Re: [rad] Re: pseudo-newbie exec scripts and session-time
> You better believe that if I 'work > it out for myself' I will be coming back to this list with a howto and > examples for any other 1.x user who runs into the same situation that I > have. Work what out? Your problem has nothing to do with freeradius vesrion. exec module hasn't changed in years. While you were moaning, another user resolved such problem (post:refresh variable after exec module). Whatever applies to him, applies to you as well. And the post points to the example included with the server saying how to call the script, from where, how to set attributes, system variables, even how to list them all (what more would you want). It should be in the same place in your server version too. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Charles Gregory wrote: > ...there really > should either be a repository of documents applying to 1.x (similar to > how Apache mainatains its separate document trees for 1.x and 2x), Sure. Apache has 1000 times as many installations as FreeRADIUS, and probably 1000 times as much funding, and probably 100 times as many developers. There are very, very, few Open Source projects with as good documentation as Apaches. The simple reason is that there are very, very, few projects with as much funding and as many developers. > But yes, John, I *knew* what I was choosing. This is one reason I get so > incensed by people who clutter a group with replies that tell me I made > a bad choice. Not that their opinions 'hurt' me directly, but I am > concerned that people are hanging on the fringes, and perhaps have an > answer to my questions, but they see an 'official-sounding' response, > and maybe they think they're not "supposed" or "allowed" to answer > questions about earlier versions.. Sounds silly, I know, but people > are like that. :) Anyone is free to ask, or answer, questions about any version of the server. As it happens, the most active people responding to messages all use recent versions of the server. And it is their professional opinion that most everyone else should, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Charles Gregory wrote: > On Fri, 12 Jun 2009, Alan DeKok wrote: >> The CentOS people answer questions about CentOS on the CentOS mailing >> list. That is the limit of their support. >> Similarly, the FreeRADIUS people answer questions about FreeRADIUS on >> the freeradius-users list. > > What do you mean by "people"? The people on this list. Whoever they are. > What *I* mean is not just the developers > and volunteers, whose time is often quite precious, but the many USERS > who have the package installed on many different systems. THAT is the > strength of open source. Which is what I said, too. See my other messages. > All of *us* banding together. I don't just come > to these groups asking questions. I answer them. You better believe that > if I 'work it out for myself' I will be coming back to this list with a > howto and examples for any other 1.x user who runs into the same > situation that I have. Sure. We'll wait. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On Fri, 12 Jun 2009, Alan DeKok wrote: The CentOS people answer questions about CentOS on the CentOS mailing list. That is the limit of their support. Similarly, the FreeRADIUS people answer questions about FreeRADIUS on the freeradius-users list. What do you mean by "people"? What *I* mean is not just the developers and volunteers, whose time is often quite precious, but the many USERS who have the package installed on many different systems. THAT is the strength of open source. All of *us* banding together. I don't just come to these groups asking questions. I answer them. You better believe that if I 'work it out for myself' I will be coming back to this list with a howto and examples for any other 1.x user who runs into the same situation that I have. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
> So if I have any legitimate complaint against the "FreeRADIUS team" it is > only that with versions so 'close together' in time, there really should > either be a repository of documents applying to 1.x Documentation is included with the server. Read comments in configuration files you are changing/using, man and doc pages included in the distribution. That is the most relevant documentation for the version you have. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On Fri, 12 Jun 2009, John Dennis wrote: BTW, the philosophy of RHEL (why it's "older"), the philosophy of Fedora (why it's bleeding edge) and CentOS is explained on the FreeRadius FAQ under Red Hat (http://wiki.freeradius.org/Red_Hat_FAQ). It's incumbent upon you when selecting an OS to install to comprehend the associated issues of that choice. Firstly, thank you for the very thoughtful and well-worded reply. Sadly, the problem I am complaining about here is that so many people spend so much time providing answers like this one you gave, when I ALREADY HAVE THAT ANSWER. I'd already read all the FAQ's, and so on. I quoted your above paragraph because it is central to my thinking. I made a CHOICE. I was constrained by budget to 'free' software. But I could have still chosen