to configure radius that will not
> use realm with user-name (user-name@realm)?
>
> I only know that it is a function of proxy (realm), if that helps. Are you
> including proxy.conf?
>

R M

Re: Usage Limit and Accounting Plan

2013-01-22 Thread Russell Mike
On Tue, Jan 22, 2013 at 10:17 AM, Sokphak TOUCH wrote:

> Thanks Russell for your response. It would be much appreciated if you can
> share some documents. In the meantime I will be doing research about it.
>
> Regards,
> Sokphak
>
> Understand the concept here, it is very easy with FreeRadius
http://wiki.freeradius.org/modules/Rlm_sqlcounter
Thanks



Re: Usage Limit and Accounting Plan

2013-01-22 Thread Russell Mike
1. I need to limit the user monthly usage, for example bandwidth 2Mbps with
5GB monthly usage.

1a.) You would not need a script; you need "RLM SQLCOUNTER" to limit
daily/weekly/monthly traffic quota.
1b.) You need to control the bandwidth using radius and radius client
attributes, such as WISPr-Bandwidth-Max-Down; WISPr-Bandwidth-Max-Up

Thanks