Re: only 2 dynamic IPs are allocated even the ip pool has many IPs

2013-07-30 Thread Alan DeKok
Koka Krishna wrote:
> I am using the freeradius 2.2.0 on ubuntu.
> When I try to use the dynamic IP pool allocation, RADIUS server is
> allocating only 2 IPs . afterwards those 2 IPs repeated for other
> subscribers as well. So that I am not able to create more than 2 sessions.
> May I know how to resolve this issue?

  Read raddb/modules/ippool.  Look for the "key" attribute.  Both the
problem and the solution are documented there.

  i.e. if you're using a module, it helps to read the module configuration.

> ippool main_pool {

  So... you posted the stock module configuration to the list.  Why?
Did you think we don't have a copy of it?

  And you didn't bother reading it.

  

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Understanding the IP Pool module

2013-02-13 Thread Alan DeKok
Бен Томпсон wrote:
> One thing I still don't understand though is how best to use ippool
> for DHCP.

  As Phil said, don't.  Use the SQL IP pool module.

  Alan DeKok.

Re: Understanding the IP Pool module

2013-02-13 Thread Phil Mayers

On 02/13/2013 07:23 AM, Бен Томпсон wrote:

> One thing I still don't understand though is how best to use ippool
> for DHCP. I don't understand where and how I should call the module
> during a DHCP transaction. For example I can call it during
> DHCP-Discover, but it seems that if I call it again during
> DHCP-Request I might get different address even when the key is the
> same. I will continue to study the code to see why this happens and
> if I figure it out I will report back with my findings.

With difficulty, in short.

The ippool module is old, and predates the DHCP functionality. You would
need to "fake up" some RADIUS attributes in the DHCP packet, then ensure
that ippool is called in a manner that hands out IPs correctly. This may
prove to be impossible.

There is an example of doing this with the sqlippool module, which is
rather better suited to this; by customising the queries you can ensure
that different IPs in DISCOVER/REQUEST are not a problem. See the GIT
repo for details:

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/policy.d/dhcp

https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/dhcp_sqlippool

Re: Understanding the IP Pool module

2013-02-12 Thread Бен Томпсон
Thanks Alan

2013/2/12 Alan DeKok :
> Бен Томпсон wrote:
>> I am hoping to use rlm_ippool and I would like to understand a bit
>> about how it works. Firstly I want to understand the format of the
>> database.
>
>   The best approach is to look at the documentation, followed by the code.

I have had a look at the code and have been able to work out a few
things. I will write my findings here, both for my own reference and
for others who might ask the same questions in the future.

Regarding the "active" flag: as I understand it so far, this is
basically supposed to indicate whether a session (e.g. PPP) is
currently up and using this address. The theory being that the flag is
set to 1 when the IP is dished out during RADIUS post-auth, and it is
set to 0 when the accounting stop is received.

I also figured out that "cli" flag is the Calling-Station-Id and this
is used as an identifier in Multilink PPP sessions. It would appear
that in the old days of bundling together connections with dial up
modems (to get more bandwidth) it was necessary to issue the same
address in multiple authentication requests.

One thing I still don't understand though is how best to use ippool
for DHCP. I don't understand where and how I should call the module
during a DHCP transaction. For example I can call it during
DHCP-Discover, but it seems that if I call it again during
DHCP-Request I might get different address even when the key is the
same. I will continue to study the code to see why this happens and
if I figure it out I will report back with my findings.

If anyone else knows the answers, I would be grateful to hear from them.

Re: Understanding the IP Pool module

2013-02-12 Thread Alan DeKok
Бен Томпсон wrote:
> I am hoping to use rlm_ippool and I would like to understand a bit
> about how it works. Firstly I want to understand the format of the
> database.

  The best approach is to look at the documentation, followed by the code.

> Could anyone explain to me what the columns "cli" and "num" are used for?

  I haven't looked at it myself.  All I know is that it works.

> Does this mean that the ippool module sets "active" to 0 when it sees
> an accounting Stop from the same "Key"?

  No idea.  Look at the code.

> Also, I noticed that this module can be used for DHCP which obviously
> does not have an accounting section. Does this mean that IP addresses
> can never be deallocated from the pool?

  No.  The addresses should have a lifetime.

  Alan DeKok.

Understanding the IP Pool module

2013-02-12 Thread Бен Томпсон
Hello Everyone

I am hoping to use rlm_ippool and I would like to understand a bit
about how it works. Firstly I want to understand the format of the
database.

I can see from the output of rlm_ippool_tool that there are five columns :-

Key | IP Address | Active  | CLI | Num

It is obvious what the first two are, and I am not sure about the last
three, but I guess that "active" means that this address is in use.

Could anyone explain to me what the columns "cli" and "num" are used for?

I noticed that this module is called from the post-auth and accounting
sections, and in the accounting section of sites-available/default
there is the following comment :-

#  Return an address to the IP Pool when we see a stop record.

Does this mean that the ippool module sets "active" to 0 when it sees
an accounting Stop from the same "Key"?

Also, I noticed that this module can be used for DHCP which obviously
does not have an accounting section. Does this mean that IP addresses
can never be deallocated from the pool?

Thanks in advance for any help.

Ben


Re: mysql ip pool guide or documentation

2012-10-19 Thread Sebastien Boucher
heh ok .. the module was right in front of my eyes and I did not see it. I
found the sql schema for ippool also.

thanks !

S.

On Fri, Oct 19, 2012 at 1:24 PM, Phil Mayers wrote:

> Sebastien Boucher  wrote:
>
> >hello,
> >
> >Sorry for asking a question that was probably asked and answered before
> >but I could not find anything.
> >
> >Can anyone direct me to a guide or some sort of documentation on how to
> >configure ip pool for freeradius using a mysql database ?
> >
> >thank you for your help.
> >
> >Sebastien.
> >
> >
> >
> >
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
> The SQL schema comes with the server. Just put IPs into the pool using SQL
> and put the module into the config.
>
> What specifically do you need advice on?
> --
> Sent from my phone. Please excuse brevity and typos.
>

Re: mysql ip pool guide or documentation

2012-10-19 Thread Phil Mayers
Sebastien Boucher  wrote:

>hello,
>
>Sorry for asking a question that was probably asked and answered before
>but I could not find anything.
>
>Can anyone direct me to a guide or some sort of documentation on how to
>configure ip pool for freeradius using a mysql database ?
>
>thank you for your help.
>
>Sebastien.
>
>
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

The SQL schema comes with the server. Just put IPs into the pool using SQL and 
put the module into the config.

What specifically do you need advice on?
-- 
Sent from my phone. Please excuse brevity and typos.


mysql ip pool guide or documentation

2012-10-19 Thread Sebastien Boucher
hello,

Sorry for asking a question that was probably asked and answered before but
I could not find anything.

Can anyone direct me to a guide or some sort of documentation on how to
configure ip pool for freeradius using a mysql database ?

thank you for your help.

Sebastien.

Re: how to add two ip pool

2012-09-13 Thread Fajar A. Nugraha
On Thu, Sep 13, 2012 at 7:25 PM, ranjan kumar  wrote:
> Hi All,
>
> I am trying to add two default entries in users file for two ip pool.

Why?

Most likely you're trying to solve a problem the wrong way.

What EXACTLY do you want to do? Allocate IPs from two ranges of
noncontiguous IP addresses? or what?

> Is it possible to add two entries of default in users file ? If yes then

Yes, as long as they don't conflict with each other.

> Please help me its very critical.

(sigh)

No, it's not.

If it's THAT critical, you would've either:

(1) gotten support from someone who knows what they're doing, or
(2) learned how to do it yourself, and ONLY implemented what you've tested

You've done neither, so IMO it's not critical enough for you.


>
> I have configured two ippool which looks like:
> ===
> In Users file:
>
> DEFAULT Auth-Type := aag, Service-Type == Framed-User, Framed-Protocol == 7,
> Pool-Name := myippool

> DEFAULT Auth-Type := aag, Service-Type == Framed-User, Framed-Protocol == 7,
> Pool-Name := my_sec_ippool

I'm pretty sure that roughly means the second entry would never be
used. Did you read the docs (e.g. "man 5 users")?

Especially, look for "Fall-Through" and "operators".


> In radiusd.conf
>
> ippool myippool {

>  session-db = ${raddbdir}/db.ippool
>  ip-index = ${raddbdir}/db.ipindex

> ippool my_sec_ippool {

>  session-db = ${raddbdir}/db.ippool1
>  ip-index = ${raddbdir}/db.ipindex1

Did you read my earlier reply?

> When i am executing ./radiusd -X always getting IPs for only one ggsn.

At this point I usually ask "and the full output of debug log is ?",

... but in this case it'd probably be useless since it looks like
you're trying to solve your problems the wrong way.

Again, What EXACTLY do you want to do?

>
> Please help me its very critical.

No, it's not. And saying it over and over again won't get you faster
response. Instead, it will only annoy others, and discourage them from
trying to help you.

-- 
Fajar


Re: Problem in configuring multiple IP pool

2012-09-13 Thread Fajar A. Nugraha
On Thu, Sep 13, 2012 at 4:55 PM, ranjan kumar  wrote:
>
> Hi,
>
> I have created two ip pool in radiusd.conf which looks like below:
>
> ===
> In radiusd.conf
>
> ippool myippool {


Which version is this?

IIRC in 2.x ippool configuration is in raddb/modules/ippool.

If you're still using 1.1.x, then my best advice is good luck, or ask
whoever maintained your server (e.g. just in case you have some kind
of software support for your radius/OS)

-- 
Fajar


Re: How fast can IP Pool SQL be? :) *a Shocker*

2012-04-23 Thread Phil Mayers



> very bad? Standard schema with standard queries? I assumed the stable
> code would be released with the best possible SQL indexes on the schema
> etc?

It is released with safe defaults, that work in common cases i.e. using
"select ... for update" to prevent duplicate IP assignment.

Hundreds or thousands of IPs per second is not a common requirement. You
need to put work in for this.

If you've achieved this, and want it in the server, open source it and
contribute a patch.



Re: How fast can IP Pool SQL be? :) *a Shocker*

2012-04-22 Thread Alan DeKok
Christiaan Rademan wrote:
> So what I am actually trying to determine here is whether I stumbled
> across a great solution or something meaningless that worked around a
> problem with my specific configuration.

  If you want us to review what you've done, then describe what you've done.

> If I did come across something nice, I would really try to make an effort
> to clean it up. Maybe get others to help work on it..
>
> I probably won't be able to release the code, but I know it works, I
> could probably give you the queries, that should give you a clue as how.

  You're not going to release the code?  Then go away.  This list is the
place to talk about FreeRADIUS.  Asking us to review your commercial
work is not appropriate.

> So before I get all excited here, I would like to know from you, is 25/s
> very bad? Standard schema with standard queries? I assumed the stable
> code would be released with the best possible SQL indexes on the schema
> etc?

  It's all a mystery.  You're running a RADIUS system for 2 million
people.  You have a budget.  You figure it out.

  Alan DeKok.


Re: How fast can IP Pool SQL be? :) *a Shocker*

2012-04-22 Thread Christiaan Rademan

Greetings,

I was aware of it not working, but was told to continue. Used radperf to
test performance.

Okay, fair enough, mysql is fast ;-) But how fast is it really with the
queries SQLIPPool runs by default?

What should I be expecting? I am trying to find out whether recreating
the wheel was all such a great idea.

Yes I recoded my own version of SQLIPPool, it's running a whole lot
faster than the one with standard queries. 25/s to 5000/s, same
hardware, same database.

I tried to optimise the queries with the original IP Pool but it never
really helped much.

So what I am actually trying to determine here is whether I stumbled
across a great solution or something meaningless that worked around a
problem with my specific configuration.

How should I test it? Is the standard template and schema supposed to do
the job? If so, would you say out of experience that I should get more
than 25 IP pool assignments per second on the hardware I stated earlier
in this thread.

If I did come across something nice, I would really try to make an effort
to clean it up. Maybe get others to help work on it..

I probably won't be able to release the code, but I know it works, I
could probably give you the queries, that should give you a clue as how.

The way I am doing the queries it won't work within ippool.conf structure.

I am aware of only one problem tested under heavy load for my way of
doing things... If a single user with the same username logs into
the box more than once per second, there is a very slight possibility he
could get handed the same IP. Only if the same user logs in. Which would
never happen in a mobile operator, since all the users are msisdn.

So before I get all excited here, I would like to know from you, is 25/s
very bad? Standard schema with standard queries? I assumed the stable
code would be released with the best possible SQL indexes on the schema
etc?

On 22/04/2012 11:35, Fajar A. Nugraha wrote:
> On Sun, Apr 22, 2012 at 1:08 PM, Timmy  wrote:
>> On 2012-04-22 02:53 AM, Christiaan Rademan wrote:
>>> Greetings everyone,
>>>
>>> I previously had a post concerning authenticate over 2 million+ mobile
>>> subscriber users on FreeRadius. We did performance testing yet, failed but
>>> due to pressure from client we went ahead with the migration.
>
> Well, fail to plan, plan to fail.
>
> You can use radperf/radclient for the test.
>
>>> The migration
>>> failed at this point, since the Radius Server could not hand out more than
>>> 25 IP addresses per second. Obviously this was due to slow database server /
>>> resources. FreeRadius was happy to hand out logins once the pool assignment
>>> was done on the GGSN.
>
> I'd say it's because of the design for allocate-find query, not
> because the db itself is slow.
>
>>> So I am wondering, I found a solution to the problem and we are now
>>> handing out IP addresses easily.. 5000+ accept-accept responses per second
>>> with framedipaddress included from a pool within SQL.
>
> Do you mean "I found a solution" or "I'm looking for a solution"?
>
>>> Quad Xeon, 4 core, 8 threads, 16gig ram running Ubuntu Linux. Is it
>>> possible to hand out that many ip addresses per second? :)
>
> Sure.
>
>>> The box is also
>>> running both the radiusd and mysql process using a standard storage engine.
>>> Not using NDB or anything special. Is this really an impossible task?
>
> No. But then again, it kinda contradicts your "I found a solution"
> statement. If you found the solution, you won't have to ask, would
> you?
>
>>> Maybe
>>> I can find out from our company if I may release the code we using to make
>>> this work.
>>>
>>> I would really like to help improve the SQLIPPool module. Since the
>>> version we were using could only do 25/s now we are over 5000/s.
>
> If you can, please contribute.
>
>> Migrate to IBM DB2.  There is a source of DB2 driver inside freeradius
>> source.
>
> I doubt that would work.
>
> IIRC the problem is that the default sql query uses implicit locks
> (i.e. SELECT ... FOR UPDATE) to make sure the allocated IP addresses
> are absolutely unique. In my case I traded uniqueness for performance
> by using randomization instead (which, most of the time, successfully
> allocates unique IP addresses to clients).
>
> Then again, I could be wrong. If you HAVE performed a real test, and are
> able to hand out several hundreds IP/sec using the default query by
> ONLY changing the db, let me know.

--
Christiaan Rademan - JNCIE #661

Mobile: +27 83 419 2078
E-mail: christiaan.rade...@gmail.com



Re: How fast can IP Pool SQL be? :) *a Shocker*

2012-04-22 Thread Fajar A. Nugraha
On Sun, Apr 22, 2012 at 1:08 PM, Timmy  wrote:
> On 2012-04-22 02:53 AM, Christiaan Rademan wrote:
>>
>> Greetings everyone,
>>
>> I previously had a post concerning authenticate over 2 million+ mobile
>> subscriber users on FreeRadius. We did performance testing yet, failed but
>> due to pressure from client we went ahead with the migration.

Well, fail to plan, plan to fail.

You can use radperf/radclient for the test.

>> The migration
>> failed at this point, since the Radius Server could not hand out more than
>> 25 IP addresses per second. Obviously this was due to slow database server /
>> resources. FreeRadius was happy to hand out logins once the pool assignment
>> was done on the GGSN.
>>

I'd say it's because of the design for allocate-find query, not
because the db itself is slow.

>> So I am wondering, I found a solution to the problem and we are now
>> handing out IP addresses easily.. 5000+ accept-accept responses per second
>> with framedipaddress included from a pool within SQL.
>>

Do you mean "I found a solution" or "I'm looking for a solution"?

>> Quad Xeon, 4 core, 8 threads, 16gig ram running Ubuntu Linux. Is it
>> possible to hand out that many ip addresses per second? :)

Sure.

>> The box is also
>> running both the radiusd and mysql process using a standard storage engine.
>> Not using NDB or anything special. Is this really an impossible task?

No. But then again, it kinda contradicts your "I found a solution"
statement. If you found the solution, you won't have to ask, would
you?

>> Maybe
>> I can find out from our company if I may release the code we using to make
>> this work.
>>
>> I would really like to help improve the SQLIPPool module. Since the
>> version we were using could only do 25/s now we are over 5000/s.

If you can, please contribute.

>>
>>
>
> Migrate to IBM DB2.  There is a source of DB2 driver inside freeradius
> source.

I doubt that would work.

IIRC the problem is that the default sql query uses implicit locks
(i.e. SELECT ... FOR UPDATE) to make sure the allocated IP addresses
are absolutely unique. In my case I traded uniqueness for performance
by using randomization instead (which, most of the time, successfully
allocates unique IP addresses to clients).

Then again, I could be wrong. If you HAVE performed a real test, and are
able to hand out several hundreds IP/sec using the default query by
ONLY changing the db, let me know.

-- 
Fajar
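
The trade-off discussed in this thread (row locks via SELECT ... FOR UPDATE versus faster allocation that does not guarantee uniqueness), shown as an added example that is not part of the original posts and is not FreeRADIUS code. It assumes a constructed two-column table, constructed addresses and hypothetical function names; SQLite has no SELECT ... FOR UPDATE, so the safe variant swaps in a conditional UPDATE whose row count tells the caller whether it won the address.

```python
"""Added example: find-then-claim IP allocation, unguarded vs. guarded."""
import sqlite3
from collections import Counter

# Constructed pool addresses (RFC 5737 documentation range), not from the thread.
SAMPLE_POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
SAMPLE_SESSIONS = ["sess-a", "sess-b", "sess-c"]


def make_pool(ips):
    """In-memory stand-in for an IP pool table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pool (ip TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO pool (ip) VALUES (?)", [(ip,) for ip in ips])
    return db


def find_free(db):
    """Step 1: pick a free address. Without a row lock, nothing reserves it."""
    row = db.execute(
        "SELECT ip FROM pool WHERE owner IS NULL ORDER BY ip LIMIT 1"
    ).fetchone()
    return row[0] if row else None


def claim_unguarded(db, ip, owner):
    """Step 2, unsafe: writes the owner without checking the row is still free."""
    db.execute("UPDATE pool SET owner = ? WHERE ip = ?", (owner, ip))
    return True


def claim_guarded(db, ip, owner):
    """Step 2, safe: the WHERE clause lets exactly one caller win the row."""
    cur = db.execute(
        "UPDATE pool SET owner = ? WHERE ip = ? AND owner IS NULL", (owner, ip)
    )
    return cur.rowcount == 1


def allocate_interleaved(db, owners, claim):
    """Worst-case schedule: every session runs find_free before any claim.

    Returns {owner: ip}, i.e. the address each session would be sent in its
    reply. A value of None means the pool was exhausted for that session.
    """
    picks = [(owner, find_free(db)) for owner in owners]
    replies = {}
    for owner, ip in picks:
        while ip is not None and not claim(db, ip, owner):
            ip = find_free(db)  # lost the race, look for another address
        replies[owner] = ip
    return replies


def duplicate_ips(replies):
    """Addresses that were handed to more than one session."""
    counts = Counter(ip for ip in replies.values() if ip is not None)
    return sorted(ip for ip, n in counts.items() if n > 1)


def table_view(db):
    """What the pool table itself records after allocation."""
    return db.execute("SELECT ip, owner FROM pool ORDER BY ip").fetchall()


if __name__ == "__main__":
    for name, claim in (("unguarded", claim_unguarded), ("guarded", claim_guarded)):
        db = make_pool(SAMPLE_POOL)
        replies = allocate_interleaved(db, SAMPLE_SESSIONS, claim)
        print(name, replies, "duplicates:", duplicate_ips(replies))
        print("  table:", table_view(db))
```

In the unguarded run the table ends up naming only the last writer as owner, so the duplicate is visible only by comparing the addresses actually sent to sessions, not by reading the pool table.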


Re: How fast can IP Pool SQL be? :) *a Shocker*

2012-04-21 Thread Timmy

On 2012-04-22 02:53 AM, Christiaan Rademan wrote:
> Greetings everyone,
>
> I previously had a post concerning authenticate over 2 million+ mobile
> subscriber users on FreeRadius. We did performance testing yet, failed
> but due to pressure from client we went ahead with the migration. The
> migration failed at this point, since the Radius Server could not hand
> out more than 25 IP addresses per second. Obviously this was due to
> slow database server / resources. FreeRadius was happy to hand out
> logins once the pool assignment was done on the GGSN.
>
> So I am wondering, I found a solution to the problem and we are now
> handing out IP addresses easily.. 5000+ accept-accept responses per
> second with framedipaddress included from a pool within SQL.
>
> Quad Xeon, 4 core, 8 threads, 16gig ram running Ubuntu Linux. Is it
> possible to hand out that many ip addresses per second? :) The box is
> also running both the radiusd and mysql process using a standard
> storage engine. Not using NDB or anything special. Is this really an
> impossible task? Maybe I can find out from our company if I may
> release the code we using to make this work.
>
> I would really like to help improve the SQLIPPool module. Since the
> version we were using could only do 25/s now we are over 5000/s.

Migrate to IBM DB2.  There is a source of DB2 driver inside freeradius
source.



How fast can IP Pool SQL be? :) *a Shocker*

2012-04-21 Thread Christiaan Rademan

Greetings everyone,

I previously had a post concerning authenticate over 2 million+ mobile 
subscriber users on FreeRadius. We did performance testing yet, failed 
but due to pressure from client we went ahead with the migration. The
migration failed at this point, since the Radius Server could not hand 
out more than 25 IP addresses per second. Obviously this was due to slow 
database server / resources. FreeRadius was happy to hand out logins 
once the pool assignment was done on the GGSN.


So I am wondering, I found a solution to the problem and we are now 
handing out IP addresses easily.. 5000+ accept-accept responses per 
second with framedipaddress included from a pool within SQL.


Quad Xeon, 4 core, 8 threads, 16gig ram running Ubuntu Linux. Is it
possible to hand out that many ip addresses per second? :) The box is 
also running both the radiusd and mysql process using a standard storage 
engine. Not using NDB or anything special. Is this really an impossible 
task? Maybe I can find out from our company if I may release the code we 
using to make this work.


I would really like to help improve the SQLIPPool module. Since the 
version we were using could only do 25/s now we are over 5000/s.



--
Christiaan Rademan - JNCIE #661

Mobile: +27 83 419 2078
E-mail: christiaan.rade...@gmail.com



RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
Fajar,

I found the problem... It's Acct-Interim-Time that is not set for
some groups and I can't find why... I am solving the problem now... Thank
you for your help!

--



> -Original Message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org]
> On behalf of Fajar A. Nugraha
> Sent: Monday, January 30, 2012 09:53
> To: FreeRadius users mailing list
> Cc: Agner Vainer [ CNett ]
> Subject: Re: Problems using SQL IP Pool
>
> On Mon, Jan 30, 2012 at 8:47 PM, Nataniel Klug wrote:
> >> And what does freeradius debug log say?
> >
> > [Nataniel Klug] This is a production server and I can't run it in
> > debug mode (-X) and as it's not been a common problem it appear just
> > once or twice during a day I can't be monitoring it all the time. Is
> > there any other way to make the debug mode?
>
> Try "man radmin", look for "debug". That's assuming you set up
> control-socket correctly (i.e. edit the file, symlink to
> sites-enabled, etc).
>
> Last time I checked the output is slightly different (e.g. you can't see
> request attributes), so if you can't make it work with that then your
> only option is to run FR in debug mode. It's important because it can
> tell whether the attribute came from sqlippool, or whether some other
> module overwrites it (e.g. files, sql), or whether FR is sending the
> correct ip address, but the client simply ignores it.
>
> --
> Fajar



Re: Problems using SQL IP Pool

2012-01-30 Thread Fajar A. Nugraha
On Mon, Jan 30, 2012 at 8:47 PM, Nataniel Klug  wrote:
>> And what does freeradius debug log say?
>
> [Nataniel Klug] This is a production server and I can't run it in debug mode
> (-X) and as it's not been a common problem it appear just once or twice
> during a day I can't be monitoring it all the time. Is there any other way
> to make the debug mode?

Try "man radmin", look for "debug". That's assuming you set up
control-socket correctly (i.e. edit the file, symlink to
sites-enabled, etc).

Last time I checked the output is slightly different (e.g. you can't see
request attributes), so if you can't make it work with that then your
only option is to run FR in debug mode. It's important because it can
tell whether the attribute came from sqlippool, or whether some other
module overwrites it (e.g. files, sql), or whether FR is sending the
correct ip address, but the client simply ignores it.

-- 
Fajar


RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
> And what does freeradius debug log say?
> 
> --
> Fajar

[Nataniel Klug] I've set my debug_level to 2 and now it's recording in
radius.log. I will look into it when the problem appears.



RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
Hello Fajar,

Thank you for your reply. I will answer below:

> So you have ONLY one instance of sqlippool, backed by postgresql?
>
> If you don't use mysql for sqlippool then it's not relevant for this
> discussion. Focus on what you use for sqlippool

[Nataniel Klug] It's true, I just use PostgreSQL for ippool:

- /etc/raddb/sql.conf -
sql sqlps {
database = "postgresql"
driver = "rlm_sql_${database}"
server = "186.251.144.XX"
port = 5432
login = "radius"
password = "XX"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 30
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
readclients = yes
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}

sql sqlmy {
database = "mysql"
driver = "rlm_sql_${database}"
server = "186.251.144.XX"
port = 3306
login = "radius"
password = "XX"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "usergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 60
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
readclients = no
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}

- /etc/raddb/sqlippool.conf -
sqlippool {
    sql-instance-name = "sqlps"
    ippool_table = "radippool"
    lease-duration = 720
    pool-key = "%{NAS-Identifier}-%{NAS-Port}"
    $INCLUDE sql/postgresql/ippool.conf
    sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
     (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
     (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
     (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
    sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
     (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_nopool = "No Pool-Name defined \
     (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}

> And what does freeradius debug log say?
> 
> --
> Fajar

[Nataniel Klug] This is a production server and I can't run it in debug mode
(-X) and as it's not been a common problem it appear just once or twice
during a day I can't be monitoring it all the time. Is there any other way
to make the debug mode?



Re: Problems using SQL IP Pool

2012-01-30 Thread Fajar A. Nugraha
On Mon, Jan 30, 2012 at 7:43 PM, Nataniel Klug  wrote:
> I’ve been using Freeradius for a long time and about 5 months
> ago I made a change in my default layout so I could use Freeradius SQL-IPPool
> running over PostgreSQL.

So you have ONLY one instance of sqlippool, backed by postgresql?

> I am using MySQL and PostgreSQL for a reason: somehow the
> software I use to bill my customers can only work with MySQL radacct table
> and it was not able to read the radacct from PostgreSQL. So I am running
> accounting over MySQL and Authentication/Authorization over PostgreSQL (I
> will post the configuration files in the end of this message).

If you don't use mysql for sqlippool then it's not relevant for this
discussion. Focus on what you use for sqlippool

> So, returning to the problem, this is what is happening:
>
> http://www.cnett.com.br/nata/imagens/Capturar.JPG
>
> There are two clients using the SAME IP which is a problem.
> Looking into my Freeradius log file I could not find when “cjunior” got the
> IP I have JUST “taise” allocation:

And what does freeradius debug log say?

-- 
Fajar



Re: SQL IP Pool Not Accepting Redundant SQL

2011-10-12 Thread Det Det
hey thanks! got it working using that configuration below. It also worked when 
placed in instantiate block.




From: Arran Cudbard-Bell 
To: FreeRadius users mailing list 
Cc: Det Det 
Sent: Tuesday, October 4, 2011 6:24 PM
Subject: Re: SQL IP Pool Not Accepting Redundant SQL





>
>You can't, 'redundant_sql' is not an sql-instance. You need to create two 
>instances of sqlippool, then wrap them in a redundant block...

If you're using FR >= 2.1.11 or 3.*

Overload the sqlippool module

policy.conf

policy {
    sqlippool {
        redundant {
            sqlippool1
            sqlippool2
        }
    }
}


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


Re: SQL IP Pool Not Accepting Redundant SQL

2011-10-04 Thread Arran Cudbard-Bell

> 
> You can't, 'redundant_sql' is not an sql-instance. You need to create two 
> instances of sqlippool, then wrap them in a redundant block...

If you're using FR >= 2.1.11 or 3.*

Overload the sqlippool module

policy.conf

policy {
    sqlippool {
        redundant {
            sqlippool1
            sqlippool2
        }
    }
}


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool Not Accepting Redundant SQL

2011-10-04 Thread Arran Cudbard-Bell

On 4 Oct 2011, at 12:08, Det Det wrote:

> Hi,
> 
> How to make sqlippool accept redundant SQL as below?
> 
> sqlippool {
>  sql-instance-name = "redundant_sql"
>  ippool_table = "radippool"
> ...
> }
> 
> radiusd.conf
> ...
> redundant redundant_sql {
> sql1
> sql2
> }
> ...
> 
> if I use  sql-instance-name = "sql1" or sql-instance-name = "sql2", it works. 
> But then, I'd like to do redundancy. 
> 
> 
> sql-instance-name = "sql1 sql2" or sql-instance-name = "sql1, sql2" also does 
> not work.
> 
> -

You can't, 'redundant_sql' is not an sql-instance. You need to create two 
instances of sqlippool, then wrap them in a redundant block...

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SQL IP Pool Not Accepting Redundant SQL

2011-10-04 Thread Det Det
Hi,

How to make sqlippool accept redundant SQL as below?

sqlippool {
 sql-instance-name = "redundant_sql"
 ippool_table = "radippool"
...
}

radiusd.conf
...
    redundant redundant_sql {
        sql1
        sql2
    }
...

if I use  sql-instance-name = "sql1" or sql-instance-name = "sql2", it works. 
But then, I'd like to do redundancy. 


sql-instance-name = "sql1 sql2" or sql-instance-name = "sql1, sql2" also does 
not work.


Thanks!
Det
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL IP Pool Control Attribute Placement

2011-09-07 Thread Fajar A. Nugraha
On Wed, Sep 7, 2011 at 2:45 PM, Det Det  wrote:
> Hi,
> For the sqlippool, http://wiki.freeradius.org/Rlm_sqlippool, which table
> should the below control attribute be placed on? It says, it is not a reply
> attribute, does it then go to radcheck/radgroupcheck table?
>
>
> DEFAULT Pool-Name := main_pool

Pool-Name should be in radcheck/radgroupcheck. Or, if you use the same
pool for everyone, you can still put it on users file with DEFAULT as
username (per the example).

>  Fall-Through = Yes

Depending on your configuration, it's possible you may not need
Fall-Through at all. If you DO use it, it should be on
radreply/radgroupreply (if using SQL) or on reply items line (when
using files).

If you're using SQL don't forget to read doc/rlm_sql to see how to use
multiple sql groups (which needs different priorities for each group
and Fall-Through in radgroupreply)

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SQL IP Pool Control Attribute Placement

2011-09-07 Thread Det Det
Hi,

For the sqlippool, http://wiki.freeradius.org/Rlm_sqlippool, which table should 
the below control attribute be placed on? It says, it is not a reply attribute, 
does it then go to radcheck/radgroupcheck table?



DEFAULT Pool-Name := main_pool
Fall-Through = Yes


thanks,
det
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius GGSN->Postgresql Based upon a SELECT it will trigger a specific IP Pool

2011-05-24 Thread Phil Mayers

On 24/05/11 13:44, Pedro Costa wrote:

> Hi,
>
> I'm new to Freeradius and I am trying to figure a way to use Freeradius
> to Authenticate a user through a CISCO GGSN in where the GGSN will send
> the IMSI to the Freeradius and the Freeradius will connect to a
> Postgresql DB doing a SELECT on 2 tables and will receive a Language
> that the IMSI/User has stored in the database, the Freeradius will then
> use the language (ex.: French or German) and choose the specific IP Pool
> for that Language.
>
> I'm currently trying to connect to Postgresql but I'm having doubt on
> how can I achieve this purpose of selecting a ip pool based upon the
> output of the SELECT command performed on the DB.


Yes. You can execute a SQL query from "unlang", and use this to set the 
Pool-Name attribute; then use the sqlippool or other module to allocate 
IPs from the pool.


e.g.

authorize {
  ...
  update control {
    Tmp-String-0 := "%{sql:select language from ... where ...}"
  }

  if (control:Tmp-String-0 == "english") {
    update control {
      Pool-Name := English-IP-Pool
    }
  }
  else {
    update control {
      Pool-Name := French-IP-Pool
    }
  }

  ...
}

post-auth {
  ...
  sqlippool
  ...
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius GGSN->Postgresql Based upon a SELECT it will trigger a specific IP Pool

2011-05-24 Thread Pedro Costa
Hi,

I'm new to Freeradius and I am trying to figure a way to use Freeradius to
Authenticate a user through a CISCO GGSN in where the GGSN will send the
IMSI to the Freeradius and the Freeradius will connect to a Postgresql DB
doing a SELECT on 2 tables and will receive a Language that the IMSI/User
has stored in the database, the Freeradius will then use the language (ex.:
French or German) and choose the specific IP Pool for that Language.

I'm currently trying to connect to Postgresql but I'm having doubt on how
can I achieve this purpose of selecting a ip pool based upon the output of
the SELECT command performed on the DB.

What is the best and/or simplest way to achieve this? Is it through Perl? Or
can the Freeradius connect straight to the Postgres DB and receive the
Select output and be able to use the respective IP Pool, if so how can I
achieve this?

Hope someone can help,

Best Regards,
P.M.R.C.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: IP Pool for Ethernet

2011-03-01 Thread Alan DeKok
Groebl, Laurence (Laurence) wrote:
> Hello Alan,
> 
> Yes, according to the documentation of the Juniper Gateway, the gateway 
> should be able to understand the Radius attribute 8 "Framed-IP-Address" in 
> the Access-Accept message, but it seems that it also needs the attribute 88 
> "Framed-Pool".
> 
> This is described in "Concepts & Examples ScreenOS Reference Guide, User 
> Authentication document", chapter "Framed Pool and Framed IP Address" page 
> 26, 
> http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_UserAuth.pdf
> 
> And then the Gateway should be able to send this address in the IKEv2 
> configuration payload to the IPsec client (this ikev2 interface is already 
> working with local address assignment in the gateway, we tested it).

  So... send those attributes back in an Access-Accept.  You don't need
to configure IP Pools to return a bogus Framed-IP-Address.

  If that works, *then* you should consider configuring IP pools.  Until
then, you're 2-3 steps ahead of yourself.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: IP Pool for Ethernet

2011-03-01 Thread Groebl, Laurence (Laurence)
Hi

we indeed already tried sending only the Framed-IP-Address in the Access-Accept 
and it didn't work, the Gateway didn't assign this address to the IPsec client, 
but a default IP address.

I also didn't understand why the Framed-Pool attribute is a must in the Gateway,
Juniper supports only the following cases (extract from the Screen OS 
documentation):

Case 1:  Framed-Pool attribute and the Framed-IP-Address attribute are both 
included in the Access-Accept message.
=> The Framed-Pool attribute is always ignored by the RADIUS server unless the  
framed-IP-Address value is 0xFFFE (255.255.255.254). Then, the device 
allocates an address from the Framed-Pool attribute sent by the RADIUS server

Case 2: Framed-Pool attribute and the Framed-IP-Address attribute are both 
absent from the Access-Accept message.
=> The device does not assign an IP address to the end user.

Case 3: Framed-IP-Address attribute is included in the Access-Accept message 
and it has a value of 0xFFFE (255.255.255.254). BUT Framed-Pool attribute 
is absent.
=> The device allocates an IP address from the default IP address pool that is 
configured for that virtual system.

Case 4: The pool sent out in the Framed-Pool attribute is not configured, or 
it does not have any IP addresses.
=> Error messages are generated and the negotiation is terminated.


Best regards,
Laurence

-Original Message-
From: 
freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org
 
[mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: Dienstag, 1. März 2011 11:56
To: freeradius-users@lists.freeradius.org
Subject: Re: IP Pool for Ethernet

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:
> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".

That doesn't make sense. You can't send it a specific IP, and an 
attribute telling it to pick an IP from a local pool, and expect any 
sensible behaviour.

Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP Pool for Ethernet

2011-03-01 Thread Phil Mayers

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:

> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".


That doesn't make sense. You can't send it a specific IP, and an 
attribute telling it to pick an IP from a local pool, and expect any 
sensible behaviour.


Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: IP Pool for Ethernet

2011-03-01 Thread Groebl, Laurence (Laurence)
Hello Alan,

Yes, according to the documentation of the Juniper Gateway, the gateway should 
be able to understand the Radius attribute 8 "Framed-IP-Address" in the 
Access-Accept message, but it seems that it also needs the attribute 88 
"Framed-Pool".

This is described in "Concepts & Examples ScreenOS Reference Guide, User 
Authentication document", chapter "Framed Pool and Framed IP Address" page 26, 
http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_UserAuth.pdf

And then the Gateway should be able to send this address in the IKEv2 
configuration payload to the IPsec client (this ikev2 interface is already 
working with local address assignment in the gateway, we tested it).

Best regards,
Laurence

-Original Message-
From: 
freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org
 
[mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Dienstag, 1. März 2011 10:00
To: FreeRadius users mailing list
Subject: Re: IP Pool for Ethernet

Groebl, Laurence (Laurence) wrote:
> However I'd like the RADIUS server to assign this IP address and send it
> within the Access-Accept  in the Framed-IP-Address attribute (to avoid
> configuring the IPsec Gateway with the tunnel address).

  Does the gateway *understand* what it means to have an address in the
Access-Accept?  If the documentation doesn't say it will work, then it
won't work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: IP Pool for Ethernet

2011-03-01 Thread Alan DeKok
Groebl, Laurence (Laurence) wrote:
> However I’d like the RADIUS server to assign this IP address and send it
> within the Access-Accept  in the Framed-IP-Address attribute (to avoid
> configuring the IPsec Gateway with the tunnel address).

  Does the gateway *understand* what it means to have an address in the
Access-Accept?  If the documentation doesn't say it will work, then it
won't work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

IP Pool for Ethernet

2011-03-01 Thread Groebl, Laurence (Laurence)
Hello,

I aim at setting up an IPsec tunnel between an IPsec client and an IPsec 
Gateway using IKEv2 and EAP-TLS for authentication.
I am using freeradius as RADIUS server, and the authentication is working well. 
Currently the Gateway is assigning an IP address from a specific pool to the 
IKEv2 client.

However I'd like the RADIUS server to assign this IP address and send it within 
the Access-Accept  in the Framed-IP-Address attribute (to avoid configuring the 
IPsec Gateway with the tunnel address).
I saw that FreeRADIUS has several IP Pool modules which have the ability to 
assign dynamic IP addresses to RADIUS session types where the NAS has control 
over the user's IP, however not for Ethernet.
Is there a way (e.g. using DHCP) to assign an IP address to the IPsec client 
and send it in the Access-Accept in the Framed-IP-Address attribute?

Best regards,
Laurence
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Framed-IP-Address cant override NAS ip pool

2010-01-29 Thread EasyHorpak.com




Tevfik Ceydeliler wrote:

> Because still I don't know why but when I don't use pool, and I use only
> framed-ip-address and mask, user can get Access-Accept but can't get IP
> address and mask. Again I don't know why but radius can't send to user
> Framed-IP-Address and Netmask. I sniff the client side and I see that
> there is no 8 and 9 AVP.
>
> Tevfik Ceydeliler
>
> "Tevfik Ceydeliler"  writes:
>
>> ##Users conf:
>> Tevfikceydeliler  Proxy-To-Realm := SecOvid, Pool-Name := "STATICPOOL"
>>         Service-Type := Framed-User,
>>         Framed-Protocol == PPP,
>>         Framed-MTU = 576,
>>         Framed-IP-Address = 172.16.64.120, -> IP Address that I want
>
> So, why do you set Pool-Name if you don't want to allocate an address
> from a pool?  Just drop it on the users with a static IP.  See also the
> documentation in modules/ippool.
>
> Bjørn

change from 
Framed-IP-Address = 172.16.64.120 to Framed-IP-Address := 172.16.64.120





-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Framed-IP-Address cant override NAS ip pool

2010-01-28 Thread Tevfik Ceydeliler

Because still I don't know why but when I don't use pool, and I use only 
framed-ip-address and mask, user can get Access-Accept but can't get IP address 
and mask. Again I don't know why but radius can't send to user Framed-IP-Address 
and Netmask. I sniff the client side and I see that there is no 8 and 9 AVP.

Tevfik Ceydeliler
  


"Tevfik Ceydeliler"  writes:

> ##Users conf:
> Tevfikceydeliler  Proxy-To-Realm := SecOvid, Pool-Name := "STATICPOOL"
>   Service-Type := Framed-User,
>   Framed-Protocol == PPP,
>   Framed-MTU = 576,
>   Framed-IP-Address = 172.16.64.120, -> IP Address 
> that I want

So, why do you set Pool-Name if you don't want to allocate an address
from a pool?  Just drop it on the users with a static IP.  See also the
documentation in modules/ippool.


Bjørn





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Framed-IP-Address cant override NAS ip pool

2010-01-28 Thread Bjørn Mork
"Tevfik Ceydeliler"  writes:

> ##Users conf:
> Tevfikceydeliler  Proxy-To-Realm := SecOvid, Pool-Name := "STATICPOOL"
>   Service-Type := Framed-User,
>   Framed-Protocol == PPP,
>   Framed-MTU = 576,
>   Framed-IP-Address = 172.16.64.120, -> IP Address 
> that I want

So, why do you set Pool-Name if you don't want to allocate an address
from a pool?  Just drop it on the users with a static IP.  See also the
documentation in modules/ippool.


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Framed-IP-Address cant override NAS ip pool

2010-01-28 Thread Tevfik Ceydeliler

Hi list,
Still I try to assign static IP for my users. And still I can't achieve.
I try to use all ways.
Now I try to assign particular IP to my users from pool. But it is not
satisfied.
I read some mail and modify suggested configuration according to my
topology.
Do I have to add some additional configuration?
P.S. SecOvid is Kobil SecOvid OTP server which IP address is 10.1.1.51,
10.1.2.123 Freeradius Server, 10.65.8.100 is my laptop with NTRadPing
##Users conf:
Tevfikceydeliler  Proxy-To-Realm := SecOvid, Pool-Name := "STATICPOOL"
        Service-Type := Framed-User,
        Framed-Protocol == PPP,
        Framed-MTU = 576,
        Framed-IP-Address = 172.16.64.120, -> IP Address that I want
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP

##ippool conf: 
ippool STATICPOOL {
        range-start = 172.30.64.100
        range-stop = 172.30.64.150
        netmask = 255.255.240.0
        cache-size = 51
        session-db = ${db_dir}/db.ippool_static
        ip-index = ${db_dir}/db.ipindex_static
        override = no
        maximum-timeout = 0
}

##Freeradius -X output:

rad_recv: Access-Request packet from host 10.65.8.100 port 64616, id=15,
length=56
User-Name = "tevfikceydeliler"
User-Password = "172925283501" --->produce by OTP
+- entering group authorize {...}
++[preprocess] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/10.65.8.100/detail-20100122
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.65.8.100/detail-20100122
expand: %t -> Fri Jan 22 21:12:00 2010
++[detail] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tevfikceydeliler", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry tevfikceydeliler at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy {...}
++[files] returns noop
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/10.65.8.100/detail-20100122
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.65.8.100/detail-20100122
expand: %t -> Fri Jan 22 21:12:00 2010
++[detail] returns ok
Sending Access-Request of id 22 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172925283501"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Proxying request 0 to home server 10.1.1.51 port 1812
Sending Access-Request of id 22 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172925283501"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x3135
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=22,
length=24
Proxy-State = 0x3135
+- entering group post-proxy {...}
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/10.65.8.100/detail-20100122
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.65.8.100/detail-20100122
expand: %t -> Fri Jan 22 21:12:00 2010
++[detail] returns ok
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
++[TESTPOOL] returns noop
expand: %{NAS-IP-Address} %{NAS-Port} -> 10.65.8.100 
[STATICPOOL] MD5 on 'key' directive maps to: b6201c0efddb958ed955eb3c8b0d920a
[STATICPOOL] Searching for an entry for key: 'b6201c0efddb958ed955eb3c8b0d920a'
rlm_ippool: Allocating ip to key: 'b6201c0efddb958ed955eb3c8b0d920a'
[STATICPOOL] num: 1
[STATICPOOL] Allocated ip 172.30.64.144 to client key: b6201c0efddb958ed955eb3c8b0d920a
++[STATICPOOL] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/10.65.8.100/detail-20100122
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.65.8.100/detail-20100122
expand: %t -> Fri Jan 22 21:12:00 2010
++[detail] returns ok
++[exec] returns noop
Sending Access-Accept of id 15 to 10.65.8.100 port 64616
Framed-IP-Address = 172.30.64.144 --->>From pool but not that I want.
Framed-IP-Netmask = 255.255.240.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +25
Ready to process requests.

##radsniff output:

Packet number 1 has j
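
The key handling visible in the debug log above (`expand: %{NAS-IP-Address} %{NAS-Port} -> 10.65.8.100 ` followed by the MD5 of that string), as an added Python sketch that is not part of the original post and not FreeRADIUS code. It is a simplified model of a keyed pool, assuming one lease per distinct key; the user names, NAS-Port values and the `PoolModel` / `shared_addresses` names are constructed for illustration. It shows that when NAS-Port is absent every request from one NAS expands to the same key, so different users end up holding the same address.

```python
import hashlib
import ipaddress
import re

# Key template as it is expanded in the debug log above.
KEY_TEMPLATE = "%{NAS-IP-Address} %{NAS-Port}"


def expand(template, request):
    """Expand %{Attribute} references against a request.

    An attribute missing from the request expands to an empty string,
    which is how the log ends up with "10.65.8.100 " (trailing space).
    """
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: str(request.get(m.group(1), "")), template)


def pool_key(template, request):
    """Hex MD5 of the expanded key, the form printed in the debug log."""
    return hashlib.md5(expand(template, request).encode()).hexdigest()


class PoolModel:
    """Simplified model (assumption): the pool tracks one lease per key."""

    def __init__(self, range_start, range_stop):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.free = [str(ipaddress.IPv4Address(n))
                     for n in range(first, last + 1)]
        self.leases = {}  # key -> address

    def allocate(self, key):
        if key in self.leases:
            # An entry already exists for this key: the request is treated
            # as the same session and the same address goes out again.
            return self.leases[key]
        if not self.free:
            return None  # pool exhausted
        self.leases[key] = self.free.pop(0)
        return self.leases[key]


def shared_addresses(template, requests, pool):
    """Allocate for each request and return {address: [users]} for every
    address that was handed to more than one user."""
    by_ip = {}
    for req in requests:
        ip = pool.allocate(pool_key(template, req))
        if ip is not None:
            by_ip.setdefault(ip, []).append(req["User-Name"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


# Constructed sample requests: one NAS, no NAS-Port (as in the log above).
NO_PORT = [
    {"User-Name": "alice", "NAS-IP-Address": "10.65.8.100"},
    {"User-Name": "bob", "NAS-IP-Address": "10.65.8.100"},
    {"User-Name": "carol", "NAS-IP-Address": "10.65.8.100"},
]
# The same requests with a distinct (constructed) NAS-Port per session.
WITH_PORT = [{**r, "NAS-Port": n} for n, r in enumerate(NO_PORT, start=1)]


if __name__ == "__main__":
    # Pool range taken from the STATICPOOL configuration in the post.
    weak = PoolModel("172.30.64.100", "172.30.64.150")
    print("no NAS-Port  :", shared_addresses(KEY_TEMPLATE, NO_PORT, weak))
    good = PoolModel("172.30.64.100", "172.30.64.150")
    print("with NAS-Port:", shared_addresses(KEY_TEMPLATE, WITH_PORT, good))
```

Running the same check against real accounting data means grouping active sessions by Framed-IP-Address and flagging any address with more than one user.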

Re: Cisco NAS and server side ip pool management

2009-02-13 Thread Thoralf Freitag
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
aaa accounting network default start-stop group radius
aaa authorization network default group radius


radius-server host  auth-port  acct-port 
 non-standard key 


A local ip pool is not used, if your radius sends a Framed-IP-Address. 
There is no difference if it is configured or not. Radius wins.
--
Thoralf Freitag
Manager Health Services System Administration

Phone:  +49 (0) 30 68905-4611
Cellular:+49 (0) 151 1631-4611
Fax:+49 (0) 30 68905-2940
Mail:  thoralf.frei...@biotronik.com



From:
Sebastian Krieger 
To:
freeradius-users@lists.freeradius.org
Date:
13.02.09 16:56
Subject:
Cisco NAS and server side ip pool management
Sent by:
freeradius-users-bounces+thoralf.freitag=biotronik@lists.freeradius.org



Hi,

for many hours now I am trying to configure a Cisco router as a NAS to 
authenticate dialup users against freeradius and provide the ip address 
dynamically from a server based ip pool.

The authentication part works fine and the ip address also gets selected 
from the pool and sent as Framed-IP-Address back to the NAS. The only 
thing is that the ip address seems not to be catched up by the NAS and 
provided to the dialup user. I test the dialup connection from a Windows 
XP machine with an ISDN card and there it always ends in an error 
message that the NAS didn't provide the IP information.

It is absolutely no problem to use a static ip pool on the Cisco router 
instead of a server based ip pool management.

Can someone please send me a working configuration example for a Cisco 
IOS based NAS?

Thanks
Sebastian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Cisco NAS and server side ip pool management

2009-02-13 Thread Sebastian Krieger

Hi,

for many hours now I am trying to configure a Cisco router as a NAS to 
authenticate dialup users against freeradius and provide the ip address 
dynamically from a server based ip pool.


The authentication part works fine and the ip address also gets selected 
from the pool and sent as Framed-IP-Address back to the NAS. The only 
thing is that the ip address seems not to be catched up by the NAS and 
provided to the dialup user. I test the dialup connection from a Windows 
XP machine with an ISDN card and there it always ends in an error 
message that the NAS didn't provide the IP information.


It is absolutely no problem to use a static ip pool on the Cisco router 
instead of a server based ip pool management.


Can someone please send me a working configuration example for a Cisco 
IOS based NAS?


Thanks
Sebastian
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ip pool

2008-11-26 Thread thoralf . freitag
Maybe you can define your pools similar to this (not tested)

DEFAULT Called-Station-Id == ", Pool-Name := "pool_1"
        Fall-Through = Yes


DEFAULT Called-Station-Id == ", Pool-Name := "pool_2"
        Fall-Through = Yes


Ciao

TF




From:
sugiarto tjahyono <[EMAIL PROTECTED]>
To:
freeradius-users@lists.freeradius.org
Date:
26.11.08 10:30
Subject:
ip pool
Sent by:
[EMAIL PROTECTED]



Dear all,

I have a few problems. I use ip pool and it works fine if I define ip 
pool in mysql.

779084,"test","password","=","test123"
779085,"test","Pool-Name",":=","main_pool1"
779086,"test","Called-Station-Id","=","hostpot1"

The problem happened if I have 2 access points in the same area and IP; the 
difference is only at called-station-id.
What should I set in radius if any user can go to AP 1 with 
Called-Station-Id 1 or AP 2 with Called-Station-Id 2?
If user logged in AP1 they will get main_pool1 and if user logged in AP2 
they will get main_pool2.

sorry for my bad language:)


 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

ip pool

2008-11-26 Thread sugiarto tjahyono
Dear all,

I have a few problems. I use ip pool and it works fine if I define ip pool in 
mysql.

779084,"test","password","=","test123"
779085,"test","Pool-Name",":=","main_pool1"
779086,"test","Called-Station-Id","=","hostpot1"

The problem happened if I have 2 access points in the same area and IP; the 
difference is only at called-station-id.
What should I set in radius if any user can go to AP 1 with Called-Station-Id 1 
or AP 2 with Called-Station-Id 2?
If user logged in AP1 they will get main_pool1 and if user logged in AP2 they 
will get main_pool2.

sorry for my bad language:)


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Ivan Kalik
Users file:

DEFAULT   NAS-IP-Address == a.b.c.d, Pool-Name := thatNASpool

Ivan Kalik
Kalik Informatika ISP


On 29/5/2008, "Giovanni Lovato" <[EMAIL PROTECTED]> wrote:

>Alan DeKok wrote:
>> Giovanni Lovato wrote:
>>> I would like to assign IP addresses from pools based on which NAS the
>>> request comes from. Can I achieve this? Users are stored in LDAP and NAS
>>> on SQL.
>>
>>   See the sqlippool module.
>
>What key on sqippool table should I set to make FR choose a pool based
>on NAS-IP-Address?
> The scenario is:
> 1. a NAS requires access for a user;
> 2. if FR doesn't find a Framed-IP-Address on user attributes, it should
>assign an IP from a pool depending which NAS the request comes from.
> I tried to set `nasipaddress' key on sqippool table but FR seems ignore
>it...
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Alan DeKok
Giovanni Lovato wrote:
> What key on sqippool table should I set to make FR choose a pool based
> on NAS-IP-Address?

  Read the sqlippool.conf file?  This IS documented.

>  The scenario is:
>  1. a NAS requires access for a user;
>  2. if FR doesn't find a Framed-IP-Address on user attributes, it should
> assign an IP from a pool depending which NAS the request comes from.
>  I tried to set `nasipaddress' key on sqippool table but FR seems ignore
> it...

Read the FAQ for "it doesn't work".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Giovanni Lovato
Alan DeKok wrote:
> Giovanni Lovato wrote:
>> I would like to assign IP addresses from pools based on which NAS the
>> request comes from. Can I achieve this? Users are stored in LDAP and NAS
>> on SQL.
> 
>   See the sqlippool module.

What key on sqippool table should I set to make FR choose a pool based
on NAS-IP-Address?
 The scenario is:
 1. a NAS requires access for a user;
 2. if FR doesn't find a Framed-IP-Address on user attributes, it should
assign an IP from a pool depending which NAS the request comes from.
 I tried to set `nasipaddress' key on sqippool table but FR seems ignore
it...


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Alan DeKok
Giovanni Lovato wrote:
> I would like to assign IP addresses from pools based on which NAS the
> request comes from. Can I achieve this? Users are stored in LDAP and NAS
> on SQL.

  See the sqlippool module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Assign Ip-Pool based on NAS-Ip-Address

2008-05-29 Thread Giovanni Lovato
I would like to assign IP addresses from pools based on which NAS the
request comes from. Can I achieve this? Users are stored in LDAP and NAS
on SQL.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Alan DeKok
Leander S. wrote:
> this is how my radius.conf looks like in the IPPOOL section:

  The SQL IPpool module in 1.1.7 is broken.  Don't use it.

> ##
> 
> ##
> 
> 
>ippool main_pool {
> 
>#  range-start,range-stop: The start and end ip
>        #  addresses for the ip pool
> #   range-start = 192.168.1.1
> #   range-stop = 192.168.3.254
> 
>#  netmask: The network mask used for the ip's
> #   netmask = 255.255.255.0
> 
>#  cache-size: The gdbm cache size for the db
>#  files. Should be equal to the number of ip's
>#  available in the ip pool
> #   cache-size = 800
> 
># session-db: The main db file used to allocate ip's to clients
> #   session-db = ${raddbdir}/db.ippool
> 
># ip-index: Helper db index file used in multilink
> #   ip-index = ${raddbdir}/db.ipindex
> 
># override: Will this ippool override a Framed-IP-Address already set
> #   override = no
> 
># maximum-timeout: If not zero specifies the maximum time in seconds an
># entry may be active. Default: 0
> #   maximum-timeout = 0
>}
> 
> #$INCLUDE  ${confdir}/sqlippool.conf
> 
>$INCLUDE  ${confdir}/postgresqlippool.conf
> 
> #OTP token support.  Not included by default.
> #$INCLUDE  ${confdir}/otp.conf
> 
> ##
> 
> ######
> 
> 
> 
> 
> 
> 
> and this is my postgresqlippool.conf which I'm using - it's left original.
> 
> 
> 
> 
> 
> 
> ##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
> ##
> ##  The database schemas are available at:
> ##
> ##   doc/examples/*.sql
> ##
> ##  $Id: postgresqlippool.conf,v 1.1.2.1 2007/07/16 06:35:22 pnixon Exp $
> 
> sqlippool sqlippool {
> 
> 
> ## SQL instance to use (from postgresql.conf) ##
> 
> sql-instance-name = "sql"
> 
> ## SQL table to use for ippool range and lease info
> ippool_table = "radippool"
> 
> ## IP lease duration. (Leases expire even if Acct Stop packet is lost)
> lease-duration = 3600
> 
> ## Attribute which should be considered unique per NAS
> ## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
> ## Using Calling-Station-Id works for NAS that send fixed NAS-Port
> ## ONLY change this if you know what you are doing!
> pool-key = "%{NAS-Port}"
> #pool-key = "%{Calling-Station-Id}"
> 
> 
> ###
> ## PostgreSQL specific queries.  ##
> ###
> 
> ## This query allocates an IP address from the Pool
> ## The ORDER BY clause of this query tries to allocate the same IP-address
> ## to the user that they had last session...
> allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
>  WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
>  ORDER BY (username <> '%{SQL-User-Name}'), \
>  (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
>  LIMIT 1 \
>  FOR UPDATE"
> 
> ## If you prefer to allocate a random IP address every time, use this query instead
> #allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
> # WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
> # ORDER BY RANDOM() \
> # LIMIT 1 \
> # FOR UPDATE"
> 
> 
> ## This query marks the IP address handed out by "allocate-find" as used
> ## for the period of "lease-duration" after which time it may be reused.
> allocate-update = "UPDATE ${ippool_table} \
>  SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
>  callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}', \
>  expiry_time = 'now'::timestamp(0) + '${lease-duration} second'::interval \
>  WHERE framedipaddress = '%I'"
> 
> 
> ## This query frees the IP address assigned to "pool-key" w

Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Ivan Kalik
>^^ It's not ippool.sql - we're talking about the RADIPPOOL table - No I
>haven't changed this - go and check it by
>yourself:/freeradius-1.1.7/freeradius-1.1.7/doc/examples/postgresql
>And besides that I'm not using "ippool.sql" but instead of I'm using
>"postgresqlippool.conf" because I'm using PostgreSQL as DB Server.


You are correct. Schema in 1.1.7 is broken and will not work as
documented. I have attached postgre ippool.sql schema from 2.0.4. That
will correct the input errors. It's also indexed so it should work
faster.

>Didn't you read what I wrote? ; ) It won't work , because there are
>fields which can't be NULL ... for example "pool_key" and so on
>>
..
>proper schema won't work.

This one should.

>>
>>> ^^ 2. What is expiry_time good for if there is already an
>>> lease-duration = 3600 configured in the postgresqlippool.conf? And why
>>> do I get forced to use unix timestamp instead of using a simple time in
>>> seconds when it'll be expired?
>>>
>>
>> Seconds from when? You do need a timestamp for lease start then.
>>
>^^ ah, ok that makes sense ; ) but until now I'm only able to tell the
>DB a fix Timestamp like 2008-12-31 11:15:00 but how do I change that the
>server is picking up the actual time everytime somebody gets an IP.
>Might there be a special variable for our case?

start-update query should do that.

Ivan Kalik
Kalik Informatika ISP
--
-- Table structure for table 'radippool'
--

CREATE TABLE radippool (
    id               BIGSERIAL PRIMARY KEY,
    pool_name        varchar(64) NOT NULL,
    FramedIPAddress  INET NOT NULL,
    NASIPAddress     VARCHAR(16) NOT NULL default '',
    pool_key         VARCHAR(64) NOT NULL default 0,
    CalledStationId  VARCHAR(64),
    CallingStationId text NOT NULL default ''::text,
    expiry_time      TIMESTAMP(0) without time zone NOT NULL default 'now'::timestamp(0),
    username         text DEFAULT ''::text
);

CREATE INDEX radippool_poolname_expire ON radippool USING btree (pool_name, expiry_time);
CREATE INDEX radippool_framedipaddress ON radippool USING btree (framedipaddress);
CREATE INDEX radippool_nasip_poolkey_ipaddress ON radippool USING btree (nasipaddress, pool_key, framedipaddress);
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
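
The schema difference discussed in this thread, as an added example that is not part of the original posts or of FreeRADIUS itself: SQLite stands in for PostgreSQL (types simplified, expiry_time kept as epoch seconds), and the helper names open_pool, seed and allocate, plus the "exhausted" status, are hypothetical. It runs the HOWTO's two-column INSERT against both column layouts, then walks the allocate-find / allocate-update cycle from postgresqlippool.conf, including the "Framed-IP-Address already exists" noop seen in the debug output.

```python
import sqlite3

# Constructed SQLite stand-ins for the two PostgreSQL schemas quoted in the
# thread. Types are simplified and expiry_time holds epoch seconds; the
# NOT NULL / DEFAULT layout of each column is what matters here.
SCHEMA_1_1_7 = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY,
    pool_name        TEXT NOT NULL,
    framedipaddress  TEXT,
    nasipaddress     TEXT NOT NULL,
    calledstationid  TEXT,
    callingstationid TEXT NOT NULL DEFAULT '',
    expiry_time      INTEGER NOT NULL,
    username         TEXT DEFAULT '',
    pool_key         TEXT NOT NULL
)"""

SCHEMA_2_0_4 = """
CREATE TABLE radippool (
    id               INTEGER PRIMARY KEY,
    pool_name        TEXT NOT NULL,
    framedipaddress  TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL DEFAULT '',
    pool_key         TEXT NOT NULL DEFAULT '0',
    calledstationid  TEXT,
    callingstationid TEXT NOT NULL DEFAULT '',
    expiry_time      INTEGER NOT NULL
                     DEFAULT (CAST(strftime('%s','now') AS INTEGER)),
    username         TEXT DEFAULT ''
)"""


def open_pool(schema):
    """Create an in-memory database holding one radippool table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    return conn


def seed(conn, pool, addresses):
    """Run the HOWTO's two-column INSERT. Returns None on success or the
    database error text when a NOT NULL column has no default."""
    try:
        with conn:  # one transaction; rolled back if any row is rejected
            conn.executemany(
                "INSERT INTO radippool (pool_name, framedipaddress) "
                "VALUES (?, ?)",
                [(pool, ip) for ip in addresses])
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None


def allocate(conn, pool, pool_key, nas_ip, username, now,
             reply_ip=None, lease=3600):
    """Mimic allocate-find followed by allocate-update.

    Returns ("noop", None) when the reply already carries a
    Framed-IP-Address, ("exhausted", None) when no lease has expired,
    otherwise ("ok", address)."""
    if reply_ip is not None:
        return ("noop", None)
    with conn:
        # allocate-find: only rows whose lease has expired are candidates;
        # an address this user held before sorts first. The thread's query
        # also orders by callingstationid and locks the row with FOR UPDATE;
        # "id" is added here only to make ties deterministic.
        row = conn.execute(
            "SELECT framedipaddress FROM radippool "
            "WHERE pool_name = ? AND expiry_time < ? "
            "ORDER BY (username <> ?), expiry_time, id LIMIT 1",
            (pool, now, username)).fetchone()
        if row is None:
            return ("exhausted", None)
        # allocate-update: mark the address as leased until now + lease.
        conn.execute(
            "UPDATE radippool SET nasipaddress = ?, pool_key = ?, "
            "username = ?, expiry_time = ? WHERE framedipaddress = ?",
            (nas_ip, pool_key, username, now + lease, row[0]))
    return ("ok", row[0])


if __name__ == "__main__":
    import time
    ips = ["192.168.0.1", "192.168.0.2"]
    print("1.1.7 layout:", seed(open_pool(SCHEMA_1_1_7), "main_pool", ips))
    db = open_pool(SCHEMA_2_0_4)
    print("2.0.4 layout:", seed(db, "main_pool", ips))
    t = int(time.time()) + 5
    print(allocate(db, "main_pool", "2", "10.1.10.80", "leander", t))
    print(allocate(db, "main_pool", "2", "10.1.10.80", "leander", t,
                   reply_ip="255.255.255.254"))
```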

Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Leander S.

this is how my radius.conf looks like in the IPPOOL section:
##
##

   ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
#   range-start = 192.168.1.1
#   range-stop = 192.168.3.254

   #  netmask: The network mask used for the ip's
#   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
#   cache-size = 800

   # session-db: The main db file used to allocate ip's to clients
#   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
#   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a Framed-IP-Address already set
#   override = no

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
#   maximum-timeout = 0
   }

#$INCLUDE  ${confdir}/sqlippool.conf

   $INCLUDE  ${confdir}/postgresqlippool.conf

#OTP token support.  Not included by default.
#$INCLUDE  ${confdir}/otp.conf

##
##





and this is my postgresqlippool.conf which I'm using - it's left original.






##  Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
##  The database schemas are available at:
##
##   doc/examples/*.sql
##
##  $Id: postgresqlippool.conf,v 1.1.2.1 2007/07/16 06:35:22 pnixon Exp $

sqlippool sqlippool {


## SQL instance to use (from postgresql.conf) ##

sql-instance-name = "sql"

## SQL table to use for ippool range and lease info
ippool_table = "radippool"

## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600

## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
#pool-key = "%{Calling-Station-Id}"


###
## PostgreSQL specific queries.  ##
###

## This query allocates an IP address from the Pool
## The ORDER BY clause of this query tries to allocate the same IP-address
## to the user that they had last session...
allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
 ORDER BY (username <> '%{SQL-User-Name}'), \
 (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
 LIMIT 1 \
 FOR UPDATE"

## If you prefer to allocate a random IP address every time, use this query instead
#allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
# WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < 'now'::timestamp(0) \
# ORDER BY RANDOM() \
# LIMIT 1 \
# FOR UPDATE"


## This query marks the IP address handed out by "allocate-find" as used
## for the period of "lease-duration" after which time it may be reused.
allocate-update = "UPDATE ${ippool_table} \
 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
 callingstationid = '%{Calling-Station-Id}', username = '%{SQL-User-Name}', \
 expiry_time = 'now'::timestamp(0) + '${lease-duration} second'::interval \
 WHERE framedipaddress = '%I'"


## This query frees the IP address assigned to "pool-key" when a new request
## comes in for the same "pool-key". This means that either you are losing
## accounting Stop records or you use Calling-Station-Id instead of NAS-Port
## as your "pool-key" and your users are able to reconnect before your NAS
## has timed out their previous session. (Generally on wireless networks)
## (Note: If your pool-key is set to Calling-Station-Id and not NAS-Port
## then you may wish to delete the "AND nasipaddress = '%{Nas-IP-Address}'
## from the WHERE clause)
allocate-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', \
 expiry_time = 'now'::timestam

Re: Trouble "SQL Based IP Pool"

2008-05-07 Thread Leander S.

Ivan Kalik schrieb:

>From your previous post:



PostgreSQL:


CREATE TABLE radippool (
    id               BIGSERIAL PRIMARY KEY,
    pool_name        text NOT NULL,
    FramedIPAddress  INET,
    NASIPAddress     text NOT NULL,
    CalledStationId  VARCHAR(64),
    CallingStationId text DEFAULT ''::text NOT NULL,
    expiry_time      TIMESTAMP(0) without time zone NOT NULL,
    username         text DEFAULT ''::text,
    pool_key         VARCHAR(30) NOT NULL
);

#

This is not the schema from ippool.sql. You have made changes and broke
the queries. Use the schema provided with the server.

 
^^ It's not ippool.sql - we're talking about the RADIPPOOL table - No I 
haven't changed this - go and check it by 
yourself:/freeradius-1.1.7/freeradius-1.1.7/doc/examples/postgresql
And besides that I'm not using "ippool.sql" but instead of I'm using 
"postgresqlippool.conf" because I'm using PostgreSQL as DB Server.

This is my actual output for a user who has attribute: "Pool-Name = mypool"

root ~ #  radtest leander 123456 10.1.10.80:1812 2 schaefer
Sending Access-Request of id 79 to 10.1.10.80 port 1812
   User-Name = "leander"
   User-Password = "123456"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 2
rad_recv: Access-Accept packet from host 10.1.10.80:1812, id=79, length=122
   Framed-Protocol = PPP
   Framed-MTU = 1492
   Framed-Compression = Van-Jacobson-TCP-IP
   Session-Timeout = 86400
   Framed-IP-Address = 255.255.255.254
   Service-Type = Framed-User
   Framed-IP-Netmask = 255.255.255.255
root ~ #

^^ Btw. Why is my NAS-IP-Address = 255.255.255.255 ? I didn't write that
in clients.conf? Where might I change that?



You can't configure NAS-IP-Address in radtest. If you want to send
different NAS-IP-Address use radclient.

Well actually I think I don't need to change that .. I was just wondering why 
NAS's IP address is 255.255.255.255
  

 just once again .. because I can't get rid of the guess that my
mistake is in the data I typed into the DB table:

INSERT INTO radippool (pool_name, framedipaddress, nasipaddress,
expiry_time, pool_key) VALUES ('mypool', '192.168.5.1', '10.1.10.80',
'2008-12-31 00:00:00', '0');



Don't. Type what's documented. If you use proper schema it will work.
  
Didn't you read what I wrote? ; ) It won't work , because there are 
fields which can't be NULL ... for example "pool_key" and so on
  

^^ 1. What is pool_key standing for? Why do _I_ have to write that in
manually?



No you don't. You are just breaking things further. Again, use proper
schema.
  


^^
proper schema won't work.
  

^^ 2. What is expiry_time good for if there is already an
lease-duration = 3600 configured in the postgresqlippool.conf? And why
do I get forced to use unix timestamp instead of using a simple time in
seconds when it'll be expired?



Seconds from when? You do need a timestamp for lease start then.
  
^^ ah, ok that makes sense ; ) but until now I'm only able to tell the 
DB a fix Timestamp like 2008-12-31 11:15:00 but how do I change that the 
server is picking up the actual time everytime somebody gets an IP. 
Might there be a special variable for our case?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trouble "SQL Based IP Pool"

2008-05-06 Thread Ivan Kalik
>From your previous post:

PostgreSQL:


CREATE TABLE radippool (
    id               BIGSERIAL PRIMARY KEY,
    pool_name        text NOT NULL,
    FramedIPAddress  INET,
    NASIPAddress     text NOT NULL,
    CalledStationId  VARCHAR(64),
    CallingStationId text DEFAULT ''::text NOT NULL,
    expiry_time      TIMESTAMP(0) without time zone NOT NULL,
    username         text DEFAULT ''::text,
    pool_key         VARCHAR(30) NOT NULL
);

#

This is not the schema from ippool.sql. You have made changes and broke
the queries. Use the schema provided with the server.

>This is my actual output for a user who has attribute: "Pool-Name = mypool"
>
>root ~ #  radtest leander 123456 10.1.10.80:1812 2 schaefer
>Sending Access-Request of id 79 to 10.1.10.80 port 1812
>User-Name = "leander"
>User-Password = "123456"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 2
>rad_recv: Access-Accept packet from host 10.1.10.80:1812, id=79, length=122
>Framed-Protocol = PPP
>Framed-MTU = 1492
>Framed-Compression = Van-Jacobson-TCP-IP
>Session-Timeout = 86400
>Framed-IP-Address = 255.255.255.254
>Service-Type = Framed-User
>Framed-IP-Netmask = 255.255.255.255
>root ~ #
>
>^^ Btw. Why is my NAS-IP-Address = 255.255.255.255 ? I didn't write that
>in clients.conf? Where might I change that?

You can't configure NAS-IP-Address in radtest. If you want to send
different NAS-IP-Address use radclient.

>
> just once again .. because I can't get rid of the guess that my
>mistake is in the data I typed into the DB table:
>
>INSERT INTO radippool (pool_name, framedipaddress, nasipaddress,
>expiry_time, pool_key) VALUES ('mypool', '192.168.5.1', '10.1.10.80',
>'2008-12-31 00:00:00', '0');

Don't. Type what's documented. If you use proper schema it will work.

>^^ 1. What is pool_key standing for? Why do _I_ have to write that in
>manually?

No you don't. You are just breaking things further. Again, use proper
schema.

>^^ 2. What is expiry_time good for if there is already an
>lease-duration = 3600 configured in the postgresqlippool.conf? And why
>do I get forced to use unix timestamp instead of using a simple time in
>seconds when it'll be expired?

Seconds from when? You do need a timestamp for lease start then.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trouble "SQL Based IP Pool"

2008-05-06 Thread Ivan Kalik
>I'm actually not using regular "users" conf file anymore because it's
>SQL based and Dialup Admin is handling my SQL DB tables - so the
>User-Password thing shouldn't be my problem I only pasted it here
>because the rest of the attributes look like that in my Dialup Admin.

Hm, asking for help and providing fake data - that's a novel approach.

>
>rlm_sqlippool: Framed-IP-Address already exists
>modcall[post-auth]: module "sqlippool" returns noop for request 0
>

If you have a static IP address configured in radreply or users file,
sqlippool will not run.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trouble "SQL Based IP Pool"

2008-05-06 Thread Leander S.

This is my actual output for a user who has attribute: "Pool-Name = mypool"

root ~ #  radtest leander 123456 10.1.10.80:1812 2 schaefer
Sending Access-Request of id 79 to 10.1.10.80 port 1812
   User-Name = "leander"
   User-Password = "123456"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 2
rad_recv: Access-Accept packet from host 10.1.10.80:1812, id=79, length=122
   Framed-Protocol = PPP
   Framed-MTU = 1492
   Framed-Compression = Van-Jacobson-TCP-IP
   Session-Timeout = 86400
   Framed-IP-Address = 255.255.255.254
   Service-Type = Framed-User
   Framed-IP-Netmask = 255.255.255.255
root ~ #

^^ Btw. Why is my NAS-IP-Address = 255.255.255.255 ? I didn't write that 
in clients.conf? Where might I change that?


... just once again .. because I can't get rid of the guess that my 
mistake is in the data I typed into the DB table:


INSERT INTO radippool (pool_name, framedipaddress, nasipaddress, 
expiry_time, pool_key) VALUES ('mypool', '192.168.5.1', '10.1.10.80', 
'2008-12-31 00:00:00', '0');
^^ 1. What is pool_key standing for? Why do _I_ have to write that in 
manually?
^^ 2. What is expiry_time good for if there is already an  
lease-duration = 3600 configured in the postgresqlippool.conf? And why 
do I get forced to use unix timestamp instead of using a simple time in 
seconds when it'll be expired?



Thank you


Regards,

   Leander
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trouble "SQL Based IP Pool"

2008-05-06 Thread Leander S.

Ivan Kalik wrote:

This is how my users conf does look like:

##
test    User-Password == "123456"
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
#Framed-IP-Netmask = 255.255.255.255,
   Framed-Routing = Broadcast-Listen,
   Framed-Filter-Id = "std.ppp",
   Framed-MTU = 1492,
   Framed-Compression = Van-Jacobsen-TCP-IP,
   Pool-Name = "mypool",
##
^^ WTF goes wrong here ???  ; ))



1. Pool-Name is a check not a reply item. It also uses := as an operator.
This is documented.

2. Don't use User-Password as a password attribute in 1.1.7. What should
you use? Read instructions in users file, readme, FAQ etc.

Reading documentation provided with the server helps. A lot.

Ivan Kalik
Kalik Informatika ISP


Hi Ivan,

well, ... I'm not a complete noob : ) I did read the docs - but I might 
have misunderstood something in it - that's why I'm here ; ) .
... I actually use Dialup Admin to handle users - and I also do have a 
running a working radius and PPPoE server thing ... accounting works ... 
everything works based on SQL ... so ... but right now I'm at a point 
where I want to expand it and want to make use of IP-Pools based on SQL.


I'm actually not using regular "users" conf file anymore because it's 
SQL based and Dialup Admin is handling my SQL DB tables - so the 
User-Password thing shouldn't be my problem I only pasted it here 
because the rest of the attributes look like that in my Dialup Admin. I 
read to use := as operator - and I already tried - but without success. 
Same Error than before appears.


rlm_sqlippool: Framed-IP-Address already exists
modcall[post-auth]: module "sqlippool" returns noop for request 0


Thanks


Regards,

   Leander



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Trouble "SQL Based IP Pool"

2008-05-06 Thread Ivan Kalik
>This is how my users conf does look like:
>
>##
>test    User-Password == "123456"
>Service-Type = Framed-User,
>Framed-Protocol = PPP,
>Framed-IP-Address = 255.255.255.254,
>#Framed-IP-Netmask = 255.255.255.255,
>Framed-Routing = Broadcast-Listen,
>Framed-Filter-Id = "std.ppp",
>Framed-MTU = 1492,
>    Framed-Compression = Van-Jacobsen-TCP-IP,
>Pool-Name = "mypool",
>##
>^^ WTF goes wrong here ???  ; ))

1. Pool-Name is a check not a reply item. It also uses := as an operator.
This is documented.

2. Don't use User-Password as a password attribute in 1.1.7. What should
you use? Read instructions in users file, readme, FAQ etc.

Reading documentation provided with the server helps. A lot.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Trouble "SQL Based IP Pool"

2008-05-05 Thread Leander S.

Can't get my "SQL Based IP Pool" running ; (
running FreeRADIUS Version 1.1.7 on FreeBSD 7.0 with 
Postgresql-Server-8.3beta2.
I got everything working fine so far except SQL Based IP Pool --> 
http://wiki.freeradius.org/Rlm_sqlippool <--  ; )


PostgreSQL:


CREATE TABLE radippool (
    id               BIGSERIAL PRIMARY KEY,
    pool_name        text NOT NULL,
    FramedIPAddress  INET,
    NASIPAddress     text NOT NULL,
    CalledStationId  VARCHAR(64),
    CallingStationId text DEFAULT ''::text NOT NULL,
    expiry_time      TIMESTAMP(0) without time zone NOT NULL,
    username         text DEFAULT ''::text,
    pool_key         VARCHAR(30) NOT NULL
);

#

If I now try to do the following step - like the HowTo describes I'll 
get following result:


INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.1');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.2');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.3');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.4');


.. my phpPgAdmin Webinterface is telling me following Error:
 



*SQL Error:*

ERROR:  null value in column "nasipaddress" violates not-null constraint

*In the command:*
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.1');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.2');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.3');
INSERT INTO radippool (pool_name, framedipaddress) VALUES ('main_pool', 
'192.168.0.4');




I do only have success if I execute the Postgres command changed like that:

INSERT INTO radippool (pool_name, framedipaddress, nasipaddress, 
expiry_time, pool_key) VALUES ('mypool', '192.168.5.1', '10.1.10.80', 
'2008-12-31 00:00:00', '0');
INSERT INTO radippool (pool_name, framedipaddress, nasipaddress, 
expiry_time, pool_key) VALUES ('mypool', '192.168.5.2', '10.1.10.80', 
'2008-12-31 00:00:00', '0');


^^ but I'm not happy with that data .. actually I'm pretty unsure if 
that's working stuff !! Besides that I tried to have a expire date like 
86400 Seconds .. but didn't work. And Where is my Netmask in radippool 
table?? ;) question over question ;)




any way .. still "radius -X" tells me:

modcall: leaving group CHAP (returns ok) for request 0
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_sqlippool: Framed-IP-Address already exists
modcall[post-auth]: module "sqlippool" returns noop for request 0
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'test'
++++




This is how my radiusd.conf looks like in the ippool section:

##
##

  ippool main_pool {

   #  range-start,range-stop: The start and end ip
   #  addresses for the ip pool
#   range-start = 192.168.1.1
#   range-stop = 192.168.3.254

   #  netmask: The network mask used for the ip's
#   netmask = 255.255.255.0

   #  cache-size: The gdbm cache size for the db
   #  files. Should be equal to the number of ip's
   #  available in the ip pool
#   cache-size = 800

   # session-db: The main db file used to allocate ip's to clients
#   session-db = ${raddbdir}/db.ippool

   # ip-index: Helper db index file used in multilink
#   ip-index = ${raddbdir}/db.ipindex

   # override: Will this ippool override a Framed-IP-Address already set
   override = yes

   # maximum-timeout: If not zero specifies the maximum time in seconds an
   # entry may be active. Default: 0
#   maximum-timeout = 0
   }

#$INCLUDE  ${confdir}/sqlippool.conf

   $INCLUDE  ${confdir}/postgresqlippool.conf

#OTP token suppo

Re: can't get "SQL Based IP Pool" running

2008-05-05 Thread Leander S.
I'm sorry, this is my radippool table again ... I made a mistake when 
pasting it ;)




id                bigint NOT NULL  nextval('radippool_id_seq'::regclass)  [PrimaryKey]
pool_name         text NOT NULL
framedipaddress   inet
nasipaddress      text NOT NULL
calledstationid   character varying(64)
callingstationid  text NOT NULL ''::text
expiry_time       timestamp(0) without time zone NOT NULL
username          text ''::text
pool_key          character varying(30) NOT NULL
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


can't get "SQL Based IP Pool" running

2008-05-05 Thread Leander S.

Hi,

I'm running *FreeRADIUS Version 1.1.7* on *FreeBSD 7.0* with 
*Postgresql-Server-8.3beta2*.
I got everything working fine so far except *SQL Based IP Pool* --> 
http://wiki.freeradius.org/Rlm_sqlippool <--  ; )


I changed the config like the how to told me to - looks good so far 
until I got to the step which told me to fill in data into the Database.



This is how the standard "*radippool*" table looks like:

Column           Data type  Not Null  Default                                Constraints
id               bigint     NOT NULL  nextval('radippool_id_seq'::regclass)  [pk]
pool_name        text       NOT NULL
framedipaddress  inet
nasipaddress     text       NOT NULL

Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> The only place I found reference to the IP Pool is in the site-enabled
> config file. So I added:
>
> if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {

  Sorry, that should be "proxy-reply", not "proxy_reply".

> There is an error in the debug when a user tries to login, but it seems to
> run the rule. But it still doesn't seem to assign from the IP pool.

  Again, the debug output makes it clear what is happening:
...
> +- entering group post-auth
> ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254")
> WARNING: Unknown module "proxy_reply" in string expansion

  Yup.  That's a typo.

> "%{proxy_reply:Framed-IP-Address}"
> expand: %{proxy_reply:Framed-IP-Address} ->

  i.e. nothing.

> ? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") ->
> FALSE

  Nothing doesn't match the string "255.255.255.254".

  Again, reading the debug output helps.  There is no magic required to
see a WARNING, and conclude that maybe something is wrong.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
The only place I found reference to the IP Pool is in the site-enabled
config file. So I added:



if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {
main_pool
  }

Since it should only assign from the pool if the Framed-IP-Address we get
back is 255.255.255.254, and not a statically assigned IP.

There is an error in the debug when a user tries to login, but it seems to
run the rule. But it still doesn't seem to assign from the IP pool.
Please could you take a look at the debug and comment/suggest?
 



rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=155,
length=77
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "dsl.realm.co.uk"
rlm_realm: Proxying request from user grahamdr to realm dsl.realm.co.uk
rlm_realm: Adding Realm = "dsl.realm.co.uk"
rlm_realm: Preparing to proxy authentication request to realm
"dsl.realm.co.uk"
++[suffix] returns updated
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = '[EMAIL PROTECTED]'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '[EMAIL PROTECTED]'
ORDER BY id
expand: SELECT groupname   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY id -> SELECT groupname
FROM usergroup   WHERE username = '[EMAIL PROTECTED]'
ORDER BY id
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup
WHERE username = '[EMAIL PROTECTED]'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User [EMAIL PROTECTED] not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d -> /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d expands to
/usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
expand: %t -> Tue Feb 12 13:22:36 2008
++[pre_proxy_log] returns ok
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Proxy-State = 0x313535
Proxying request 0 to home server 10.0.0.18 port 1645
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Realm = "dsl.realm.co.uk"
Realm = "dsl.realm.co.uk"
Proxy-State = 0x313535
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.0.0.18 port 1645, id=222,
length=107
Class =
0x5342522d434c20444e3d2232303533363041543d22323030222055533d2053493d
22323838312200
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254  << this should match the rule.
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313535
+- entering group post-proxy
expand: %{Realm} -> dsl.realm.co.uk
 attr_filter: Matched entry DEFAULT at line 103
++[attr_filter.post-proxy] returns updated
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns noop
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}&#

RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
The only other place the main ip pool is mentioned is in the site-enabled
file.
Within post-auth.

post-auth {
    main_pool
    sql
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        sql
    }
}

I'll try and see if I can work it out by "man unlang"; if not then I may be
posting back.
Sorry...

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> 
> I currently have this in radiusd.conf.

  That is NOT the only reference to the "ippool" module.  The IP's get
allocated *somewhere* via a reference to the "main_pool" module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

> I've tried adding the statement before and inside this but even static
> assigned users get an address from the pool.

  Umm... please go read "man unlang".  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use "if()".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> 
> I currently have this in radiusd.conf.

  That is NOT the only reference to the "ippool" module.  The IP's get
allocated *somewhere* via a reference to the "main_pool" module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

> I've tried adding the statement before and inside this but even static
> assigned users get an address from the pool.

  Umm... please go read "man unlang".  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use "if()".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer


I currently have this in radiusd.conf.

ippool main_pool {
    range-start = 10.0.0.1
    range-stop = 10.0.0.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${sysconfdir}/raddb/db.ippool
    ip-index = ${sysconfdir}/raddb/db.ipindex
    override = yes
    maximum-timeout = 0
}

I've tried adding the statement before and inside this but even static
assigned users get an address from the pool.

Thanks
Tony

-Original Message-
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 11:17
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Where do I put this statement

  Where is your current "ippool" module referenced?

> and does override have to be yes or no?

  "yes"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> Where do I put this statement

  Where is your current "ippool" module referenced?

> and does override have to be yes or no?

  "yes"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Where do I put this statement and does override have to be yes or no?

Thanks in advance

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 10:33
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Is there a way to tell Freeradius to only assign from the pool for the
user
> if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if ("%{proxy_reply:Framed-IP-Address}" != "255.255.255.254") {
      ippool
  }

  It's pretty much that easy...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
> Is there a way to tell Freeradius to only assign from the pool for the user
> if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if ("%{proxy_reply:Framed-IP-Address}" != "255.255.255.254") {
      ippool
  }

  It's pretty much that easy...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Everything seems to be working fine with the new upgraded version of
Freeradius.

I've also made progress in assigning from an IP pool for a realm.
However it seems to be all or nothing, if the reply comes back with a
Framed-IP-Address already set it gets ignored if I set:

override = yes

in the IP pool section of radiusd.conf.
However some users are supposed to have a static IP address and some dynamic
IP assignment.
Those with no static set come back with the reply:

Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313832

Is there a way to tell Freeradius to only assign from the pool for the user
if the Framed-IP-Address comes back as 255.255.255.254?

Thanks
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 20:42
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> Right I've now managed to get v2.0.1 working on our radius server.
> Although for some reason it's not logging to radiusd.log.
> Previously we have logged accounting to the log file and the radacct
table.
> If anyone can spare a thought on why this isn't now logging to the
> radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

> Onto the different IP pool per realm...
> This still doesn't seem to work.
> The debug doesn't show the IP pool being loaded.
> Does this still need to be put into radiusd.conf or the sites-enabled
file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
> Right I've now managed to get v2.0.1 working on our radius server.
> Although for some reason it's not logging to radiusd.log.
> Previously we have logged accounting to the log file and the radacct table.
> If anyone can spare a thought on why this isn't now logging to the
> radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

> Onto the different IP pool per realm...
> This still doesn't seem to work.
> The debug doesn't show the IP pool being loaded.
> Does this still need to be put into radiusd.conf or the sites-enabled file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
Right I've now managed to get v2.0.1 working on our radius server.
Although for some reason it's not logging to radiusd.log.
Previously we have logged accounting to the log file and the radacct table.
If anyone can spare a thought on why this isn't now logging to the
radiusd.log file I would appreciate it.

Onto the different IP pool per realm...
This still doesn't seem to work.
The debug doesn't show the IP pool being loaded.
Does this still need to be put into radiusd.conf or the sites-enabled file?

Thanks 
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 13:39
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
> We are running freeradius on Centos and the most supported package that
gets
> installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have
> installed.

  Ugh.

> I've tried to upgrade by downloading the latest version, 2.0.1.
> Although it builds and installs it doesn't seem to try to connect to my
SQL
> database. When I start the old version with -X I see a lot of mention of
> sql.
> But version 2.0.1 started with -X doesn't seem to say anything apart from
> it's loading the sql.conf file.
> Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf && sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure && debug.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
> We are running freeradius on Centos and the most supported package that gets
> installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have
> installed.

  Ugh.

> I've tried to upgrade by downloading the latest version, 2.0.1.
> Although it builds and installs it doesn't seem to try to connect to my SQL
> database. When I start the old version with -X I see a lot of mention of
> sql.
> But version 2.0.1 started with -X doesn't seem to say anything apart from
> it's loading the sql.conf file.
> Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf && sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure && debug.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
We are running freeradius on Centos and the most supported package that gets
installed by "yum update" is freeradius-1.0.1-3.RHEL4.5, which I now have
installed.

I've tried to upgrade by downloading the latest version, 2.0.1.
Although it builds and installs it doesn't seem to try to connect to my SQL
database. When I start the old version with -X I see a lot of mention of
sql.
But version 2.0.1 started with -X doesn't seem to say anything apart from
it's loading the sql.conf file.
Am I missing something here?

That said I do have some debug for the version I am using for trying to
assign a different IP pool per realm.

Here is the section that shows that radius is loading the IP pool:


Module: Loaded IPPOOL
 ippool: session-db = "/etc/raddb/db.ippool"
 ippool: ip-index = "/etc/raddb/db.ipindex"
 ippool: range-start = 85.92.168.1 IP address [85.92.168.1]
 ippool: range-stop = 85.92.168.254 IP address [85.92.168.254]
 ippool: netmask = 255.255.255.0 IP address [255.255.255.0]
 ippool: cache-size = 800
 ippool: override = no
 ippool: maximum-timeout = 0
Module: Instantiated ippool (main_pool)
#



This is the users entry:


DEFAULT Realm == "dsl.realm.co.uk", Pool-Name := "main_ip_realm1"


And here is the debug from a user using the realm logging in:

###

rad_recv: Access-Request packet from host 192.168.1.88:1645, id=245,
length=127
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7
NAS-Port-Type = Virtual
NAS-Port = 2548
NAS-Port-Id = "Uniq-Sess-ID2548"
Connect-Info = "4522000/1000"
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.88
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 14
  modcall[authorize]: module "mschap" returns noop for request 14
rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "dsl.realm.co.uk"
rlm_realm: Proxying request from user leekane to realm dsl.realm.co.uk
rlm_realm: Adding Realm = "dsl.realm.co.uk"
rlm_realm: Preparing to proxy authentication request to realm
"dsl.realm.co.uk"
  modcall[authorize]: module "suffix" returns updated for request 14
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 14
users: Matched DEFAULT at 1
  modcall[authorize]: module "files" returns ok for request 14
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 21
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 21
  modcall[authorize]: module "sql" returns notfound for request 14
modcall: group authorize returns updated for request 14
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 14
radius_xlat:
'/var/log/rad

Re: Different IP Pool per proxied realm

2008-02-09 Thread Alan DeKok
Tony Spencer wrote:
> We are using FreeRADIUS Version 1.0.1

  Why?

  I would suggest upgrading.  The newer versions have a LOT more
features, and make this kind of configuration much easier.

> But when the user logs in they get assigned an IP from the NAS and not from
> the IP Pool.
> Am I doing something wrong?

  The debug log should explain what the server is sending back.  But if
you're using 1.0.1, I would suggest upgrading before posting the debug log.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Different IP Pool per proxied realm

2008-02-07 Thread Tony Spencer
Hi all

I’m trying to assign a different IP Pool per realm, instead of the IP being
assigned by the NAS.
However after reading some postings and doing some searching I can’t get
this to work.
The realms we want to assign different IP Pools to, we proxy to different
customers.
So we don’t do the authentication for these realms, we just proxy to
authentication.

We are using FreeRADIUS Version 1.0.1 and using MySQL and not flat files.
Our NAS is a Cisco 7304 terminating L2TP for DSL users.

So far I’ve tried to add the following to the users file:


DEFAULT Realm == "realm1.com", Pool-Name := "pool_one"

 
And created the pool in radiusd.conf:


ippool pool_one {
    range-start = 192.168.1.1
    range-stop = 192.168.1.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
    maximum-timeout = 0
}

But when the user logs in they get assigned an IP from the NAS and not from
the IP Pool.
Am I doing something wrong?
Does this not work if I'm using MySQL?

Thanks in advance
Tony

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ip pool problem

2008-02-06 Thread Luis Galan

thanks. I think that's the problem.

Luis


Ivan Kalik wrote:

>> Could it be a problem from the NAS params sent to radius?
>
> It could - if NAS-Port parameter is the same for all users. If user C
> logs out IP addresses will be released from the pool and B will be able
> to get A's IP address.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ip pool problem

2008-02-06 Thread Ivan Kalik
>
>Could it be a problem from the NAS params sent to radius?

It could - if NAS-Port parameter is the same for all users. If user C
logs out IP addresses will be released from the pool and B will be able
to get A's IP address.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
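The effect of a non-unique NAS-Port, described in the reply above, can be shown with a small model. This is an added example, not part of the thread and not rlm_ippool's code: it assumes leases are indexed by (NAS-IP-Address, NAS-Port), that a new login under a key that already holds a lease frees the old lease first, and that the lowest free address is handed out. The NAS address, user names and function names are constructed; the address range is the one from the poolJazDialup configuration in the original question.

```python
import ipaddress


class KeyedPool:
    """Simplified pool whose leases are indexed by (NAS-IP-Address, NAS-Port)."""

    def __init__(self, start, stop):
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(stop))
        self.free = [ipaddress.IPv4Address(n) for n in range(first, last + 1)]
        self.leases = {}  # key -> (address, user)

    def allocate(self, user, nas_ip, nas_port):
        key = (nas_ip, nas_port)
        # Assumption of this model: an existing lease under the same key is
        # treated as a stale session and released before allocating.
        stale = self.leases.pop(key, None)
        if stale is not None:
            self.free.append(stale[0])
            self.free.sort()
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.leases[key] = (addr, user)
        return addr


def simulate(logins, start="1.1.1.129", stop="1.1.1.254"):
    """Log every user in (nobody logs out) and return {user: address}."""
    pool = KeyedPool(start, stop)
    return {
        user: str(pool.allocate(user, nas_ip, port))
        for user, nas_ip, port in logins
    }


def duplicate_addresses(assignments):
    """Return {address: [users]} for addresses given to more than one user."""
    by_addr = {}
    for user, addr in assignments.items():
        by_addr.setdefault(addr, []).append(user)
    return {addr: users for addr, users in by_addr.items() if len(users) > 1}


def shared_keys(logins):
    """Return {(nas_ip, nas_port): [users]} for keys used by several users.

    Running this over the NAS-IP-Address/NAS-Port pairs seen in
    Access-Requests shows whether the NAS sends a usable key at all.
    """
    by_key = {}
    for user, nas_ip, port in logins:
        by_key.setdefault((nas_ip, port), []).append(user)
    return {key: users for key, users in by_key.items() if len(users) > 1}


# Constructed logins: same NAS, every session reports NAS-Port = 0.
SAME_PORT = [
    ("userA", "192.0.2.1", 0),
    ("userB", "192.0.2.1", 0),
    ("userC", "192.0.2.1", 0),
]
# Constructed logins: the NAS reports a distinct port per session.
UNIQUE_PORT = [
    ("userA", "192.0.2.1", 1),
    ("userB", "192.0.2.1", 2),
    ("userC", "192.0.2.1", 3),
]

if __name__ == "__main__":
    for label, logins in (("same port", SAME_PORT), ("unique port", UNIQUE_PORT)):
        result = simulate(logins)
        print(label, result, "duplicates:", duplicate_addresses(result))
```
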


ip pool problem

2008-02-06 Thread Luis Galan

Hi!

I am using freeradius 1.1.3 and I have some problems with dial-up users using
a dynamic pool of ip addresses.
When user A is logged in with ip address 1, its ip is marked as used in the
pool only for 2/3 minutes.
After that if a user B logs in, then this new user can receive the same ip
address that user A was using.


Could it be a problem from the NAS params sent to radius?
What attributes are used to control the pool assignment?

Could someone help me?


.
.
.
ippool poolJazDialup {
    range-start = 1.1.1.129
    range-stop = 1.1.1.254
    netmask = 255.255.255.255
    cache-size = 126
    session-db = ${raddbdir}/db.ippool.poolDialup
    ip-index = ${raddbdir}/db.ipindex.poolDialup
    override = no
    maximum-timeout = 0
}

.
.
.
accounting {
    detail
    poolJazDialup
    group {
        sql1 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
        sql2 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
    }
}


post-auth {
    #  Get an address from the IP Pool.
    poolJazDialup
    reply_log
    group {
        sql1 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
        sql2 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
    }
    Post-Auth-Type REJECT {
        group {
            sql1 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
            }
            sql2 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
            }
        }
    }
}


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-25 Thread Alan DeKok
Andrew D Kirch wrote:
> You might try putting it at the top of radiusd.conf

  Done.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Alan DeKok
Andrew D Kirch wrote:
> When I connect a client to freeradius the client authenticates, gets an
> accept/accept, but does not get an IP address.  I've tried it with the
> Group and Pool-Name directives in each client's block, and I've tried it
> with them in a DEFAULT by themselves.  Neither has handed out an IP
> address.
...
> radius:/etc/freeradius# freeradius -v
> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
> on Dec 16 2006 at 23:48:11

  You should upgrade to at least 1.1.6, maybe 2.0.1

  And with all of the information you posted, you didn't include the
most important, which is requested in the FAQ, README, INSTALL, "man"
page, and daily on this list: radiusd -X.

  Is there some other place in the documentation where this should be
suggested?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread tnt
It's all in black and white:

#  for different users. The Pool-Name attribute is a *check* item not
#  a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file  : DEFAULT Group == students, Pool-Name := "students"
#

Yet, you have put it as a reply item.

Ivan Kalik
Kalik Informatika ISP


On 24/1/2008, "Andrew D Kirch" <[EMAIL PROTECTED]> wrote:

>When I connect a client to freeradius the client authenticates, gets an
>accept/accept, but does not get an IP address.  I've tried it with the
>Group and Pool-Name directives in each client's block, and I've tried it
>with them in a DEFAULT by themselves.  Neither has handed out an IP address.
>
>System vitals:
>radius:/etc/freeradius# uname -a
>Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
>radius:/etc/freeradius# cat /etc/debian_version
>4.0
>radius:/etc/freeradius# freeradius -v
>freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
>on Dec 16 2006 at 23:48:11
>
># radtest umcc xx localhost 0 xxx
>Sending Access-Request of id 144 to 127.0.0.1 port 1812
>User-Name = "umcc"
>User-Password = "bts10200"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
>Service-Type = Framed-User
>Framed-IP-Netmask = 255.255.255.255
>Framed-Protocol = PPP
>Framed-Compression = Van-Jacobson-TCP-IP
>
>radius.log:
>Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output
>defined. Did you mean output=none?
>Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
>Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client
>localhost-testing port 0)
>
>users:
>umcc    User-Password == "xx"
>Service-Type = Framed-User,
>Framed-IP-Netmask = 255.255.255.255,
>Group == main_pool,
>Pool-Name := "main_pool",
>Framed-Protocol = PPP,
>Framed-Compression = Van-Jacobsen-TCP-IP
>
>radiusd.conf (pertinent sections)
> ippool main_pool {
>range-start = 208.64.35.2
>range-stop = 208.64.35.254
>netmask = 255.255.255.255
>cache-size = 253
>session-db = ${raddbdir}/db.ippool
>ip-index = ${raddbdir}/db.ipindex
>override = yes
>maximum-timeout = 0
>}
>accounting {
>detail
>unix
>radutmp
>main_pool
>}
>post-auth {
>main_pool
>}
>
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Andrew D Kirch

Alan DeKok wrote:
> Andrew D Kirch wrote:
>> When I connect a client to freeradius the client authenticates, gets an
>> accept/accept, but does not get an IP address.  I've tried it with the
>> Group and Pool-Name directives in each client's block, and I've tried it
>> with them in a DEFAULT by themselves.  Neither has handed out an IP
>> address.
> ...
>> radius:/etc/freeradius# freeradius -v
>> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
>> on Dec 16 2006 at 23:48:11
>
>   You should upgrade to at least 1.1.6, maybe 2.0.1
>
>   And with all of the information you posted, you didn't include the
> most important, which is requested in the FAQ, README, INSTALL, "man"
> page, and daily on this list: radiusd -X.
>
>   Is there some other place in the documentation where this should be
> suggested?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

You might try putting it at the top of radiusd.conf, everyone's
eventually going to see that.  Because I use Debian the others are
packaged and abstracted away.  I used the Freeradius wiki quite a bit as 
well, and perhaps it could be more visible there too.  In fact I think 
this might  be an honorable use of the  element as I was able to 
use the freeradius -X output to immediately debug my problem.  Thank you 
for the help.


Andrew


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Kevin Bonner
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
>   And with all of the information you posted, you didn't include the
> most important, which is requested in the FAQ, README, INSTALL, "man"
> page, and daily on this list: radiusd -X.
>
>   Is there some other place in the documentation where this should be
> suggested?
>
>   Alan DeKok.

Big red letters on the front page of the website.  Or below the 
subscribe/unsubscribe line in the footer of every message.  =)

-Kevin


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Andrew D Kirch

When I connect a client to freeradius the client authenticates, gets an
accept/accept, but does not get an IP address.  I've tried it with the
Group and Pool-Name directives in each client's block, and I've tried it
with them in a DEFAULT by themselves.  Neither has handed out an IP address.

System vitals:
radius:/etc/freeradius# uname -a
Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
radius:/etc/freeradius# cat /etc/debian_version
4.0
radius:/etc/freeradius# freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
on Dec 16 2006 at 23:48:11

# radtest umcc xx localhost 0 xxx
Sending Access-Request of id 144 to 127.0.0.1 port 1812
   User-Name = "umcc"
   User-Password = "bts10200"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
   Service-Type = Framed-User
   Framed-IP-Netmask = 255.255.255.255
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP

radius.log:
Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client
localhost-testing port 0)

users:
umcc    User-Password == "xx"
   Service-Type = Framed-User,
   Framed-IP-Netmask = 255.255.255.255,
   Group == main_pool,
   Pool-Name := "main_pool",
   Framed-Protocol = PPP,
   Framed-Compression = Van-Jacobsen-TCP-IP

radiusd.conf (pertinent sections)
ippool main_pool {
   range-start = 208.64.35.2
   range-stop = 208.64.35.254
   netmask = 255.255.255.255
   cache-size = 253
   session-db = ${raddbdir}/db.ippool
   ip-index = ${raddbdir}/db.ipindex
   override = yes
   maximum-timeout = 0
   }
accounting {
   detail
   unix
   radutmp
   main_pool
}
post-auth {
   main_pool
}






Re: ip assignment without ip pool

2007-12-12 Thread tnt
So you are using DHCP to assign ip addresses as well. Find out what's
dhcp reservation. This is nothing to do with radius. And use one method
to assign addresses: dhcp or radius - don't use both at the same time.

Ivan Kalik
Kalik Informatika ISP

On 12/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:

>ip is coming from poptop config file ( pptpd.conf )
>it's always ok with Pool-Name but with Framed-IP-Address the normal ip
>config from pptpd.conf is assigned.
>the user isn't in any group.
>
>On Dec 12, 2007 1:25 AM, <[EMAIL PROTECTED]> wrote:
>
>> And that address is coming from ... ? Are you assigning ippool through
>> the group? Remove him from that group.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
>>
>> >I've inserted this record to my radius db:
>> >insert into radcheck ( username , attribute , op , value ) values (
>> "new5" ,
>> >"Framed-IP-Address" , ":=" , "10.6.6.6" )
>> >
>> >but still the old ip address (10.1.1.x) has been assigned to client.
>> >
>> >
>> >On Dec 12, 2007 12:38 AM, <[EMAIL PROTECTED]> wrote:
>> >
>> >> Framed-IP-Address
>> >>
>> >> Just make sure that address is not in the pool.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
>> >>
>> >> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
>> >>
>> >> >Hello,
>> >> >I need to assign static ips to several users but not all of them,
>> >> >and I feel it's a bad way to define an ip pool for each of them.
>> >> >how to assign a specific ip address to a user?
>> >> >
>> >> >
>> >>
>> >>
>> >
>>
>>
>



Re: ip assignment without ip pool

2007-12-12 Thread hadi golestani
ip is coming from poptop config file ( pptpd.conf )
it's always ok with Pool-Name but with Framed-IP-Address the normal ip
config from pptpd.conf is assigned.
the user isn't in any group.

On Dec 12, 2007 1:25 AM, <[EMAIL PROTECTED]> wrote:

> And that address is coming from ... ? Are you assigning ippool through
> the group? Remove him from that group.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
>
> >I've inserted this record to my radius db:
> >insert into radcheck ( username , attribute , op , value ) values (
> "new5" ,
> >"Framed-IP-Address" , ":=" , "10.6.6.6" )
> >
> >but still the old ip address (10.1.1.x) has been assigned to client.
> >
> >
> >On Dec 12, 2007 12:38 AM, <[EMAIL PROTECTED]> wrote:
> >
> >> Framed-IP-Address
> >>
> >> Just make sure that address is not in the pool.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Hello,
> >> >I need to assign static ips to several users but not all of them,
> >> >and I feel it's a bad way to define an ip pool for each of them.
> >> >how to assign a specific ip address to a user?
> >> >
> >> >
> >>
> >>
> >
>
>

Re: ip assignment without ip pool

2007-12-11 Thread tnt
And that address is coming from ... ? Are you assigning ippool through
the group? Remove him from that group.

Ivan Kalik
Kalik Informatika ISP


On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:

>I've inserted this record to my radius db:
>insert into radcheck ( username , attribute , op , value ) values ( "new5" ,
>"Framed-IP-Address" , ":=" , "10.6.6.6" )
>
>but still the old ip address (10.1.1.x) has been assigned to client.
>
>
>On Dec 12, 2007 12:38 AM, <[EMAIL PROTECTED]> wrote:
>
>> Framed-IP-Address
>>
>> Just make sure that address is not in the pool.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
>>
>> >Hello,
>> >I need to assign static ips to several users but not all of them,
>> >and I feel it's a bad way to define an ip pool for each of them.
>> >how to assign a specific ip address to a user?
>> >
>> >
>>
>>
>



Re: ip assignment without ip pool

2007-12-11 Thread hadi golestani
I've inserted this record to my radius db:
insert into radcheck ( username , attribute , op , value ) values ( "new5" ,
"Framed-IP-Address" , ":=" , "10.6.6.6" )

but still the old ip address (10.1.1.x) has been assigned to client.


On Dec 12, 2007 12:38 AM, <[EMAIL PROTECTED]> wrote:

> Framed-IP-Address
>
> Just make sure that address is not in the pool.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:
>
> >Hello,
> >I need to assign static ips to several users but not all of them,
> >and I feel it's a bad way to define an ip pool for each of them.
> >how to assign a specific ip address to a user?
> >
> >
>
>

Re: ip assignment without ip pool

2007-12-11 Thread tnt
Framed-IP-Address

Just make sure that address is not in the pool.

Ivan Kalik
Kalik Informatika ISP

On 11/12/2007, "hadi golestani" <[EMAIL PROTECTED]> wrote:

>Hello,
>I need to assign static ips to several users but not all of them,
>and I feel it's a bad way to define an ip pool for each of them.
>how to assign a specific ip address to a user?
>
>
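
A check for the advice in the reply above, as an added example that is not part of the original message: it flags static Framed-IP-Address assignments that fall inside a pool's range-start/range-stop window and, going slightly beyond the reply, addresses given to two users or malformed ones. The pool range, the usernames new6 to new9 and their addresses are constructed; `POOLS`, `STATIC` and `audit` are hypothetical names.

```python
import ipaddress

# Constructed pool, in the range-start / range-stop form of an ippool block
POOLS = {"main_pool": ("10.1.1.2", "10.1.1.254")}

# Constructed static assignments: (username, Framed-IP-Address)
STATIC = [
    ("new5", "10.6.6.6"),
    ("new6", "10.1.1.40"),     # inside main_pool
    ("new7", "10.1.1.255"),    # just past range-stop
    ("new8", "10.6.6.6"),      # same address as new5
    ("new9", "10.6.6"),        # malformed
]


def audit(static, pools):
    """Return (username, address, problem) for every unsafe static entry."""
    ranges = {
        name: (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        for name, (lo, hi) in pools.items()
    }
    findings, owner = [], {}
    for user, text in static:
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            findings.append((user, text, "not a valid IPv4 address"))
            continue
        # A static address inside a pool can also be leased to someone else.
        for name, (lo, hi) in ranges.items():
            if lo <= addr <= hi:
                findings.append((user, text, f"inside pool {name}"))
        if addr in owner:
            findings.append((user, text, f"already assigned to {owner[addr]}"))
        else:
            owner[addr] = user
    return findings


if __name__ == "__main__":
    for finding in audit(STATIC, POOLS):
        print(*finding, sep="  ")
```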



ip assignment without ip pool

2007-12-11 Thread hadi golestani
Hello,
I need to assign static ips to several users but not all of them,
and I feel it's a bad way to define an ip pool for each of them.
how to assign a specific ip address to a user?

Re: IP Pool

2007-12-06 Thread Marcelus Trojahn

Sounds like a plan, I'll give it a try.

Thanks!

--
Marcelus Trojahn

[EMAIL PROTECTED] wrote:

> How about multiple pools - one for each subnet. If I recall well, you add
> all the ippools to post-auth section of radiusd.conf and use Pool-Name
> := DEFAULT. That worked some years ago. Haven't tried it lately.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/12/2007, "Marcelus Trojahn" <[EMAIL PROTECTED]> wrote:
>
>> Hi folks,
>>
>> I have a PPPoE server which authenticates the user on freeradius...
>> Right now, the PPPoE server is in charge of assigning the IPs to the
>> users but I want to do that via radius because I'm adding another PPPoE
>> server on the network and OSPF routing...
>>
>> Problem is, I had a look on radiusd.conf and what I could understand is
>> that I can only have pools on a same network (like 192.168.0.0/23, for
>> instance)... But I need 1 big pool with IPs in different networks
>> because my users receive valid public IP addresses...
>>
>> So, I need all users on the same pool and the pool has to have a bunch
>> of different IP ranges, not in order, like 200.200.200.0/24,
>> 201.10.20.0/24 and so on...
>>
>> Is that even possible?
>>
>> --
>> Marcelus Trojahn


Re: IP Pool

2007-12-06 Thread tnt
How about multiple pools - one for each subnet. If I recall well, you add
all the ippools to post-auth section of radiusd.conf and use Pool-Name
:= DEFAULT. That worked some years ago. Haven't tried it lately.

Ivan Kalik
Kalik Informatika ISP


On 6/12/2007, "Marcelus Trojahn" <[EMAIL PROTECTED]> wrote:

>Hi folks,
>
>I have a PPPoE server which authenticates the user on freeradius...
>Right now, the PPPoE server is in charge of assigning the IPs to the
>users but I want to do that via radius because I'm adding another PPPoE
>server on the network and OSPF routing...
>
>Problem is, I had a look on radiusd.conf and what I could understand is
>that I can only have pools on a same network (like 192.168.0.0/23, for
>instance)... But I need 1 big pool with IPs in different networks
>because my users receive valid public IP addresses...
>
>So, I need all users on the same pool and the pool has to have a bunch
>of different IP ranges, not in order, like 200.200.200.0/24,
>201.10.20.0/24 and so on...
>
>Is that even possible?
>
>--
>Marcelus Trojahn
>
>
>



IP Pool

2007-12-06 Thread Marcelus Trojahn

Hi folks,

I have a PPPoE server which authenticates the user on freeradius... 
Right now, the PPPoE server is in charge of assigning the IPs to the 
users but I want to do that via radius because I'm adding another PPPoE 
server on the network and OSPF routing...


Problem is, I had a look on radiusd.conf and what I could understand is 
that I can only have pools on a same network (like 192.168.0.0/23, for 
instance)... But I need 1 big pool with IPs in different networks 
because my users receive valid public IP addresses...


So, I need all users on the same pool and the pool has to have a bunch 
of different IP ranges, not in order, like 200.200.200.0/24,
201.10.20.0/24 and so on...


Is that even possible?

--
Marcelus Trojahn



Re: NAS-Port and IP pool

2007-10-29 Thread Peter Nixon
On Tue 16 Oct 2007, Dánial Olsen wrote:
> Hi,
>
> I'm hoping someone can assist me with my problem with assigning ip
> addresses with freeradius 1.1.6 on OpenBSD 4.1.
>
> I'm using freeradius with an Ericsson CGSN and now I'm trying to
> assign ip addresses to my Mobile Stations.
> The problem is that the CGSN makes requests to freeradius always using
> the same IP and always port 1, which means only one IP is assigned.
>
> After a lot of searching I've come to the conclusion that freeradius
> uses NAS-port and NAS-ip to uniquely identify the clients.
>
> Is my conclusion correct?
>
> How can I assign IP addresses to my MS using another unique id, e.g.
> IMSI or MSISDN - which I can include in the request?

Hi Danial

Take a look at http://wiki.freeradius.org/Rlm_sqlippool

We developed it specifically for use with Ericsson and Cisco GGSNs and if you 
read the comments I wrote in the config file you will see exactly how to use 
the Calling-Station-Id (aka MSISDN/GSM Number) as the unique id...

You should also be able to figure out how to virtualise the whole thing to 
allow overlapping pools in different APNs ;-)

Cheers

-- 

Peter Nixon
http://peternixon.net/
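
The behaviour discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of a pool that tracks leases by a configurable key. The `Pool` class, the addresses and the MSISDN values are constructed for illustration; it shows why a gateway that always sends the same NAS-IP-Address and NAS-Port ends up with one address for every subscriber, while keying on Calling-Station-Id gives each subscriber its own lease.

```python
import ipaddress


class Pool:
    """Simplified lease table (a model, not FreeRADIUS code)."""

    def __init__(self, start, stop, key_attrs):
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(stop))
        self.free = [ipaddress.IPv4Address(n) for n in range(first, last + 1)]
        self.key_attrs = key_attrs   # request attributes that identify a session
        self.leases = {}             # key tuple -> leased address

    def allocate(self, request):
        key = tuple(request.get(attr) for attr in self.key_attrs)
        if key in self.leases:
            # Same key means "same session" to the pool: the lease is reused.
            return self.leases[key]
        if not self.free:
            return None              # pool exhausted
        self.leases[key] = self.free.pop(0)
        return self.leases[key]


# Constructed requests: the gateway always sends the same NAS-IP-Address and
# NAS-Port; only Calling-Station-Id (the MSISDN) differs per subscriber.
REQUESTS = [
    {"NAS-IP-Address": "192.0.2.1", "NAS-Port": 1, "Calling-Station-Id": msisdn}
    for msisdn in ("15550100", "15550101", "15550102", "15550100")
]


def assign_all(key_attrs):
    """Return (subscriber, address) pairs for REQUESTS under the given key."""
    pool = Pool("10.0.0.2", "10.0.0.254", key_attrs)
    return [(r["Calling-Station-Id"], str(pool.allocate(r))) for r in REQUESTS]


def shared_addresses(assignments):
    """Addresses that ended up with more than one distinct subscriber."""
    owners = {}
    for subscriber, addr in assignments:
        owners.setdefault(addr, set()).add(subscriber)
    return {a: sorted(s) for a, s in owners.items() if len(s) > 1}


if __name__ == "__main__":
    for key in (("NAS-IP-Address", "NAS-Port"), ("Calling-Station-Id",)):
        result = assign_all(key)
        print(key, result, "shared:", shared_addresses(result))
```

Running `shared_addresses` over real accounting data (subscriber and Framed-IP-Address pairs for sessions that are open at the same time) is a quick way to spot a pool whose key is not unique per subscriber.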



R: R: R: Ip pool lease migration

2007-10-24 Thread Francesco Cristofori
>   You didn't say that...

Sorry, I thought it wasn't so relevant. :-)

>   Use sqlippool.  It's the easiest way to get what you want.

Ok, thanks for helping.

Francesco.



Re: R: R: Ip pool lease migration

2007-10-24 Thread Alan DeKok
Francesco Cristofori wrote:
> The sql server is actually a mysql master/master replication cluster
> with one virtual IP address I pointed the servers to.
> I think this solution avoids s.p.o.f., isn't it?

  You didn't say that...

> H... But ip pools are managed through local files on each radius
> server, the sql backend stores sessions but not ip assignment. Do I
> miss something?

  Use sqlippool.  It's the easiest way to get what you want.

  Alan DeKok.


R: R: Ip pool lease migration

2007-10-24 Thread Francesco Cristofori
>   Then there's a lot less reason to run two servers.  You 
> still have one central point of failure: the SQL server.

The sql server is actually a mysql master/master replication cluster
with one virtual IP address I pointed the servers to.
I think this solution avoids s.p.o.f., isn't it?

>   If you're insistent on running just one SQL server, you 
> don't need to do anything on the RADIUS side for IP pools.  
> Just point both RADIUS servers to the same SQL DB and tables, 
> and the SQL server will sort it out.

H... But ip pools are managed through local files on each radius
server, the sql backend stores sessions but not ip assignment. Do I
miss something?

Thanks,
Francesco.



Re: R: Ip pool lease migration

2007-10-24 Thread Alan DeKok
Francesco Cristofori wrote:
> I have both servers using the same sql backend for accounting (not
> sql_ippool at the moment), so I have a doubt:

  Then there's a lot less reason to run two servers.  You still have one
central point of failure: the SQL server.

  If you're insistent on running just one SQL server, you don't need to
do anything on the RADIUS side for IP pools.  Just point both RADIUS
servers to the same SQL DB and tables, and the SQL server will sort it out.

> If I relay one request to radB, will radB write an entry in radacct so I
> end up with two accounting records for the same accounting request?
> How could I prevent this from happening?

  Don't point two RADIUS servers to one SQL database.

  Alan DeKok.


R: Ip pool lease migration

2007-10-24 Thread Francesco Cristofori
> I'm going to try it, thanks for the suggestion.
> Is it correct to set up two servers radA relaying to radB and 
> radB relaying to radA ?
> I'd like to have an active/active radius server setup.

Sorry, I didn't read the docs. :-)

I have both servers using the same sql backend for accounting (not
sql_ippool at the moment), so I have a doubt:
If I relay one request to radB, will radB write an entry in radacct so I
end up with two accounting records for the same accounting request?
How could I prevent this from happening?

Thanks in advance,
Francesco.


