Hi Alan
Thanks for your help.

Marco

-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson....@lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson....@lists.freeradius.org] On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: Tuesday 26 May 2009 17.58
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 117

Today's Topics:

   1. Re: Statistic Counter (Alan DeKok)
   2. problem with rlm_counter module when reset option is set to never (Ahmed Nifaz Faizabadi)
   3. Re: problem with rlm_counter module when reset option is set to never (Ivan Kalik)
   4. Re: problem with rlm_counter module when reset option is set to never (Ahmed Nifaz Faizabadi)
   5. Re: problem with rlm_counter module when reset option is set to never (Alan DeKok)
   6. Assigning IP address from RADIUS to Cisco PPTP users (u...@3.am)
   7. wired 802.1x for desktops (offtopic) (Mikael Kermorgant)
   8. FW: freeradius2.1.4--Simultaneous (??)
----------------------------------------------------------------------

Message: 1
Date: Tue, 26 May 2009 13:29:51 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: Statistic Counter
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <4a1bd2af.5050...@deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Marco De Magistris wrote:
> Can I enable other counters for AuthRadiusClientAccessRetransmissions,
> AuthRadiusClientTimeouts, AuthRadiusClientCounterDiscontinuity)?

The server does not currently track those statistics. As always, patches are welcome.

> Or I should use "counter" module of FreeRadius?

No. It won't do what you want.

Alan DeKok.

------------------------------

Message: 2
Date: Tue, 26 May 2009 18:13:59 +0530
From: Ahmed Nifaz Faizabadi <ahmedni...@gmail.com>
Subject: problem with rlm_counter module when reset option is set to never
To: freeradius-users@lists.freeradius.org
Message-ID: <d49df1900905260543k4228999ai4aeb7ff46b595...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi all,

Here is the issue I am facing with rlm_counter module.
I am using freeradius-server-2.1.4 and configuring Max session time for each user.

for example:
user1   Max-Session-Time := 1800, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

user2   Max-Session-Time := 3600, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

and rlm_counter options are :

counter daily {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        key = User-Name
        reset = never
}

I am observing that the user accounting record is not deleted from rlm_counter module once the user has used his allocated time. For example when user1 has used 1800 seconds allocated to him then I will be deleting the user from users config and then add the same user back. I am getting the "Your time limit is used" message :(.
Does somebody have information about how to delete the records from rlm_counter module once they are expired with reset-option set to never.

Regards
Ahmed Nifaz

------------------------------

Message: 3
Date: Tue, 26 May 2009 14:15:35 +0100 (BST)
From: "Ivan Kalik" <t...@kalik.net>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <30874.194.176.105.44.1243343735.squir...@webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> Here is the issue I am facing with rlm_counter module.
> I am using freeradius-server-2.1.4 and configuring Max session time
> for each user.
>
> for example:
> user1   Max-Session-Time := 1800, Auth-Type := Reject
>         Reply-Message = "Your time limit is used"
>
> user2   Max-Session-Time := 3600, Auth-Type := Reject
>         Reply-Message = "Your time limit is used"
>
> and rlm_counter options are :
>
> counter daily {
>         counter-name = Max-All-Session-Time
>         check-name = Max-All-Session
>         key = User-Name
>         reset = never
> }
>
>
> I am observing that the user accounting record is not deleted from
> rlm_counter module once the user has used his allocated time.

And what makes you think it would be.

> For
> example when user1 has used 1800 seconds allocated to him then I will
> be deleting the user from users config and then add the same user
> back. I am getting the "Your time limit is used" message :(.
>
> Does somebody have information about how to delete the records from
> rlm_counter module once they are expired with reset-option set to
> never.