Debian or another 'newer' OS. I CHOSE CentOS for it's *simplicity* and stability. I KNEW I was also choosing to have fewer/older features. I had (and have) the option to upgrade if it is necessary. But where possible, I try to work within the 'basic' framework of this easily understood 'basic' OS and environment, so that for potential future volunteers life will be simpler. I really believe that the problem here is my understanding of FreeRADIUS. It is NOT a 'shortcoming' of version 1.x (at least I can't imagine why it would be). All I need is a bit of advice or a pointer to a 1.x-specific FAQ/howto. So if I have any legitimate complaint against the "FreeRADIUS team" it is only that with versions so 'close together' in time, there really should either be a repository of documents applying to 1.x (similar to how Apache mainatains its separate document trees for 1.x and 2x), or in the 'main' documentation, there 'should' be those little footnotes that say "applies to 2.1 and later" in the descriptions of commands. I put 'should' in quotes, because I recognize that sometimes volunteers don't have time to do these things, and I always try not to sound like I'm 'demanding' on the time of other volunteers. But yes, John, I *knew* what I was choosing. This is one reason I get so incensed by people who clutter a group with replies that tell me I made a bad choice. Not that their opinions 'hurt' me directly, but I am concerned that people are hanging on the fringes, and perhaps have an answer to my questions, but they see an 'official-sounding' response, and maybe they think they're not "supposed" or "allowed" to answer questions about earlier versions.. Sounds silly, I know, but people are like that. :) Thank you John! - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
John Dennis wrote: > Let's clarify something, calling CentOS a "supported" OS is a little > misleading. The CentOS people answer questions about CentOS on the CentOS mailing list. That is the limit of their support. Similarly, the FreeRADIUS people answer questions about FreeRADIUS on the freeradius-users list. For readers who didn't already know: that's the limit of *free* support for Open Source projects. Getting more requires paying for support contract with a company who is willing to support whatever software that the customer has chosen to install. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On 06/12/2009 01:23 AM, Alan DeKok wrote: Charles Gregory wrote: But CentOS is supposedly still a 'supported' OS, so I think it's fair to ask simple 'how to' questions for that environment. Centos supports their OS. This list answers questions about FreeRADIUS. Let's clarify something, calling CentOS a "supported" OS is a little misleading. Red Hat produces a commercial enterprise OS called RHEL (Red Hat Enterprise Linux). It's 100% open source, the source for it is freely available, but to get RHEL you must purchase a "subscription" which amongst other things provides you with support. Lot's of folks like the engineering and stability which Red Hat adds to RHEL, but they would prefer not to have to pay for a support subscription, thus CentOS was born. CentOS takes the fully open RHEL source, strips all the Red Hat branding from it, rebuilds it, and offers it for free download. That's all well and good, buts what's clearly missing in the CentOS model is support (unless you're willing to call the CentOS mailing lists and the CentOS bugzilla "support", but for most folks that does not constitute support). You may be surprised to learn Red Hat has a positive and good relationship with CentOS. We believe they are contributing to the open source ecosystem we espouse. Generally myself and most other Red Hat engineers try to help CentOS users despite the obvious sidestepping of the subscription fee. We also believe when CentOS users come to believe having a support contract is in their best interest they will switch to RHEL, because they've effectively have been running RHEL, just without support. So is CentOS supported? Not in my book, but we'll still try to help you (within limits, after which we'll politely suggest you pay for the support by becoming a RHEL customer). Make sense? BTW, the philosophy of RHEL (why it's "older"), the philosophy of Fedora (why it's bleeding edge) and CentOS is explained on the FreeRadius FAQ under Red Hat (http://wiki.freeradius.org/Red_Hat_FAQ). It's incumbent upon you when selecting an OS to install to comprehend the associated issues of that choice. And the 1.x versions are *not* supported by us. When people ask questions about them, they get told to upgrade to 2.1. The 1.x versions are over two years old. Everything is easier and better in 2.1. