Re: Expiration and EAP verification question

2013-09-22 Thread Alan DeKok
WorkingMan wrote:
> Can you give me an example on how to always accept connection on EAP-* 
> authentication (it will be password based from xauth-eap from strongswan) 

  No.  EAP doesn't (and can't) work that way.

> but at the same time still honour Expiration logic? I am not sure  what to 
> do it (or what to look for). I have been trying different settings for a 
> week now without success. 

  Because EAP is designed to make this impossible.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expiration and EAP verification question

2013-09-22 Thread WorkingMan
Alan DeKok  deployingradius.com> writes:

> 
> WorkingMan wrote:
> > My design is that I don't actually care about secondary authentication with
> > RADIUS since it's already doing certificate validation from strongswan side
> > before doing secondary authentication. All is good if I was only need
> > secondary authentication since I can bypass with verify_eap from strongswan
> > side but I want to make use of the Expiration module on freeradius side
> > (works great).
> 
>   Bypassing authentication is generally a bad idea.
> 
> > I have few questions so it can help me determine next course of action:
> > 
> > 1) is there a way to configure freeradius for Accounting only and also does
> > the user expiration check?
> 
>   No.  User expiration checks are done on authentication.
> 
> > 2) is it possible for me in any way to  reject expired user but accept eap
> > based authentication (from configuration or code modification)? 
> 
>   Yes.
> 
> > 3) when connection is rejected does the strongswan side (xauth-eap plugin in
> > particular) receive information that can differentiate this logic (send
> > attribute that it can handle maybe? I have no idea how that work)?
> 
>   A reject is a reject.  The client usually doesn't get told *why* it
> was rejected.
> 
>   Rather than asking vague questions, it would help to read the config
> files.  They're documented in exhaustive detail.
> 
>   Alan DeKok.

Can you give me an example on how to always accept connection on EAP-* 
authentication (it will be password based from xauth-eap from strongswan) 
but at the same time still honour Expiration logic? I am not sure  what to 
do it (or what to look for). I have been trying different settings for a 
week now without success. 

Background:

As you know default IPSec VPN clients for iOS and Android are ikev1 based 
and that doesn't support EAP-TLS which is ideal for me (mutual certificate 
authentication). For ikev1 I can still do mutual certificate authentication 
but I want freeradius to do accounting stuff and sort of centralize login 
(otherwise there is no need of RADIUS). the only option with strongswan is 
via xauth-eap (internally via eap-radius; using eap-md5, eap-mschapv2, etc 
password based authentication). There is no way according to strongswan's 
team to do accounting only with ikev1 that's why I need to use xauth-eap so 
I can talk to freeradius. There is no need to do password authentication 
when certificate is already validated by the server and you can filter 
clients via certificate details (so it is safe; unless someone can sign fake 
client certificate).

If I didn't care about user expiration (and simultaneous access control) I 
wouldn't need to ask for help (simply modify xauth-eap to always pass 
authentication and doesn't bother talking to RADIUS during authentication). 
I really want to use as much freeradius' feature as possible so I don't have 
to do things on the side (ex: do expiration check on VPN side). Any help 
would be much appreciated.

Thanks



Re: Expiration and EAP verification question

2013-09-22 Thread Alan DeKok
WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with 
> RADIUS since it's already doing certificate validation from strongswan side 
> before doing secondary authentication. All is good if I was only need 
> secondary authentication since I can bypass with verify_eap from strongswan 
> side but I want to make use of the Expiration module on freeradius side 
> (works great).

  Bypassing authentication is generally a bad idea.

> I have few questions so it can help me determine next course of action:
> 
> 1) is there a way to configure freeradius for Accounting only and also does 
> the user expiration check?

  No.  User expiration checks are done on authentication.

> 2) is it possible for me in any way to  reject expired user but accept eap 
> based authentication (from configuration or code modification)? 

  Yes.

> 3) when connection is rejected does the strongswan side (xauth-eap plugin in 
> particular) receive information that can differentiate this logic (send 
> attribute that it can handle maybe? I have no idea how that work)?

  A reject is a reject.  The client usually doesn't get told *why* it
was rejected.

  Rather than asking vague questions, it would help to read the config
files.  They're documented in exhaustive detail.

  Alan DeKok.


Expiration and EAP verification question

2013-09-22 Thread WorkingMan
In strongswan for ikev1 it uses xauth-eap that I use to do validation with 
RADIUS (that's the only way for ikev1 clients with strongswan).

My design is that I don't actually care about secondary authentication with 
RADIUS since it's already doing certificate validation from strongswan side 
before doing secondary authentication. All is good if I was only need 
secondary authentication since I can bypass with verify_eap from strongswan 
side but I want to make use of the Expiration module on freeradius side (works 
great).

I have few questions so it can help me determine next course of action:

1) is there a way to configure freeradius for Accounting only and also does 
the user expiration check?

2) is it possible for me in any way to  reject expired user but accept eap 
based authentication (from configuration or code modification)? 

3) when connection is rejected does the strongswan side (xauth-eap plugin in 
particular) receive information that can differentiate this logic (send 
attribute that it can handle maybe? I have no idea how that work)?

Thanks



Re: TLS-Client-Cert-Expiration date format

2013-07-25 Thread John Dennis
On 07/25/2013 04:50 AM, George Ross wrote:
>> Just wondering if anyone knew what the expiration date format was back
>> from eap-tls transactions? I have a cert here that expires 23/07/2015
>> and FR gives back  "150723132302Z".
>> That's a Z on the end..?
> 
> <http://en.wikipedia.org/wiki/ISO_8601>.

Sorry, but "150723132302Z" is not 8601.

https://en.wikipedia.org/wiki/ISO_8601

"150723132302Z" is universalTime, a subset of ASN.1 GeneralizedTime

http://www.obj-sys.com/asn1tutorial/node14.html

http://luca.ntop.org/Teaching/Appunti/asn1.html (see section 5.17)

universalTime is being used because certs are encoded in ASN.1,
specifically they require the use of GeneralizedTime.

The GeneralizedTime form was standardized before RFC 8601.

The use of GeneralizedTime is an artifact of the certificate binary
encoding format. I'm not sure that's the best presentation these days.
I'd rather see GeneralizedTime values presented in 8601 format to be
consistent with modern standards. To properly parse the universalTime
format being used one has to understand the nuances of X509 certificate
encoding which is expecting too much.

I wonder if the OpenSSL library has an option or function to convert to
8601.


-- 
John


RE: TLS-Client-Cert-Expiration date format

2013-07-25 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks guys, that's great

Andy

 

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org]
On Behalf Of Michael Schwartzkopff
Sent: 25 July 2013 09:38
To: FreeRadius users mailing list
Subject: Re: TLS-Client-Cert-Expiration date format

> Just wondering if anyone knew what the expiration date format was back
> from eap-tls transactions? I have a cert here that expires 23/07/2015
> and FR gives back  "150723132302Z".
> That's a Z on the end..?

<http://en.wikipedia.org/wiki/ISO_8601>.

--
George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh, School of
Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: g...@inf.ed.ac.uk   Voice: 0131 650 5147   Fax: 0131 650 6899
PGP: 1024D/AD758CC5  B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5

The University of Edinburgh is a charitable body, registered in Scotland, with
registration number SC005336.

On Thursday, 25 July 2013, 09:32:46, Franks Andy IT Systems Engineer wrote:
> Hi All,
> Just wondering if anyone knew what the expiration date format was back
> from eap-tls transactions? I have a cert here that expires 23/07/2015
> and FR gives back "150723132302Z".
> That's a Z on the end..?

Zulu time. Equals GMT.

> It's certainly not seconds since epoch or Jan 01 - 1601 which is seen in
> certain other operating systems.

YYMMDDhhmmss"Z"

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: TLS-Client-Cert-Expiration date format

2013-07-25 Thread George Ross
> Just wondering if anyone knew what the expiration date format was back
> from eap-tls transactions? I have a cert here that expires 23/07/2015
> and FR gives back  "150723132302Z".
> That's a Z on the end..?

<http://en.wikipedia.org/wiki/ISO_8601>.

--
George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: g...@inf.ed.ac.uk   Voice: 0131 650 5147   Fax: 0131 650 6899
PGP: 1024D/AD758CC5  B91E D430 1E0D 5883 EF6A  426C B676 5C2B AD75 8CC5

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.





Re: TLS-Client-Cert-Expiration date format

2013-07-25 Thread Michael Schwartzkopff
On Thursday, 25 July 2013, 09:32:46, Franks Andy  IT Systems Engineer wrote:
> Hi All,
> Just wondering if anyone knew what the expiration date format was back
> from eap-tls transactions? I have a cert here that expires 23/07/2015
> and FR gives back  "150723132302Z".
> That's a Z on the end..?

Zulu time. Equals GMT.

> It's certainly not seconds since epoch or Jan 01 - 1601 which is seen in
> certain other operating systems.

YYMMDDhhmmss"Z"


-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

TLS-Client-Cert-Expiration date format

2013-07-25 Thread Franks Andy (RLZ) IT Systems Engineer
Hi All,
Just wondering if anyone knew what the expiration date format was back
from eap-tls transactions? I have a cert here that expires 23/07/2015
and FR gives back  "150723132302Z". 
That's a Z on the end..?
It's certainly not seconds since epoch or Jan 01 - 1601 which is seen in
certain other operating systems.
As part of fault finding I wanted to report back if the certificate has
expired as I can't work out how to get the eap-tls failure message to a
linelog. If I do an explicit check in post-auth-reject at least I can
determine whether it's failed because the certificate that's expired. It
would also be nice to have a list of people authenticating and report
how many days left until the certificate they have expires, so we can
take steps if the auto enrolment doesn't work.
Thanks
Andy
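
An added example, not code from this thread or from FreeRADIUS: it parses the YYMMDDhhmmss"Z" value discussed here (ASN.1 UTCTime as used in X.509 validity fields) into an ISO 8601 timestamp and a days-remaining report. It goes beyond the thread's single value by also accepting the four-digit-year YYYYMMDDhhmmss"Z" form and applying the RFC 5280 two-digit-year rule; all function names and the sample entries other than "150723132302Z" are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# ASN.1 time strings as they appear in X.509 validity fields.
UTCTIME = re.compile(r"[0-9]{12}Z")   # YYMMDDhhmmssZ, e.g. 150723132302Z
GENTIME = re.compile(r"[0-9]{14}Z")   # YYYYMMDDhhmmssZ, four-digit year

# Constructed sample input: (user, raw expiration string).
# Only "150723132302Z" is taken from the thread.
SAMPLE_ENTRIES = [
    ("andy", "150723132302Z"),
    ("host-a", "130801000000Z"),
    ("host-b", "130719110000Z"),
    ("host-c", "20510101000000Z"),
    ("host-d", "23/07/2015"),          # wrong layout on purpose
]


def parse_cert_time(value):
    """Return an aware UTC datetime for a certificate time string."""
    value = value.strip().strip('"')
    if UTCTIME.fullmatch(value):
        yy = int(value[:2])
        # RFC 5280: two-digit years 50-99 mean 19YY, 00-49 mean 20YY.
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = value[2:12]
    elif GENTIME.fullmatch(value):
        year = int(value[:4])
        rest = value[4:14]
    else:
        raise ValueError("not YYMMDDhhmmssZ or YYYYMMDDhhmmssZ: %r" % value)
    month, day, hour, minute, second = (
        int(rest[i:i + 2]) for i in range(0, 10, 2)
    )
    # datetime() raises ValueError for impossible fields (month 13, day 32).
    return datetime(year, month, day, hour, minute, second,
                    tzinfo=timezone.utc)


def to_iso8601(value):
    """'150723132302Z' -> '2015-07-23T13:23:02Z'."""
    return parse_cert_time(value).strftime("%Y-%m-%dT%H:%M:%SZ")


def days_left(value, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_cert_time(value) - now).days


def expiry_report(entries, now, warn_days=30):
    """Return (user, days_left, status) tuples, soonest expiry first.

    Values that cannot be parsed are kept in the report (days_left None)
    so a malformed attribute is visible instead of silently dropped.
    """
    report = []
    for user, raw in entries:
        try:
            remaining = days_left(raw, now)
        except ValueError:
            report.append((user, None, "UNPARSEABLE"))
            continue
        if remaining < 0:
            status = "EXPIRED"
        elif remaining <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((user, remaining, status))
    return sorted(report, key=lambda r: (r[1] is None, r[1] or 0))


if __name__ == "__main__":
    for row in expiry_report(SAMPLE_ENTRIES, datetime.now(timezone.utc)):
        print("%-8s %-8s %s" % (row[0], row[1], row[2]))
```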


RE: certificate expiration proble

2013-07-19 Thread stefan.paetow
Have you opened the certificates you believe to be the latest in something else 
(like Windows perhaps) and checked that the expiry dates of these certificates 
is correct?

And have you checked that your server's time is correct too?

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
On Behalf Of Muhammad Nadeem
Sent: 19 July 2013 11:24
To: FreeRadius users mailing list
Subject: Re: certificate expiration proble

Thanks for your reply, but as I said certificates are ok. Please see this log

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan 
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification 
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan 
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification 
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no 
certificate returned

thanks

On Fri, Jul 19, 2013 at 2:58 PM, <a.l.m.bu...@lboro.ac.uk> wrote:
Hi,

>I am trying to configure eap with some customized certificates, I have
>configured eap.config correctly.
>But I am getting the error of "certificate expired". Although i have the
>latest certificates.
certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert. whatever you're using eg

openssl x509 -in server.pem -noout -text

alan



--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University




Re: certificate expiration proble

2013-07-19 Thread Muhammad Nadeem
Thanks for your reply, but as I said certificates are ok. Please see this log

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

thanks


On Fri, Jul 19, 2013 at 2:58 PM,  wrote:

> Hi,
>
> >I am trying to configure eap with some customized certificates, I have
> >configured eap.config correctly.
> >But I am getting the error of "certificate expired". Although i have
> the
> >latest certificates.
>
> certificate has expired. FreeRADIUS has no reason to lie.
>
> check the startup output of 'radiusd -X' - look for when it loads the
> certs.
> then use openssl to read those certs to see what the values are - server
> cert,
> CA cert or client cert. whatever you're using eg
>
> openssl x509 -in server.pem -noout -text
>
> alan



-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: certificate expiration proble

2013-07-19 Thread A . L . M . Buxey
Hi,

>I am trying to configure eap with some customized certificates, I have
>configured eap.config correctly. 
>But I am getting the error of "certificate expired". Although i have the
>latest certificates.

certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert. whatever you're using eg

openssl x509 -in server.pem -noout -text

alan


Re: SQL Counter for Expiration Attribute - Prepaid Cards

2013-01-01 Thread A . L . M . Buxey
Hi,

> Dear List Members,

people read this list. you do yourself no favours by repeating the
same question all the time. you have been given advice but appear to want
someone to do all the work for you. there are companies/consultants
that can deliver the product that you need.

alan


Re: SQL Counter for Expiration Attribute - Prepaid Cards

2013-01-01 Thread Prabhpal S. Mavi

>
>
> Hi there,
> You can use the frontend tool called daloradius,  it will sort you out in
> what you are trying to achieve, it uses freeradius as the back end.
>
> --
> On Tue, Jan 1, 2013 12:01 PM MSK Prabhpal S. Mavi wrote:
>

Dear Mulindwa,

Thanks for your response. I am using Daloradius as front End. How it will
solve my problem, can you explain?

i am able to create batch (Prepaid) users alright using daloradius, i am
able to assign specific attributes using profiles (Group) also and it is
working as well. such as "Max-All-Session". users are logged off on time
specified as attribute. but they can re login using same prepaid card that
was just used recently. should have expired !!

my problem is to expire user NOT by date (03 Jan 2013).

Thanks



Re: SQL Counter for Expiration Attribute - Prepaid Cards

2013-01-01 Thread Mulindwa


Hi there, 
You can use the frontend tool called daloradius,  it will sort you out in what 
you are trying to achieve, it uses freeradius as the back end.

--
On Tue, Jan 1, 2013 12:01 PM MSK Prabhpal S. Mavi wrote:

>
>Dear List Members,
>
>i have working setup of FreeRadius 2x (freeradius-2.1.12-4.el6_3.x86_64)
>including "rlm_sqlcounter" (Max-Daily-Session). User are logged off
>alright when "Max Session Timeout" is reached. But users can re login to
>gain access. The username and passwords are for hotspot. We do not want
>the username and password to work again once it has been used.
>
>For example: prepaid voucher (MySQL username & password) has 1 hour
>access. User should be able to use sum of one hour, either continuously
>once they are logged in or in parts (30min today & 30min tomorrow so on)
>username & password must never work for more than 1 hour to access our
>network. i am bit confuse attribute to use, i would grateful if someone
>can advice the correct attribute to use for the purpose.
>
>Thanks
>
>
>Hi Members,
>
>
>after working for four days still unable to make it work. Alan Buxey
>advised me to implemented "Expiration" Attribute. Expiration works just
>fine. If i specify any date (01 Sep 2013). But i am working to expire
>username after certain amount of time, such as one hour (not one hour
>after first log in) sum of one hour internet used either by one time login
>or multiple logins (30Min morning & 30min afternoon etc..).
>
>i understand i would need sql_counter to achieve. I am trying but not
>working. my configuration.
>
>1.) Created Counter:
>
>sqlcounter expiration {
>   count-attribute = "Acct-Session-Time"
>   counter-name = "Max-Allowed-Session"
>   check-name = "Expiration"
>   sqlmod-inst = "sql"
>   key = "User-Name"
>   reset = "never"
>   query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(),
>MIN(AcctStartTime))),0) FROM radacct WHERE
>UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
>
>
>2.) Added in radiusd.conf
>
>
>instantiate {
>expiration
>}
>
>
>3.) Added under auth section:
>
>
>authorize {
>expiration
>}
>
>
>When we expire account with expiration attribute which kind of value can
>we define to the attribute so that account gets expire after 1 hour of
>internet use (using sql counter). Date format is working alright (01 Sep
>2013).
>
>
>Thanks everyone for attending to this material.


SQL Counter for Expiration Attribute - Prepaid Cards

2013-01-01 Thread Prabhpal S. Mavi

Dear List Members,

i have working setup of FreeRadius 2x (freeradius-2.1.12-4.el6_3.x86_64)
including "rlm_sqlcounter" (Max-Daily-Session). User are logged off
alright when "Max Session Timeout" is reached. But users can re login to
gain access. The username and passwords are for hotspot. We do not want
the username and password to work again once it has been used.

For example: prepaid voucher (MySQL username & password) has 1 hour
access. User should be able to use sum of one hour, either continuously
once they are logged in or in parts (30min today & 30min tomorrow so on)
username & password must never work for more than 1 hour to access our
network. i am bit confuse attribute to use, i would grateful if someone
can advice the correct attribute to use for the purpose.

Thanks


Hi Members,


after working for four days still unable to make it work. Alan Buxey
advised me to implemented "Expiration" Attribute. Expiration works just
fine. If i specify any date (01 Sep 2013). But i am working to expire
username after certain amount of time, such as one hour (not one hour
after first log in) sum of one hour internet used either by one time login
or multiple logins (30Min morning & 30min afternoon etc..).

i understand i would need sql_counter to achieve. I am trying but not
working. my configuration.

1.) Created Counter:

sqlcounter expiration {
   count-attribute = "Acct-Session-Time"
   counter-name = "Max-Allowed-Session"
   check-name = "Expiration"
   sqlmod-inst = "sql"
   key = "User-Name"
   reset = "never"
   query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM radacct WHERE UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
}


2.) Added in radiusd.conf


instantiate {
    expiration
}


3.) Added under auth section:


authorize {
expiration
}


When we expire account with expiration attribute which kind of value can
we define to the attribute so that account gets expire after 1 hour of
internet use (using sql counter). Date format is working alright (01 Sep
2013).


Thanks everyone for attending to this material.










sql expiration do not checked

2012-03-06 Thread Paolo Barbato
Oddly problem.

freeradius 2.1.12 up and running

authentication ntlm & sql

no problem to authenticate users (ntlm on AD and local on mysql ), both from 
radtest and from NAS work fine

I start to work with sql with the idea to set up some "local" users with a well 
defined expiration date.

I imposed an expiration date  in radcheck table, but it seems that freeradius 
doesn't care….of course it's my fault

from radius -X I see sql user successfully authenticated but no message related 
with "expiration"

I suppose to have insert all sql directives in proper place…is anything special 
to be done to tell free radius to check "expiration" attribute ?

here dump from mysql…both paolo and pluto work


mysql> SELECT * FROM `radcheck` LIMIT 0,1000;
+----+----------+--------------------+----+-------------+
| id | username | attribute          | op | value       |
+----+----------+--------------------+----+-------------+
|  9 | paolo    | Expiration         | := | 04 Mar 2012 |
| 10 | pippo    | Cleartext-Password | := | BvKHknVN    |
|  8 | paolo    | Cleartext-Password | := | paolo       |
| 11 | pippo    | Expiration         | := | 07 Mar 2012 |
+----+----------+--------------------+----+-------------+
4 rows in set (0.00 sec)


Any hints ?

Regards,
Paolo.


Paolo Barbato

Consorzio RFX
corso Stati Uniti,4  
35127 Padova - Italy  
Network Administrator 
phone: +39 049 8295097 fax: +39 049 8700718



Re: Expiration email

2011-12-06 Thread john decot
thanks Fajar, Let me give a try.




 From: Fajar A. Nugraha 
To: john decot ; FreeRadius users mailing list 
 
Sent: Tuesday, December 6, 2011 6:38 PM
Subject: Re: Expiration email
 
On Tue, Dec 6, 2011 at 7:22 PM, john decot  wrote:
> Thanks for the reply. I am also trying same but couldn't compare with the
> field on the database as Expiration attribute use character value. I wish
> someone give me any idea on comparing those parameter inside database.

Several ways I can think of (completely untested):
(1) Use 
http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html#function_str-to-date
(or whatever equivalent function in your db) to convert the column to
date before comparison

(2) Pick a time to alert the user (e.g. ONE WEEK before expiration),
then use whatever programming language of your choice (e.g. php) to
convert the date into the format used in expiration attribute (e.g.
using date_format). Then you only need to compare for exact string
match.

-- 
Fajar


Re: Expiration email

2011-12-06 Thread Marinko Tarlać

Everything can be found via Google in less than 1 minute.

On 12/6/2011 1:22 PM, john decot wrote:
Thanks for the reply. I am also trying same but couldn't compare with 
the field on the database as Expiration attribute use character value. 
I wish someone give me any idea on comparing those parameter inside 
database.






*From:* Marinko Tarlać 
*To:* freeradius-users@lists.freeradius.org
*Sent:* Tuesday, December 6, 2011 1:33 PM
*Subject:* Re: Expiration email

If you're asking me, I wouldn't mess with freeradius.

Maybe the better idea is to create a small cron script which can read 
the database and send email according to the date and the time diff 
you want (1, 2, 3 etc days before the expiration)


On 12/6/2011 3:54 AM, john decot wrote:

Hi,

I am looking for how to send email before expiration of account. 
The value used for the expiration in radius is character format. So, 
I would like to know how to compare the expiration data and send 
email accordingly.



Thanks in advance.


John.




Re: Expiration email

2011-12-06 Thread Fajar A. Nugraha
On Tue, Dec 6, 2011 at 7:22 PM, john decot  wrote:
> Thanks for the reply. I am also trying same but couldn't compare with the
> field on the database as Expiration attribute use character value. I wish
> someone give me any idea on comparing those parameter inside database.

Several ways I can think of (completely untested):
(1) Use 
http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html#function_str-to-date
(or whatever equivalent function in your db) to convert the column to
date before comparison

(2) Pick a time to alert the user (e.g. ONE WEEK before expiration),
then use whatever programming language of your choice (e.g. php) to
convert the date into the format used in expiration attribute (e.g.
using date_format). Then you only need to compare for exact string
match.

-- 
Fajar
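
An added example, not code from any poster or from FreeRADIUS: the two approaches listed above, written as the kind of cron-run script suggested in this thread. It assumes the `radcheck` layout and the "07 Mar 2012" Expiration text format shown elsewhere on this page; an in-memory SQLite table with constructed rows stands in for the real database, and every function name is hypothetical.

```python
import sqlite3
from datetime import date, timedelta

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def parse_expiration(value):
    """Parse an Expiration value stored as text, e.g. '07 Mar 2012'."""
    parts = value.split()
    if len(parts) != 3:
        raise ValueError("unexpected Expiration layout: %r" % value)
    day, mon, year = parts
    mon = mon.capitalize()
    if mon not in MONTHS:
        raise ValueError("unknown month in %r" % value)
    # int() and date() raise ValueError for non-numeric or impossible fields.
    return date(int(year), MONTHS.index(mon) + 1, int(day))


def format_expiration(d):
    """Inverse of parse_expiration with a zero-padded day."""
    return "%02d %s %04d" % (d.day, MONTHS[d.month - 1], d.year)


def due_by_parsing(conn, today, warn_days=(7, 3, 1)):
    """Approach (1): turn each stored string into a date, then compare.

    Returns (due, unparseable): users whose account expires in exactly
    one of warn_days days, and rows whose value could not be read.
    """
    due, unparseable = [], []
    rows = conn.execute(
        "SELECT username, value FROM radcheck "
        "WHERE attribute = 'Expiration' ORDER BY id")
    for username, value in rows:
        try:
            remaining = (parse_expiration(value) - today).days
        except ValueError:
            unparseable.append((username, value))
            continue
        if remaining in warn_days:
            due.append((username, remaining))
    return sorted(due, key=lambda r: r[1]), unparseable


def due_by_string_match(conn, today, days_ahead=7):
    """Approach (2): format the target date and match the text exactly.

    Only finds rows written in exactly the layout format_expiration emits.
    """
    target = format_expiration(today + timedelta(days=days_ahead))
    rows = conn.execute(
        "SELECT username FROM radcheck "
        "WHERE attribute = 'Expiration' AND value = ? ORDER BY username",
        (target,))
    return [r[0] for r in rows]


def build_demo_db():
    """Constructed sample data in the radcheck layout shown on this page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, ?, ?, ?)",
        [
            ("alice", "Expiration", ":=", "13 Dec 2011"),
            ("alice", "Cleartext-Password", ":=", "constructed-secret"),
            ("bob", "Expiration", ":=", "7 Dec 2011"),     # day not padded
            ("carol", "Expiration", ":=", "01 Sep 2013"),
            ("dave", "Expiration", ":=", "2011-12-09"),    # wrong layout
            ("erin", "Expiration", ":=", "13 dec 2011"),   # lower-case month
        ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(due_by_parsing(db, date(2011, 12, 6)))
    print(due_by_string_match(db, date(2011, 12, 6), 7))
```

The exact-match query misses "7 Dec 2011" and "13 dec 2011", which the parsing approach still catches; the returned user lists are what a mailer would consume.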



Re: Expiration email

2011-12-06 Thread john decot
Thanks for the reply. I am also trying same but couldn't compare with the field 
on the database as Expiration attribute use character value. I wish someone 
give me any idea on comparing those parameter inside database.






 From: Marinko Tarlać 
To: freeradius-users@lists.freeradius.org 
Sent: Tuesday, December 6, 2011 1:33 PM
Subject: Re: Expiration email
 

If you're asking me, I wouldn't mess with freeradius. 

Maybe the better idea is to create a small cron script which can
read the database and send email according to the date and the time
diff you want (1, 2, 3 etc days before the expiration) 

On 12/6/2011 3:54 AM, john decot wrote: 
Hi,
>
>
>    I am looking for how to send email before expiration of account. The value 
>used for the expiration in radius is character format. So, I would like to 
>know how to compare the expiration data and send email accordingly.
>
>
>
>
>Thanks in advance.
>
>
>
>
>John.
>
>


Re: Expiration email

2011-12-05 Thread Marinko Tarlać

If you're asking me, I wouldn't mess with freeradius.

Maybe the better idea is to create a small cron script which can read 
the database and send email according to the date and the time diff you 
want (1, 2, 3 etc days before the expiration)


On 12/6/2011 3:54 AM, john decot wrote:

Hi,

I am looking for how to send email before expiration of account. 
The value used for the expiration in radius is character format. So, I 
would like to know how to compare the expiration data and send email 
accordingly.



Thanks in advance.


John.




Expiration email

2011-12-05 Thread john decot
Hi,

    I am looking for how to send email before expiration of account. The value 
used for the expiration in radius is character format. So, I would like to know 
how to compare the expiration data and send email accordingly.


Thanks in advance.


John.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expiration Module Not Returning the Error Message

2011-09-06 Thread Det Det
hey thanks! it's working now. it was because the op in radcheck is "==" which 
is the default from the schema. I changed it to ":=" and it is working now. :)




From: Fajar A. Nugraha 
To: FreeRadius users mailing list 
Sent: Tuesday, September 6, 2011 1:28 PM
Subject: Re: Expiration Module Not Returning the Error Message

On Tue, Sep 6, 2011 at 11:41 AM, Det Det  wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Everytime I include the Expiration attribute and set date accordingly. The
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How to tell
> RADIUS to stop processing anything after expiration check? I suspect it
> proceeds the rest of the checks and so the error message has been
> overwritten by other modules' error message.
>
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the
*end* of the authorize section in order to handle user Expiration" (or
just uncomment expiration line in sites-available/default). The debug
log should show something like this

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration]     expand: Password Has Expired   -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]):
[testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
    Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in authorize section, or
- you didn't have Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Expiration Module Not Returning the Error Message

2011-09-05 Thread Fajar A. Nugraha
On Tue, Sep 6, 2011 at 11:41 AM, Det Det  wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Everytime I include the Expiration attribute and set date accordingly. The
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How to tell
> RADIUS to stop processing anything after expiration check? I suspect it
> proceeds the rest of the checks and so the error message has been
> overwritten by other modules' error message.
>
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the
*end* of the authorize section in order to handle user Expiration" (or
just uncomment expiration line in sites-available/default). The debug
log should show something like this

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration]     expand: Password Has Expired   -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]):
[testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
    Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in authorize section, or
- you didn't have Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Expiration Module Not Returning the Error Message

2011-09-05 Thread Det Det
Hi,

The expiration module works but it is not returning the error message. 
Everytime I include the Expiration attribute and set date accordingly. The user 
is denied login. The reason is because the account expired and NOT because 
there is "no known good password found" as shown below. How to tell RADIUS to 
stop processing anything after expiration check? I suspect it proceeds the rest 
of the checks and so the error message has been overwritten by other modules' 
error message.



+++[sql2] returns ok
++- redundant-load-balance group redundant_load_balance_sql returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop


thanks,
det
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Automatically Generating "Expiration" - Freeradius 2.1.9 / mysql 5.1 / dialup admin

2010-11-25 Thread YvesDM
On Wed, Nov 24, 2010 at 7:50 AM, mikal  wrote:
>
> What I'm trying to do is enable a non-technical person to create temporary,
> "guest like" accounts using the dialup admin interface.  The accounts will
> be created as needed, they need to expire within a predetermined time
> frame(s) and I'm trying to avoid asking the person creating the accounts to
> be entering "Expiration".
>
> So how would I approach having the "Expiration" field auto populated based
> on the account creation date/time and a predetermined account lifetime?  For
> instance, creation date/time + 12-hours, or date + 1-day.
>
> Thanks in advance for any guidance.


Why don't you simply write some kind of small webif in php to do this?
It's easy to predefine values and just add them to the database when a
non-technical person presses a button or something like it. (you could
even add multiple timeframes in a dropdownbox or so)
With a little coding you could even integrate such a page in the
existing dialup admin if this is desired.

I would not use expiration also, but some no-resetting sql counter.
You will also need to find a way to auto-delete expired accounts.

Just my 2cents.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Automatically Generating "Expiration" - Freeradius 2.1.9 / mysql 5.1 / dialup admin

2010-11-24 Thread Ben Wiechman
I don't know of a way to do that in dialup_admin, but you could potentially
look at using a trigger on insert in MySQL. That might be problematic
however if you have some users that you don't want to automatically assign
this Expiration to. 

Otherwise if the services assigned are simple it might be easier to create a
pared down account creation script either as an extension of dialup_admin or
as a standalone app. 

Ben

> -Original Message-
> From: freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of
> mikal
> Sent: Wednesday, November 24, 2010 12:51 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Automatically Generating "Expiration" - Freeradius 2.1.9 /
> mysql 5.1 / dialup admin
> 
> 
> What I'm trying to do is enable a non-technical person to create temporary,
> "guest like" accounts using the dialup admin interface.  The accounts will
> be created as needed, they need to expire within a predetermined time
> frame(s) and I'm trying to avoid asking the person creating the accounts to
> be entering "Expiration".
>
> So how would I approach having the "Expiration" field auto populated based
> on the account creation date/time and a predetermined account lifetime?  For
> instance, creation date/time + 12-hours, or date + 1-day.
>
> Thanks in advance for any guidance.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
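
One way the standalone account-creation script suggested in this thread could look, as an added example that is not part of dialup_admin or of any poster's code: the operator picks only a lifetime from a fixed list, and the script generates the credentials and writes the Expiration row itself, using the ":=" operator and the "D Mon YYYY HH:MM" form shown elsewhere on this page. The in-memory SQLite table, the "guest-" naming, the lifetime labels and the use of Cleartext-Password are assumptions of the example.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta

MONTH_NAMES = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# The only lifetimes the operator may choose; anything else is refused,
# so a typo cannot create an account with an unintended lifetime.
LIFETIMES = {
    "12h": timedelta(hours=12),
    "1d": timedelta(days=1),
    "1w": timedelta(weeks=1),
}


def format_expiration(when):
    """Render a datetime as 'D Mon YYYY HH:MM' without relying on locale."""
    return f"{when.day} {MONTH_NAMES[when.month - 1]} {when.year} {when:%H:%M}"


def new_radcheck_db():
    """Constructed stand-in for the radcheck table (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck "
                 "(username TEXT, attribute TEXT, op TEXT, value TEXT)")
    return conn


def create_guest(conn, lifetime, created=None):
    """Create one guest account and return (username, password, expiration).

    `created` defaults to the server's local time, on the assumption that
    the RADIUS server reads the Expiration value in that same time zone.
    """
    if lifetime not in LIFETIMES:
        raise ValueError(f"unknown lifetime {lifetime!r}")
    created = created or datetime.now()
    username = "guest-" + secrets.token_hex(4)   # unpredictable, 8 hex chars
    password = secrets.token_urlsafe(9)          # 12 characters from a CSPRNG
    expiration = format_expiration(created + LIFETIMES[lifetime])
    with conn:  # one transaction: both rows are written, or neither
        conn.executemany(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, ?, ?, ?)",
            [(username, "Cleartext-Password", ":=", password),
             (username, "Expiration", ":=", expiration)])
    return username, password, expiration


if __name__ == "__main__":
    db = new_radcheck_db()
    user, password, expires = create_guest(db, "12h")
    print(f"{user} / {password} valid until {expires}")
```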


Re: Expiration stored on sql

2010-11-24 Thread yzy-oui-fi
Thanks, this little story was driving me crazy, and as I mentioned in the
subject, it is when using mysql. So it seems the expirations stored on the
wifigator mysql server are wrong.

regards

On Wednesday 24 November 2010 at 17:47 +0700, EasyHorpak.com wrote:
> On 24/11/2553 16:41, yzy-oui-fi wrote:
> > So this is interesting because I followed this source that says that
> > expiration format is a date...
> >
> > http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg60233.html
> >
> > I will give a try with timestamp.
> >
> > regards
> >
> > On Wednesday 24 November 2010 at 10:06 +0700, EasyHorpak.com wrote:
> >> On 23/11/2553 21:51, yzy-oui-fi wrote:
> >>> Wifigator server
> >> wifigator server is right. freeradius is right. you may misunderstand.
> >> Freeradius always sends the time to the NAS to terminate when the time expires.
> >> The good time for the NAS is timestamp format, which the NAS can count down.
> >> NAS doesn't know about date form.
>
> yes. expiration format is date but in mysql not at nas
>
> mysql[expiration format is date] --> freeradius[check then convert from
> date to timestamp and send as session-timeout] ---> NAS[session-timeout
> is timestamp format]


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Expiration stored on sql

2010-11-24 Thread EasyHorpak.com

On 24/11/2553 16:41, yzy-oui-fi wrote:
> So this is interesting because I followed this source that says that
> expiration format is a date...
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg60233.html
>
> I will give a try with timestamp.
>
> regards
>
> On Wednesday 24 November 2010 at 10:06 +0700, EasyHorpak.com wrote:
>> On 23/11/2553 21:51, yzy-oui-fi wrote:
>>> Wifigator server
>> wifigator server is right. freeradius is right. you may misunderstand.
>> Freeradius always sends the time to the NAS to terminate when the time expires.
>> The good time for the NAS is timestamp format, which the NAS can count down.
>> NAS doesn't know about date form.

yes. expiration format is date but in mysql not at nas

mysql[expiration format is date] --> freeradius[check then convert from
date to timestamp and send as session-timeout] ---> NAS[session-timeout
is timestamp format]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Expiration stored on sql

2010-11-24 Thread yzy-oui-fi
So this is interesting because I followed this source that says that
expiration format is a date...

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg60233.html

I will give a try with timestamp.

regards

On Wednesday 24 November 2010 at 10:06 +0700, EasyHorpak.com wrote:
> On 23/11/2553 21:51, yzy-oui-fi wrote:
> > Wifigator server
> wifigator server is right. freeradius is right. you may misunderstand.
> Freeradius always sends the time to the NAS to terminate when the time expires.
> The good time for the NAS is timestamp format, which the NAS can count down.
> NAS doesn't know about date form.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Automatically Generating "Expiration" - Freeradius 2.1.9 / mysql 5.1 / dialup admin

2010-11-23 Thread mikal

What I'm trying to do is enable a non-technical person to create temporary,
"guest like" accounts using the dialup admin interface.  The accounts will
be created as needed, they need to expire within a predetermined time
frame(s) and I'm trying to avoid asking the person creating the accounts to
be entering "Expiration".  

So how would I approach having the "Expiration" field auto populated based
on the account creation date/time and a predetermined account lifetime?  For
instance, creation date/time + 12-hours, or date + 1-day.  

Thanks in advance for any guidance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expiration stored on sql

2010-11-23 Thread EasyHorpak.com

On 23/11/2553 21:51, yzy-oui-fi wrote:
> Wifigator server

wifigator server is right. freeradius is right. you may misunderstand.
Freeradius always sends the time to the NAS to terminate when the time expires.
The good time for the NAS is timestamp format, which the NAS can count down.
NAS doesn't know about date form.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Expiration stored on sql

2010-11-23 Thread yzy-oui-fi
I have a doubt...

I'm using freeradius from Ubuntu 8.04.

If I have to store an expiration date, I store something like this:

username Attribute  op  Value
someuser Expiration :=  24 Nov 2010 13:58


I had a look at a Wifigator server and I see that they stored it as a
timestamp (in seconds)...

Who is right? who is wrong?

regards

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


expiration linked to both huntgroup and user

2010-07-13 Thread Chris Tong
Hi,

So here's my hurdle. I have multiple groups and use hunt-groups plus
expiration time on the users for authentication. Assuming I have groups 1 &
2 how is it possible to link the expiration time to a group and the user and
not just for the user. The expiration time is set on a per user level (not
per group) which means a given user will either have access or not have
access. A user can not have access to hunt-group 1 with an expiration in 10
days as well as an access expiring in 2 hours on hunt-group B.

I only want to have one user over the whole domain so do not want to create
multiple users and then append to the name on the incoming request and
authenticate against multiple users who are in fact the same. Is there any
other way round this problem?

Many thanks,

Chris

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: expiration module and reply items

2010-06-04 Thread Ana Gallardo
Thanks a lot.

> > Reply-Message = "LA CUENTA HA EXPIRADO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
> > Codigo-Reject := Cuenta-Expirada
> > }
> >
> > But it doesn't work.
>
>   Nothing in the documentation suggests that will work.

Sometimes I don't know where I can find what I'm looking for, so I try
different things :)

> Yes.  Once the module returns "reject" or "userlock", the server stops
> processing the section and returns.  The solution is:
>
>     expiration {
>         userlock = 1
>     }
>     if (userlock) {
>         update reply {
>             Codigo-Reject := Cuenta-Expirada
>         }
>     }
>
>  This is documented in doc/configurable_failover, and to a lesser
> extent in "man unlang".

Thanks Alan, I love Freeradius and your answers :D



 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

expiration module and reply items

2010-06-04 Thread Ana Gallardo
Hello,

I'm working with freeradius 2.1.8 and I want to return an attribute when
the expiration module returns 'userlock'.

I try to add the item in expiration module:

/etc/freeradius# cat modules-enabled/expiration
# -*- text -*-
#
#  $Id$

expiration {
    Reply-Message = "LA CUENTA HA EXPIRADO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
    Codigo-Reject := Cuenta-Expirada
}

But it doesn't work.

I also try using unlang in authorize section:

authorize {

    . . .

    expiration
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }
    pap
}

My debug info:

rad_recv: Access-Request packet from host  port 59252, id=177, length=71
User-Name = "pru...@temp.xxx.es"
User-Password = "prueba"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
server XXX {

. . .
[expiration] Checking Expiration time: '1 Jun 2010'
[expiration] Account has expired
[expiration]     expand: Password Has Expired   -> Password Has Expired
++[expiration] returns userlock
}
Using Post-Auth-Type Reject
+- entering group REJECT {...}

. . .

Sending Access-Reject of id 177 to 158.49.247.199 port 59252
Reply-Message = "Password Has Expired\r\n"


Can somebody help me? Thank you and sorry for my English.





 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: expiration module and reply items

2010-06-04 Thread Alan DeKok
Ana Gallardo wrote:
> I'm working with freeradius 2.1.8 and I want to return an attribute when
> the expiration module returns 'userlock'.
> 
> I try to add the item in expiration module:

> expiration {
> Reply-Message = "LA CUENTA HA EXPIRADO PARA
> %{%{Stripped-User-Name}:-%{User-Name}}"
> Codigo-Reject := Cuenta-Expirada
> }
>
> But it doesn't work.

  Nothing in the documentation suggests that will work.

> I also try using unlang in authorize section:
> 
> authorize {
> 
> . . .
> 
> expiration
> if (userlock){
> update reply {
> Codigo-Reject := Cuenta-Expirada
> }
> }
> pap
> }

  That will work, with one minor change.

...
> ++[expiration] returns userlock
> }
> Using Post-Auth-Type Reject

  Yes.  Once the module returns "reject" or "userlock", the server stops
processing the section and returns.  The solution is:

    expiration {
        userlock = 1
    }
    if (userlock) {
        update reply {
            Codigo-Reject := Cuenta-Expirada
        }
    }

  This is documented in doc/configurable_failover, and to a lesser
extent in "man unlang".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Session-timeout and expiration problem

2010-01-22 Thread Alan DeKok
Fazal Ahmed Malik wrote:
> I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I
> am having trouble with session-timeout and expiration. On dialup_admin I
> have correct information for both attributes, like user can login for 0
> seconds and similarly for expiration, like account expired. But users can
> still log on even after the expiration date has passed. For session timeout,
> the user gets disconnected right after the allocated quota, but here again
> the user can log in. Both attributes are set up from dialupadmin, with the
> = operator for session timeout and := for expiration

  You can set up rules in post-auth to reject anyone who has less than 5
minutes of time:

...

    if (reply:Session-Timeout < 300) {
        reject
    }
...

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Session-timeout and expiration problem

2010-01-21 Thread Fazal Ahmed Malik
Hi,

I have installed Freeradius 2.0 along with mysql 5 and dialup_admin. I am
having trouble with session-timeout and expiration. On dialup_admin I have correct
information for both attributes, like user can login for 0 seconds and similarly
for expiration, like account expired. But users can still log on even after the
expiration date has passed. For session timeout, the user gets disconnected right after
the allocated quota, but here again the user can log in. Both attributes are set up from
dialupadmin, with the = operator for session timeout and := for expiration.

Please help if I am missing something in the config.


Best regards,


Fazal Ahmed
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius User Password Expiration

2009-12-17 Thread Alan Buxey
Hi,

> I've done a bit of searching and still been unable to find a really good man
> page or other description on the users file.  Not even the MAN on the users
> file is very descriptive.  I just want to expire passwords.  That's it, I've
> seen the expiry attribute but nowhere can I find a detailed description of
> its variables.  From what I have seen, you can just expire by setting a date
> using the expiry attribute to a specific date, is there any other way to do
> this?

from the rlm_expiration document - the document that explains how
the expiration code does things..


Expiration attribute format:

You can use Expiration := "23 Sep 2004" and the user will
no longer be able to connect at 00:00 (midnight) on September 23rd,
2004.  If you want a certain time (other than midnight) you can do
use  Expiration := "23 Sep 2004 12:00".
The nas will receive a Session-Timeout attribute calculated to kick
the user off when the Expiration time occurs.



Example entry (users files):

user1   Expiration := "23 Sep 2004"



please tell us how we can make this clearer

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius User Password Expiration

2009-12-17 Thread thatguy11

Guys,

I've done a bit of searching and still been unable to find a really good man
page or other description on the users file.  Not even the MAN on the users
file is very descriptive.  I just want to expire passwords.  That's it, I've
seen the expiry attribute but nowhere can I find a detailed description of
its variables.  From what I have seen, you can just expire by setting a date
using the expiry attribute to a specific date, is there any other way to do
this?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Password expiration and change on next logon options

2009-11-03 Thread Alan DeKok
Alexey Ponomarev wrote:
> I am trying to figure out how to do password aging and on next logon
> change with freeRadius.

  Use a database with custom scripts that update the database.

  FreeRADIUS isn't a database, and doesn't track status changes for a
user.  Those status changes are best tracked in a database.

> Could somebody point to where I can find any documentation about it?
> Also, should I use system passwords or keep them in the postgres to make
> it working?

  System passwords or Postgresql are fine.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Password expiration and change on next logon options

2009-11-03 Thread Nicolas Goutte


On 03.11.2009 at 17:47, Ivan Kalik wrote:

>> I am trying to figure out how to do password aging and on next logon
>> change with freeRadius.
>
> Custom script on your login. Radius doesn't interact with user interface.
>
>> I am using ASA firewall with MS-CHAP2 support. mschap is also enabled in
>> freeRadius.
>>
>> Could somebody point to where I can find any documentation about it?
>> Also, should I use system passwords or keep them in the postgres to make
>> it working?
>
> You can't use system (crypted) passwords with mschap.

See: http://deployingradius.com/documents/protocols/compatibility.html

> Ivan Kalik
> Kalik Informatika ISP

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Password expiration and change on next logon options

2009-11-03 Thread Ivan Kalik
> I am trying to figure out how to do password aging and on next logon
> change
> with freeRadius.

Custom script on your login. Radius doesn't interact with user interface.

> I am using ASA firewall with MS-CHAP2 support. mschap is also enabled in
> freeRadius.
>
> Could somebody point to where I can find any documentation about it?
> Also, should I use system passwords or keep them in the postgres to make
> it
> working?

You can't use system (crypted) passwords with mschap.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Password expiration and change on next logon options

2009-11-03 Thread Alexey Ponomarev
Hello All,

I am trying to figure out how to do password aging and on next logon change
with freeRadius.
I am using ASA firewall with MS-CHAP2 support. mschap is also enabled in
freeRadius.

Could somebody point to where I can find any documentation about it?
Also, should I use system passwords or keep them in the postgres to make it
working?

Thanks,
Alex.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Question about Max-All-Session vs. Expiration attributes

2009-10-20 Thread Ivan Kalik
> We sell our time in Day, Week and Month
> increments, and the users are free to used the system as much as they want
> during their time.  My Question is, do I really need to use
> Max-All-Session
> if all I really need is a hard expiration date for my users?

You don't need Max-All-Session then.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question about Max-All-Session vs. Expiration attributes

2009-10-20 Thread Cory Hill
I have a successful wifi captured portal system running with FreeRadius and
HP Procurve equipment.  When I originally started learning how to build it,
I used WiFiGator as my first test case.  When they set up that system, they
used both the Max-All-Session and the Expiration attributes for all users,
so I am still doing this now.  We sell our time in Day, Week and Month
increments, and the users are free to use the system as much as they want
during their time.  My Question is, do I really need to use Max-All-Session
if all I really need is a hard expiration date for my users?
Thank you in advance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: account expiration attribute

2009-09-26 Thread Alan DeKok
Rakotomandimby Mihamina wrote:
> 09/25/2009 03:46 PM, Ivan Kalik:
>> Why, oh why, do people trawl the internet for outdated and inaccurate
> 
> Ivan, this is just the result of:
> http://www.google.com/search?q=radius+expiration+attribute
> (the results ranking may differ, we are not near)

  That's nice.  But the documentation you were reading (and the link you
posted) was for *another* RADIUS server.

  Is it really that difficult to tell one product from another?

> I usually tend to make the web search before searching the docs,
> at least to see whether:
> - the doc exists
> - I am alone to have my problem

  The "doc" directory has a file "rlm_expiration".  Maybe it would help?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: account expiration attribute

2009-09-26 Thread Ivan Kalik
> I usually tend to make the web search before searching the docs,
> at least to see whether:
> - the doc exists
> - I am alone to have my problem

So you buy a washing machine. You don't know which wash is which program.
Do you:

a) read the user manual that came with it?

b) search the Internet in hope of finding a sensible instruction?

You would never (I hope) opt for b) when washing machine is in question?
Do you behave rationally only if you pay for something?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: account expiration attribute

2009-09-26 Thread Rakotomandimby Mihamina

09/25/2009 03:46 PM, Ivan Kalik:
> Why, oh why, do people trawl the internet for outdated and inaccurate

Ivan, this is just the result of:
http://www.google.com/search?q=radius+expiration+attribute
(the results ranking may differ, we are not near)

I usually tend to make the web search before searching the docs,
at least to see whether:
- the doc exists
- I am alone to have my problem

It's just an informative step, that is going to be
followed by the documentation you pointed out.

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: account expiration attribute

2009-09-25 Thread Ivan Kalik
> 09/24/2009 12:03 PM, Ivan Kalik::
>>> What RADIUS attribute would suit to account expiration?
>>
>> Expiration.
>
> I cannot find its documentation (its syntax)

doc/rlm_expiration.

> A hint:
> http://www.open.com.au/pipermail/radiator/2008-July/014935.html

Why, oh why, do people trawl the internet for outdated and inaccurate
(this one is not even for freeradius) information. Why not try man and doc
pages included with the server first??? Even if you have installed some
binary distribution and documentation is not included in the primary
package it's probably in some additional package (freeradius-documentation
or something like that).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: account expiration attribute

2009-09-25 Thread Rakotomandimby Mihamina

09/25/2009 02:59 PM, Rakotomandimby Mihamina::
> 09/24/2009 12:03 PM, Ivan Kalik::
>>> What RADIUS attribute would suit to account expiration?
>> Expiration.
> I cannot find its documentation (its syntax)

http://www.portmasters.com/tech/docs/pdf/radius-release20.pdf

In RADIUS 1.16, if a user record contained an incorrectly formatted Expiration
date (for example, the Expiration check item was “Oct 1 1996”, rather than
“Oct 01 1996”), the user would be authenticated even after this expiration date.
With RADIUS server 2.0, attempts on or after the expiration date display an
Account has expired message. Incorrectly formatted expiration dates are now
logged.

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: account expiration attribute

2009-09-25 Thread Rakotomandimby Mihamina

09/24/2009 12:03 PM, Ivan Kalik::
>> What RADIUS attribute would suit to account expiration?
>
> Expiration.

I cannot find its documentation (its syntax)
A hint:
http://www.open.com.au/pipermail/radiator/2008-July/014935.html

But not more...
A help?

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34


Re: account expiration attribute

2009-09-24 Thread Ivan Kalik
> What RADIUS attribute would suit to account expiration?

Expiration.

Ivan Kalik
Kalik Informatika ISP



account expiration attribute

2009-09-24 Thread Rakotomandimby Mihamina

Hi all,

What RADIUS attribute would suit to account expiration?
the context:

- prepaid users must regularly add credit to his account
- big credit ->  big validity extension
- small credit -> small validity extension
- no account removal, just auth reject if validity date passed

Credit adding and account validity extension is not managed
by the RADIUS stuff, it's about a manual external insert

What we just need is the right RADIUS attribute to be checked
during auth, in order to reject if the date is passed.

Thanks for any help.

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34


Expiration vs WISPr-Session-Terminate-Time

2009-03-24 Thread Santiago Balaguer García

Hi,

  Today I did some tests with radreply.WISPr-Session-Terminate-Time and 
radcheck.Expiration.

It is supposed that both attributes do the same, but Expiration is from the AAA server 
side, while Session-Terminate-Time is from the NAS side.

  However, there is a difference if you want to set a username with 
Session-Timeout (johndoe, Session-Timeout, :=, 3600), since the NAS rewrites the 
Session-Timeout according to the date in Session-Terminate-Time. This behaviour 
does not happen with the Expiration attribute.

  Do you confirm this?


Re: Cisco VPN Radius with expiry & Windows domain password expiration

2008-10-12 Thread Alan DeKok
kesm0724 wrote:
> Is there anything special (ntlm_auth, ldap_attr,etc) that I need to configure
> for FreeRadius to recognize that an active directory account has expired and
> the user needs to be prompted to change his/her password?

  The server doesn't support "change password" requests.  The MS-CHAP
extensions are undocumented && Microsoft proprietary.  Even if
FreeRADIUS implemented them, Samba would need to implement them, too.

>  I am not even
> receiving the "user needs to change password" dialogue box from the Cisco
> VPN client.

  I'm not even sure it's possible to do that without using undocumented
Microsoft extensions.  You could try adding a Reply-Message attribute,
and maybe the VPN will show them to the user.  Or maybe not.  It's up to
the VPN if it shows messages, and many don't.

  Alan DeKok.


Re: Cisco VPN Radius with expiry & Windows domain password expiration

2008-10-10 Thread kesm0724

Is there anything special (ntlm_auth, ldap_attr,etc) that I need to configure
for FreeRadius to recognize that an active directory account has expired and
the user needs to be prompted to change his/her password?  I am not even
receiving the "user needs to change password" dialogue box from the Cisco
VPN client.

Full Debug:

FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Oct  1 2008
at 15:12:24
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc//raddb/radiusd.conf
including configuration file /etc//raddb/clients.conf
including configuration file /etc//raddb/snmp.conf
including files in directory /etc//raddb/modules/
including configuration file /etc//raddb/modules/krb5
including configuration file /etc//raddb/modules/chap
including configuration file /etc//raddb/modules/echo
including configuration file /etc//raddb/modules/always
including configuration file /etc//raddb/modules/preprocess
including configuration file /etc//raddb/modules/sql_log
including configuration file /etc//raddb/modules/expiration
including configuration file /etc//raddb/modules/acct_unique
including configuration file /etc//raddb/modules/digest
including configuration file /etc//raddb/modules/pap
including configuration file /etc//raddb/modules/passwd
including configuration file /etc//raddb/modules/ippool
including configuration file /etc//raddb/modules/attr_rewrite
including configuration file /etc//raddb/modules/logintime
including configuration file /etc//raddb/modules/policy
including configuration file /etc//raddb/modules/radutmp
including configuration file /etc//raddb/modules/unix
including configuration file /etc//raddb/modules/smbpasswd
including configuration file /etc//raddb/modules/sradutmp
including configuration file /etc//raddb/modules/ldap
including configuration file /etc//raddb/modules/mac2vlan
including configuration file /etc//raddb/modules/realm
including configuration file /etc//raddb/modules/expr
including configuration file /etc//raddb/modules/mschap
including configuration file /etc//raddb/modules/checkval
including configuration file /etc//raddb/modules/mac2ip
including configuration file /etc//raddb/modules/counter
including configuration file /etc//raddb/modules/etc_group
including configuration file /etc//raddb/modules/pam
including configuration file /etc//raddb/modules/attr_filter
including configuration file /etc//raddb/modules/detail
including configuration file /etc//raddb/modules/detail.log
including configuration file /etc//raddb/modules/exec
including configuration file /etc//raddb/modules/files
including configuration file /etc//raddb/sql/mysql/counter.conf
including configuration file /etc//raddb/policy.conf
including files in directory /etc//raddb/sites-enabled/
including configuration file /etc//raddb/sites-enabled/inner-tunnel
including configuration file /etc//raddb/sites-enabled/default
including dictionary file /etc//raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
 log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
 }

radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = no
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
requi

Cisco VPN Radius with expiry & Windows domain password expiration

2008-10-09 Thread kesm0724

Hello All,

I have a cisco vpn concentrator and in the past have had it pointed to a
Windows IAS Server.  I have now switched to Freeradius and have discovered
that when a user needs to "Change password on next logon" the cisco vpn
client does not prompt for a password change.  Prior to moving to Freeradius
the password change prompt comes up allowing the user to change their
password.  On the concentrator I do have "Radius with Expiry" configured and
have switched back and forth between the IAS Server and the Freeradius
server to ensure it was something particular to the authentication servers
not the concentrator.  

I notice the following in debug:

rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
expand: --username=%{mschap:User-Name} -> --username=test
 mschap2: 83
expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=04e843995bfbdbca
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=a378afdf127434783890d2e2e4f9d5bd97976a00d2c51fa4
Exec-Program output: Must change password (0xc224)
Exec-Program-Wait: plaintext: Must change password (0xc224)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

I have been looking on Google for windows domain password expiry +
freeradius amongst other search strings all to no avail.  Can anyone tell me
what I'm doing wrong?  

Thanks.




Re: Re: Re: expiration or session-timeot

2008-08-24 Thread Bozhan Boiadzhiev


Thank you Ivan,
it works as you said.
As I read in the documentation, the Expiration attribute accepts date
values, and as in MySQL I decided that it is only a date.
Maybe it would be good if this were fixed in the documentation.
And I don't know how this can be done.

Thanks
Bozhan Boiadzhiev 

 > Original message 
 >From:  "Ivan Kalik" 
 >Subject: Re: Re: expiration or session-timeot
 >To: "FreeRadius users mailing list" 
 >Sent: Thursday, 2008, August 21 00:02:21 EEST

 >>As i understand Expiration attribute can get only date values.
 >
 >No, date and time:
 >
 >August 20 2008 13:45:00
 >
 >Ivan Kalik
 >Kalik Informatika ISP
 >

Re: Re: expiration or session-timeot

2008-08-20 Thread Ivan Kalik
>As i understand Expiration attribute can get only date values.

No, date and time:

August 20 2008 13:45:00

Ivan Kalik
Kalik Informatika ISP



Re: Re: expiration or session-timeot

2008-08-20 Thread Bozhan Boiadzhiev


OK, thanks.
One more thing.
Is it possible to set timestamps instead of dates as the Expiration attribute?
I need this, for example, if I want to give a given customer 
access to the internet for one day.
As I understand it, the Expiration attribute can take only date values.
Can I set a timestamp so that radius sends Session-Timeout to the
NAS for that time, for example at 13:45 on a given date
instead of at 00:00 on that date?

 > Original message 
 >From:  "Ivan Kalik" 
 >Subject: Re: expiration or session-timeot
 >To: "FreeRadius users mailing list" 
 >Sent: Wednesday, 2008, August 20 16:52:18 EEST

 >It calculates maximal session time and sends it to NAS as
 >Session-Timeout. If your NAS supports Session-Timeout attribute (and
 >most do) user will be signed off by the NAS if he is still logged on at
 >the expiration time.
 >
 >Ivan Kalik
 >Kalik Informatika ISP
 >
 >
 >On 20/8/2008, "Bozhan Boiadzhiev" wrote:
 >
 >>Hi,
 >>here is something i can't understand.
 >>If i set some user Expiration attribute for example 23.08.2008,
 >>and this user is connected to my NAS, how NAS will stop that user.
 >>Better explanation.
 >>I have setup mikrotik hotspot with radius authorization.
 >>Authorization works. User have access with given username and password,
 >>but i want to give user access to service for example for 7 days.
 >>Expiration attribute give me ability to set date when account expires.
 >>What happen on that give date. How radius will "tell" NAS to 
 >>"unsubscribe"(cancel)
 >>access of that user.
 >>
 >>Thanks
 >>
 >>ps.
 >>sorry for bad english :(

Re: expiration or session-timeot

2008-08-20 Thread Ivan Kalik
It calculates maximal session time and sends it to NAS as
Session-Timeout. If your NAS supports Session-Timeout attribute (and
most do) user will be signed off by the NAS if he is still logged on at
the expiration time.

Ivan Kalik
Kalik Informatika ISP


On 20/8/2008, "Bozhan Boiadzhiev" <[EMAIL PROTECTED]> wrote:

>Hi,
>here is something i can't understand.
>If i set some user Expiration attribute for example 23.08.2008,
>and this user is connected to my NAS, how NAS will stop that user.
>Better explanation.
>I have setup mikrotik hotspot with radius authorization.
>Authorization works. User have access with given username and password,
>but i want to give user access to service for example for 7 days.
>Expiration attribute give me ability to set date when account expires.
>What happen on that give date. How radius will "tell" NAS to 
>"unsubscribe"(cancel)
>access of that user.
>
>Thanks
>
>ps.
>sorry for bad english :(

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
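
The behaviour described in this reply (reject once the Expiration time has passed, otherwise limit Session-Timeout to the time remaining) can be sketched as below. This is an added example, not FreeRADIUS code and not part of the original message; the function names, the list of accepted date layouts, reading stored values as UTC, keeping a smaller existing Session-Timeout, and rejecting unparseable values are all assumptions of the sketch.

```python
from datetime import datetime, timezone

# Date layouts that appear in this thread. The list is an assumption of this
# sketch, not a statement of what the FreeRADIUS date parser accepts.
# Month names are matched in the process locale (English in the default C locale).
DATE_FORMATS = ("%B %d %Y", "%b %d %Y", "%d %B %Y", "%d %b %Y")
TIME_SUFFIX = " %H:%M:%S"
# Reply-Message text taken from the expiration module section of the debug
# output quoted on this page.
EXPIRED_MESSAGE = "Password Has Expired"


def parse_expiration(value):
    """Return the expiry as an aware UTC datetime, or None if unparseable."""
    text = " ".join(value.split())
    if text.isdigit():  # Unix time, seconds since the epoch
        try:
            return datetime.fromtimestamp(int(text), tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            return None
    for fmt in DATE_FORMATS:
        for candidate in (fmt + TIME_SUFFIX, fmt):  # with and without a time
            try:
                parsed = datetime.strptime(text, candidate)
            except ValueError:
                continue
            # Assumption: stored values are UTC, so the comparison below
            # never depends on the server's local time zone.
            return parsed.replace(tzinfo=timezone.utc)
    return None


def check_expiration(check_items, reply_items, now):
    """Apply the expiry check to one request.

    Returns (decision, reply_items) where decision is "ok" or "reject".
    """
    reply = dict(reply_items)
    raw = check_items.get("Expiration")
    if raw is None:
        return "ok", reply  # no expiry configured for this user
    expires = parse_expiration(raw)
    if expires is None:
        # Fail closed: a value nobody can parse must not become
        # "never expires".
        return "reject", {"Reply-Message": "Expiration value could not be parsed"}
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        return "reject", {"Reply-Message": EXPIRED_MESSAGE}
    # Cap the session at the expiry time, keeping a smaller configured value.
    current = reply.get("Session-Timeout")
    if current is None or remaining < current:
        reply["Session-Timeout"] = remaining
    return "ok", reply


# Constructed sample data: (check items, reply items) per user.
SAMPLES = {
    "dayguest": ({"Expiration": "August 20 2008 13:45:00"}, {}),
    "hourly": ({"Expiration": "December 31 2035 00:00:00"}, {"Session-Timeout": 3600}),
    "old": ({"Expiration": "22 Jan 2006"}, {}),
    "dotted": ({"Expiration": "23.08.2008"}, {}),
    "epoch": ({"Expiration": "1219239900"}, {}),
}


def demo():
    now = datetime(2008, 8, 20, 12, 0, 0, tzinfo=timezone.utc)
    return {user: check_expiration(check, reply, now)
            for user, (check, reply) in SAMPLES.items()}


if __name__ == "__main__":
    for user, (decision, reply) in demo().items():
        print(f"{user:9s} {decision:6s} {reply}")
```
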


expiration or session-timeot

2008-08-20 Thread Bozhan Boiadzhiev
Hi,
here is something I can't understand.
If I set a user's Expiration attribute to, for example, 23.08.2008,
and this user is connected to my NAS, how will the NAS stop that user?
A better explanation:
I have set up a mikrotik hotspot with radius authorization.
Authorization works. The user has access with the given username and password,
but I want to give the user access to the service for, for example, 7 days.
The Expiration attribute gives me the ability to set the date when the account expires.
What happens on that given date? How will radius "tell" the NAS to 
"unsubscribe" (cancel) 
the access of that user?

Thanks

ps.
sorry for bad english :(


freeRADIUS Expiration attribute and unix-time stamp

2008-07-27 Thread Jeep Or Die
Hello Everyone.

I am new to *nix in general, and so when I ran across unix-time for the
first time, I took the time to read up on it.  I have created a wifi
captured portal system using freeRADIUS, Mysql and Open BlueDragon, but I am
having a problem with the Expiration attribute in freeRADIUS.  Admittedly,
the problem is probably DEU (defective end-user), so I am hoping someone
here can help me out.

Do I have to use the Unix-time for the Expiration attribute, or do I have a
more human-readable option?  I tried various standard database and
programming timestamp values, but freeRADIUS always returns a "can't parse
date" error whenever I use anything but unix-time.

If I must use unix time, which I understand is GMT zulu, should I pass my
expiration dates to the database in GMT zulu as well? Is freeRADIUS taking
my (Pacific Time) offset into account which is set on the server?

I took the time to write some time conversion code in CFML, so I am ready to
go as soon as I can figure out what the freeRADIUS server expects of me.  I
spent a lot of time the last couple days looking around online, and
subsequently learned quite a bit more on this subject, but never found a
solution to my problem.

 OS: Ubuntu Server 8.04
freeRADIUS version: 1.1.7-1build4 (the version apt installs for Hardy)
mySQL: 5.0.51a-3ubuntu5

Thanks in advance, and have a great Sunday night.

- mt

Re: user expiration problem

2008-07-01 Thread Ivan Kalik
http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP


On 1/7/2008, "Umar" <[EMAIL PROTECTED]> wrote:

>
>Dear Alan!
>
>I already did it but it's not working.
>
>Regards,
>
>Umar
>
>
>Alan DeKok-4 wrote:
>>
>> Umar wrote:
>>> Hi ...
>>>
>>> im just wondering if my configuration is correct. I tried to disable a
>>> user
>>> through Expiration attribute but its not working.
>>> I am using 2.0.5 FreeRadius.
>>>
>>> here is the mysql output.
>>>
>>> | id | username | attribute     | op | value       |
>>> +----+----------+---------------+----+-------------+
>>> |  1 | test     | User-Password | == | test        |
>>
>>   Change this to Cleartext-Password :=
>>
>>
>>> |  2 | test     | Expiration    | := | 22 Jan 2006 |
>>
>>   That should work.
>>
>>   Are you using the default configuration?
>>
>>   Alan DeKok.


Re: user expiration problem

2008-06-30 Thread Umar

Dear Alan!

I already did it but it's not working.

Regards,

Umar


Alan DeKok-4 wrote:
> 
> Umar wrote:
>> Hi ...
>> 
>> im just wondering if my configuration is correct. I tried to disable a
>> user
>> through Expiration attribute but its not working.
>> I am using 2.0.5 FreeRadius.
>> 
>> here is the mysql output.
>> 
>> | id | username | attribute     | op | value       |
>> +----+----------+---------------+----+-------------+
>> |  1 | test     | User-Password | == | test        |
>
>   Change this to Cleartext-Password :=
>
>
>> |  2 | test     | Expiration    | := | 22 Jan 2006 |
> 
>   That should work.
> 
>   Are you using the default configuration?
> 
>   Alan DeKok.


Re: user expiration problem

2008-06-30 Thread Marinko Tarlac

Thanks Rahul

I will test it

rahul wrote:

With MT it works fine following is the format i am using
test | Expiration | := | 17 July 2008

Marinko Tarlac wrote:
I tried with Mikrotik but it doesn't work if it is 
Cleartext-Password. User-Password is OK and operator must be :=.


Also, MT wants expiration in next format

id | username | attribute | op | value
1 |  test | Expiration | == | December 31 2035 00:00:00




Re: user expiration problem

2008-06-30 Thread rahul

With MT it works fine following is the format i am using
test | Expiration | := | 17 July 2008

Marinko Tarlac wrote:
I tried with Mikrotik but it doesn't work if it is Cleartext-Password. 
User-Password is OK and operator must be :=.


Also, MT wants expiration in next format

id | username | attribute | op | value
1 |  test | Expiration | == | December 31 2035 00:00:00



On Mon, Jun 30, 2008 at 1:37 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:


Umar wrote:
> Hi ...
>
> im just wondering if my configuration is correct. I tried to
disable a user
> through Expiration attribute but its not working.
> I am using 2.0.5 FreeRadius.
>
> here is the mysql output.
>
> | id | username | attribute     | op | value       |
> +----+----------+---------------+----+-------------+
> |  1 | test     | User-Password | == | test        |

 Change this to Cleartext-Password :=


> |  2 | test     | Expiration    | := | 22 Jan 2006 |

 That should work.

 Are you using the default configuration?

 Alan DeKok.


Re: user expiration problem

2008-06-30 Thread Marinko Tarlac
I tried with Mikrotik but it doesn't work if it is Cleartext-Password.
User-Password is OK and operator must be :=.

Also, MT wants expiration in next format

id | username | attribute | op | value
1 |  test | Expiration | == | December 31 2035 00:00:00



On Mon, Jun 30, 2008 at 1:37 PM, Alan DeKok <[EMAIL PROTECTED]>
wrote:

> Umar wrote:
> > Hi ...
> >
> > im just wondering if my configuration is correct. I tried to disable a
> user
> > through Expiration attribute but its not working.
> > I am using 2.0.5 FreeRadius.
> >
> > here is the mysql output.
> >
> > | id | username | attribute     | op | value       |
> > +----+----------+---------------+----+-------------+
> > |  1 | test     | User-Password | == | test        |
>
>   Change this to Cleartext-Password :=
>
>
> > |  2 | test     | Expiration    | := | 22 Jan 2006 |
>
>   That should work.
>
>  Are you using the default configuration?
>
>  Alan DeKok.

Re: user expiration problem

2008-06-30 Thread Alan DeKok
Umar wrote:
> Hi ...
> 
> im just wondering if my configuration is correct. I tried to disable a user
> through Expiration attribute but its not working.
> I am using 2.0.5 FreeRadius.
> 
> here is the mysql output.
> 
> | id | username | attribute     | op | value       |
> +----+----------+---------------+----+-------------+
> |  1 | test     | User-Password | == | test        |

  Change this to Cleartext-Password :=


> |  2 | test     | Expiration    | := | 22 Jan 2006 |

  That should work.

  Are you using the default configuration?

  Alan DeKok.


user expiration problem

2008-06-30 Thread Umar

Hi ...

I'm just wondering if my configuration is correct. I tried to disable a user
through the Expiration attribute but it's not working.
I am using 2.0.5 FreeRadius.

Here is the mysql output.

| id | username | attribute     | op | value       |
+----+----------+---------------+----+-------------+
|  1 | test     | User-Password | == | test        |
|  2 | test     | Expiration    | := | 22 Jan 2006 |

Are there any other changes required?

Please Help

Regards,

Umar Draz


Re: Group Expiration Date

2008-06-04 Thread Alan DeKok
CoMeC wrote:
> I wanted to ask if it is possible to set expiration date for a group, so
> all users in this group won't get access after expiration date?

  Yes.  Try it in the "users" file, first.

  Alan DeKok.


Re: Group Expiration Date

2008-06-03 Thread Marinko Tarlac

Is your user inside that group? (usergroup table)

CoMeC wrote:

Hi,

I was try to find an answer for my question, but without success..

I wanted to ask if it is possible to set expiration date for a group, so
all users in this group won't get access after expiration date?

"Expiration" works for single user (as a radcheck table attribute), but
when I enter it in radgroupcheck, it doesn't work.

Do I make a mistake anywhere, or it is just impossible?
There are any other solutions?

Please let me know, or send me any link, where I could get those info's.

Best regards,

CoMeC



Re: Group Expiration Date

2008-06-03 Thread Oguzhan Kayhan
Hello,
Try adding WISPr-Session-Terminate-Time parameter to radgroupreply.
It should work, normally it works with radreply no reason for not working
with group reply i think.


> Hi,
>
> I was try to find an answer for my question, but without success..
>
> I wanted to ask if it is possible to set expiration date for a group, so
> all users in this group won't get access after expiration date?
>
> "Expiration" works for single user (as a radcheck table attribute), but
> when I enter it in radgroupcheck, it doesn't work.
>
> Do I make a mistake anywhere, or it is just impossible?
> There are any other solutions?
>
> Please let me know, or send me any link, where I could get those info's.
>
> Best regards,
>
> CoMeC
>


Group Expiration Date

2008-06-03 Thread CoMeC
Hi,

I was trying to find an answer to my question, but without success.

I wanted to ask if it is possible to set an expiration date for a group, so
that all users in this group won't get access after the expiration date?

"Expiration" works for a single user (as a radcheck table attribute), but
when I enter it in radgroupcheck, it doesn't work.

Am I making a mistake somewhere, or is it just impossible?
Are there any other solutions?

Please let me know, or send me any link where I could get this info.

Best regards,

CoMeC



Re: Expiration?

2008-04-29 Thread Marco Gaiarin
Hello! Ivan Kalik
  On that day it was said...


> >Literally? Or it is some sort of example? Eg i have to write:
> >     Expiration := "May 10 2008 21:00:00"
> Like that.

Works, but with a minor drawback, and I don't know if it is a radius or a
supplicant problem (Windows XP SP2 with the WPA2 patch added).

If I set the wrong password on the supplicant, connections are easily
rejected and radius traffic stops.
If I set an Expiration earlier than 'now', connections are rejected (I can
clearly see 'Password-Expired' in the logs) but the supplicant retries and retries
indefinitely... I waited 5 minutes and it was still trying.


Boh, it is not a big trouble, only a little curiosity. ;)

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



Re: Expiration?

2008-04-29 Thread YvesDM
On Tue, Apr 29, 2008 at 12:09 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:

> >Literally? Or it is some sort of example? Eg i have to write:
> >
> >   Expiration := "May 10 2008 21:00:00"
>
> Like that.
>
> Ivan Kalik
> Kalik Informatika ISP
>


Hmm interesting, I did not know you could add an hour too, tnx ;-)

Kind regards,
Y.

Re: Expiration?

2008-04-29 Thread Ivan Kalik
>Literally? Or it is some sort of example? Eg i have to write:
>
>   Expiration := "May 10 2008 21:00:00"

Like that.

Ivan Kalik
Kalik Informatika ISP



Re: Expiration?

2008-04-29 Thread Marco Gaiarin
Hello! Ivan Kalik
  On that day it was said...

Sorry, but...

> Expiration := date_format_like"May 10 2008 21:00:00"

Literally? Or it is some sort of example? Eg i have to write:

    Expiration := "May 10 2008 21:00:00"

or literally:

Expiration := date_format_like"May 10 2008 21:00:00"


Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



Re: Expiration?

2008-04-29 Thread Ivan Kalik
>   Open your users file with your favorite editor and put a line like
>   this:
>
>   username1 Cleartext-Password := "user-password1", 
> MS-CHAP-Use-NTLM-Auth := 0
>
>
>Perfect, this works too. But I'm lazy like many system administrators,
>and I know that I will probably forget that I have accounts like this.
>
>
>Googling around I found the Expiration radius tag, which seems to suit my
>needs, but I found no example, nor an explanation of whether and how it
>can be used in the 'users' file.
>
>
>Speaking clearly: can i define in 'users' file some users with an
>explicit 'expiration date'?
>Someone can explain me how?
>

Yes.

username1 Cleartext-Password := "user-password1",
MS-CHAP-Use-NTLM-Auth := 0, Expiration := date_format_like"May 10 2008
21:00:00"

Ivan Kalik
Kalik Informatika ISP



Expiration?

2008-04-29 Thread Marco Gaiarin

Using:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

as a base, i've setup freeradius to authenticate against my domain
(samba, not AD, but little difference).

In this way users can access my wireless network, using their domain
account with password expiration and so on. Perfect.


But could be that i will need some 'guest access': for, ahem, guests,
or for speakers at a conference, ...
Creating and deleting domain accounts only for that it is not my
preferred choice.

The same HOWTO above say:

Configuration of users

The configuration of this file is not necesary to get work the
freeradius against the Active Directory, it is only necessary for
advanced usage of FreeRADIUS.

One of this advanced features, (among others) is the case when we want
to have some local users that does not rely on the Active Directory
that is working, but in the local file of users under
${sysconfdir}/raddb directory, an with the same authentication schema
of PEAP.

Open your users file with your favorite editor and put a line like
this:

username1 Cleartext-Password := "user-password1", 
MS-CHAP-Use-NTLM-Auth := 0


Perfect, this works too. But I'm lazy like many system administrators,
and I know that I will probably forget that I have accounts like this.


Googling around I found the Expiration radius tag, which seems to suit my
needs, but I found no example, nor an explanation of whether and how it
can be used in the 'users' file.


Speaking clearly: can i define in 'users' file some users with an
explicit 'expiration date'?
Someone can explain me how?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it  tel +39-0434-842711  fax +39-0434-842797



Re: Expiration Value

2008-02-26 Thread Marinko Tarlac

Well here is how I did it.

I have one table (users) and inside that table I have a field for 
expiration in YYYY-MM-DD format. When I check the option to control this 
date, I transfer this date into the radcheck table, but before that I convert 
it to the format we spoke about.


Here is query how to do it.

SELECT DATE_FORMAT( `ex_date` , '%M %d %Y %H:%i:%s' ) AS ex_date FROM 
users WHERE user='some_user';


Tim White wrote:
The format isn't easily sortable or useable in a SQL compare 
operation. It also requires slightly more work to generate. The simple 
format of "YYYY-MM-DD HH:MM:SS" makes more sense to me. It is easily 
human readable, and is also easily machine readable, isn't locale or 
language dependent.


Basically, it means that to do any operations on the table regarding 
the Expiration date, where I only want dates between a range, I have 
to get all dates, and sort them outside of SQL.


I'm not sure if print.c is the right place for this, but I've not had 
a chance to look at the code.


Tim

Marinko Tarlac wrote:

Well what problem do you have with this format?

Best regards

On Tue, Feb 26, 2008 at 10:21 AM, <[EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>> wrote:


Hi,
> Tim White wrote:
> > Bummer. Does anyone know how to get a format that doesn't use
Words
> > (month Name)?
>
>   Edit src/lib/print.c to print dates in a different format.
 Or, make a
> suggestion for the format you like...

hmm, a feature request?   what variable in the config though?
print_time ?

print_time = human
print_time = UTC
print_time = unix ?

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
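
The reverse of the DATE_FORMAT() conversion in the message above, as an added example (not part of the thread and not FreeRADIUS code): MySQL's STR_TO_DATE() with the same format string turns stored Expiration values back into datetimes, so they can be compared, sorted and audited in SQL. The radcheck column layout is assumed to be the FreeRADIUS default schema, and the sample rows are constructed.

```sql
-- Constructed sample rows; radcheck columns assumed to follow the
-- FreeRADIUS default MySQL schema (username, attribute, op, value).
CREATE TEMPORARY TABLE radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT ':=',
  value     VARCHAR(253) NOT NULL
);
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'Expiration', ':=', 'March 24 2008 00:00:00'),
  ('bob',   'Expiration', ':=', 'December 31 2035 00:00:00'),
  ('carol', 'Expiration', ':=', '2008-03-24'),
  ('dave',  'Expiration', ':=', 'December 31 2039 00:00:00');

-- 1) Accounts whose Expiration is already in the past. Assumes the
--    database session and the RADIUS server use the same time zone.
SELECT username, value
FROM radcheck
WHERE attribute = 'Expiration'
  AND STR_TO_DATE(value, '%M %d %Y %H:%i:%s') < NOW();

-- 2) Accounts expiring inside a date range, in chronological order.
SELECT username,
       STR_TO_DATE(value, '%M %d %Y %H:%i:%s') AS expires_at
FROM radcheck
WHERE attribute = 'Expiration'
  AND STR_TO_DATE(value, '%M %d %Y %H:%i:%s')
      BETWEEN '2008-01-01 00:00:00' AND '2036-01-01 00:00:00'
ORDER BY expires_at;

-- 3) Audit: values that do not parse in this format (STR_TO_DATE returns
--    NULL, so queries 1 and 2 silently skip them) or that lie past the
--    end of 32-bit Unix time, 2038-01-19 03:14:07 UTC.
SELECT username, value
FROM radcheck
WHERE attribute = 'Expiration'
  AND (STR_TO_DATE(value, '%M %d %Y %H:%i:%s') IS NULL
       OR STR_TO_DATE(value, '%M %d %Y %H:%i:%s') > '2038-01-19 03:14:07');
```

Run the audit query before any cleanup job built on query 1, so that unparsable rows are corrected rather than skipped.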


Re: Expiration Value

2008-02-26 Thread Tim White
The format isn't easily sortable or useable in a SQL compare operation. 
It also requires slightly more work to generate. The simple format of 
"YYYY-MM-DD HH:MM:SS" makes more sense to me. It is easily human 
readable, and is also easily machine readable, isn't locale or language 
dependent.


Basically, it means that to do any operations on the table regarding the 
Expiration date, where I only want dates between a range, I have to get 
all dates, and sort them outside of SQL.


I'm not sure if print.c is the right place for this, but I've not had a 
chance to look at the code.


Tim

Marinko Tarlac wrote:
> Well what problem do you have with this format?
>
> Best regards
>
> On Tue, Feb 26, 2008 at 10:21 AM, <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> > > Tim White wrote:
> > > > Bummer. Does anyone know how to get a format that doesn't use Words
> > > > (month Name)?
> > >
> > >   Edit src/lib/print.c to print dates in a different format.  Or, make a
> > > suggestion for the format you like...
> >
> > hmm, a feature request?   what variable in the config though?
> > print_time ?
> >
> > print_time = human
> > print_time = UTC
> > print_time = unix ?
> >
> > alan


Re: Expiration Value

2008-02-26 Thread Marinko Tarlac
Well what problem do you have with this format?

Best regards

On Tue, Feb 26, 2008 at 10:21 AM, <[EMAIL PROTECTED]> wrote:

> Hi,
> > Tim White wrote:
> > > Bummer. Does anyone know how to get a format that doesn't use Words
> > > (month Name)?
> >
> >   Edit src/lib/print.c to print dates in a different format.  Or, make a
> > suggestion for the format you like...
>
> hmm, a feature request?   what variable in the config though?
> print_time ?
>
> print_time = human
> print_time = UTC
> print_time = unix ?
>
> alan

Re: Expiration Value

2008-02-26 Thread A . L . M . Buxey
Hi,
> Tim White wrote:
> > Bummer. Does anyone know how to get a format that doesn't use Words
> > (month Name)?
> 
>   Edit src/lib/print.c to print dates in a different format.  Or, make a
> suggestion for the format you like...

hmm, a feature request?   what variable in the config though? 
print_time ?

print_time = human
print_time = UTC
print_time = unix ?

alan


Re: Expiration Value

2008-02-26 Thread Alan DeKok
Tim White wrote:
> Bummer. Does anyone know how to get a format that doesn't use Words
> (month Name)?

  Edit src/lib/print.c to print dates in a different format.  Or, make a
suggestion for the format you like...

  Alan DeKok.



Re: Expiration Value

2008-02-25 Thread Marinko Tarlac

I tried with classic format YYYY-MM-DD but it doesn't work.

Tim White wrote:
> Ivan Kalik wrote:
> > The one you have there in the text.
>
> Bummer. Does anyone know how to get a format that doesn't use Words
> (month Name)?
>
> Thanks
>
> Tim


Re: Expiration Value

2008-02-25 Thread Tim White

Ivan Kalik wrote:
> The one you have there in the text.

Bummer. Does anyone know how to get a format that doesn't use Words 
(month Name)?

Thanks

Tim


Re: Expiration Value

2008-02-25 Thread Ivan Kalik
The one you have there in the text.

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:

>So you maintain two instances of this value?
>Once in radcheck, and once in an external table? The first instance, in 
>radcheck, what format do you have that in?
>
>
>Thanks
>
>Tim
>
>Ivan Kalik wrote:
>> We don't do these checks on the radius database at all. We have a billing
>> database with users' details which has the value of this attribute in
>> datetime format, and checks are done there.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:
>>
>>> I'm attempting to use Expiration to expire user accounts after a set
>>> time period. What format does the Date/Time (Value field) have to be?
>>> From what I can see it's in the format of "Monthname Day Year
>>> Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
>>> that in this format you can't use normal SQL datetime operators to see
>>> if it's expired (for example, to run a SQL query to remove all expired
>>> accounts).
>>>
>>> Can someone who has it working please let me know what format they use
>>> for Expiration value, and how they can use MySQL comparison operators
>>> with it?
>>>
>>> (Either 2.0.2 or 1.1.7).
>>>
>>> Thanks
>>>
>>> Tim


Re: Expiration Value

2008-02-25 Thread Tim White

So you maintain two instances of this value?
Once in radcheck, and once in an external table? The first instance, in 
radcheck, what format do you have that in?

Thanks

Tim

Ivan Kalik wrote:
> We don't do these checks on the radius database at all. We have a billing
> database with users' details which has the value of this attribute in
> datetime format, and checks are done there.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:
>
> > I'm attempting to use Expiration to expire user accounts after a set
> > time period. What format does the Date/Time (Value field) have to be?
> > From what I can see it's in the format of "Monthname Day Year
> > Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
> > that in this format you can't use normal SQL datetime operators to see
> > if it's expired (for example, to run a SQL query to remove all expired
> > accounts).
> >
> > Can someone who has it working please let me know what format they use
> > for Expiration value, and how they can use MySQL comparison operators
> > with it?
> >
> > (Either 2.0.2 or 1.1.7).
> >
> > Thanks
> >
> > Tim


Re: Expiration Value

2008-02-25 Thread Ivan Kalik
We don't do these checks on the radius database at all. We have a billing
database with users' details which has the value of this attribute in
datetime format, and checks are done there.

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:

>I'm attempting to use Expiration to expire user accounts after a set
>time period. What format does the Date/Time (Value field) have to be?
>From what I can see it's in the format of "Monthname Day Year
>Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
>that in this format you can't use normal SQL datetime operators to see
>if it's expired (for example, to run a SQL query to remove all expired
>accounts).
>
>Can someone who has it working please let me know what format they use
>for Expiration value, and how they can use MySQL comparison operators
>with it?
>
>(Either 2.0.2 or 1.1.7).
>
>Thanks
>
>Tim


Expiration Value

2008-02-25 Thread Tim White
I'm attempting to use Expiration to expire user accounts after a set 
time period. What format does the Date/Time (Value field) have to be?
From what I can see it's in the format of "Monthname Day Year 
Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears 
that in this format you can't use normal SQL datetime operators to see 
if it's expired (for example, to run a SQL query to remove all expired 
accounts).


Can someone who has it working please let me know what format they use 
for Expiration value, and how they can use MySQL comparison operators 
with it?


(Either 2.0.2 or 1.1.7).

Thanks

Tim


Re: Expiration attribute limitation - max year?

2007-12-18 Thread Alan DeKok
Marinko Tarlac wrote:
> Hello I'm working on something and I can figure what is the max year for
> expiration attribute?

  It's a 32-bit Unix timestamp, in seconds since 1970.  2039 *is* the
maximum.

> Here is the problem
> 
> rlm_sql: Failed to create the pair: failed to parse time string
> "December 31 2039 00:00:00"
> 
> When I enter December 31 2035 00:00:00 as a year it works but 2039
> doesn't. Is there any way to avoid this limit?

  No.

  Alan DeKok.


Expiration attribute limitation - max year?

2007-12-18 Thread Marinko Tarlac
Hello I'm working on something and I can figure what is the max year for
expiration attribute?

Here is the problem

rlm_sql: Failed to create the pair: failed to parse time string "December 31
2039 00:00:00"

When I enter December 31 2035 00:00:00 as a year it works but 2039 doesn't.
Is there any way to avoid this limit?

I know that the year 2035 is far from now but.. :)

Re: Expiration module?

2007-11-30 Thread tnt
How? By instructing you that you should actually read the existing
entries in the configuration - perhaps what you want is already there?
There are plenty of features that have been configured or disabled
(commented out) by default. You just have to read through the
configuration in order to find out.

I am afraid that the common sense module doesn't come with Freeradius.
You have to have that installed already ;-)

Ivan Kalik
Kalik Informatika ISP


On 30/11/2007, "Evert" <[EMAIL PROTECTED]> wrote:

>[EMAIL PROTECTED] wrote:
>> Expiration is included in the server core, default configuration and
>> enabled by default. There is nothing you need to do in order to
>> "implement" it.
>>
>>> Is the wiki outdated on this point?
>>
>> Point being?
>>
>
>If it is, perhaps it should/could be updated?
>
>
>Regards,
>   Evert
>


Re: Expiration module?

2007-11-30 Thread Evert
[EMAIL PROTECTED] wrote:
> Expiration is included in the server core, default configuration and
> enabled by default. There is nothing you need to do in order to
> "implement" it.
> 
>> Is the wiki outdated on this point?
> 
> Point being?
> 

If it is, perhaps it should/could be updated?


Regards,
Evert



Re: Expiration module?

2007-11-29 Thread tnt
Expiration is included in the server core, default configuration and
enabled by default. There is nothing you need to do in order to
"implement" it.

>Is the wiki outdated on this point?

Point being?

Ivan Kalik
Kalik Informatika ISP


On 29/11/2007, "Evert" <[EMAIL PROTECTED]> wrote:

>Hi all!
>
>I'm trying to implement expiration, as mentioned in the wiki at
>http://wiki.freeradius.org/Radiusd.conf
>
>But all this gives me is: Failed to link to module 'rlm_expiration': 
>rlm_expiration.so:
>cannot open shared object file: No such file or directory
>

>
>
>
>Regards,
>  Evert
>


Expiration module?

2007-11-29 Thread Evert
Hi all!

I'm trying to implement expiration, as mentioned in the wiki at
http://wiki.freeradius.org/Radiusd.conf

But all this gives me is: Failed to link to module 'rlm_expiration': 
rlm_expiration.so:
cannot open shared object file: No such file or directory

Is the wiki outdated on this point?



Regards,
  Evert