Yes. Delete accounting records as well when you delete user details.
Ivan Kalik
Kalik Informatika ISP

------------------------------

Message: 4
Date: Tue, 26 May 2009 19:03:34 +0530
From: Ahmed Nifaz Faizabadi <ahmedni...@gmail.com>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: t...@kalik.net, FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <d49df1900905260633k59bc4b28peeeeb6f6f36d9...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>> Here is the issue I am facing with rlm_counter module.
>> I am using freeradius-server-2.1.4 and configuring Max session time
>> for each user.
>>
>> for example:
>> user1   Max-Session-Time := 1800, Auth-Type := Reject
>>         Reply-Message = "Your time limit is used"
>>
>> user2   Max-Session-Time := 3600, Auth-Type := Reject
>>         Reply-Message = "Your time limit is used"
>>
>> and rlm_counter options are :
>>
>> counter daily {
>>         counter-name = Max-All-Session-Time
>>         check-name = Max-All-Session
>>         key = User-Name
>>         reset = never
>> }
>>
>>
>> I am observing that the user accounting record is not deleted from
>> rlm_counter module once the user has used his allocated time.
>
> And what makes you think it would be.
>

This would increase the accounting file size indefinitely and cause some other problems as the user records are not at all being deleted.

>> For
>> example when user1 has used 1800 seconds allocated to him then I will
>> be deleting the user from users config and then add the same user
>> back. I am getting the "Your time limit is used" message :(.
>>
>> Does somebody have information about how to delete the records from
>> rlm_counter module once they are expired with reset-option set to
>> never.
>
> Yes. Delete accounting records as well when you delete user details.
>

I tried that but that accounting file is in binary or some other encrypted format.
Will you please let me know about how to delete that accounting record or how to convert that to simple text file (which would make easy deleting expired records).

Ahmed Nifaz

------------------------------

Message: 5
Date: Tue, 26 May 2009 15:49:26 +0200
From: Alan DeKok <al...@deployingradius.com>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <4a1bf366.5020...@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Ahmed Nifaz Faizabadi wrote:
....
>>> counter daily {
>>>         counter-name = Max-All-Session-Time
>>>         check-name = Max-All-Session
>>>         key = User-Name
>>>         reset = never
...
>>> I am observing that the user accounting record is not deleted from
>>> rlm_counter module once the user has used his allocated time.
...
> This would increase the accounting file size indefinitely and cause
> some other problems as the user records are not at all being deleted.

See the configuration: "reset = never" means "never reset". Which means "don't reset".

> I tried that but that accounting file is in binary or some other
> encrypted format. Will you please let me know about how to delete that
> accounting record or how to convert that to simple text file ( which
> would make easy deleting expired records) .

It's just a DBM file. See the "rad_counter.pl" file in the source tree. It shows how to edit the file.

Alan DeKok.

------------------------------

Message: 6
Date: Tue, 26 May 2009 11:34:41 -0400 (EDT)
From: u...@3.am
Subject: Assigning IP address from RADIUS to Cisco PPTP users
To: freeradius-users@lists.freeradius.org
Message-ID: <pine.bsf.4.64.0905261122570.14...@richard2.pil.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi:

I've used Livingston and Cistron radiusd's in the past with dialup ppp users and Cisco/Lucent NASes and have been able to do this with no problems.
Users are currently authenticating fine and getting assigned IPs from the IP pool as defined in the Cisco NAS. However, I'd like to have a few, select users assigned static IPs from outside that pool, but the Cisco (2811) is simply ignoring the raddb/users file entry for that user and assigning an IP from the pool on the NAS.

Here is my Cisco config::

--------------------
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common

vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1

interface Loopback0
 ip address 99.99.99.99 255.255.255.255
 ip nat inside
 ip virtual-reassembly

interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip policy route-map VPN-Client
 peer match aaa-pools
 peer default ip address pool vpnpool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
---------

Here is the raddb/users file entry:

---------
testuser        Service-Type == Framed-User
                Framed-Protocol == PPP,
                Framed-IP-Address = 172.16.1.2,
                Framed-IP-Netmask = 255.255.255.255,
                Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT         Framed-Protocol == PPP
                Framed-Protocol = PPP,
                Framed-Compression = Van-Jacobson-TCP-IP
--------------

The DEFAULT entry allows users in /etc/passwd to authenticate fine, but "testuser" still gets an IP from the NAS pool instead of the one above..

Any pointers appreciated!

