Proxy radius
Hi,

Can the proxy radius return an additional attribute to the NAS apart from the attributes returned by the actual radius server? I have a situation where the actual radius server only returns the frame-IP-address and netmask in Access-Accept, and we need the frame-Pools (mikrotik library) as well in order to have IP pool selection based on user profile, i.e. public users will get the public IP whereas private users will secure the private IP pool. The problem is that the administrator of the actual radius server may not want to add a new attribute for all the users in their DB for whatever reason, and we are still trying to find a way to inject the Frame-Pool attribute based on the realm of the login id.

Looking for your kind assistance in this matter.

Cheers, CK

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius with mysql issue
Hi All,

Need help a bit. I've several freeradius (2.x) servers with mysql as backend running for several services. Lately I noticed that one of the radius servers will accept any password so long as the user account exists in radcheck. Still trying to trace where the problem is, and would appreciate it if someone can share with me, if any.

Cheers, CK
Re: Radius with mysql issue
OK, I think I know what the problem is: I noticed the operator of User-Password is set to :=, and when I changed it to ==, it works fine and a wrong password would be rejected. Can someone confirm this?

Regards CK

On 09/02/2011 04:29 PM, cktan wrote:
> Hi All, Need help a bit. I've several freeradius (2.x) servers with mysql as backend running for several services. Lately I noticed that one of the radius servers will accept any password so long as the user account exists in radcheck. Still trying to trace where the problem is, and would appreciate it if someone can share with me, if any. Cheers, CK
Re: Radius with mysql issue
I've conducted another test on another machine, and the result is the same: whenever the OP for User-Password is :=, the password would not be checked. Changed to == then OK. By the way, my FR is running on 2.1.7-7.

CK

On 09/02/2011 05:27 PM, Alan Buxey wrote:
> Hi,
>> OK, I think I know what the problem is: I noticed the operator of User-Password is set to :=, and when I changed it to ==, it works fine and a wrong password would be rejected. Can someone confirm this?
> it should be := and in fact it should be Cleartext-Password := (though that's if you are running a reasonably up to date FR version)
> alan
Re: Radius with mysql issue
Tested on a 3rd FR (same 2.1.7-7), both OPs (:= ==) work fine. Would it be my configuration error? Hereby confirmed op == is working fine but not for :=. Any difference between using := and ==?

CK

On 09/02/2011 05:36 PM, cktan wrote:
> I've conducted another test on another machine, and the result is the same: whenever the OP for User-Password is :=, the password would not be checked. Changed to == then OK. By the way, my FR is running on 2.1.7-7. CK
> On 09/02/2011 05:27 PM, Alan Buxey wrote:
>> Hi,
>>> OK, I think I know what the problem is: I noticed the operator of User-Password is set to :=, and when I changed it to ==, it works fine and a wrong password would be rejected. Can someone confirm this?
>> it should be := and in fact it should be Cleartext-Password := (though that's if you are running a reasonably up to date FR version)
>> alan
send radius.log to mysql
Dear all,

I'm looking for a possibility to inject the log from radius.log into a mysql DB for monitoring purposes. Any better suggestion? I tried with Syslog-NG and it just won't send radius.log to my syslog server but only the system log...

Regards CK
Re: send radius.log to mysql
The main reason is to monitor the login activity for my radius server, i.e. Login Accept, Reject or Deny.

cktan wrote:
> Dear all, I'm looking for a possibility to inject the log from radius.log into a mysql DB for monitoring purposes. Any better suggestion? I tried with Syslog-NG and it just won't send radius.log to my syslog server but only the system log... Regards CK
Re: send radius.log to mysql
Hi G,

Thanks for your suggestion. I just noticed I can log a post-auth reject message into sql and it works fine for me. However, it is only for the Reject message but for the Denied message where the user account's attribute is set to deny. Is it possible for post-auth to log the Denied message?

Regards cK

Gideon le Grange wrote:
> On 17 Dec 2010, at 11:13 AM, cktan wrote:
>> I'm looking for a possibility to inject the log from radius.log into a mysql DB for monitoring purposes. Any better suggestion? I tried with Syslog-NG and it just won't send radius.log to my syslog server but only the system log...
> Have a look at rsyslog http://www.rsyslog.com/
> G
Re: MPD : mpd-drop-user
Hi Mike,

Do you mind sharing with us how it works and where you got the python middleware? Thanks in advance.

Mike Tkachuk wrote:
> Hello cktan, I use 'mpd-drop-user' and it is working ok, but I have a python middleware that actually adds this in the accounting response, not using freeradius SQL.
> Monday, November 30, 2009 11:51:46 AM, you wrote:
>> Dear all, Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user. We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us. Looking for your kind information in this matter. Thanks in advance.
> -- Mike Tkachuk
Re: MPD : mpd-drop-user
Dear Ivan Kalik,

Can you share with me how to add vendor attributes in the Acct Response Packet?

Regards

t...@kalik.net wrote:
>> I read some information saying it is possible to insert attributes in the Accounting Response Packet, but the RFC said almost no attribute will be injected into the response packet.
> No, it says that there is no need for any attribute in it. You can add vendor specific attributes.
> Ivan Kalik
Re: Remote access control in freeradius with mysql
Dear all,

Problem solved. Using the Auth-Type attribute in the radcheck table solved the problem. Cheers.

cktan wrote:
> Dear all, I've a freeradius server running with LDAP for Authentication and Authorization, whereas Accounting is running on Mysql. It is working well at the moment and I'm looking to migrate from LDAP to run fully in Mysql. The question is that I need to have control over remote access for certain users. In LDAP, I used to have the dialupAccess attribute to control access for a user and I can't find it in Mysql. I came across the radreply table but am not sure which attribute I should use to authorize a user's access. Looking for your kind information in this matter. Regards
MPD : mpd-drop-user
Dear all,

Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user.

We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us.

Looking for your kind information in this matter. Thanks in advance.
Re: {Disarmed} Re: mpd-drop-user
Dear Charles,

Thanks for your suggestion. In fact I have a last option whereby I will write a simple telnet session to terminate the session if the usage is over. However, I'm looking to have this option work if possible.

cheers

Charles wrote:
> Hi cktan, Was looking for a similar solution and never made it work. Basically, in my setup I have users buy airtime for using the internet. I also sell access to video clips; when a user downloads a video clip, an entry is made in the radacct table. What I wanted is for the NAS to re-authenticate every minute to check if more entries were added to the radacct table. My solution was to use M0n0wall as my NAS; it has an option in the captive portal where you set it to re-authenticate every minute and to disconnect if the user has no more credit left. I hope this helps. Charles
> - Original Message -
> From: cktan mailto:ck...@ocesb.com.my
> To: FreeRadius users mailing list mailto:freeradius-users@lists.freeradius.org
> Sent: Monday, November 30, 2009 11:51 AM
> Subject: MPD : mpd-drop-user
>> Dear all, Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user. We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us. Looking for your kind information in this matter. Thanks in advance.
Re: MPD : mpd-drop-user
Dear Ivan Kalik,

This is what I thought as well. However, I read somewhere that MPD supports this option, but with no details on where to put this attribute.

Regards

t...@kalik.net wrote:
>> Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user. We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us. Looking for your kind information in this matter.
> Read what you wrote in the first paragraph. Attribute works when sent in accounting reply to update packet. radreply table is used for authentication not accounting. You will have to figure out a way of adding this to the accounting reply using unlang or perl (if conditions are more complicated).
> Ivan Kalik
Re: MPD : mpd-drop-user
Ok, I noted there is ext-accounting script support in MPD and it should do some checking against the mpd-drop-user information and take action accordingly. Trying to locate a sample of the script now.

CK

t...@kalik.net wrote:
> If what you have written is correct (and it does make sense) - to Accounting-Response packet.
> Ivan Kalik
>> This is what I thought as well. However, I read somewhere that MPD supports this option, but with no details on where to put this attribute. Regards
>> t...@kalik.net wrote:
>>>> Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user. We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us. Looking for your kind information in this matter.
>>> Read what you wrote in the first paragraph. Attribute works when sent in accounting reply to update packet. radreply table is used for authentication not accounting. You will have to figure out a way of adding this to the accounting reply using unlang or perl (if conditions are more complicated).
>>> Ivan Kalik
Re: MPD : mpd-drop-user
Dear Ivan,

I read some information saying it is possible to insert attributes in the Accounting Response Packet, but the RFC said almost no attribute will be injected into the response packet. There is also a user (@ year 2005) who changed some code in rpm_sql to do a query during the accounting update as well, to check the termination status and respond back to the NAS for session termination.

For MPD, as long as it receives a radius reply and notes that the value of the mpd-drop-user attribute is non-zero, it will just disconnect the user session.

Any better suggestion from you? Thanks in advance.

cktan wrote:
> Ok, I noted there is ext-accounting script support in MPD and it should do some checking against the mpd-drop-user information and take action accordingly. Trying to locate a sample of the script now. CK
> t...@kalik.net wrote:
>> If what you have written is correct (and it does make sense) - to Accounting-Response packet.
>> Ivan Kalik
>>> This is what I thought as well. However, I read somewhere that MPD supports this option, but with no details on where to put this attribute. Regards
>>> t...@kalik.net wrote:
>>>>> Has anyone tried this attribute mpd-drop-user in freeradius with Mysql? MPD supports this attribute to check the status of the account when it updates the accounting, and if the value of this attribute becomes non-zero, it will disconnect the session for the user. We use MPD to set up a PPPoE server with freeradius to provide authentication to users, and we have come across the need to drop the session if the user's account is suspended, but we have had no luck making it work. Currently we try to put this attribute in the radreply table and it doesn't work for us. Looking for your kind information in this matter.
>>>> Read what you wrote in the first paragraph. Attribute works when sent in accounting reply to update packet. radreply table is used for authentication not accounting. You will have to figure out a way of adding this to the accounting reply using unlang or perl (if conditions are more complicated).
>>>> Ivan Kalik
Remote access control in freeradius with mysql
Dear all,

I've a freeradius server running with LDAP for Authentication and Authorization, whereas Accounting is running on Mysql. It is working well at the moment and I'm looking to migrate from LDAP to run fully in Mysql.

The question is that I need to have control over remote access for certain users. In LDAP, I used to have the dialupAccess attribute to control access for a user and I can't find it in Mysql. I came across the radreply table but am not sure which attribute I should use to authorize a user's access.

Looking for your kind information in this matter.

Regards
Re: Freeradius LDAP weird login issue
Dear Alan,

Tested with radius 2.1.1, the bug was fixed. Thanks.

Alan DeKok wrote:
>> cktan wrote: Previously freeradius was installed using yum (Centos 4.0) and I just did a yum search for freeradius and no new update is available. If I get the latest RPM and install it manually, will the current configuration be able to work with the latest freeradius? I'm a bit worried about upgrading the RPM on the fly as this server is currently in production. Looking for your advice in this matter.
> You will need to upgrade your configuration manually, and test it before making it live.
> Alan DeKok.
Freeradius LDAP weird login issue
Hi all,

I've been using freeradius+LDAP for PPPoE dialup access control for a while. Lately I noticed a weird issue whereby a user logs in with the username user=5c=5c=5c=5cu...@domain and surprisingly freeradius allows the login although the actual username should be u...@domain. I've run radius in -X mode and captured the log for your reference below.

In radiusd -X, we noticed the server received an Access-Request with username user=5c=5c=5c=5cu...@domain, but when it reaches radius_xlat, the uid becomes user only, and when it queries my LDAP the account for user is available and it accepts the access request. The question is why user=5C=5C=5C=5Cuser = user? We tried the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take it as u...@domain.

After login, the username in radacct will be user=5c=5c=5c=5cu...@domain instead of u...@domain. As a consequence, a smart user may have multiple logins (by using user=1C/2C/3C) and the records in radacct are different, and therefore we lose control over multiple logins with a single account. Any idea how to fix this?

    rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
        User-Name = user=5c=5c=5c=5cu...@domain
        User-Password = password
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
    rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
    radius_xlat: '(uid=user)'

Regards
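A log check for the mismatch described in this post, as an added example that is not part of the original message: it parses `radiusd -X` output, pairs each Access-Request's User-Name with the uid in the LDAP filter printed by radius_xlat, and reports requests where the two differ as well as uids reached under more than one User-Name spelling. The sample lines and the example.test realm are constructed, modelled on the excerpt above, and the `=XX` pattern check is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `radiusd -X` excerpt in the post;
# the example.test realm and the requests with id 86 and 88 are made up.
SAMPLE_DEBUG = '''\
rad_recv: Access-Request packet from host 127.0.0.1:32876, id=86, length=75
    User-Name = "alice@example.test"
    User-Password = "password"
rlm_ldap: performing user authorization for alice
radius_xlat:  '(uid=alice)'
rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
    User-Name = "user=5c=5c=5c=5cuser@example.test"
    User-Password = "password"
rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
radius_xlat:  '(uid=user)'
rad_recv: Access-Request packet from host 127.0.0.1:32878, id=88, length=74
    User-Name = "user@example.test"
    User-Password = "password"
rlm_ldap: performing user authorization for user
radius_xlat:  '(uid=user)'
'''

REQUEST_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
NAME_RE = re.compile(r'^\s*User-Name = "?(.*?)"?\s*$')
FILTER_RE = re.compile(r"^radius_xlat:\s*'\(uid=([^)]*)\)'")
ESCAPE_RE = re.compile(r"=[0-9A-Fa-f]{2}")  # heuristic: "=5c"-style sequences


def parse_lookups(debug_text):
    """Return (packet id, User-Name, LDAP uid) for each Access-Request."""
    lookups, packet_id, user_name = [], None, None
    for line in debug_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            packet_id, user_name = int(m.group(1)), None
            continue
        if packet_id is None:
            continue
        m = NAME_RE.match(line)
        if m and user_name is None:
            user_name = m.group(1)
            continue
        m = FILTER_RE.match(line)
        if m and user_name is not None:
            lookups.append((packet_id, user_name, m.group(1)))
            packet_id = None  # only the first filter after a request counts
    return lookups


def find_mismatches(lookups):
    """Flag requests whose LDAP uid is not the User-Name's local part."""
    findings = []
    for packet_id, user_name, uid in lookups:
        reasons = []
        if uid != user_name.split("@", 1)[0]:
            reasons.append("ldap-uid-differs-from-user-name")
        if ESCAPE_RE.search(user_name):
            reasons.append("escape-sequence-in-user-name")
        if reasons:
            findings.append((packet_id, user_name, uid, reasons))
    return findings


def aliased_uids(lookups):
    """Map each uid that was reached under several User-Name spellings."""
    names = defaultdict(set)
    for _, user_name, uid in lookups:
        names[uid].add(user_name)
    return {uid: sorted(n) for uid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    parsed = parse_lookups(SAMPLE_DEBUG)
    for finding in find_mismatches(parsed):
        print("MISMATCH", finding)
    for uid, spellings in aliased_uids(parsed).items():
        print("ALIASES", uid, spellings)
```

The aliases report is the part that matters for simultaneous-use control: every spelling listed for one uid produces its own radacct User-Name.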
Re: Freeradius LDAP weird login issue
Dear Alan,

The freeradius version is Version 1.0.1. I will try to upgrade to the latest version to see whether that fixes it. Thanks for your suggestion.

Regards

Alan DeKok wrote:
>> cktan wrote: Hi all, I've been using freeradius+LDAP for PPPoE dialup access control for a while. Lately I noticed a weird issue whereby a user logs in with the username user=5c=5c=5c=5cu...@domain and surprisingly freeradius allows the login although the actual username should be u...@domain.
> FreeRADIUS receives the User-Name that the NAS sends it, and asks LDAP if it's OK.
>> I've run radius in -X mode and captured the log for your reference below. In radiusd -X, we noticed the server received an Access-Request with username user=5c=5c=5c=5cu...@domain, but when it reaches radius_xlat, the uid becomes user only, and when it queries my LDAP the account for user is available and it accepts the access request.
> The radius_xlat doesn't delete '=5C' from the User-Name.
>> The question is why user=5C=5C=5C=5Cuser = user?
> If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is because they are trying to cheat you.
>> We tried the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take it as u...@domain.
> I'm not sure I agree.
>> After login, the username in radacct will be user=5c=5c=5c=5cu...@domain instead of u...@domain. As a consequence, a smart user may have multiple logins (by using user=1C/2C/3C) and the records in radacct are different, and therefore we lose control over multiple logins with a single account. Any idea how to fix this?
> Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago. Upgrade to 2.1.6, and the problem will go away.
> Alan DeKok.
Re: Freeradius LDAP weird login issue
Hi Alan,

Previously freeradius was installed using yum (Centos 4.0) and I just did a yum search for freeradius and no new update is available. If I get the latest RPM and install it manually, will the current configuration be able to work with the latest freeradius? I'm a bit worried about upgrading the RPM on the fly as this server is currently in production.

Looking for your advice in this matter.

Regards

cktan wrote:
> Dear Alan, The freeradius version is Version 1.0.1. I will try to upgrade to the latest version to see whether that fixes it. Thanks for your suggestion. Regards
> Alan DeKok wrote:
>>> cktan wrote: Hi all, I've been using freeradius+LDAP for PPPoE dialup access control for a while. Lately I noticed a weird issue whereby a user logs in with the username user=5c=5c=5c=5cu...@domain and surprisingly freeradius allows the login although the actual username should be u...@domain.
>> FreeRADIUS receives the User-Name that the NAS sends it, and asks LDAP if it's OK.
>>> I've run radius in -X mode and captured the log for your reference below. In radiusd -X, we noticed the server received an Access-Request with username user=5c=5c=5c=5cu...@domain, but when it reaches radius_xlat, the uid becomes user only, and when it queries my LDAP the account for user is available and it accepts the access request.
>> The radius_xlat doesn't delete '=5C' from the User-Name.
>>> The question is why user=5C=5C=5C=5Cuser = user?
>> If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is because they are trying to cheat you.
>>> We tried the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take it as u...@domain.
>> I'm not sure I agree.
>>> After login, the username in radacct will be user=5c=5c=5c=5cu...@domain instead of u...@domain. As a consequence, a smart user may have multiple logins (by using user=1C/2C/3C) and the records in radacct are different, and therefore we lose control over multiple logins with a single account. Any idea how to fix this?
>> Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago. Upgrade to 2.1.6, and the problem will go away.
>> Alan DeKok.