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Charles Gregory wrote: > Why do you LET RedHat use the old version if it is so unsupported? There appears to be a fundamental misconception in that sentence: We don't control RedHat. So... RedHat does whatever the heck makes them happy. And it makes them happy to keep their customers happy. And their customers are happy using versions of software that are supported by RedHat. And Redhat doesn't want to upgrade their software every 6 months. As a result, the software shipped by RedHat (and therefore CentOS), is often years out of date. Why does this happen? The people who PAY REDHAT for support want it this way. And I can understand why. The people who DO NOT PAY for support are out of luck. If you want to leverage (for free) the work that RedHat has done to create a stable system, then you use software that is out of date. If you want to leverage (for free) the work that we have done to create an up to date version of FreeRADIUS, then you don't have a version "blessed" by RedHat. There is a simple fix: pay someone for support. See the "support" link on http://freeradius.org for support specific to FreeRADIUS. Or, ask RedHat for a support contract for the entire OS and packages. > Quite right. CentOS supports their OS, not the component packages. So I > cannto ask *them* a FreeRADIUS question. They tell me to come HERE. Exactly. They build CentOS and can *for free*, answer questions about their work. We build FreeRADIUS, and can *for free* answer questions about it. But the free answers might not always be what you want to hear. > Now, in the spirit of the sarcasm with which your comment was offered, > I reply, gee, I think I *am* on the wrong list. Yes. You want *guaranteed* support for an older version of the server. The only question now is, do you want to pay for it, or do you want it for free? > I am looking for a FreeRADIUS *USERS* forum. Obivously, with FreeRADIUS > 1.x in wide deployment in RHEL and CentOS there HAS to be a 'community' > of 1.x users, or at the least a community of FreeRADIUS users who, even > if they have migrated to later versions themselves, still *remember* the > basic syntax of a version of FreeRADIUS that they must have been using > *very* recently (for anyone getting a decent life-expectancy out of > servers and OS's, three years is 'recent'). I had thought that *this* > forum would have many people like this. Sure. Anyone using 1.x is able to subscribe to this list, and to answer questions about it. There is no one stopping them from supporting you *for free*. But sadly, there doesn't seem to be a great crush of people supporting 1.x. Maybe you would be willing to stay on this list and help others? > So, at the risk of sounding like a whiner, why the *HECK* am I stuck > with something "not easier and better" in a CURRENT release? Because that's what you chose to install. We can't help that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On Fri, 12 Jun 2009, Alan DeKok wrote: Charles Gregory wrote: But CentOS is supposedly still a 'supported' OS, so I think it's fair to ask simple 'how to' questions for that environment. Centos supports their OS. This list answers questions about FreeRADIUS. Quite right. CentOS supports their OS, not the component packages. So I cannto ask *them* a FreeRADIUS question. They tell me to come HERE. Now, in the spirit of the sarcasm with which your comment was offered, I reply, gee, I think I *am* on the wrong list. I am looking for a FreeRADIUS *USERS* forum. Obivously, with FreeRADIUS 1.x in wide deployment in RHEL and CentOS there HAS to be a 'community' of 1.x users, or at the least a community of FreeRADIUS users who, even if they have migrated to later versions themselves, still *remember* the basic syntax of a version of FreeRADIUS that they must have been using *very* recently (for anyone getting a decent life-expectancy out of servers and OS's, three years is 'recent'). I had thought that *this* forum would have many people like this. But maybe people only come here for 'bleeding edge' stuff. If so, could someone be kind enough to direct me to the FreeRADIUS community/forum where 1.x is still discussed and used? Everything is easier and better in 2.1. So, at the risk of sounding like a whiner, why the *HECK* am I stuck with something "not easier and better" in a CURRENT release? Why do you LET RedHat use the old version if it is so unsupported? - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Charles Gregory wrote: > But CentOS is > supposedly still a 'supported' OS, so I think it's fair to ask simple > 'how to' questions for that environment. Centos supports their OS. This list answers questions about FreeRADIUS. And the 1.x versions are *not* supported by us. When people ask questions about them, they get told to upgrade to 2.1. The 1.x versions are over two years old. Everything is easier and better in 2.1. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On Thu, 11 Jun 2009, John Dennis wrote: No you're not stuck with an old 1.x. See: http://wiki.freeradius.org/Red_Hat_FAQ Go read the thread "Version... Version..."... I posted that thread partly in anticipation that when I started to ask for help with my 'standard' CentOS FreeRadius, people with the luxury of installing from source or other 'bleeding edge' would immediately start nagging me about how and where to install new versions. Begging pardon, but we installed CentOS with a *principle* in mind, to have a simple common *base* installation. I see no reason to use a new version unless the version I have does not have the features I need. I've already got my radius executing one script, so its not like it doesn't run scripts at all. I just need to get the right syntax. So thank you, if you don't know the answer to the question. But CentOS is supposedly still a 'supported' OS, so I think it's fair to ask simple 'how to' questions for that environment. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