James Smallacombe
PlantageNet, Inc.
CEO and Janitor
u...@3.am http://3.am
=========================================================================

------------------------------

Message: 7
Date: Tue, 26 May 2009 17:49:03 +0200
From: Mikael Kermorgant <mikael.kermorg...@gmail.com>
Subject: wired 802.1x for desktops (offtopic)
To: freeradius-users@lists.freeradius.org
Message-ID: <9711147e0905260849o189c2601w5c1e378769668...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

Sorry for this off-topic message, I have a question about 802.1x deployment and don't know where to ask. As freeradius is one of the elements I think of, maybe someone here can help me find the solution ?

My Goals :
1) authenticate access to the network from Open Public Access Catalog (OPAC) desktop machines available to every user of a biblioteque.
2) have a guest account with limited LAN access (no access to internet, or just a very short whitelist)
3) Keep the machines reachable from some servers (ghost server, monitoring, etc). (this criteria eliminates the solution of a captive portal)

I thought 802.1x with dynamic vlans would be a nice solution as it should permit to put the guest account in a specific vlan. But how would it be possible to reach the machine from the management servers before someone authenticates ? Is it possible to have a default vlan activated on startup of the machine ?

Or do you know where I should ask this question ?

Regards,

--
Mikael Kermorgant

------------------------------

Message: 8
Date: Tue, 26 May 2009 23:57:27 +0800
From: ?? <jiang...@seec.com.cn>
Subject: FW: freeradius2.1.4--Simultaneous
To: <freeradius-users@lists.freeradius.org>
Message-ID: <fed9eb928de94c60a0bed02f25242...@it0508023>
Content-Type: text/plain; charset="gb2312"

HI:

I use freebsd7.0+mysql+freeradius2.1.4

Can use the radius data base to be hit by a consumer at the same time, by verifying with a consumer. But, I am put into use coming to control a consumer "Simultaneous" in radius. When condition now is that second consumers log on,before acctstoptime in billing form renew with classics. But, nas does not initiate consumer time line information kit. (The consumer continues using a network). Feel that the radius does not send out acc-reject or acc-stop Bao Lai stops using a family.

Thank you!

System

localhost# whereis perl
perl: /usr/bin/perl /usr/local/man/man1/perl.1
localhost# whereis snmpget
snmpget: /usr/local/bin/snmpget /usr/local/man/man1/snmpget.1

Cisco config

aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius

interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 2
 dot1x guest-vlan 3
 dot1x auth-fail vlan 4
 dot1x auth-fail max-attempts 2
 spanning-tree portfast

redius.conf

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
                     FROM ${acct_table1} \
                     WHERE username = '%{SQL-User-Name}' \
                     AND acctstoptime IS NULL"

INSERT INTO `radius`.`radgroupcheck` (`groupname` ,`attribute` ,`op` ,`value` )VALUES ( 'user', 'Simultaneous-Use', ':=', '1');

?????????????mysql?radacct????????????????? ???????????

mysql> select username,acctstarttime,acctstoptime from radacct where username="jsh";
+----------+---------------------+---------------------+
| username | acctstarttime       | acctstoptime        |
+----------+---------------------+---------------------+
| jsh      | 2009-05-19 07:34:57 | 2009-05-19 07:35:49 |
| jsh      | 2009-05-19 07:35:49 | NULL                |
+----------+---------------------+---------------------+
2 rows in set (0.00 sec)

mysql>

sites-available/default

accounting {
        radutmp
        ...
        sql
        ....
}
session {
        #radutmp
        sql
}

Mysql query is radacct,radpostauth

radacct

username  acctstarttime        acctstoptime  count(*)
jsh       2009-05-26 07:45:09  NULL          1

radpostauth

14  jsh  Access-Accept  2009-05-26 07:30:04
15  jsh  Access-Accept  2009-05-26 07:45:08
16  jsh  Access-Accept  2009-05-26 07:45:08

Radgroupcheck

id  groupname  attribute         op  value
1   user       Simultaneous-Use  :=  1

Nas

nasname        shortname  type   ports  secret  community  description
192.168.0.100  cisco3560  cisco  1812   cisco   cisco3560  RADIUS Client

???? ? ? ? ? ? ?__????? ????????????22?????10? 100020
Tel: 010-85650282 Mobi:13810174932 Fax: 010-65880126
msn: mouse...@hotmail.com

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 49, Issue 117
*************************************************