Re: Group ip pools
Nah still not working, works fine if I use radping or whatever that program is and I specify a NAS port. But the NAS port only seems to come through from the NAS on a start request maybe. The port range starts from 0 and increments by 1 per user.

Any ideas?

Barry

----- Original Message -----
From: "Paul Hampson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 02, 2004 2:17 PM
Subject: Re: Group ip pools

> On Sun, Aug 01, 2004 at 02:17:41PM +1200, Barry Murphy wrote:
> > Going forward I have looked at the scripts and it shows that TTY is being
> > used and clients are getting a Nas-Port beginning with 0, then 1 for the
> > second user as shown below.
> >
> > Sun Aug 1 12:00:49 2004
> >     Acct-Session-Id = "410C2FFA01F0"
> >     User-Name = "icepick"
> >     Acct-Status-Type = Start
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     Acct-Authentic = RADIUS
> >     NAS-Port-Type = Async
> >     Framed-IP-Address = 219.88.249.85
> >     NAS-IP-Address = 10.23.19.2
> >     NAS-Port = 0
> >     Acct-Delay-Time = 0
> >     Client-IP-Address = 10.22.19.2
> >     Acct-Unique-Session-Id = "819283b999345e7d"
> >     Timestamp = 1091318449
> >
> > Sun Aug 1 13:26:04 2004
> >     Acct-Session-Id = "410C43DA0201"
> >     User-Name = "neil"
> >     Acct-Status-Type = Start
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     Acct-Authentic = RADIUS
> >     NAS-Port-Type = Async
> >     Framed-IP-Address = 219.88.249.89
> >     NAS-IP-Address = 10.23.19.2
> >     NAS-Port = 1
> >     Acct-Delay-Time = 0
> >     Client-IP-Address = 10.22.19.2
> >     Acct-Unique-Session-Id = "f27a28a784f81cba"
> >     Timestamp = 1091323564
>
> Those are Accounting-Start packets... To assign an address from an
> ippool, the port needs to be present in the Access-Request packet. By
> the time the RADIUS server sees the Accounting-Start packet, the IP
> address needs to've been already transmitted in the Access-Accept
> packet.
>
> On the other hand, it looks like a Framed-IP-Address _is_ being
> assigned... Is this still not working?
>
> --
> Paul "TBBle" Hampson, on an alternate email client.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Group ip pools
On Sun, Aug 01, 2004 at 02:17:41PM +1200, Barry Murphy wrote:
> Going forward I have looked at the scripts and it shows that TTY is being
> used and clients are getting a Nas-Port beginning with 0, then 1 for the
> second user as shown below.
>
> Sun Aug 1 12:00:49 2004
>     Acct-Session-Id = "410C2FFA01F0"
>     User-Name = "icepick"
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.85
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 0
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = "819283b999345e7d"
>     Timestamp = 1091318449
>
> Sun Aug 1 13:26:04 2004
>     Acct-Session-Id = "410C43DA0201"
>     User-Name = "neil"
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.89
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 1
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = "f27a28a784f81cba"
>     Timestamp = 1091323564

Those are Accounting-Start packets... To assign an address from an
ippool, the port needs to be present in the Access-Request packet. By
the time the RADIUS server sees the Accounting-Start packet, the IP
address needs to've been already transmitted in the Access-Accept
packet.

On the other hand, it looks like a Framed-IP-Address _is_ being
assigned... Is this still not working?

--
Paul "TBBle" Hampson, on an alternate email client.
Re: Group ip pools
Going forward I have looked at the scripts and it shows that TTY is being used and clients are getting a Nas-Port beginning with 0, then 1 for the second user as shown below.

Sun Aug 1 12:00:49 2004
    Acct-Session-Id = "410C2FFA01F0"
    User-Name = "icepick"
    Acct-Status-Type = Start
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Acct-Authentic = RADIUS
    NAS-Port-Type = Async
    Framed-IP-Address = 219.88.249.85
    NAS-IP-Address = 10.23.19.2
    NAS-Port = 0
    Acct-Delay-Time = 0
    Client-IP-Address = 10.22.19.2
    Acct-Unique-Session-Id = "819283b999345e7d"
    Timestamp = 1091318449

Sun Aug 1 13:26:04 2004
    Acct-Session-Id = "410C43DA0201"
    User-Name = "neil"
    Acct-Status-Type = Start
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Acct-Authentic = RADIUS
    NAS-Port-Type = Async
    Framed-IP-Address = 219.88.249.89
    NAS-IP-Address = 10.23.19.2
    NAS-Port = 1
    Acct-Delay-Time = 0
    Client-IP-Address = 10.22.19.2
    Acct-Unique-Session-Id = "f27a28a784f81cba"
    Timestamp = 1091323564

Barry

----- Original Message -----
From: "Barry Murphy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 1:39 PM
Subject: Re: Group ip pools

> NTRadPing confirmed what you mentioned, I'm wondering if anyone has managed
> to get debian ppp to send the interface number as the NAS-Port?
>
> i.e. ppp0 would be port 0, ppp1 would be Nas-Port=1 etc. Been googling for
> hours for this and days on this topic and come up with nothing.
>
> A link off http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ shows:
> RADIUS plugin now uses ppp interface number instead of terminal device
> number as NAS-Port value because interface number is guaranteed to be
> unique.
>
> Barry
> ----- Original Message -----
> From: "Kostas Kalevras" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, August 01, 2004 2:42 AM
> Subject: Re: Group ip pools
>
> > On Sat, 31 Jul 2004, Barry Murphy wrote:
> >
> > > Could the problem be because the user is connecting with a "Virtual"
> > > NAS-Port...
> > >
> > > rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74,
> > > length=113
> > >     User-Name = "testing"
> > >     Service-Type = Framed-User
> > >     Framed-Protocol = PPP
> > >     Framed-IP-Address = 192.168.44.59
> > >     Framed-IP-Netmask = 255.255.255.255
> > >     NAS-Identifier = "ns.unix.co.nz"
> > >     NAS-Port-Type = Virtual
> > >     Acct-Status-Type = Start
> > >     Acct-Session-Id = "31558-testing1091264221"
> > >     Acct-Multi-Session-Id = ""
> > >     Acct-Delay-Time = 0
> >
> > The accounting packet does not contain a nas-port attribute. You need to fix
> > that, or rlm_ippool won't work
> >
> > > modcall: group Auth-Type returns ok for request 12
> > > Login OK: [testing] (from client 192.168.4.1 port 0)
> > > modcall: entering group post-auth for request 12
> > > rlm_ippool: Could not find nas port information. Return NOOP.
> > > modcall[post-auth]: module "mainpool" returns noop for request 12
> > > radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
> > >
> > > Barry
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > Work Phone: +30 210 7721861
> > 'Go back to the shadow' Gandalf
Re: Group ip pools
NTRadPing confirmed what you mentioned, I'm wondering if anyone has managed to get debian ppp to send the interface number as the NAS-Port?

i.e. ppp0 would be port 0, ppp1 would be Nas-Port=1 etc. Been googling for hours for this and days on this topic and come up with nothing.

A link off http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ shows:
RADIUS plugin now uses ppp interface number instead of terminal device number as NAS-Port value because interface number is guaranteed to be unique.

Barry

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 2:42 AM
Subject: Re: Group ip pools

> On Sat, 31 Jul 2004, Barry Murphy wrote:
>
> > Could the problem be because the user is connecting with a "Virtual"
> > NAS-Port...
> >
> > rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74,
> > length=113
> >     User-Name = "testing"
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     Framed-IP-Address = 192.168.44.59
> >     Framed-IP-Netmask = 255.255.255.255
> >     NAS-Identifier = "ns.unix.co.nz"
> >     NAS-Port-Type = Virtual
> >     Acct-Status-Type = Start
> >     Acct-Session-Id = "31558-testing1091264221"
> >     Acct-Multi-Session-Id = ""
> >     Acct-Delay-Time = 0
>
> The accounting packet does not contain a nas-port attribute. You need to fix
> that, or rlm_ippool won't work
>
> > modcall: group Auth-Type returns ok for request 12
> > Login OK: [testing] (from client 192.168.4.1 port 0)
> > modcall: entering group post-auth for request 12
> > rlm_ippool: Could not find nas port information. Return NOOP.
> > modcall[post-auth]: module "mainpool" returns noop for request 12
> > radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
> >
> > Barry
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: Group ip pools
It's a pptp connection using debian poptop and ppp. Any ideas?

Thanks
Barry

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 2:42 AM
Subject: Re: Group ip pools

> On Sat, 31 Jul 2004, Barry Murphy wrote:
>
> > Could the problem be because the user is connecting with a "Virtual"
> > NAS-Port...
> >
> > rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74,
> > length=113
> >     User-Name = "testing"
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     Framed-IP-Address = 192.168.44.59
> >     Framed-IP-Netmask = 255.255.255.255
> >     NAS-Identifier = "ns.unix.co.nz"
> >     NAS-Port-Type = Virtual
> >     Acct-Status-Type = Start
> >     Acct-Session-Id = "31558-testing1091264221"
> >     Acct-Multi-Session-Id = ""
> >     Acct-Delay-Time = 0
>
> The accounting packet does not contain a nas-port attribute. You need to fix
> that, or rlm_ippool won't work
>
> > modcall: group Auth-Type returns ok for request 12
> > Login OK: [testing] (from client 192.168.4.1 port 0)
> > modcall: entering group post-auth for request 12
> > rlm_ippool: Could not find nas port information. Return NOOP.
> > modcall[post-auth]: module "mainpool" returns noop for request 12
> > radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
> >
> > Barry
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
Re: Group ip pools
Barry Murphy <[EMAIL PROTECTED]> wrote:
> Could the problem be because the user is connecting with a "Virtual"
> NAS-Port...

Yes. There's nothing in the Access-Request packet which lets the server tell one virtual port from another. The server therefore cannot assign IP addresses, as it has no way of tracking who was assigned what.

Alan DeKok.
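The distinction drawn in the replies above, as an added example that is not part of the original thread: a small Python check over a `radiusd -X` style dump that reports, for each Access-Request, whether NAS-Port is present, missing, or only arrives later in accounting. The sample dump is constructed, and the (NAS identity, NAS-Port) key used in `pool_key` is an assumption about how the pool tracks leases.

```python
import re

# Constructed radiusd -X style dump (not captured traffic); layout follows the thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.4.1:1084, id=73, length=120
    User-Name = "testing"
    NAS-Identifier = "ns.unix.co.nz"
    NAS-Port-Type = Virtual
rad_recv: Access-Request packet from host 10.22.19.2:1030, id=5, length=130
    User-Name = "icepick"
    NAS-IP-Address = 10.23.19.2
rad_recv: Accounting-Request packet from host 10.22.19.2:1030, id=6, length=140
    User-Name = "icepick"
    Acct-Status-Type = Start
    NAS-IP-Address = 10.23.19.2
    NAS-Port = 0
rad_recv: Access-Request packet from host 10.22.19.2:1030, id=7, length=136
    User-Name = "neil"
    NAS-IP-Address = 10.23.19.2
    NAS-Port = 1
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host (\S+?):\d+")
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')

def parse_packets(text):
    """Split a debug dump into packets: {'code', 'src', 'attrs'}."""
    packets = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            packets.append({"code": head.group(1), "src": head.group(2), "attrs": {}})
            continue
        attr = ATTR.match(line)
        if attr and packets:
            packets[-1]["attrs"][attr.group(1)] = attr.group(2)
    return packets

def pool_key(packet):
    """Assumed allocation key: (NAS identity, NAS-Port); None without NAS-Port."""
    attrs = packet["attrs"]
    if "NAS-Port" not in attrs:
        return None  # the case logged as "Could not find nas port information"
    nas = attrs.get("NAS-IP-Address") or attrs.get("NAS-Identifier") or packet["src"]
    return (nas, attrs["NAS-Port"])

def audit(text):
    """Return (user, verdict) for each Access-Request in the dump."""
    packets = parse_packets(text)
    # Users whose NAS-Port is seen in accounting, which is too late for allocation.
    acct_has_port = {p["attrs"].get("User-Name") for p in packets
                     if p["code"] == "Accounting-Request" and pool_key(p)}
    results = []
    for p in packets:
        if p["code"] != "Access-Request":
            continue
        user = p["attrs"].get("User-Name")
        if pool_key(p):
            results.append((user, "ok"))
        elif user in acct_has_port:
            results.append((user, "NAS-Port only in accounting"))
        else:
            results.append((user, "no NAS-Port at all"))
    return results
```
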
Re: Group ip pools
I'm on vacation Aug 2 - 6 and will return to the office on Monday the 9th.

Bruce Friend
Re: Group ip pools
On Sat, 31 Jul 2004 10:44 -0400, Bruce A. Friend wrote:

> I'm on vacation Aug 2 - 6 and will return to the office on Monday the 9th.
>
> Bruce Friend

Bruce,

I assume you'll see this when you return from vacation. Will you please learn how to configure your vacation autoresponder to ignore mailing list messages? Every time a freeradius-users message hits your system, your autoresponder responds to the list address. Surely if you're savvy enough to use radius, you're savvy enough to learn to use your autoresponder correctly.

--
Chip Old (Francis E. Old)             E-Mail: [EMAIL PROTECTED]
Manager, BCPL Network Services        Phone: 410-887-6180
Manager, BCPL.NET Internet Services   FAX: 410-887-2091
320 York Road
Towson, MD 21204 USA
Re: Group ip pools
On Sat, 31 Jul 2004, Barry Murphy wrote:

> Could the problem be because the user is connecting with a "Virtual"
> NAS-Port...
>
> rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74,
> length=113
>     User-Name = "testing"
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Framed-IP-Address = 192.168.44.59
>     Framed-IP-Netmask = 255.255.255.255
>     NAS-Identifier = "ns.unix.co.nz"
>     NAS-Port-Type = Virtual
>     Acct-Status-Type = Start
>     Acct-Session-Id = "31558-testing1091264221"
>     Acct-Multi-Session-Id = ""
>     Acct-Delay-Time = 0

The accounting packet does not contain a nas-port attribute. You need to fix that, or rlm_ippool won't work

> modcall: group Auth-Type returns ok for request 12
> Login OK: [testing] (from client 192.168.4.1 port 0)
> modcall: entering group post-auth for request 12
> rlm_ippool: Could not find nas port information. Return NOOP.
> modcall[post-auth]: module "mainpool" returns noop for request 12
> radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
>
> Barry

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Group ip pools
Could the problem be because the user is connecting with a "Virtual" NAS-Port...

rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74, length=113
    User-Name = "testing"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.44.59
    Framed-IP-Netmask = 255.255.255.255
    NAS-Identifier = "ns.unix.co.nz"
    NAS-Port-Type = Virtual
    Acct-Status-Type = Start
    Acct-Session-Id = "31558-testing1091264221"
    Acct-Multi-Session-Id = ""
    Acct-Delay-Time = 0

modcall: group Auth-Type returns ok for request 12
Login OK: [testing] (from client 192.168.4.1 port 0)
modcall: entering group post-auth for request 12
rlm_ippool: Could not find nas port information. Return NOOP.
modcall[post-auth]: module "mainpool" returns noop for request 12
radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'

Barry

----- Original Message -----
From: "Barry Murphy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 31, 2004 7:26 PM
Subject: Re: Group ip pools

> I'm guessing I can just use ip pools from the radius.conf which I have tried
> to do but it isn't working...
>
> ippool mainpool {
>     range-start = 219.88.249.73
>     range-stop = 219.88.249.80
>     netmask = 255.255.255.255
>     cache-size = 800
>     session-db = ${raddbdir}/db.ippool
>     ip-index = ${raddbdir}/db.ipindex
>     override = no
> }
>
> under accounting{} I have added mainpool
> under post-auth {} I have also added mainpool
>
> I've added the following to sql on radgroupcheck
> testing Pool-Name := mainpool
>
> radius -X (
> rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 0
> rlm_mschap: doing MS-CHAPv2 with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> modcall[authenticate]: module "mschap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Login OK: [testing] (from client 192.168.4.1 port 0)
> modcall: entering group post-auth for request 0
> rlm_ippool: Could not find nas port information. Return NOOP.
> modcall[post-auth]: module "mainpool" returns noop for request 0
> radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
>
> Thanks
> Barry
>
> ----- Original Message -----
> From: "Barry Murphy" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, July 31, 2004 6:14 PM
> Subject: Group ip pools
>
> > Hi,
> >
> > I'm trying to setup ippools on a per group basis, I tried examples from the
> > below and couldn't get it to work. Any ideas?
> >
> > http://lists.cistron.nl/pipermail/freeradius-users/2001-August/001482.html
> > >DEFAULT Group == "dialupnf", Auth-Type := System
> > >    Service-Type == Framed-User,
> > >    Framed-IP-Address = 10.10.10.1+,
> > >    Fall-Through = No
> >
> > http://listserver.uk.freebsd.org/pipermail/freebsd-users/2003-May/007864.html
> > > robing Auth-Type := Local, User-Password == "password"
> > >    Service-Type = Framed-User,
> > >    Framed-Protocol = PPP,
> > >    Framed-IP-Address = 195.8.182.0,
> > >    Framed-IP-Netmask = 255.255.255.0,
Re: Group ip pools
I'm guessing I can just use ip pools from the radius.conf which I have tried to do but it isn't working...

ippool mainpool {
    range-start = 219.88.249.73
    range-stop = 219.88.249.80
    netmask = 255.255.255.255
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
}

under accounting{} I have added mainpool
under post-auth {} I have also added mainpool

I've added the following to sql on radgroupcheck
testing Pool-Name := mainpool

radius -X (
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [testing] (from client 192.168.4.1 port 0)
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
modcall[post-auth]: module "mainpool" returns noop for request 0
radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'

Thanks
Barry

----- Original Message -----
From: "Barry Murphy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 31, 2004 6:14 PM
Subject: Group ip pools

> Hi,
>
> I'm trying to setup ippools on a per group basis, I tried examples from the
> below and couldn't get it to work. Any ideas?
>
> http://lists.cistron.nl/pipermail/freeradius-users/2001-August/001482.html
> >DEFAULT Group == "dialupnf", Auth-Type := System
> >    Service-Type == Framed-User,
> >    Framed-IP-Address = 10.10.10.1+,
> >    Fall-Through = No
>
> http://listserver.uk.freebsd.org/pipermail/freebsd-users/2003-May/007864.html
> > robing Auth-Type := Local, User-Password == "password"
> >    Service-Type = Framed-User,
> >    Framed-Protocol = PPP,
> >    Framed-IP-Address = 195.8.182.0,
> >    Framed-IP-Netmask = 255.255.255.0,
Group ip pools
Hi,

I'm trying to setup ippools on a per group basis, I tried examples from the below and couldn't get it to work. Any ideas?

http://lists.cistron.nl/pipermail/freeradius-users/2001-August/001482.html
>DEFAULT Group == "dialupnf", Auth-Type := System
>    Service-Type == Framed-User,
>    Framed-IP-Address = 10.10.10.1+,
>    Fall-Through = No

http://listserver.uk.freebsd.org/pipermail/freebsd-users/2003-May/007864.html
> robing Auth-Type := Local, User-Password == "password"
>    Service-Type = Framed-User,
>    Framed-Protocol = PPP,
>    Framed-IP-Address = 195.8.182.0,
>    Framed-IP-Netmask = 255.255.255.0,