On 06/11/2009 04:42 PM, Charles Gregory wrote: Okay, I'm banging my head up against the expected proverbial wall. Please remember I'm stuck with old 1.x version. on Centos No you're not stuck with an old 1.x. See: http://wiki.freeradius.org/Red_Hat_FAQ -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
> Okay, I'm banging my head up against the expected proverbial wall. > Please remember I'm stuck with old 1.x version. on Centos Which is not supported. > > I'm trying to get a script to execute and set the 'Session-Timeout' > value. I've defined the script thusly: > > exec timecalc { > wait = yes > program = "/usr/local/etc/radius_timecalc > %{User-Name}..." > input_pairs = request > output_pairs = reply > # packet_type = Access-Accept > } > > (I've tried it with and without the packet_type) > > I've tried placing just "timecalc" into the post-auth and > alternately the auth sections. Where did you get that ides? Exec module comments do say how to call a script. > I tried using the sytax: > update reply { > timecalc > } > And also tried: > update reply { >Session-Time := "200" > } You can't use unlang in 1.x. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Okay, I'm banging my head up against the expected proverbial wall. Please remember I'm stuck with old 1.x version. on Centos I'm trying to get a script to execute and set the 'Session-Timeout' value. I've defined the script thusly: exec timecalc { wait = yes program = "/usr/local/etc/radius_timecalc %{User-Name}..." input_pairs = request output_pairs = reply # packet_type = Access-Accept } (I've tried it with and without the packet_type) I've tried placing just "timecalc" into the post-auth and alternately the auth sections. I don't get any errors, but the script does not run... (I have the script touch a file to prove it runs, and it doesn't happen). I tried using the sytax: update reply { timecalc } And also tried: update reply { Session-Time := "200" } and got 'rcode' errors under post-auth and 'syntax' errors in auth. I might have mised a magic combination. Anyone care to tell me the exact syntax for making this script run on an access-accept? - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Charles Gregory wrote: > Sorry, maybe I should take 'pseudo' out of the subject line... > Firstly, MY BAD. I forgot to post that I'm on CentOS 4, and therefore > limited to whatever syntax applies to "freeradius-1.0.1-3.RHEL4.5" Upgrade. There should be RPMs available for that. See http://freeradius.org. Click on "download", and then look for "redhat". Really. Install 2.1.6, it is infinitely better than 1.0.1. > Hopefully what I want to do is so 'basic' it doesn't change :) > > Secondly, anyone noticed that the basic MAN pages are hard to find on > the website? I happened to click the link to 'modular' on the home page > and found a link to man pages at the bottom of that page. So at least > now I can see the full list of manuals and start to RTFM. :) The server *includes* man pages when you install it. You can read those. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [rad] Re: pseudo-newbie exec scripts and session-time
Hello again! Sorry, maybe I should take 'pseudo' out of the subject line... Firstly, MY BAD. I forgot to post that I'm on CentOS 4, and therefore limited to whatever syntax applies to "freeradius-1.0.1-3.RHEL4.5" Hopefully what I want to do is so 'basic' it doesn't change :) Secondly, anyone noticed that the basic MAN pages are hard to find on the website? I happened to click the link to 'modular' on the home page and found a link to man pages at the bottom of that page. So at least now I can see the full list of manuals and start to RTFM. :) On Thu, 4 Jun 2009, a.l.m.bu...@lboro.ac.uk wrote: I'm thinking: Session-Timeout := %{exec:timecalc} pretty much Actually, I can't find a good working example from which to lift the exact syntax. Is the above correct? Should I use back ticks? I really don't want hand-holding, but sometimes a good working sample is worth a thousand posts. :) you need to set this via the update reply style as recently posted several times this past month to the list (nod) Found the posts... thanks... post-auth section - thats where you should set any return details (nod) Good point. Thanks. Said I was newb. :) Hmmm. While I'm here, if I set Session-Timeout to ZERO, what will happen? ;-) it should mean there is no session timeout (ie infinite session) (smack forehead) Didn't think of that. But I can set a timeout of one second and that will do the job of dropping someone who is out of time. Probably better that way so that they don't get a message that their userid and password are invalid. Or is there a reply item that a Cisco AS5400 would pass on to the dialing (probably) Windows PPP and have it display a meaningful "you are out of time" message to the user during auth? (Dare I dream? LOL) Thanks. - Charles - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html