IP Pools How ?
Hello;

New to this great mailing list and the whole Linux world, so please bear with me. :)

I'm using FreeRADIUS Version 1.1.7 with Fedora Core 10, and my FreeRADIUS frontend is DMA Softlabs Radius Manager. http://www.dmasoftlab.com/cont/home

My clients are authenticating through distributed remote PPPoE servers on a wireless network. I want to use the FreeRADIUS IP pool functionality to assign dynamic public IPs to customers, since my frontend doesn't support that feature. Is there a step-by-step approach on how to do it? Is just modifying the radius.conf and users file enough? Do I have to create any SQL tables for this?

Thanks and greetings from Northern Cyprus

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP Pools How ?
Hi Dogus:

In addition to the radiusd.conf and users file config that I assume you've already figured out, you have to define the pool names in raddb/default if you're going to use any pool name other than main_pool, i.e.:

        #  Return an address to the IP Pool when we see a stop record.
        #       main_pool
                custom_pool

Here I commented out main_pool and defined two new ones, which I configured in radiusd.conf:

        ippool custom_pool {
                range-start = 192.168.99.101
                range-stop = 192.168.99.253
                netmask = 255.255.255.0
                cache-size = 251
                session-db = ${db_dir}/db.custom_ippool
                ip-index = ${db_dir}/db.custom_ipindex
                override = yes
        }

Then in users:

        DEFAULT Group == vpn_users, Pool-Name := custom_pool
                Framed-Protocol == PPP,
                Framed-Compression = Van-Jacobson-TCP-IP

Where vpn_users is a unix group on the radius server. Make sure to remove the db.* files any time you make changes to the pool addresses. You can define as many pools as you want like this. It's not all readily apparent in any docs I found (at least not the first part), but there are examples for the pools in radiusd.conf and users file.

HTH,

On Tue, 23 Jun 2009, Dogus Yalman wrote:

> Hello;
>
> New to this great mailing list and the whole Linux world, so please bear with me. :)
>
> I'm using FreeRADIUS Version 1.1.7 with Fedora Core 10, and my FreeRADIUS frontend is DMA Softlabs Radius Manager. http://www.dmasoftlab.com/cont/home
>
> My clients are authenticating through distributed remote PPPoE servers on a wireless network. I want to use the FreeRADIUS IP pool functionality to assign dynamic public IPs to customers, since my frontend doesn't support that feature. Is there a step-by-step approach on how to do it? Is just modifying the radius.conf and users file enough? Do I have to create any SQL tables for this?
>
> Thanks and greetings from Northern Cyprus

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am
http://3.am
Re: R: R: freeradius and IP pools
> Mon Dec 15 10:38:11 2008 : Info: No Pool-Name defined (did cli port user us...@without_ip)
>
> Technically the authentication works fine, I only want to understand if I can avoid this message.

Don't log it. You will need to alter the code for that.

Ivan Kalik
Kalik Informatika ISP
R: R: freeradius and IP pools
-----Original Message-----
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org [mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On behalf of t...@kalik.net
Sent: Friday, 12 December 2008 18.00
To: FreeRadius users mailing list
Subject: Re: R: freeradius and IP pools

> > OK. I have in proxy.conf:
> >
> > realm with_ip {
> >         authhost = LOCAL
> >         accthost = LOCAL
> > }
> > realm without_ip {
> >         authhost = LOCAL
> >         accthost = LOCAL
> > }
> >
> > Next I have mysql tables containing usernames:
> >
> > mysql> select * from radcheck;
> > +----+----------+---------+--------------------+----+-------+
> > | id | username | realm   | attribute          | op | value |
> > +----+----------+---------+--------------------+----+-------+
> > |  1 | user     | with_ip | Cleartext-Password | := | ip    |
> > +----+----------+---------+--------------------+----+-------+
> >
> > mysql> select * from radgroupcheck;
> > +----+-------------+-----------+----+---------+
> > | id | groupname   | attribute | op | value   |
> > +----+-------------+-----------+----+---------+
> > |  1 | withipgroup | Pool-Name | := | ip_pool |
> > +----+-------------+-----------+----+---------+
> >
> > mysql> select * from radippool;
> > +----+-----------+-----------------+
> > | id | pool_name | framedipaddress |
> > +----+-----------+-----------------+
> > |  1 | ip_pool   | 10.0.0.1        |
> > |  2 | ip_pool   | 10.0.0.2        |
> > +----+-----------+-----------------+
> >
> > mysql> select * from radusergroup;
> > +----------+---------+-------------+----------+
> > | username | realm   | groupname   | priority |
> > +----------+---------+-------------+----------+
> > | user     | with_ip | withipgroup |        1 |
> > +----------+---------+-------------+----------+
> >
> > That's good for ip-provided users and it works. But I need to understand how to configure the second user, the without-ip one.
>
> Make just radcheck entry for that one.
>
> Ivan Kalik
> Kalik Informatika ISP

I configured user2 in radcheck table

+----+----------+------------+--------------------+----+-------+
| id | username | realm      | attribute          | op | value |
+----+----------+------------+--------------------+----+-------+
|  1 | user1    | with_ip    | Cleartext-Password | := | ip    |
|  2 | user2    | without_ip | Cleartext-Password | := | noip  |
+----+----------+------------+--------------------+----+-------+

without group membership for this user2. In radius.log I see this message:

Mon Dec 15 10:38:11 2008 : Info: No Pool-Name defined (did cli port user us...@without_ip)

Technically the authentication works fine, I only want to understand if I can avoid this message.

Thanks,
Arrigo.
Re: R: freeradius and IP pools
If both users are the same, it is better to configure just one user and make checks stripping the realm.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tel: 968367590
Fax: 968398337
freeradius and IP pools
Hi.

I need to use freeradius in multiple ways. I mean: based on realm, I need to assign or not an IP address. For example:

u...@with_ip has to receive an IP from configured RADIPPOOL table
u...@without_ip has only to be authenticated (a user who logs in to a portal, for example).

How can I make it possible? Where can I set up this behaviour?

Thanks.
Arrigo.
Re: freeradius and IP pools
> For example:
>
> u...@with_ip has to receive an IP from configured RADIPPOOL table
> u...@without_ip has only to be authenticated (a user who logs in to a portal, for example).
>
> How can I make it possible? Where can I set up this behaviour?

Create those realms as local realms in proxy.conf. Put:

DEFAULT Realm == with_ip, Pool-Name := your_pool_name

in users file.

Ivan Kalik
Kalik Informatika ISP
R: freeradius and IP pools
OK. I have in proxy.conf:

realm with_ip {
        authhost = LOCAL
        accthost = LOCAL
}
realm without_ip {
        authhost = LOCAL
        accthost = LOCAL
}

Next I have mysql tables containing usernames:

mysql> select * from radcheck;
+----+----------+---------+--------------------+----+-------+
| id | username | realm   | attribute          | op | value |
+----+----------+---------+--------------------+----+-------+
|  1 | user     | with_ip | Cleartext-Password | := | ip    |
+----+----------+---------+--------------------+----+-------+

mysql> select * from radgroupcheck;
+----+-------------+-----------+----+---------+
| id | groupname   | attribute | op | value   |
+----+-------------+-----------+----+---------+
|  1 | withipgroup | Pool-Name | := | ip_pool |
+----+-------------+-----------+----+---------+

mysql> select * from radippool;
+----+-----------+-----------------+
| id | pool_name | framedipaddress |
+----+-----------+-----------------+
|  1 | ip_pool   | 10.0.0.1        |
|  2 | ip_pool   | 10.0.0.2        |
+----+-----------+-----------------+

mysql> select * from radusergroup;
+----------+---------+-------------+----------+
| username | realm   | groupname   | priority |
+----------+---------+-------------+----------+
| user     | with_ip | withipgroup |        1 |
+----------+---------+-------------+----------+

That's good for ip-provided users and it works. But I need to understand how to configure the second user, the without-ip one.

Arrigo

-----Original Message-----
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org [mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On behalf of t...@kalik.net
Sent: Friday, 12 December 2008 17.02
To: FreeRadius users mailing list
Subject: Re: freeradius and IP pools

> For example:
>
> u...@with_ip has to receive an IP from configured RADIPPOOL table
> u...@without_ip has only to be authenticated (a user who logs in to a portal, for example).
>
> How can I make it possible? Where can I set up this behaviour?

Create those realms as local realms in proxy.conf. Put:

DEFAULT Realm == with_ip, Pool-Name := your_pool_name

in users file.

Ivan Kalik
Kalik Informatika ISP
Re: R: freeradius and IP pools
> OK. I have in proxy.conf:
>
> realm with_ip {
>         authhost = LOCAL
>         accthost = LOCAL
> }
> realm without_ip {
>         authhost = LOCAL
>         accthost = LOCAL
> }
>
> Next I have mysql tables containing usernames:
>
> mysql> select * from radcheck;
> +----+----------+---------+--------------------+----+-------+
> | id | username | realm   | attribute          | op | value |
> +----+----------+---------+--------------------+----+-------+
> |  1 | user     | with_ip | Cleartext-Password | := | ip    |
> +----+----------+---------+--------------------+----+-------+
>
> mysql> select * from radgroupcheck;
> +----+-------------+-----------+----+---------+
> | id | groupname   | attribute | op | value   |
> +----+-------------+-----------+----+---------+
> |  1 | withipgroup | Pool-Name | := | ip_pool |
> +----+-------------+-----------+----+---------+
>
> mysql> select * from radippool;
> +----+-----------+-----------------+
> | id | pool_name | framedipaddress |
> +----+-----------+-----------------+
> |  1 | ip_pool   | 10.0.0.1        |
> |  2 | ip_pool   | 10.0.0.2        |
> +----+-----------+-----------------+
>
> mysql> select * from radusergroup;
> +----------+---------+-------------+----------+
> | username | realm   | groupname   | priority |
> +----------+---------+-------------+----------+
> | user     | with_ip | withipgroup |        1 |
> +----------+---------+-------------+----------+
>
> That's good for ip-provided users and it works. But I need to understand how to configure the second user, the without-ip one.

Make just radcheck entry for that one.

Ivan Kalik
Kalik Informatika ISP
syntax errors on mysql ip pools
Hello,

I've been trying for a few days to configure a new freeradius server with mysql IP pools support and I noticed there are a few errors in the syntax of some queries in sqlippool.conf for mysql.

First of all, some queries would never match, because the schema provided with freeradius for the radippools table would set the 'expiry_time' field to default to NULL, and then the queries would try something like expiry_time < NOW(), which would never match if the field is NULL.

So, the correct schema for the database would be:

CREATE TABLE radippool (
  id                    int(11) unsigned NOT NULL auto_increment,
  pool_name             varchar(30) NOT NULL,
  framedipaddress       varchar(15) NOT NULL default '',
  nasipaddress          varchar(15) NOT NULL default '',
  calledstationid       VARCHAR(30) NOT NULL,
  callingstationid      VARCHAR(30) NOT NULL,
  expiry_time           DATETIME NOT NULL,
  username              varchar(64) NOT NULL default '',
  pool_key              varchar(30) NOT NULL,
  PRIMARY KEY (id)
);

And then, the complete ippool.conf should be:

-- begin ---
# ## This series of queries allocates an IP address
allocate-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time = '-00-00' \
  WHERE pool_key = '${pool-key}'

## This series of queries allocates an IP address
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)
allocate-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, \
  callingstationid = '', username = '', \
  expiry_time = '-00-00' \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
  AND nasipaddress = '%{Nas-IP-Address}'

## The ORDER BY clause of this query tries to allocate the same IP-address
## which user had last session...
allocate-find = SELECT framedipaddress FROM ${ippool_table} \
  WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() \
  ORDER BY (username <> '%{User-Name}'), \
  (callingstationid <> '%{Calling-Station-Id}'), \
  expiry_time \
  LIMIT 1 \
  FOR UPDATE

# ## If you prefer to allocate a random IP address every time,
# ## use this query instead
# allocate-find = SELECT framedipaddress FROM ${ippool_table} \
#  WHERE pool_name = '%{control:Pool-Name}' \
#  AND expiry_time IS NULL \
#  ORDER BY RAND() \
#  LIMIT 1 \
#  FOR UPDATE

## If an IP could not be allocated, check to see if the pool exists or not
## This allows the module to differentiate between a full pool and no pool
## Note: If you are not running redundant pool modules this query may be
## commented out to save running this query every time an ip is not allocated.
pool-check = SELECT id FROM ${ippool_table} \
  WHERE pool_name='%{control:Pool-Name}' LIMIT 1

## This is the final IP Allocation query, which saves the allocated ip details
allocate-update = UPDATE ${ippool_table} \
  SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
  callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
  expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE framedipaddress = '%I'

## This series of queries frees an IP number when an accounting
## START record arrives
start-update = UPDATE ${ippool_table} \
  SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'

## This series of queries frees an IP number when an accounting
## STOP record arrives
stop-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
  expiry_time = '-00-00' \
  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
  AND username = '%{User-Name}' \
  AND callingstationid = '%{Calling-Station-Id}' \
  AND framedipaddress = '%{Framed-IP-Address}'

## This series of queries frees an IP number when an accounting
## ALIVE record arrives
alive-update = UPDATE ${ippool_table} \
  SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
  AND username = '%{User-Name}' \
  AND callingstationid = '%{Calling-Station-Id}' \
  AND framedipaddress = '%{Framed-IP-Address}'

## This series of queries frees the IP numbers allocate to a
## NAS when an accounting ON record arrives
on-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
  expiry_time = '-00-00' \
  WHERE nasipaddress = '%{Nas-IP-Address}'

## This series of queries frees the IP numbers allocate to a
## NAS when an accounting OFF record arrives
off-clear = UPDATE ${ippool_table} \
  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
  expiry_time = '-00-00' \
  WHERE nasipaddress = '%{Nas-IP-Address}'
-- end of file --

I might add I'm not any Mysql expert so any opinions about what I said are really welcome... I've tested it and apparently it works and I couldn't find any
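The comparison this post describes, where a free row whose expiry_time is NULL never satisfies expiry_time < NOW(), reproduced as an added example that is not the poster's or FreeRADIUS's code. It uses Python's built-in sqlite3 instead of MySQL because a comparison with NULL yields NULL in both; the FREE sentinel, the function names and the shortened stop-clear WHERE clause are assumptions, and the two pool rows reuse the radippool listing shown earlier on this page.

```python
import sqlite3

# Constructed "never leased" marker for this example (not the value from the post).
FREE = "1970-01-01 00:00:00"


def make_pool(expiry_column_sql, free_value):
    """Build an in-memory radippool table with two free addresses."""
    db = sqlite3.connect(":memory:")
    db.execute(f"""CREATE TABLE radippool (
        id INTEGER PRIMARY KEY,
        pool_name TEXT NOT NULL,
        framedipaddress TEXT NOT NULL DEFAULT '',
        nasipaddress TEXT NOT NULL DEFAULT '',
        callingstationid TEXT NOT NULL DEFAULT '',
        expiry_time {expiry_column_sql},
        username TEXT NOT NULL DEFAULT '',
        pool_key TEXT NOT NULL DEFAULT '')""")
    db.executemany(
        "INSERT INTO radippool (pool_name, framedipaddress, expiry_time) "
        "VALUES (?, ?, ?)",
        [("ip_pool", "10.0.0.1", free_value), ("ip_pool", "10.0.0.2", free_value)])
    return db


def free_addresses(db, pool):
    """Addresses the allocate-find condition can see right now."""
    rows = db.execute(
        "SELECT framedipaddress FROM radippool "
        "WHERE pool_name = ? AND expiry_time < datetime('now')", (pool,))
    return sorted(r[0] for r in rows)


def allocate(db, pool, user, station, nas, key, lease=3600):
    """allocate-find followed by allocate-update; returns the address or None."""
    row = db.execute(
        "SELECT framedipaddress FROM radippool "
        "WHERE pool_name = ? AND expiry_time < datetime('now') "
        "ORDER BY (username <> ?), (callingstationid <> ?), expiry_time LIMIT 1",
        (pool, user, station)).fetchone()
    if row is None:
        return None          # pool looks full, even if every row is actually free
    db.execute(
        "UPDATE radippool SET nasipaddress = ?, pool_key = ?, "
        "callingstationid = ?, username = ?, "
        "expiry_time = datetime('now', ?) WHERE framedipaddress = ?",
        (nas, key, station, user, f"+{lease} seconds", row[0]))
    return row[0]


def stop_clear(db, nas, key, free_value=FREE):
    """Accounting Stop: hand the address back (WHERE clause shortened here)."""
    db.execute(
        "UPDATE radippool SET nasipaddress = '', pool_key = '', "
        "callingstationid = '', username = '', expiry_time = ? "
        "WHERE nasipaddress = ? AND pool_key = ?", (free_value, nas, key))


if __name__ == "__main__":
    stock = make_pool("DATETIME DEFAULT NULL", None)   # schema as described in the post
    fixed = make_pool("DATETIME NOT NULL", FREE)       # NOT NULL with a past sentinel
    print("stock schema, visible free rows:", free_addresses(stock, "ip_pool"))
    print("fixed schema, visible free rows:", free_addresses(fixed, "ip_pool"))
    print("first lease:", allocate(fixed, "ip_pool", "user", "cs-1", "192.0.2.1", "1"))
```

With the nullable column both rows exist but none is ever offered, which on the RADIUS side is indistinguishable from an exhausted pool.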
Re: Help with IP Pools and multiple ranges with same pool name
Dave wrote:
> I can't seem to find the relative documentation or examples, but I want to have an IP pool pool2 with multiple range-start and range-stop IP ranges in it, but I'm not sure how to put together the config for it.

You configure multiple instances of the pool module, one for each start/stop range. You will also need to have per-pool session DB's and IP index DB's.

Alan DeKok.
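A small lint for the advice in this reply (one ippool instance per range, each with its own session-db and ip-index), added here as an example and not taken from FreeRADIUS or from any poster. It also compares cache-size with the number of addresses in the range, as the radiusd.conf comment quoted elsewhere on this page asks; the function names, the pool2a/pool2b instance names and the db file suffixes are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The single-instance attempt from the question, retyped from this thread.
DAVE_ATTEMPT = """
ippool pool2 {
    range-start = 208.64.35.2
    range-start = 208.5.60.100
    range-stop = 208.64.35.254
    range-stop = 208.5.60.200
    netmask = 255.255.255.255
    cache-size = 253
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
    maximum-timeout = 0
}
"""


def ippool_block(name, start, stop, cache, suffix):
    """Render one constructed ippool instance (names and suffixes are made up)."""
    return (f"ippool {name} {{\n"
            f"    range-start = {start}\n"
            f"    range-stop = {stop}\n"
            f"    cache-size = {cache}\n"
            f"    session-db = ${{raddbdir}}/db.ippool{suffix}\n"
            f"    ip-index = ${{raddbdir}}/db.ipindex{suffix}\n"
            "}\n")


# Two instances, but still pointing at the same db files and one stale cache-size.
SPLIT_SHARED = (ippool_block("pool2a", "208.64.35.2", "208.64.35.254", 253, "")
                + ippool_block("pool2b", "208.5.60.100", "208.5.60.200", 253, ""))
# Two instances with their own db files and matching cache sizes.
SPLIT_FIXED = (ippool_block("pool2a", "208.64.35.2", "208.64.35.254", 253, "_a")
               + ippool_block("pool2b", "208.5.60.100", "208.5.60.200", 101, "_b"))

BLOCK_RE = re.compile(r"^\s*ippool\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(\S+)", re.M)
SINGLE_KEYS = ("range-start", "range-stop", "cache-size", "session-db", "ip-index")


def parse_ippools(text):
    """Return {instance: {key: [values]}} for each ippool block, comments dropped."""
    text = re.sub(r"#.*", "", text)
    pools = {}
    for name, body in BLOCK_RE.findall(text):
        items = defaultdict(list)
        for key, value in ITEM_RE.findall(body):
            items[key].append(value)
        pools[name] = dict(items)
    return pools


def lint_ippools(pools):
    """Return a list of human-readable findings; empty means nothing to report."""
    findings = []
    owners = defaultdict(list)                 # db file path -> instances using it
    for name, items in pools.items():
        counts = {k: len(items.get(k, [])) for k in SINGLE_KEYS}
        for key, n in counts.items():
            if n != 1:
                findings.append(f"{name}: {key} set {n} times, expected once")
        for key in ("session-db", "ip-index"):
            for path in items.get(key, []):
                owners[path].append(name)
        if counts["range-start"] == counts["range-stop"] == counts["cache-size"] == 1:
            start = ipaddress.IPv4Address(items["range-start"][0])
            stop = ipaddress.IPv4Address(items["range-stop"][0])
            size = int(stop) - int(start) + 1
            cache = int(items["cache-size"][0])
            if size <= 0:
                findings.append(f"{name}: range-stop is below range-start")
            elif cache != size:
                findings.append(
                    f"{name}: cache-size {cache} but range holds {size} addresses")
    for path, names in owners.items():
        if len(names) > 1:
            findings.append(f"{path}: shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("attempt", DAVE_ATTEMPT), ("shared", SPLIT_SHARED),
                        ("fixed", SPLIT_FIXED)):
        print(label, lint_ippools(parse_ippools(conf)))
```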
Re: Help with IP Pools and multiple ranges with same pool name
Dave wrote:
> I can't seem to find the relative documentation or examples, but I want to have an IP pool pool2 with multiple range-start and range-stop IP ranges in it, but I'm not sure how to put together the config for it.

Can't be done. You'd need to use sqlippool for that.

> Something like this?
>
> ippool pool2 {
>         range-start = 208.64.35.2
>         range-start = 208.5.60.100
>         range-stop = 208.64.35.254
>         range-stop = 208.5.60.200
>         netmask = 255.255.255.255
>         cache-size = 253
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
>         maximum-timeout = 0
> }
Help with IP Pools and multiple ranges with same pool name
I can't seem to find the relative documentation or examples, but I want to have an IP pool pool2 with multiple range-start and range-stop IP ranges in it, but I'm not sure how to put together the config for it.

Something like this?

ippool pool2 {
        range-start = 208.64.35.2
        range-start = 208.5.60.100
        range-stop = 208.64.35.254
        range-stop = 208.5.60.200
        netmask = 255.255.255.255
        cache-size = 253
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
}
Multiple IP Pools
Hi,

I have different Wireless Access Points across the students campus. Each of them supports Radius Authentication for users.

My question is: Based on Client (i.e. AP) IP address, can I assign different IP pools to them?

Plz suggest.

Regards
-Azher
Re: Multiple IP Pools
On Sun 01 Apr 2007 20:28, Azher Amin wrote:
> Hi,
>
> I have different Wireless Access Points across the students campus. Each of them supports Radius Authentication for users.
>
> My question is: Based on Client (i.e. AP) IP address, can I assign different IP pools to them?

You may easily assign different IP Pools to different NAS. However in your case you are using WiFi, which assigns IPs with the DHCP protocol, NOT with RADIUS. See: http://wiki.freeradius.org/DHCP

FreeRADIUS does not at present support IP assignment via DHCP, only via RADIUS.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
FREERADIUS USING IP POOLS
HOW CAN I USE IP POOLS WITH FREERADIUS, MY NAS is a cisco Linksys WRT54G

now I'm working with freeradius 1.1.3 and mysql 5.02 in ubuntu dapper and it is working fine, I have my users stored in the radcheck table, but I want to divide the users in two groups and assign a different range of ip pools to each group of users dynamically

so I want to know how can I create two ippools and assign dynamically these ips to the users of the radcheck table depending if they belong to a group A or a group B.

help please!

thanks in advance!!!

EDUARDO
Re: FREERADIUS USING IP POOLS
Read the documentation in radiusd.conf, and experimental.conf. It's all there. You need two rlm_ippool modules instantiated, and placed in the postauth and accounting sections of the config file. You also need to add Pool-Name := pool1name in radgroupcheck under the name of group 1, and the same again for pool 2/group 2.

Post what you come up with if you need further help - this configuration is in the documentation.

Jan

On 15/12/06, Tomas Eduardo Lotina Ramos [EMAIL PROTECTED] wrote:
> HOW CAN I USE IP POOLS WITH FREERADIUS, MY NAS is a cisco Linksys WRT54G
>
> now I'm working with freeradius 1.1.3 and mysql 5.02 in ubuntu dapper and it is working fine, I have my users stored in the radcheck table, but I want to divide the users in two groups and assign a different range of ip pools to each group of users dynamically
>
> so I want to know how can I create two ippools and assign dynamically these ips to the users of the radcheck table depending if they belong to a group A or a group B.
>
> help please!
>
> thanks in advance!!!
>
> EDUARDO
Re: FREERADIUS USING IP POOLS
Tomas Eduardo Lotina Ramos wrote:
> HOW CAN I USE IP POOLS WITH FREERADIUS, MY NAS is a cisco Linksys WRT54G

Which is doing wireless, right? You will need a DHCP server to assign IP addresses.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
IP Pools
Hi All,

I need some assistance with assigning IP addresses from a pool to certain clients.

The way I have it set up is doing AUTH through a mysql database; this all works brilliantly. Now currently my NAS server is actually giving out the IP addresses to the clients. I can overwrite it using Framed-IP-Address and then it gets a different IP.

I want my radius server to get an IP out of a pool for each client. If the client is in a group called hardcapped it should give them an IP out of a different IP pool. Otherwise it should pull an IP from the main_pool.

Any suggestions?

--
Kind Regards,
Michael da Silva Pereira
--
Office: 0861 74 73 72
Mobile: +27 84 245 2376
Fax: 086 657 5004
Email: [EMAIL PROTECTED]
Skype: michael_da_silva_pereira
MSN: [EMAIL PROTECTED]
--
Tradepage.net
Business on the Internet
SA Business Directory http://www.tradepage.co.za/
Internet Products Services http://www.tradepage.net/
Configure IP Pools
Hi,

I've got freeradius installed on redhat enterprise 3, configured and working :-)

But now I need to create different IP pools. I tried to do it but I can't :-(

I've created two ippool in radiusd.conf.

#
ippool main_pool {

        #  range-start,range-stop: The start and end ip
        #  addresses for the ip pool
        range-start = 192.168.1.1
        range-stop = 192.168.3.254

        #  netmask: The network mask used for the ip's
        netmask = 255.255.255.0

        #  cache-size: The gdbm cache size for the db
        #  files. Should be equal to the number of ip's
        #  available in the ip pool
        cache-size = 800

        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool

        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex

        # override: Will this ippool override a Framed-IP-Address already set
        override = no

        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
}

ippool General {
        range-start = 192.168.75.1
        range-stop = 192.168.75.126
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
}

If I configure the user to take a static IP it works fine, but when I try to take one from the IP pool it doesn't work.

javi    Auth-Type := Local, User-Password == 123456
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.77.35,
        Framed-IP-Netmask = 255.255.255.255,
        Ascend-Maximum-Time = 28800,
        Ascend-Idle-Limit = 1800

ion     Auth-Type := Local, User-Password == 123456
        Pool-Name := General
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Assign-IP-Pool = 7,
        Ascend-Maximum-Time = 28800,
        Ascend-Idle-Limit = 1800

Any idea?
RE: Configure IP Pools
Hi

Try to put the IP-Pool in check items (not reply items)

miguel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On behalf of DK
Sent: Friday, 24 June 2005 11:45
To: freeradius-users@lists.freeradius.org
Subject: Configure IP Pools

Hi,

I've got freeradius installed on redhat enterprise 3, configured and working :-)

But now I need to create different IP pools. I tried to do it but I can't :-(

I've created two ippool in radiusd.conf.

#
ippool main_pool {
        #  range-start,range-stop: The start and end ip
        #  addresses for the ip pool
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        #  netmask: The network mask used for the ip's
        netmask = 255.255.255.0
        #  cache-size: The gdbm cache size for the db
        #  files. Should be equal to the number of ip's
        #  available in the ip pool
        cache-size = 800
        # session-db: The main db file used to allocate ip's to clients
        session-db = ${raddbdir}/db.ippool
        # ip-index: Helper db index file used in multilink
        ip-index = ${raddbdir}/db.ipindex
        # override: Will this ippool override a Framed-IP-Address already set
        override = no
        # maximum-timeout: If not zero specifies the maximum time in seconds an
        # entry may be active. Default: 0
        maximum-timeout = 0
}

ippool General {
        range-start = 192.168.75.1
        range-stop = 192.168.75.126
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
}

If I configure the user to take a static IP it works fine, but when I try to take one from the IP pool it doesn't work.

javi    Auth-Type := Local, User-Password == 123456
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.77.35,
        Framed-IP-Netmask = 255.255.255.255,
        Ascend-Maximum-Time = 28800,
        Ascend-Idle-Limit = 1800

ion     Auth-Type := Local, User-Password == 123456
        Pool-Name := General
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Assign-IP-Pool = 7,
        Ascend-Maximum-Time = 28800,
        Ascend-Idle-Limit = 1800

Any idea?
dynamic client ip pools
Hi Guys,

I'm not sure which forum to post this to, freeradius or poptop?

I've been using poptop and freeradius now for a while and it works great. I'm using dynamic IP addresses for clients via poptop, so trying to keep everything dynamic.

My problem is that I want to have different IP pools for different clients to connect to the internet. I want to be able to put a certain IP pool range through a slow connection and another via a fast connection. At the moment I route every 30 IP addresses through a specific internet connection and so forth.

My service provider does a proxy radius for our ADSL resell service and I can specify different pools with Cisco-AVPair, but I guess that is Cisco related?

Please advise if this is possible?

Thanks
Jandre

--
Regards
Jandre

Some people are alive only because it is illegal to kill them.
Re: IP Pools distributed on multiple FreeRADIUS Servers
On Sat, 7 May 2005, Nizar Shana'ah wrote:

> Hello all,
>
> I have two FreeRADIUS servers, the second one is used for redundancy. How can I distribute the IP pools and have full redundancy? I am afraid of the conflicts that this may cause; I don't want them leasing the same IP to multiple clients when something happens and the other server is down.

See bug #46 http://bugs.freeradius.org/show_bug.cgi?id=46

rlm_ippool should also renew IP address leasing information on accounting-start packets to achieve full redundancy (as long as accounting relaying works fine). Right now the lease databases are only synchronized on accounting-stop packets, which means that a backup server *may* give out an IP already taken.

> BR

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
IP Pools distributed on multiple FreeRADIUS Servers
Hello all,

I have two FreeRADIUS servers, the second one is used for redundancy. How can I distribute the IP pools and have full redundancy? I am afraid of the conflicts that this may cause; I don't want them leasing the same IP to multiple clients when something happens and the other server is down.

BR
Re: Give 2 ip pools to the clients
On Fri, 1 Apr 2005, eDoS wrote:

> Hi,
>
> I got an allocation of 2 networks of IPs, the range is:
> 192.168.2.1 - 192.168.2.14
> 192.168.5.1 - 192.168.5.14
>
> my conf:
>
> ippool pool1 {
>         range-start = 192.168.2.1
>         range-stop = 192.168.2.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool1
>         ip-index = ${raddbdir}/db.ipindex1
> }
> ippool pool2 {
>         range-start = 192.168.5.1
>         range-stop = 192.168.5.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool2
>         ip-index = ${raddbdir}/db.ipindex2
> }
>
> I want to give all the IP allocation to all of the clients. I have used just 1 network of IPs but sometimes my clients couldn't get any more IPs. Is there any way to give 2 attribute pool-name (pool1 pool2)?

You can set Pool-Name to DEFAULT to match all ippool modules.

> best regards,
> eDoS

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Give 2 ip pools to the clients
thank you kostas,

but I have another problem if there is 1 network of public IPs,

ippool public {
        range-start = 223.xxx.xxx.xxx
        range-stop = 223.xxx.xxx.xxx
        netmask = 255.255.255.0
        cache-size = 62
        session-db = ${raddbdir}/db.ippublic
        ip-index = ${raddbdir}/db.ippublic_idx
}

and I want to separate my public users and my private users. If I use the DEFAULT value for Pool-Name it will be including the public IPs. Is there a way that just gives pool1 and pool2 to my private users?

regards
eDoS

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, April 04, 2005 6:32 PM
Subject: Re: Give 2 ip pools to the clients

On Fri, 1 Apr 2005, eDoS wrote:

> Hi,
>
> I got an allocation of 2 networks of IPs, the range is:
> 192.168.2.1 - 192.168.2.14
> 192.168.5.1 - 192.168.5.14
>
> my conf:
>
> ippool pool1 {
>         range-start = 192.168.2.1
>         range-stop = 192.168.2.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool1
>         ip-index = ${raddbdir}/db.ipindex1
> }
> ippool pool2 {
>         range-start = 192.168.5.1
>         range-stop = 192.168.5.14
>         netmask = 255.255.255.0
>         cache-size = 14
>         session-db = ${raddbdir}/db.ippool2
>         ip-index = ${raddbdir}/db.ipindex2
> }
>
> I want to give all the IP allocation to all of the clients. I have used just 1 network of IPs but sometimes my clients couldn't get any more IPs. Is there any way to give 2 attribute pool-name (pool1 pool2)?

You can set Pool-Name to DEFAULT to match all ippool modules.

> best regards,
> eDoS

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Give 2 ip pools to the clients
On Mon, 4 Apr 2005, eDoS wrote:

> thank you kostas,
>
> but I have another problem if there is 1 network of public IPs,
>
> ippool public {
>         range-start = 223.xxx.xxx.xxx
>         range-stop = 223.xxx.xxx.xxx
>         netmask = 255.255.255.0
>         cache-size = 62
>         session-db = ${raddbdir}/db.ippublic
>         ip-index = ${raddbdir}/db.ippublic_idx
> }
>
> and I want to separate my public users and my private users. If I use the DEFAULT value for Pool-Name it will be including the public IPs. Is there a way that just gives pool1 and pool2 to my private users?

You can also use the Post-Auth attribute. Use the public ippool module for public users and put pool1 and pool2 in a Post-Auth section available only to private users:

users (example!!):

#private
DEFAULT Group == private, Pool-Name := DEFAULT, Post-Auth := private

#public
DEFAULT Pool-Name := public

postauth {
        public
        Post-Auth private {
                pool1
                pool2
        }
}

Hope you get the picture.

> regards
> eDoS
>
> ----- Original Message -----
> From: Kostas Kalevras [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Sent: Monday, April 04, 2005 6:32 PM
> Subject: Re: Give 2 ip pools to the clients
>
> On Fri, 1 Apr 2005, eDoS wrote:
>
> > Hi,
> >
> > I got an allocation of 2 networks of IPs, the range is:
> > 192.168.2.1 - 192.168.2.14
> > 192.168.5.1 - 192.168.5.14
> >
> > my conf:
> >
> > ippool pool1 {
> >         range-start = 192.168.2.1
> >         range-stop = 192.168.2.14
> >         netmask = 255.255.255.0
> >         cache-size = 14
> >         session-db = ${raddbdir}/db.ippool1
> >         ip-index = ${raddbdir}/db.ipindex1
> > }
> > ippool pool2 {
> >         range-start = 192.168.5.1
> >         range-stop = 192.168.5.14
> >         netmask = 255.255.255.0
> >         cache-size = 14
> >         session-db = ${raddbdir}/db.ippool2
> >         ip-index = ${raddbdir}/db.ipindex2
> > }
> >
> > I want to give all the IP allocation to all of the clients. I have used just 1 network of IPs but sometimes my clients couldn't get any more IPs. Is there any way to give 2 attribute pool-name (pool1 pool2)?
>
> You can set Pool-Name to DEFAULT to match all ippool modules.
>
> > best regards,
> > eDoS

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Problem with ip pools
Hi,

I'm using ip pools to manage my client ips from the radius side. Here's my conf:

* users file :

DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
    Framed-Protocol = PPP,
    Framed-MTU = 576

* radiusd.conf file:

ippool main_pool {
    range-start = 192.168.52.2
    range-stop = 192.168.52.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
}

Everything is working well for some days then my clients could not get anymore ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.

Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.

Thanks in advance for your help.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA
Re: Problem with ip pools
On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side. Here's my conf:
>
> * users file :
>
> DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>     Framed-Protocol = PPP,
>     Framed-MTU = 576
>
> * radiusd.conf file:
>
> ippool main_pool {
>     range-start = 192.168.52.2
>     range-stop = 192.168.52.254
>     netmask = 255.255.255.0
>     cache-size = 800
>     session-db = ${raddbdir}/db.ippool
>     ip-index = ${raddbdir}/db.ipindex
> }
>
> Everything is working well for some days then my clients could not get anymore ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
>
> Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
>
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.

rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older version did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos [EMAIL PROTECTED]
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: Problem with ip pools
Hi,

The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.

Ok for the rlm_ippool_tool I'm gonna use it to see if my modification of radiusd.conf is working or not.

I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.

Thanks for answering.

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Thursday, March 31, 2005 13:47
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with ip pools

On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side. Here's my conf:
>
> * users file :
>
> DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>     Framed-Protocol = PPP,
>     Framed-MTU = 576
>
> * radiusd.conf file:
>
> ippool main_pool {
>     range-start = 192.168.52.2
>     range-stop = 192.168.52.254
>     netmask = 255.255.255.0
>     cache-size = 800
>     session-db = ${raddbdir}/db.ippool
>     ip-index = ${raddbdir}/db.ipindex
> }
>
> Everything is working well for some days then my clients could not get anymore ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
>
> Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
>
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.

rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older version did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos [EMAIL PROTECTED]
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: Problem with ip pools
Still no luck. I made a connection, then disconnect but the IP it is always in the databases.

I would like to understand if accounting is working well. Only thing I know is that files in [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8 are being fulfilled. (192.168.10.8 is a cisco router which acts as a NAS forwarding NAS requests).

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat auth-detail-20050331
Packet-Type = Access-Request
Thu Mar 31 14:31:55 2005
    Framed-Protocol = PPP
    User-Name = masqued
    CHAP-Password = masqued
    NAS-Port-Type = Virtual
    NAS-Port = 135
    Calling-Station-Id = masqued
    Called-Station-Id = masqued
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.10.8
    Client-IP-Address = 192.168.10.8
    CHAP-Challenge = masqued

[EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
Packet-Type = Access-Accept
Thu Mar 31 14:31:55 2005
    Framed-Protocol = PPP
    Framed-MTU = 576
    Framed-IP-Address = 192.168.52.79
    Framed-IP-Netmask = 255.255.255.0

Does this mean that accounting is working ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Sébastien Cantos
Sent: Thursday, March 31, 2005 14:26
To: freeradius-users@lists.freeradius.org
Subject: RE: Problem with ip pools

Hi,

The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.

Ok for the rlm_ippool_tool I'm gonna use it to see if my modification of radiusd.conf is working or not.

I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.

Thanks for answering.

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Thursday, March 31, 2005 13:47
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with ip pools

On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side. Here's my conf:
>
> * users file :
>
> DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>     Framed-Protocol = PPP,
>     Framed-MTU = 576
>
> * radiusd.conf file:
>
> ippool main_pool {
>     range-start = 192.168.52.2
>     range-stop = 192.168.52.254
>     netmask = 255.255.255.0
>     cache-size = 800
>     session-db = ${raddbdir}/db.ippool
>     ip-index = ${raddbdir}/db.ipindex
> }
>
> Everything is working well for some days then my clients could not get anymore ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
>
> Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
>
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool.

rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older version did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos [EMAIL PROTECTED]
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Problem with ip pools
Sébastien Cantos [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
> Packet-Type = Access-Accept
>
> Does this mean that accounting is working ?

No.

Alan DeKok.
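The auth-detail and reply-detail files shown in this thread hold only Access-Request and Access-Accept records, which is why they are not evidence of accounting. The Python sketch below is an added example (not from the thread or from the FreeRADIUS project) that parses detail-style records and reports whether any Acct-Status-Type Start/Stop records are present and which sessions were never closed. The sample records are constructed, and the assumed layout is a timestamp line followed by indented `Attribute = value` lines with a blank line between records.

```python
"""Look for accounting evidence in FreeRADIUS detail-style records."""
import re

# Constructed sample: one auth exchange, two accounting Starts, one Stop.
SAMPLE = """\
Thu Mar 31 14:31:55 2005
\tPacket-Type = Access-Request
\tUser-Name = "alice"
\tNAS-IP-Address = 192.168.10.8
\tNAS-Port = 135

Thu Mar 31 14:31:55 2005
\tPacket-Type = Access-Accept
\tFramed-IP-Address = 192.168.52.79

Thu Mar 31 14:31:56 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A1"
\tNAS-IP-Address = 192.168.10.8
\tNAS-Port = 135
\tFramed-IP-Address = 192.168.52.79

Thu Mar 31 14:40:02 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000A2"
\tNAS-IP-Address = 192.168.10.8
\tNAS-Port = 136
\tFramed-IP-Address = 192.168.52.80

Thu Mar 31 15:02:10 2005
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000A1"
\tNAS-IP-Address = 192.168.10.8
\tNAS-Port = 135
\tFramed-IP-Address = 192.168.52.79
"""

ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Split detail text into records; each record is a dict of attributes."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        record = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            match = ATTR.match(line)
            if match:
                record[match.group(1)] = match.group(2).strip('"')
        records.append(record)
    return records


def accounting_report(records):
    """Count packet kinds and track sessions that have a Start but no Stop."""
    report = {"access_request": 0, "access_accept": 0,
              "acct_start": 0, "acct_stop": 0,
              "requests_without_nas_port": 0}
    open_sessions = {}  # Acct-Session-Id -> Framed-IP-Address still held
    for rec in records:
        status = rec.get("Acct-Status-Type")
        ptype = rec.get("Packet-Type")
        if status == "Start":
            report["acct_start"] += 1
            open_sessions[rec.get("Acct-Session-Id")] = rec.get("Framed-IP-Address")
        elif status == "Stop":
            report["acct_stop"] += 1
            open_sessions.pop(rec.get("Acct-Session-Id"), None)
        elif ptype == "Access-Request":
            report["access_request"] += 1
            # The thread notes the pool needs NAS-Port in the Access-Request.
            if "NAS-Port" not in rec:
                report["requests_without_nas_port"] += 1
        elif ptype == "Access-Accept":
            report["access_accept"] += 1
    # Only Start/Stop records show that accounting packets reach the server.
    report["accounting_seen"] = (report["acct_start"] + report["acct_stop"]) > 0
    report["open_sessions"] = open_sessions
    return report


if __name__ == "__main__":
    print(accounting_report(parse_detail(SAMPLE)))
```

Sessions left in `open_sessions` are the ones whose addresses would stay marked as used until some other clean-up frees them.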
Give 2 ip pools to the clients
Hi,

i get allocation 2 network of ip, the range is :
192.168.2.1 - 192.168.2.14
192.168.5.1 - 192.168.5.14

my conf :

ippool pool1 {
    range-start = 192.168.2.1
    range-stop = 192.168.2.14
    netmask = 255.255.255.0
    cache-size = 14
    session-db = ${raddbdir}/db.ippool1
    ip-index = ${raddbdir}/db.ipindex1
}
ippool pool2 {
    range-start = 192.168.5.1
    range-stop = 192.168.5.14
    netmask = 255.255.255.0
    cache-size = 14
    session-db = ${raddbdir}/db.ippool2
    ip-index = ${raddbdir}/db.ipindex2
}

i want to give all ip allocation to all of clients. i have use just 1 network of ip but sometimes my clients couldn't get any more ip. is there any way to give 2 attribute pool-name (pool1 pool2) ?

best regards,
eDoS
Re: Using IP Pools
On Sat, 12 Mar 2005 15:15:58 +0200 (EET), Kostas Kalevras [EMAIL PROTECTED] wrote:

> --users--
> DEFAULT NAS-IP-Address == $RAS-IP
>     Framed-IP-Address = 255.255.255.254
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP, Pool-Name := pool1
>
> DEFAULT NAS-IP-Address == $OTHER-NAS-IP2, Pool-Name := pool2

I haven't found a way to represent this in the mysql database. Am I correct in that these must be in the users file and cannot be placed in the database? If not, how do I represent this in the database?

> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

Thanks!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: Using IP Pools
On Fri, 11 Mar 2005, Jason Frisvold wrote:

> Hi all
>
> I want to set up freeradius to use IP pools. I see the section in the radius.conf file where I can set this up, but I'm a bit unsure of how to proceed.
>
> Currently we're using freeradius to authenticate dial-up users. The RAS only needs to receive a Framed-IP-Address of 255.255.255.254 to trigger the internal pools. Moving forward, we want to continue with this, and also use freeradius for some other devices that don't have internal IP Pools.
>
> Is there a document somewhere that describes how to handle all of this?

No there isn't. There is documentation for how the server works though. It's your job to use them all together.

> I believe I'm going to need multiple pools for this, depending on the device that the user is authenticating on...

--users--
DEFAULT NAS-IP-Address == $RAS-IP
    Framed-IP-Address = 255.255.255.254

DEFAULT NAS-IP-Address == $OTHER-NAS-IP, Pool-Name := pool1

DEFAULT NAS-IP-Address == $OTHER-NAS-IP2, Pool-Name := pool2

--radiusd.conf--
ippool pool1 {
    [...]
}
ippool pool2 {
    [...]
}
postauth{
    pool1
    pool2
    [...]
}

> Any help would be appreciated...
>
> Thanks!
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Dynamic IP Pools on Freeradius
Hi all,

sorry to bother you, I searched all on google but didn't find a solution, either it is not designed as I think or I misunderstand something.

So here the story: I have to assign IP addresses via dynamic pools on Freeradius and via some local pool on NAS. (requirement)

So I added in radiusd.conf

ippool my_pool {
    some stuff , mostly copied from main_pool
}

in the users file I added a test user

test Password == test, Pool-Name := my_pool

after restarting the server and some trying, I never got an IP returned from Freeradius. I expected to see Framed-IP-Address attribute added to the user with some IP of the specified pool. Is this how it should work or is my assumption wrong.

When running radius in Debug mode (radiusd -X ) I just can see log messages

module my_pool returns NOOP

Did I miss something to configure ? I haven't found much documentation about radius based IP pools.

Sorry that I can't post the whole debugging log currently, it's located on a PC in a non-internet connected area.

Any could help with this issue.

Thanks and regards
Michael
Re: Dynamic IP Pools on Freeradius
rlm_ippool requires that the packet contain NAS-IP-Address and NAS-Port. Are you sending those attributes? If not, you may need to modify rlm_ippool to uniquely identify a user by something else.

On Wed, 2 Feb 2005, Michael Kopp wrote:

> Hi all,
>
> sorry to bother you, I searched all on google but didn't find a solution, either it is not designed as I think or I misunderstand something.
>
> So here the story: I have to assign IP addresses via dynamic pools on Freeradius and via some local pool on NAS. (requirement)
>
> So I added in radiusd.conf
>
> ippool my_pool {
>     some stuff , mostly copied from main_pool
> }
>
> in the users file I added a test user
>
> test Password == test, Pool-Name := my_pool
>
> after restarting the server and some trying, I never got an IP returned from Freeradius. I expected to see Framed-IP-Address attribute added to the user with some IP of the specified pool. Is this how it should work or is my assumption wrong.
>
> When running radius in Debug mode (radiusd -X ) I just can see log messages
>
> module my_pool returns NOOP
>
> Did I miss something to configure ? I haven't found much documentation about radius based IP pools.
>
> Sorry that I can't post the whole debugging log currently, it's located on a PC in a non-internet connected area.
>
> Any could help with this issue.
>
> Thanks and regards
> Michael
Re: Dynamic IP Pools on Freeradius
Hi Dustin,

thanks, that worked for me ! (didn't know that the NAS-Port is necessary)

Regards
Michael

--__--__--
Message: 3
Date: Wed, 2 Feb 2005 10:39:32 -0500 (EST)
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: Re: Dynamic IP Pools on Freeradius
Reply-To: freeradius-users@lists.freeradius.org

rlm_ippool requires that the packet contain NAS-IP-Address and NAS-Port. Are you sending those attributes? If not, you may need to modify rlm_ippool to uniquely identify a user by something else.

On Wed, 2 Feb 2005, Michael Kopp wrote:

> Hi all,
>
> sorry to bother you, I searched all on google but didn't find a solution, either it is not designed as I think or I misunderstand something.
>
> So here the story: I have to assign IP addresses via dynamic pools on Freeradius and via some local pool on NAS. (requirement)
>
> So I added in radiusd.conf
>
> ippool my_pool {
>     some stuff , mostly copied from main_pool
> }
>
> in the users file I added a test user
>
> test Password == test, Pool-Name := my_pool
>
> after restarting the server and some trying, I never got an IP returned from Freeradius. I expected to see Framed-IP-Address attribute added to the user with some IP of the specified pool. Is this how it should work or is my assumption wrong.
>
> When running radius in Debug mode (radiusd -X ) I just can see log messages
>
> module my_pool returns NOOP
>
> Did I miss something to configure ? I haven't found much documentation about radius based IP pools.
>
> Sorry that I can't post the whole debugging log currently, it's located on a PC in a non-internet connected area.
>
> Any could help with this issue.
>
> Thanks and regards
> Michael
Re: Regarding ip pools
You can return VSA with poolname. It depends on your NAS vendor. For example we use:

USR-Framed_IP_Address_Pool_Name = poolname

for our HiperArc. Hope this helps.

Best Regards,

athif abdul aziz wrote:

> Hi ,
>
> Can anyone please give me idea as to how i can configure freeradius to assign addresses to dial-in users from an ip-pool ?
>
> Regards
> Athif

--
George Chelidze
Re: ip pools question
Paul Hampson wrote:

> On Wed, Sep 22, 2004 at 04:20:23AM -0700, Evren Yurtesen wrote:
>
> > Hello,
> >
> > I want to use the freeradius ip pools. I just wonder something though, every ip pool name I define should be included in the accounting and post-auth sections? Its kind of confusing, whats the point of defining the Pool-Name attribute in users file and then define the same name in accounting and post-auth sections?
>
> The Pool-Name attribute is attached to a RADIUS request, and is checked by the rlm_ippool module before any action is taken. Its existence does not depend on the rlm_ippool module, but nothing else (to my knowledge) uses it.
>
> Putting the pool name into the sections of the config file triggers the instance of the rlm_ippool module to act upon the current request, as it passes through that stage of processing. rlm_ippool allocates IP addresses when called from post-auth, and marks IP addresses as free again when called from accounting.
>
> I hope that clarifies things.

So if I put the pool name to accounting and post-auth, then I dont have to have Pool-Name in users file? All the users would use the pool which is defined in accounting and post-auth?

If I have to define every pool name in those sections. I mean what if I have 100 different pools? wouldnt it be just extra work to edit conf file every time in 2 different sections?

But then why just above the main_pool says that it is REQUIRED to have Pool-Name?

# The module also requires the existance of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
# a reply item.
Re: ip pools question
On Wed, 22 Sep 2004, Evren Yurtesen wrote:

> So if I put the pool name to accounting and post-auth, then I dont have to have Pool-Name in users file? All the users would use the pool which is defined in accounting and post-auth?

No, you HAVE to define the Pool-Name

> If I have to define every pool name in those sections. I mean what if I have 100 different pools? wouldnt it be just extra work to edit conf file every time in 2 different sections?

100 different pools are 100 different ippool module instances. So you need to add them in the accounting, post-auth sections. Though if you use 100 pools the ippool module won't be the best choice.

> But then why just above the main_pool says that it is REQUIRED to have Pool-Name?
>
> # The module also requires the existance of the Pool-Name
> # attribute. That way the administrator can add the Pool-Name
> # attribute in the user profiles and use different pools
> # for different users. The Pool-Name attribute is a *check* item not
> # a reply item.

You need to set the Pool-Name. That's how the ippool module works, it needs the Pool-Name to make sure it is the one that should handle the corresponding request.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
ip pools question
Hello,

I want to use the freeradius ip pools. I just wonder something though, every ip pool name I define should be included in the accounting and post-auth sections? Its kind of confusing, whats the point of defining the Pool-Name attribute in users file and then define the same name in accounting and post-auth sections?

Thanks,
Evren
Re: ip pools question
On Wed, Sep 22, 2004 at 04:20:23AM -0700, Evren Yurtesen wrote:

> Hello,
>
> I want to use the freeradius ip pools. I just wonder something though, every ip pool name I define should be included in the accounting and post-auth sections? Its kind of confusing, whats the point of defining the Pool-Name attribute in users file and then define the same name in accounting and post-auth sections?

The Pool-Name attribute is attached to a RADIUS request, and is checked by the rlm_ippool module before any action is taken. Its existence does not depend on the rlm_ippool module, but nothing else (to my knowledge) uses it.

Putting the pool name into the sections of the config file triggers the instance of the rlm_ippool module to act upon the current request, as it passes through that stage of processing. rlm_ippool allocates IP addresses when called from post-auth, and marks IP addresses as free again when called from accounting.

I hope that clarifies things.

--
Paul TBBle Hampson, on an alternate email client.
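The lease lifecycle described across these threads (allocation in post-auth keyed on NAS-IP-Address and NAS-Port, release on an accounting Stop, and the maximum-timeout and re-authentication clean-ups from the "Problem with ip pools" replies) can be written as a small Python model that shows why a pool drains when accounting is not wired in. This is an added illustration, not rlm_ippool's code; the class, its method names and the "pool-full" status are hypothetical.

```python
"""Simplified model of the ippool lease lifecycle discussed in these threads."""
import ipaddress


class IPPoolModel:
    def __init__(self, name, range_start, range_stop, maximum_timeout=0):
        self.name = name
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.addresses = [str(ipaddress.IPv4Address(n))
                          for n in range(first, last + 1)]
        self.maximum_timeout = maximum_timeout  # seconds; 0 = never expire
        self.leases = {}  # (NAS-IP-Address, NAS-Port) -> (ip, allocated_at)

    @staticmethod
    def _key(request):
        nas_ip = request.get("NAS-IP-Address")
        nas_port = request.get("NAS-Port")
        if nas_ip is None or nas_port is None:
            return None
        return (nas_ip, nas_port)

    def _expire(self, now):
        # maximum-timeout: no lease stays active longer than this.
        if not self.maximum_timeout:
            return
        for key, (_ip, since) in list(self.leases.items()):
            if now - since >= self.maximum_timeout:
                del self.leases[key]

    def post_auth(self, request, pool_name, now):
        """Allocate an address; returns (status, ip)."""
        # The Pool-Name check item selects the instance; DEFAULT matches all.
        if pool_name not in (self.name, "DEFAULT"):
            return ("noop", None)
        key = self._key(request)
        if key is None:
            # No NAS-IP-Address/NAS-Port in the Access-Request: nothing to key on.
            return ("noop", None)
        self._expire(now)
        # A new login from the same NAS/port pair frees its previous lease.
        self.leases.pop(key, None)
        in_use = {ip for ip, _since in self.leases.values()}
        for ip in self.addresses:
            if ip not in in_use:
                self.leases[key] = (ip, now)
                return ("ok", ip)
        return ("pool-full", None)  # model's own label for an exhausted pool

    def accounting(self, request):
        """Free the lease when a Stop record arrives for the same NAS/port."""
        if request.get("Acct-Status-Type") != "Stop":
            return "noop"
        key = self._key(request)
        if key is not None and self.leases.pop(key, None) is not None:
            return "ok"
        return "noop"


def sessions_served(pool, send_stop, sessions=5):
    """Run sequential logins, one per minute, each on a different NAS-Port."""
    served = 0
    for port in range(sessions):
        req = {"NAS-IP-Address": "192.168.10.8", "NAS-Port": port}
        status, _ip = pool.post_auth(req, pool.name, now=port * 60)
        if status == "ok":
            served += 1
        if send_stop:
            pool.accounting({**req, "Acct-Status-Type": "Stop"})
    return served


if __name__ == "__main__":
    for stop in (False, True):
        pool = IPPoolModel("pool1", "192.168.2.1", "192.168.2.2")
        print("accounting Stop sent:", stop, "served:", sessions_served(pool, stop))
```

With a two-address pool, five sequential sessions are all served when Stop records arrive, and only two are served when they never do unless maximum_timeout is set.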
manage more ip pools with mysql tables
Thanks to doris. How can i modify sql tables to enable ippools function with only connection to mysql db and radiusd.conf file??

Thanks a lot

-----Original Message-----
From: Simone Giovanardi
Sent: Friday, August 20, 2004 16.21
To: '[EMAIL PROTECTED]'
Subject: manage more ip pools

Is it possible manage more than one ippool in radiusd.conf?? I've tried to make this but doesn't work properly. Is there an example of radiusd.conf and users file to consulting?

Thanks a lot
Re: Group ip pools
Nah still not working, works fine if i use radping or what ever that program is and I specify a nas port. But the nas port only seems to come through from the nas on a start request maybe. The port range starts from 0 and increments by 1 per user.

Any ideas?

Barry

----- Original Message -----
From: Paul Hampson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 02, 2004 2:17 PM
Subject: Re: Group ip pools

On Sun, Aug 01, 2004 at 02:17:41PM +1200, Barry Murphy wrote:

> Going forward I have looked at the scripts and it shows that TTY is being used and clients are getting a Nas-Port beginning with 0, then 1 for the second user as shown below.
>
> Sun Aug 1 12:00:49 2004
>     Acct-Session-Id = 410C2FFA01F0
>     User-Name = icepick
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.85
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 0
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = 819283b999345e7d
>     Timestamp = 1091318449
>
> Sun Aug 1 13:26:04 2004
>     Acct-Session-Id = 410C43DA0201
>     User-Name = neil
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.89
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 1
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = f27a28a784f81cba
>     Timestamp = 1091323564

Those are Accounting-Start packets... To assign an address from an ippool, the port needs to be present in the Access-Request packet. By the time the RADIUS server sees the Accounting-Start packet, the IP address needs to've been already transmitted in the Access-Accept packet.

On the other hand, it looks like a Framed-IP-Address _is_ being assigned... Is this still not working?

--
Paul TBBle Hampson, on an alternate email client.
Re: Group ip pools
On Sun, Aug 01, 2004 at 02:17:41PM +1200, Barry Murphy wrote:

> Going forward I have looked at the scripts and it shows that TTY is being used and clients are getting a Nas-Port beginning with 0, then 1 for the second user as shown below.
>
> Sun Aug 1 12:00:49 2004
>     Acct-Session-Id = 410C2FFA01F0
>     User-Name = icepick
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.85
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 0
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = 819283b999345e7d
>     Timestamp = 1091318449
>
> Sun Aug 1 13:26:04 2004
>     Acct-Session-Id = 410C43DA0201
>     User-Name = neil
>     Acct-Status-Type = Start
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Acct-Authentic = RADIUS
>     NAS-Port-Type = Async
>     Framed-IP-Address = 219.88.249.89
>     NAS-IP-Address = 10.23.19.2
>     NAS-Port = 1
>     Acct-Delay-Time = 0
>     Client-IP-Address = 10.22.19.2
>     Acct-Unique-Session-Id = f27a28a784f81cba
>     Timestamp = 1091323564

Those are Accounting-Start packets... To assign an address from an ippool, the port needs to be present in the Access-Request packet. By the time the RADIUS server sees the Accounting-Start packet, the IP address needs to've been already transmitted in the Access-Accept packet.

On the other hand, it looks like a Framed-IP-Address _is_ being assigned... Is this still not working?

--
Paul TBBle Hampson, on an alternate email client.
Group ip pools
Hi,

I'm trying to setup ippools on a per group basis, I tried examples from the below and couldn't get it to work. Any ideas?

http://lists.cistron.nl/pipermail/freeradius-users/2001-August/001482.html

DEFAULT Group == dialupnf, Auth-Type := System
    Service-Type == Framed-User,
    Framed-IP-Address = 10.10.10.1+,
    Fall-Through = No

http://listserver.uk.freebsd.org/pipermail/freebsd-users/2003-May/007864.html

robing Auth-Type := Local, User-Password == password
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 195.8.182.0,
    Framed-IP-Netmask = 255.255.255.0,
Re: Group ip pools
I'm on vacation Aug 2 - 6 and will return to the office on Monday the 9th.

Bruce Friend
Re: Group ip pools
I'm guessing I can just use ip pools from the radius.conf which I have tried to do but it isn't working...

ippool mainpool {
    range-start = 219.88.249.73
    range-stop = 219.88.249.80
    netmask = 255.255.255.255
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
}

under accounting{} I have added mainpool
under post-auth {} I have also added mainpool

I've added the following to sql on radgroupcheck

testing Pool-Name := mainpool

radius -X (

rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
modcall: entering group Auth-Type for request 0
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module mschap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [testing] (from client 192.168.4.1 port 0)
modcall: entering group post-auth for request 0
rlm_ippool: Could not find nas port information. Return NOOP.
modcall[post-auth]: module mainpool returns noop for request 0
radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'

Thanks
Barry

----- Original Message -----
From: Barry Murphy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 31, 2004 6:14 PM
Subject: Group ip pools

Hi,

I'm trying to setup ippools on a per group basis, I tried examples from the below and couldn't get it to work. Any ideas?

http://lists.cistron.nl/pipermail/freeradius-users/2001-August/001482.html

DEFAULT Group == dialupnf, Auth-Type := System
    Service-Type == Framed-User,
    Framed-IP-Address = 10.10.10.1+,
    Fall-Through = No

http://listserver.uk.freebsd.org/pipermail/freebsd-users/2003-May/007864.html

robing Auth-Type := Local, User-Password == password
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 195.8.182.0,
    Framed-IP-Netmask = 255.255.255.0,
Re: Group ip pools
Could the problem be because the user is connecting with a Virtual NAS-Port...

    rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74, length=113
        User-Name = testing
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 192.168.44.59
        Framed-IP-Netmask = 255.255.255.255
        NAS-Identifier = ns.unix.co.nz
        NAS-Port-Type = Virtual
        Acct-Status-Type = Start
        Acct-Session-Id = 31558-testing1091264221
        Acct-Multi-Session-Id =
        Acct-Delay-Time = 0

    modcall: group Auth-Type returns ok for request 12
    Login OK: [testing] (from client 192.168.4.1 port 0)
    modcall: entering group post-auth for request 12
    rlm_ippool: Could not find nas port information. Return NOOP.
    modcall[post-auth]: module mainpool returns noop for request 12
    radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'

Barry

- Original Message -
From: Barry Murphy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 31, 2004 7:26 PM
Subject: Re: Group ip pools
Re: Group ip pools
I'm on vacation Aug 2 - 6 and will return to the office on Monday the 9th.

Bruce Friend
Re: Group ip pools
On Sat, 31 Jul 2004, Barry Murphy wrote:

> Could the problem be because the user is connecting with a Virtual NAS-Port...
>
> rad_recv: Accounting-Request packet from host 192.168.4.1:1084, id=74, length=113
>     User-Name = testing
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Framed-IP-Address = 192.168.44.59
>     Framed-IP-Netmask = 255.255.255.255
>     NAS-Identifier = ns.unix.co.nz
>     NAS-Port-Type = Virtual
>     Acct-Status-Type = Start
>     Acct-Session-Id = 31558-testing1091264221
>     Acct-Multi-Session-Id =
>     Acct-Delay-Time = 0

The accounting packet does not contain a nas-port attribute. You need to fix that, or rlm_ippool won't work.

> modcall: group Auth-Type returns ok for request 12
> Login OK: [testing] (from client 192.168.4.1 port 0)
> modcall: entering group post-auth for request 12
> rlm_ippool: Could not find nas port information. Return NOOP.
> modcall[post-auth]: module mainpool returns noop for request 12
> radius_xlat: '/var/log/radacct/192.168.4.1/reply-detail-20040731'
>
> Barry

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Group ip pools
On Sat, 31 Jul 2004 10:44 -0400, Bruce A. Friend wrote:

> I'm on vacation Aug 2 - 6 and will return to the office on Monday the 9th.
>
> Bruce Friend

Bruce,

I assume you'll see this when you return from vacation. Will you please learn how to configure your vacation autoresponder to ignore mailing list messages? Every time a freeradius-users message hits your system, your autoresponder responds to the list address. Surely if you're savvy enough to use radius, you're savvy enough to learn to use your autoresponder correctly.

--
Chip Old (Francis E. Old)             E-Mail: [EMAIL PROTECTED]
Manager, BCPL Network Services        Phone: 410-887-6180
Manager, BCPL.NET Internet Services   FAX: 410-887-2091
320 York Road
Towson, MD 21204 USA
Re: Group ip pools
Barry Murphy [EMAIL PROTECTED] wrote:

> Could the problem be because the user is connecting with a Virtual NAS-Port...

Yes. There's nothing in the Access-Request packet which lets the server tell one virtual port from another. The server therefore cannot assign IP addresses, as it has no way of tracking who was assigned what.

Alan DeKok.
Re: Group ip pools
It's a pptp connection using debian poptop and ppp. Any ideas?

Thanks
Barry

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 2:42 AM
Subject: Re: Group ip pools
Re: Group ip pools
NTRadPing confirmed what you mentioned, I'm wondering if anyone has managed to get debian ppp to send the interface number as the NAS-Port? i.e. ppp0 would be port 0, ppp1 would be Nas-Port=1 etc. Been googling for hours for this and days on this topic and come up with nothing.

A link off http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ shows:

    RADIUS plugin now uses ppp interface number instead of terminal device number as NAS-Port value because interface number is guaranteed to be unique.

Barry

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 2:42 AM
Subject: Re: Group ip pools
Re: Group ip pools
Going forward I have looked at the scripts and it shows that TTY is being used and clients are getting a Nas-Port beginning with 0, then 1 for the second user as shown below.

    Sun Aug 1 12:00:49 2004
        Acct-Session-Id = 410C2FFA01F0
        User-Name = icepick
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 219.88.249.85
        NAS-IP-Address = 10.23.19.2
        NAS-Port = 0
        Acct-Delay-Time = 0
        Client-IP-Address = 10.22.19.2
        Acct-Unique-Session-Id = 819283b999345e7d
        Timestamp = 1091318449

    Sun Aug 1 13:26:04 2004
        Acct-Session-Id = 410C43DA0201
        User-Name = neil
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 219.88.249.89
        NAS-IP-Address = 10.23.19.2
        NAS-Port = 1
        Acct-Delay-Time = 0
        Client-IP-Address = 10.22.19.2
        Acct-Unique-Session-Id = f27a28a784f81cba
        Timestamp = 1091323564

Barry

- Original Message -
From: Barry Murphy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 1:39 PM
Subject: Re: Group ip pools
Re: IP Pools Error?
Hello m0bius,

Friday, November 7, 2003, 4:56:58 PM, you wrote:

m I seem to be having a strange error occurring during the past few days
m that I think has something to do with the IP Pools Management. We use
m two Ascend Lucent MAX 3000 NAS (the one with one PRI while the second
m carries two). The problem occurs while there are more than 50 dialup
m users in which case the users can't connect and get an error type 738:
m Server did not assign an IP address...

m I've enabled ippools in radius.conf with the correct start and stop
m values and added the main_pool in the accounting and post-auth section
m as mentioned. However the weird thing is that I don't seem to have any
m logs via the radius of the unsuccessful attempts (either via the
m detail/reply logs or the dialup admin) and I can't trace the problem by
m debugging mode since the error doesn't happen all the times. It would
m look like the nases are blocking the connections.

m I believe that it has something to do with the NASes but the strange
m thing is that while using the Cistron radius server no such issue had
m been observed.

I have pretty the same problem here. When I'm testing connection - all working fine. But when there's some users connected - rlm_ippool seems to be not working. In debug mode I've seen that processing of such 'bad' requests are finished right after entering 'post-auth' block, and in these cases ippool is not invoked - radiusd says 'Finished request blah-blah' and then it comes to another request.

Maybe, some server tuning should be done? I mean, number of threads, timeouts and such. Tomorrow I will try it.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: IP Pools Error?
Alexander Lunyov [EMAIL PROTECTED] wrote:

> m I believe that it has something to do with the NASes but the strange
> m thing is that while using the Cistron radius server no such issue had
> m been observed.

Cistron doesn't have IP pools.

> I have pretty the same problem here. When I'm testing connection - all working fine. But when there's some users connected - rlm_ippool seems to be not working. In debug mode I've seen that processing of such 'bad' requests are finished right after entering 'post-auth' block, and in these cases ippool is not invoked - radiusd says 'Finished request blah-blah' and then it comes to another request.
>
> Maybe, some server tuning should be done? I mean, number of threads, timeouts and such. Tomorrow I will try it.

I would suggest adding more debug statements to the rlm_ippool module, so you can see WHY it isn't assigning an IP. Odds are that the request doesn't contain enough information for it to assign an IP.

Alan DeKok.
Re[2]: IP Pools Error?
Hello Alan,

Thursday, May 13, 2004, 5:36:18 PM, you wrote:

> I have pretty the same problem here. When I'm testing connection - all working fine. But when there's some users connected - rlm_ippool seems to be not working. In debug mode I've seen that processing of such 'bad' requests are finished right after entering 'post-auth' block, and in these cases ippool is not invoked - radiusd says 'Finished request blah-blah' and then it comes to another request.
>
> Maybe, some server tuning should be done? I mean, number of threads, timeouts and such. Tomorrow I will try it.

AD I would suggest adding more debug statements to the rlm_ippool
AD module, so you can see WHY it isn't assigning an IP. Odds are that
AD the request doesn't contain enough information for it to assign an IP.

Yes, it seems that sometimes NAS-Port-Id is missing. For example:

Request is:

    Service-Type = Framed-User
    User-Name = bpv89
    Framed-Protocol = PPP
    CHAP-Password = xx
    CHAP-Challenge = xx
    NAS-Identifier = zeus.domain.ru
    NAS-Port-Type = Async

And this client is not receiving address, because rlm_ippool return NOOP after NAS port id check.

I'm using exppp on freebsd-4.8R-p13 and multiport cards as a NAS, and I found that such requests comes only from some ports/modems (i.e. /dev/cuaa10), and other is doing fine.

Why NAS-Port-Id so critical for rlm_ippool? Can I do some workaround for this problem, maybe with some hack of rlm_ippool.c? I mean, do rlm_ippool really need NAS-Port-Id?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
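The condition that both the "Group ip pools" and "IP Pools Error?" threads run into, as an added example (not code from any poster or from FreeRADIUS): a simplified Python model of a pool keyed on NAS and NAS-Port, run over attribute sets re-typed from the dumps quoted in those threads. The function and class names, the NAS-Identifier fallback and the `notfound` return value are assumptions of this model.

```python
import ipaddress

# Constructed inputs, re-typed from the dumps quoted above (pool-relevant attributes only).
REQUESTS = {
    "pptp-virtual": """
        User-Name = testing
        NAS-Identifier = ns.unix.co.nz
        NAS-Port-Type = Virtual""",
    "pppd-port0": """
        User-Name = icepick
        NAS-IP-Address = 10.23.19.2
        NAS-Port = 0""",
    "pppd-port1": """
        User-Name = neil
        NAS-IP-Address = 10.23.19.2
        NAS-Port = 1""",
    "exppp-async": """
        User-Name = bpv89
        NAS-Identifier = zeus.domain.ru
        NAS-Port-Type = Async""",
}


def parse_attrs(text):
    """Turn 'Name = value' lines from a debug or detail dump into a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            attrs[name.strip()] = value.strip().strip('"')
    return attrs


def pool_key(attrs):
    """Return (nas, port) naming one session slot, or None if it cannot be built."""
    nas = attrs.get("NAS-IP-Address") or attrs.get("NAS-Identifier")  # fallback: assumption
    port = attrs.get("NAS-Port")
    if not nas or port is None or not port.isdigit():
        return None
    return nas, int(port)


class ModelPool:
    """Toy allocator keyed on (nas, port); a model of the idea, not rlm_ippool's code."""
    def __init__(self, start, stop):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start, stop))
        self.free = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        self.leases = {}

    def post_auth(self, attrs):
        key = pool_key(attrs)
        if key is None:
            return "noop", None  # the outcome seen in the quoted debug logs
        if key not in self.leases:
            if not self.free:
                return "notfound", None  # pool exhausted (return name is an assumption)
            self.leases[key] = self.free.pop(0)
        return "ok", str(self.leases[key])

    def accounting_stop(self, attrs):
        key = pool_key(attrs)
        if key not in self.leases:  # also true when key is None: nothing to look up
            return "noop"
        self.free.append(self.leases.pop(key))
        return "ok"


def run_samples():
    pool = ModelPool("219.88.249.73", "219.88.249.80")  # range from the posted config
    return {name: pool.post_auth(parse_attrs(text)) for name, text in REQUESTS.items()}


if __name__ == "__main__":
    print(run_samples())
```

The two requests without NAS-Port come back `noop` whatever their NAS-Port-Type says, and a Stop record without the key could not release an address either, which is the tracking problem described in the replies.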
RE: Multiple IP Pools with Ascend APX's
Anson,

You need to look at how pool chaining works with the APX. You might also look into the virtual routers.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anson Rinesmith
Sent: Wednesday, March 17, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple IP Pools with Ascend APX's
Multiple IP Pools with Ascend APX's
I'm using freeRadius with MySQL

In radgroupreply,

    GroupName, Attribute, op, Value, prio

I have multiple ISPs logging into one RAS. First ISP needs two class Cs, pools 1 and 2. Second ISP needs 3 Class Cs, pools 3, 4, 5. etc..

Therefore I cannot use

    isp1, X-Ascend-Assign-IP-Pool, :=, 0

Would I have

    isp1, X-Ascend-Assign-IP-Pool, :=, 1
    isp1, X-Ascend-Assign-IP-Pool, +=, 2
    isp2, X-Ascend-Assign-IP-Pool, :=, 3
    isp2, X-Ascend-Assign-IP-Pool, +=, 4
    isp2, X-Ascend-Assign-IP-Pool, +=, 5
    etc.
FreeRADIUS, MySQL, IP Pools
Hi All,

My first post so please be gentle :)

We've been having a few problems with pupils joining our LAN using their own kit. Although we'd like to allow this at some stage (under our rules obviously) we'd like this to be done in a sensible, secure way.

Now I have set up a FreeRADIUS box on OS X, it has MySQL support and so far, so good it works fine. If I setup a wireless AP to use it, it works like a charm. Fine.

I'd like to now setup a scheme for the RADIUS box to match MAC Addresses to a range of IP addresses (particularly a scope our DHCP server will send out). I am therefore hoping any pupil laptop in the future will be allowed access as long as the MAC address is known and they are using a particular IP range.

Is this doable with FreeRADIUS???

I presently am using dialup_admin to admin the system and it has an IP Address field in the new user and new group setup. Can I add a range in the usual 192.168.1.0/24 notation to say the group and make all Pupil users a member of that group??? Would this work or am I completely barking up the wrong tree.

TIA

Dan

--
Dan Hawker
Systems Admin
Canford School
--
[EMAIL PROTECTED]
Re: FreeRADIUS, MySQL, IP Pools
The answer depends on your dhcp server (and not) ;) I think. Did you check in your DHCP server manuals if it supports this type of attribute? What is your DHCP server?

By the way, it is usually possible that your pupils might give an IP manually, it is not so secure to trust only to the DHCP server.

So your pupils use wireless cards to connect to the network? Can you give more details about the hardware and software?

Freeradius has IP pools, you can define a pool and make certain MAC addresses use the IPs from the pool. See Framed-IP-Address attribute (if I am not mistaken, it was something like that). But does your wireless ap/dhcp server etc. support this? That is the question...

Evren