Re: Freeradius-Users Digest, Vol 52, Issue 87

2009-08-19 Thread ramesh p
Thanks Alan.

But we have two accounting sections in default and buffered-sql.
Do I need to enable sql module only in buffered-sql? And place buffered-sql
in default 'accounting' section. Am confused...

Thanks,
Rams.





 --

 Message: 2
 Date: Tue, 18 Aug 2009 23:29:47 +0100
 From: Alan Buxey a.l.m.bu...@lboro.ac.uk
 Subject: Re: accounting through detail module help
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Message-ID: 20090818222947.gd32...@lboro.ac.uk
 Content-Type: text/plain; charset=us-ascii

 Hi,
   Thanks Alan.
  I enabled detail module in accounting. details files were created under
  radacct clients directories.
  Just wanted to check if any module already available in freeradius to
 scan
  these detail files, parse and put attributes in mysql db every 2-3 mins?


 sites-available/buffered-sql ?

 just ensure that the sql stuff is configured correctly...link/copy it into
 sites-enabled and restart the daemon

 alan


 --

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: segfault with regex and hint

2009-08-19 Thread Alan DeKok
Alexander Clouter wrote:
 I am running FreeRADIUS from git[1] about two days ago and found that by 
 putting the following in my 'hints' file gives me the segfault shown 
 below[2].  If I remove the end bit[3] then I do not get the segfault, 
 but then I also do not get my comparison :)
 
 Any more information needed, then let me know.

  I've committed a fix.

 Cheers
 
 [1] at commit 08baab6769fea367bda5dd006b659621bb9aac18 from 
   yesterday-ish
 [2] strlcpy sourced from address 0x0
 [3] User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i
 
 
 DEFAULT NAS-Port-Type == Ethernet, User-Name == %{User-Password}, 
 Calling-Station-Id =~ 
 /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i,
  User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i

  Well... that really won't work.  The regular expressions in the
users file are just the strings:

Foo =~ a*b

  NOT
Foo =~ /a*b/i

  If you want policies that are slightly complicated, use unlang.
Really.  Delete these entries from the hints file, and replace them
with unlang-style policies.

  Alan DeKok.



Re:

2009-08-19 Thread Alan DeKok
RANDRIAMAMPIONONA José Johnny wrote:
 Hi All,
 I have suffered enough, now I'd like to expose my nightmare.
 Freeradius-server-2.1.6 + OpenLdap.
 Both of the servers work perfectly, there is no firewall between them or
 something that can block  the traffic: All Correct!
 but the server still has no response with the weird radclient message !
 At the radius debug , authentication is mentioned as  successfully (bind
 was successfully)
 What's going on ?

  Post the debug output as suggested in the FAQ, README, INSTALL, man
page, and daily on this list.

  Alan DeKok.


Re: Unlang Question/Problem

2009-08-19 Thread Alan DeKok
Garber, Neal wrote:
 I’m running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to
 correct a problem with case-sensitive userids.

  Ok...


 First, if I didn’t include “updated” after the “update request” actions,
 then it would return reject.  Is that normal (I didn’t call a module in
 there)?

  Yes... it goes back to historical behavior, and the default return
codes when the authenticate section is being processed.

  Should the unlang be outside of the “Auth-Type MS-CHAP” block?

  No.  It MUST be inside.

  Also, Ntlm-Auth-Username is expanded, there’s a “[request] returns
 reject”.  I think this is the source of the problem, but I don’t
 understand where the reject is coming from.

  Hm... I'm not sure, either.

  The mschap module that
 follows returns OK, but the subsequent eap-comodo module returns reject
 with no explanation in the debug.  Do I need something like:

  No, that won't help.

  It looks like the EAP-MSCHAPv2 module is either NOT being run, or
something else isn't generating an appropriate EAP packet as a reply.
That's why the eap-comodo module returns reject.

  I suggest starting off with a *simpler* configuration.  Much of that
unlang could be put into the authorize section, I think.

  Alan DeKok.

Re: How could I assign an IP to a client.

2009-08-19 Thread Alan DeKok
Rokkhan wrote:
 Hello,
 I want to know if it is possible to assign an IP to clients with
 freeradius. I have tried to do this with a Sql user and setting
 Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0
 values in radreply but it doesn't work.
 The client always take the IP from a DHCP server.

  That's how networks work.  It is IMPOSSIBLE to send an IP back when
PEAP is being used.

  Alan DeKok.


Re: accounting through detail module help

2009-08-19 Thread ramesh p
Thanks Alan.
sorry for posting again.
But we have two accounting sections in default and buffered-sql.
Do I need to enable sql module only in buffered-sql? And place buffered-sql
in default 'accounting' section. Am confused...which file section will be
processed.

Thanks,
Rams.





 --

 Message: 2
 Date: Tue, 18 Aug 2009 23:29:47 +0100
 From: Alan Buxey a.l.m.bu...@lboro.ac.uk
 Subject: Re: accounting through detail module help
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Message-ID: 20090818222947.gd32...@lboro.ac.uk
 Content-Type: text/plain; charset=us-ascii

 Hi,
   Thanks Alan.
  I enabled detail module in accounting. details files were created under
  radacct clients directories.
  Just wanted to check if any module already available in freeradius to
 scan
  these detail files, parse and put attributes in mysql db every 2-3
 mins?


 sites-available/buffered-sql ?

 just ensure that the sql stuff is configured correctly...link/copy it
 into
 sites-enabled and restart the daemon

 alan


 --




logging in bit or

2009-08-19 Thread ganesh nagpure
Hi,

Is there any way to change the following thing from octets to bytes or bits?

for example  Acct-Input-Bytes/Bits or Acct-Output-Bytes/Bits

Acct-Session-Time = 58392
Acct-Input-Octets = 101147
Acct-Output-Octets = 136624
Acct-Input-Packets = 7723
Acct-Output-Packets = 8367

Where should I configure in BRAS or in Freeradius?

If I want information about uplink and downlink bit/Bytes how do I get this 
information logged in radius log file.

Who will send this information to Freeradius BRAS?

BR
Ganesh


  


Re: accounting through detail module help

2009-08-19 Thread ramesh p
Hi,

default {
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        if (Acct-Status-Type == 'Stop') {
            detail
        }
        radutmp
        attr_filter.accounting_response
        Acct-Type Status-Server {
        }
    }
}

buffered-sql {
    preacct {
        preprocess
        acct_unique
        files
    }
    accounting {
        sql
    }
}

Which accounting section needs to be activated?  Is this configuration
correct? Please help.

Thanks,
Rams.


  Message: 2
 Date: Tue, 18 Aug 2009 23:29:47 +0100
 From: Alan Buxey a.l.m.bu...@lboro.ac.uk
 Subject: Re: accounting through detail module help
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Message-ID: 20090818222947.gd32...@lboro.ac.uk
 Content-Type: text/plain; charset=us-ascii

 Hi,
   Thanks Alan.
  I enabled detail module in accounting. details files were created
 under
  radacct clients directories.
  Just wanted to check if any module already available in freeradius to
 scan
  these detail files, parse and put attributes in mysql db every 2-3
 mins?


 sites-available/buffered-sql ?

 just ensure that the sql stuff is configured correctly...link/copy it
 into
 sites-enabled and restart the daemon

 alan


 --





Re: segfault with regex and hint

2009-08-19 Thread Alexander Clouter
Hi,

Long time no see.

Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
 
 You using ProCurve NAS then? Or have other people started using
 Service-Type = 'Call-Check' to hint at Mac-Auth?
 
Cisco always have from what I can tell, well since they introduced mac 
auth back roughly two or so years ago...that is how long it's been in my 
config for.

Cheers

-- 
Alexander Clouter
.sigmonster says: Keep your boss's boss off your boss's back.



Enabling debugging option for compiling 1.1.0 version

2009-08-19 Thread Debasish Mohapatro
Dear All,

Can anybody help me in enabling the debug option for freeradius 1.1.0 
version.
Need to analyze a portion of the code for understanding and enhancing.
Hence I want the debug enabling to be done at compile time

Regards 
Debasish Mohapatro

Communication and Embedded System
LARSEN & TOUBRO INFOTECH LIMITED.
BANGALORE-560071
INDIA
ph:- +91-80-66242424 ext-2047



Re: segfault with regex and hint

2009-08-19 Thread Arran Cudbard-Bell

Hi,



Long time no see.


Indeed.



Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:


You using ProCurve NAS then? Or have other people started using
Service-Type = 'Call-Check' to hint at Mac-Auth?


Cisco always have from what I can tell, well since they introduced mac
auth back roughly two or so years ago...that is how long it's been in my
config for.


Ah, so that's who they were copying. It makes it easier to be sure the NAS 
really is requesting MAC-Auth when it includes that Service-Type attribute.

Nice condition btw, very compact :)

-Arran

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: MSChap via ntlm_auth problem

2009-08-19 Thread Anton Brinyov
Hi,

I have another freeradius host (freeradius 2.1.3) with the same
authentication scheme.
I look at debug output on it:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for BAS with NT-Password
[mschap] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[mschap] WARNING: Deprecated conditional expansion :-.  See man
unlang for details
[mschap]expand:
--username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
[mschap]  mschap2: bb
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=205180e1818e1214
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
--nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok

ntlm_auth commands are the same on both hosts.

The difference is Exec-Program output:

Why?

Thanks,
Anton.




2009/8/18 Anton Brinyov anton.brin...@gmail.com:
 2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 The problem appears in any case - with or without require-membership option.

  which version of SAMBA are you running? Latest version is known to have
  issues - they've changed things with its output.

 I use samba 3.0.35 on FreeBSD 7.2 box.

  also, recommend you change the command to have this instead
 
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
 
  that'll get rid of that annoying output error

 I have the following command:

 ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 If I call it from shell with options from radius request - I get result:

 # /usr/local/bin/ntlm_auth --request-nt-key
 --require-membership-of=CENTAURA+InternetUsers --username=BAS
 --challenge=6b6f49357dccee7c
 --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec

 NT_KEY: A9B342EC3E218E54A330556C468415CD

 What can I do for getting some details about error?

 clutching at straws
 maybe escape the + in your command (ie \+ ?
 /clutching


 *The problem appears in any case - with or without require-membership option.*
 The command can look like

 ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}

 And output is the same as in previous case.

 Thanks,
 Anton




dumping radius queries

2009-08-19 Thread Rakotomandimby Mihamina

Hi all,

I am on the way to migrate a freeRadius V1 to a V2.

I would like to log the queries submitted to the running V1,
so that I could test them via 'radclient' to the V2, before
switching to production stage.

So, on a V1.4, what kind of logging should I enable in order
to have a dump of all the queries?

Thank you

--
  IT Architect at Blueline/Gulfsat:
   System Administration, Research & Development
   +261 34 29 155 34


Re: accounting through detail module help

2009-08-19 Thread Alan Buxey
hi,

the default server will call detail

the buffered-sql should call the actual SQL module to do the work.

this means default server spews packet data to detail file,
the buffered-sql then reads that data and chucks into SQL

alan
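
The split Alan describes, sketched as configuration. This is an added example, not taken from the thread or from the FreeRADIUS distribution files; the instance name detail_sql and the buffer file path are assumptions, chosen so that the writer and the reader point at the same file.

```conf
# --- modules: a second detail instance used only as the SQL buffer ---
# (instance name "detail_sql" and the path are assumptions for this sketch)
detail detail_sql {
    # One fixed file, so the listener below can find it. The per-client,
    # per-day path seen in the debug output elsewhere on this page
    # (radacct/%{Client-IP-Address}/detail-%Y%m%d) changes name and would
    # not match a single "filename" in the listener.
    detailfile = ${radacctdir}/detail-sql

    # Accounting records carry user names and addresses: keep the
    # buffer readable by the radius user only.
    detailperm = 0600
}

# --- sites-enabled/default: receives packets from the NAS ---
accounting {
    detail_sql      # append every accounting packet to the buffer file
    radutmp
    attr_filter.accounting_response
    # no "sql" here: the database is written by buffered-sql only
}

# --- sites-enabled/buffered-sql: reads the buffer, writes to SQL ---
server buffered-sql {
    listen {
        type = detail
        filename = ${radacctdir}/detail-sql
        load_factor = 10
    }

    preacct {
        preprocess
        acct_unique
        files
    }

    accounting {
        sql         # the only place the sql module runs for accounting
    }
}
```

Both virtual servers are active at the same time: the NAS only ever talks to the default server, and buffered-sql has no network listener at all.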


Re: Enabling debugging option for compiling 1.1.0 version

2009-08-19 Thread Alan Buxey
Hi,

 Can anybody help me in enabling the debug option for freeradius 1.1.0 
 version.
 Need to analyze a portion of the code for understanding and enhancing.
 Hence i want the debug enabling to be done compile time

 understand and enhance the latest release - 2.1.6 

1.1.0 is so old that what you're looking at may have already been fixed/upgraded

alan


Re: MSChap via ntlm_auth problem

2009-08-19 Thread Alan Buxey
Hi,

 I have another freeradius host (freeradius 2.1.3) with the same
 authentication scheme.
 I look at debug output on it:
 
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap]expand:
 --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
 [mschap]  mschap2: bb
 [mschap]expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=205180e1818e1214
 [mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
 --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program: returned: 0
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok
 
 ntlm_auth commands are the same on both hosts.
 
 The difference is Exec-Program output:
 
 Why?

your previous emails only listed the mschap module and radiusd.conf - but
not the sites-enabled/default or sites-enabled/inner-tunnel  files.

alan


Re: MSChap via ntlm_auth problem

2009-08-19 Thread Anton Brinyov
Here my sites-enabled/default and sites-enabled/inner-tunnel files.

Thanks,
Anton


2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 I have another freeradius host (freeradius 2.1.3) with the same
 authentication scheme.
 I look at debug output on it:

 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for BAS with NT-Password
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap] WARNING: Deprecated conditional expansion :-.  See man
 unlang for details
 [mschap]        expand:
 --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS
 [mschap]  mschap2: bb
 [mschap]        expand: --challenge=%{mschap:Challenge:-00} -
 --challenge=205180e1818e1214
 [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -
 --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78
 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD
 Exec-Program: returned: 0
 [mschap] adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok

 ntlm_auth commands are the same on both hosts.

 The difference is Exec-Program output:

 Why?

 your previous emails only listed the mschap module and radiusd.conf - but
 not the sites-enabled/default or sites-enabled/inner-tunnel  files.

 alan

MAX-Monthly-Traffic V2 Post.

2009-08-19 Thread Neville

Hi everyone,

I've decided to submit this question again as it was not quite worded 
correctly, and to send as PLAIN TEXT.


I'm trying to set up a new counter maxmonthlytraffic, which uses the same 
method to disconnect a user by sending the Session-Timeout Reply Attribute as 
with MAX-ALL-Sessions.


This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

sqlcounter monthlytraffic {
   counter-name = Monthly-Traffic
   check-name = Max-Monthly-Traffic
   sqlmod-inst = sql
   key = User-Name
   reset = monthly

   query = SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
   FROM radacct WHERE username='%{%k}' AND \
   Month(acctstoptime) =(Month(NOW())) AND \
   Year(acctstoptime) = Year(NOW())
}

authorize {
.
monthlytraffic
.
}

instantiate {
.
monthlytraffic
.
}

created a dictionary entry in daloradius database of:-

id 9433
Type integer
Attribute Max-Monthly-Traffic
Value NULL
Format NULL
Vendor dictionary.freeradius.internal
RecommendedOP :=
RecommendedTable check
RecommendedHelper
RecommendedTooltip Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:-

Check
Simultaneous-Use := 1
Pool-Name := tvpool
Cleartext-Password := testmaxm
Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the 
Check, the user connects fine, so everything else is working)


Reply
Framed-MTU = 1400
Framed-Protocol = PPP
Service-Type = Framed-User
Acct-Interim-Interval := 300(Every 5 mins for testing)
=


Although this seems to be working on the initial Connection, it does not 
send the Session Time Out Reply during the Interim Acct Updates if the Usage 
has exceeded.


From the Debug below, the usage is shown as 37940156  during an Acct 
Update e.g. 906612 + 3733544 and is more than the initial check value of 
Max-Monthly-Traffic := 1049, so I would have expected a Session-Timeout 
Reply to be sent.


However this is working ok on disconnect and reconnect, as I get...

rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user testmaxm, check_item=1049, 
counter=89021682

++[monthlytraffic] returns reject
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): 
[testmaxm/via Auth-Type = mschap] (from client VPN1-UK port 1)


rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user testmaxm, check_item=1049, 
counter=89021682

++[monthlytraffic] returns reject
Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): 
[testmaxm/via Auth-Type = mschap] (from client VPN1-UK port 1)


Any ideas why I did not get disconnected during the original session, as this 
is what I'm after?



FreeRadius2 Debug

.
.
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
value=11601138

++[monthlytraffic] returns ok
.
.

rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, 
id=47, length=140

   Acct-Session-Id = 4A8B6FA0721900
   User-Name = testmaxm
   Acct-Status-Type = Interim-Update
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Acct-Authentic = RADIUS
   Acct-Session-Time = 600
   Acct-Output-Octets = 37033544
   Acct-Input-Octets = 906612
   Acct-Output-Packets = 27837
   Acct-Input-Packets = 15791
   NAS-Port-Type = Async
   Framed-IP-Address = 192.168.0.29
   NAS-Identifier = aaa.bbb.ccc.ddd
   NAS-Port = 1
   Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
4A8B6FA0721900,User-Name = testmaxm'

[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819

[detail]expand: %t - Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} - testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
'%{Calling-Station-Id

Re: logging in bit or

2009-08-19 Thread Jonathan Gazeley

On 08/19/2009 09:45 AM, ganesh nagpure wrote:

Hi,
   

Hi Ganesh,

Is there any way to change the following thing from octets to bytes or bits?
   

Octets are the same thing as bytes.

If i want information about uplink and downlink bit/Bytes how do i get this 
information logged in radius log file.
   
It will show up in your accounting logs, if you enable accounting. I 
personally account to a MySQL database, and there is a column for 
acctinputoctets and acctoutputoctets for each session, that you can 
easily query.

Who will send this information to Freeradius BRAS?

   

What is BRAS?

Jonathan.


Freeradius authentication

2009-08-19 Thread Rundzio, Remi
I am presented with a scenario where I need to run freeradius with no
authentication (the system connecting to me is not sending credentials, just
blindly sends data).  Is it possible?  
 
When running the debug version of freeradius it does not require
authentication for incoming streams but it seems to timeout at random times
and shut down and a release version does not accept data without the sender
authenticating.
 
Thanks

Re: Freeradius authentication

2009-08-19 Thread John Dennis

On 08/19/2009 11:58 AM, Rundzio, Remi wrote:

I am presented with a scenario where I need to run freeradius with no
authentication (the system connecting to me is not sending credentials,
just blindly sends data). Is it possible?
When running the debug version of freeradius it does not require
authentication for incoming streams but it seems to timeout at random
times and shut down and a release version does not accept data without
the sender authenticating.
Thanks


This is a poorly formulated question, how about at least a couple of 
details, for instance the version of freeradius you're running, debug 
output, etc.


I have no clue what you mean by debug vs. release version because there 
is no difference, only a difference in command line args (and whether 
the process stays in the foreground, etc.)


There should be no difference in behavior between running debug mode.

Anyway, of course you can disable authentication, just force the 
Auth-Type to Accept (see raddb/sites-enabled/default). But one wonders 
why you would want to do this, why use any authentication at all? If 
this is only one pesky client then figure out how to identify the client 
uniquely and only force acceptance for exactly that one client.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
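
John's last point, as configuration: the blanket override next to one scoped to a single client. This is an added example, not from the thread; 192.0.2.10 is a constructed placeholder for the address of the one client that cannot send credentials.

```conf
# raddb/sites-enabled/default

# Weak: every request from every configured client is accepted,
# so nothing is authenticated any more.
#
# authorize {
#     update control {
#         Auth-Type := Accept
#     }
# }

# Scoped: only the one client that cannot send credentials is forced
# to Accept; requests from every other client are still decided by
# the normal modules.
authorize {
    preprocess
    files
    # ... the site's other authorize modules stay as they are ...

    # Placeholder address (constructed): replace with the real client.
    # The client must still be listed in clients.conf with its own
    # shared secret, so only that host's packets reach this check.
    if ("%{Client-IP-Address}" == "192.0.2.10") {
        update control {
            Auth-Type := Accept
        }
    }
}
```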


Accounting copying to specific systems

2009-08-19 Thread Joe Maimon

Certain systems need copies of accounting data, but I only want to send
a subset of accounting to the appropriate system. I don't want to change
 the way the server updates the sql accounting and local detail files.

I want something like this

acct.hints

DEFAULT Client-IP-Address == 1.2.3.4, Hint := FILTER-1
DEFAULT Client-IP-Address == 1.2.3.5, Hint := FILTER-1
DEFAULT Client-IP-Address == 5.6.7.8, Hint := FILTER-2
DEFAULT Client-IP-Address == 5.6.7.9, Hint := FILTER-2

acct.users

DEFAULT Hint == FILTER-1, Copy-To := filter-1-system
DEFAULT Hint == FILTER-2, Copy-To := filter-2-system

Where both filter-1-system and filter-2-system are defined in proxy.conf 
and obviously Copy-To is wishful thinking.


Am I headed in the right direction or is there a better way to do this?

Thanks,

Joe







Re: logging in bit or

2009-08-19 Thread ganesh nagpure
Hi Jonathan,

Thanks for your reply.

BRAS is 7206 cisco broadband RAS we are integrating with free radius.
We have two types of user, prepaid and post paid.
I am just wondering how can I define this in cisco-avpair += parameter.

I also want to define quota for uplink and down link; if this is exceeded user should 
disconnect from BRAS i.e 7206 .

Is it possible to do that?

BR
Ganesh

--- On Wed, 8/19/09, Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote:

 From: Jonathan Gazeley jonathan.gaze...@bristol.ac.uk
 Subject: Re: logging in bit or
 To: freeradius-users@lists.freeradius.org
 Date: Wednesday, August 19, 2009, 8:50 PM
 On 08/19/2009 09:45 AM, ganesh
 nagpure wrote:
  Hi,
     
 Hi Ganesh,
  Is there any way to change the following thing from
 octets to bytes or bits?
     
 Octets are the same thing as bytes.
  If i want information about uplink and downlink
 bit/Bytes how do i get this information logged in radius log
 file.
     
 It will show up in your accounting logs, if you enable
 accounting. I personally account to a MySQL database, and
 there is a column for acctinputoctets and acctoutputoctets
 for each session, that you can easily query.
  Who will send this information to Freeradius BRAS?
  
     
 What is BRAS?
 
 Jonathan.
 


  



Re: MAX-Monthly-Traffic V2 Post.

2009-08-19 Thread Alexandre Chapellon
 = 
 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
 4A8B6FA0721900,User-Name = testmaxm'
 [acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
 ++[acct_unique] returns ok
 [suffix] No '@' in User-Name = testmaxm, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 +- entering group accounting {...}
 [detail]expand: 
 /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
 /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
 to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
 [detail]expand: %t - Wed Aug 19 03:31:04 2009
 ++[detail] returns ok
 rlm_sql (sql): Reserving sql socket id: 1
 [sqlippool] expand: %{User-Name} - testmaxm
 [sqlippool] sql_set_user escaped user -- 'testmaxm'
 [sqlippool] expand: START TRANSACTION - START TRANSACTION
 rlm_sql_mysql: query:  START TRANSACTION
 [sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
 3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = 
 '%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid = 
 '%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}' - 
 UPDATE radippool  SET expiry_time = NOW() + INTERVAL 3600 SECOND  WHERE 
 nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND username = 
 'testmaxm'  AND callingstationid = ''  AND framedipaddress = '192.168.0.29'
 rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + INTERVAL 
 3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND 
 username = 'testmaxm'  AND callingstationid = ''  AND framedipaddress = 
 '192.168.0.29'
 [sqlippool] expand: COMMIT - COMMIT
 rlm_sql_mysql: query:  COMMIT
 rlm_sql (sql): Released sql socket id: 1
 ++[sqlippool] returns ok
 [sql]   expand: %{User-Name} - testmaxm
 [sql] sql_set_user escaped user -- 'testmaxm'
 [sql]   expand: %{Acct-Input-Gigawords} -
 [sql]   expand: %{Acct-Input-Octets} - 906612
 [sql]   expand: %{Acct-Output-Gigawords} -
 [sql]   expand: %{Acct-Output-Octets} - 37033544
 [sql]   expand:UPDATE radacct   SET 
 framedipaddress = '%{Framed-IP-Address}',  acctsessiontime = 
 '%{Acct-Session-Time}',  acctinputoctets = 
 '%{%{Acct-Input-Gigawords}:-0}' << 32 | 
 '%{%{Acct-Input-Octets}:-0}',  acctoutputoctets= 
 '%{%{Acct-Output-Gigawords}:-0}' << 32 | 
 '%{%{Acct-Output-Octets}:-0}'   WHERE acctsessionid = 
 '%{Acct-Session-Id}'   AND username= '%{SQL-User-Name}' 
 AND nasipaddress= '%{NAS-IP-Address}' -UPDATE radacct 
 SET  framedipaddress = '192.168.0.29', 
 acctsessiontime = '600',  acctinputoctets = '0' << 32 | 
 '906612',  acctoutputoctets= '0' << 32 | 
 '37033544'   WHERE acctsessionid = '4A8B6FA0721900'   AND 
 username= 'testmaxm'
 [sql]   expand: /var/log/radius/sqltrace.sql - /var/log/radius/sqltrace.sql
 rlm_sql (sql): Reserving sql socket id: 0
 rlm_sql_mysql: query: UPDATE radacct   SET 
 framedipaddress = '192.168.0.29',  acctsessiontime = '600', 
 acctinputoctets = '0' << 32 | 
 '906612',  acctoutputoctets= '0' << 32 | 
 '37033544'   WHERE acctsessionid = '4A8B6FA0721900'   AND 
 username= 'testmaxm'   AND nasipaddress= 
 'aaa.bbb.ccc.ddd'
 rlm_sql (sql): Released sql socket id: 0
 ++[sql] returns ok
 [attr_filter.accounting_response]   expand: %{User-Name} - testmaxm
  attr_filter: Matched entry DEFAULT at line 12
 ++[attr_filter.accounting_response] returns updated
 Sending Accounting-Response of id 47 to aaa.bbb.ccc.ddd port 53637
 Finished request 16.
 Cleaning up request 16 ID 47 with timestamp +1965
 Going to the next request
 Ready to process requests.
 
 
 Thx
 Nev
 
 
 CentOS 5.3
 pptpd 1.3.4 / ppp 2.4.4
 freeradius2 2.1.6
 radiusclient-ng 0.5.6
 daloRadius 0.9-8-SVN
  
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

attr_filter segfault

2009-08-19 Thread Alexander Clouter
Hi,

Only me...again doing things I probably should not do with FreeRADIUS.

The new config file I'm working on makes use of all the virtual 
server bits more thoroughly; a lot of my existing setup is in the 
non-virtual server setup.

What I'm doing is having all the authentication handled by an inner 
virtual server (shown below) whilst the authorisation is handled by the 
server that proxied the request to 'auth'.  This is to handle both MAC 
auth and EAP-TTLS requests.

I was trying to put in some sneaky LDAP avoiding shortcuts (I do not 
want to make any LDAP lookups until EAP is out the way, we use 
eDirectory's Universal Password so we use the LDAP module to extract the 
plaintext password) which speeds up the whole authentication.

So I decided to slap in an unwisely placed 'handled' and the attr_filter on 
the proxying server (in post-proxy) exploded.  The backtrace is below 
and I also slipped in a 'detail' and can see that the attribute value is 
pretty borked for 'Freeradius-Proxied-To'.

Now, I know what I have done is wrong, terrible and should not be done, 
however these things possibly point to other proper corner cases where 
FreeRADIUS could explode with a safe driver at the wheel :)

It all works fine though if I comment out the whole of the first 'if' 
statement block and remove the comments for the opening/closing/eap of 
the second lot.

If you need any more, you know who to pester :)

Cheers


server auth {
    authorize {
        if ( EAP-Message ) {
            eap
            handled
        }
#       if ( !EAP-Message ) {
            # we cannot have 'suffix' here as it makes the
            # virtual server (and the modules) think things
            # are going to get proxied and so PAP gives NOOP
            #
            # this would be unneeded if we could use
            # 'eduPersonPrincipalName' in the ldap module :(
            if ( User-Name =~ /^(.*)@.*$/ ) {
                update request {
                    Stripped-User-Name := "%{1}"
                }
            }

            ldap_auth
            pap
            chap
            mschap
#       }

#       eap
    }



 Sending proxied request internally to virtual server.
server auth {
+- entering group authorize {...}
++? if (EAP-Message )
? Evaluating (EAP-Message ) - TRUE
++? if (EAP-Message ) - TRUE
++- entering if (EAP-Message ) {...}
[eap] EAP packet type response id 0 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
+++[handled] returns handled
++- if (EAP-Message ) returns handled
} # server auth
Going to the next request
 Received proxied response code 0 from internal virtual server.
+- entering group post-proxy {...}
[detail]expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/freeradius/radacct/212.219.138.68/detail-20090819
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/freeradius/radacct/212.219.138.68/detail-20090819
[detail]expand: %t - Wed Aug 19 19:18:24 2009
[detail] Freeradius-Proxied-To = px?M???
++[detail] returns ok
[attr_filter.post-proxy]expand: %{Realm} - soas.ac.uk
 attr_filter: Matched entry DEFAULT at line 103

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f93458daae0 (LWP 6411)]
0x7f9340ac8cd0 in attr_filter_common (instance=<value optimized out>, 
request=0x146bb30, input=0x68)
at rlm_attr_filter.c:255
255 for (vp = *input; vp != NULL; vp = vp->next ) {
(gdb) where
#0  0x7f9340ac8cd0 in attr_filter_common (instance=<value optimized out>, 
request=0x146bb30, input=0x68)
at rlm_attr_filter.c:255
#1  0x00416399 in modcall (component=6, c=<value optimized out>, 
request=0x146bb30) at modcall.c:292
#2  0x004137c6 in indexed_modcall (comp=6, idx=<value optimized out>, 
request=0x146bb30) at modules.c:637
#3  0x0041cd3b in process_proxy_reply (request=0x146bb30) at 
event.c:1718
#4  0x0042080d in proxy_to_virtual_server (request=0x146bb30) at 
event.c:1966
#5  0x00420318 in request_post_handler (request=0x146bb30) at 
event.c:2236
#6  0x0042064d in radius_handle_request (request=0x146bb30, 
fun=0x7f93400b9d60 <rad_authenticate>)
at event.c:3740
#7  0x0041877d in thread_pool_addrequest (request=0x1, 
fun=0x7fff4d8e5620) at threads.c:824
#8  0x0041d2ce in event_socket_handler (xel=<value optimized out>, 
fd=<value optimized out>, 
ctx=<value optimized out>) at event.c:3358
#9  0x7f93454c34ab in fr_event_loop (el=0x1461000) at event.c:400
#10 0x00416ee7 in main (argc=2, argv=0x7fff4d8e85b8) at radiusd.c:398
(gdb) 



Wed Aug 19 19:18:24 2009

Re: MAX-Monthly-Traffic V2 Post.

2009-08-19 Thread Sajeewa Warnakulasuriya
 packet from host aaa.bbb.ccc.ddd port 53637,
id=47, length=140
Acct-Session-Id = 4A8B6FA0721900
User-Name = testmaxm
Acct-Status-Type = Interim-Update
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 600
Acct-Output-Octets = 37033544
Acct-Input-Octets = 906612
Acct-Output-Packets = 27837
Acct-Input-Packets = 15791
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.29
NAS-Identifier = aaa.bbb.ccc.ddd
NAS-Port = 1
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id =
4A8B6FA0721900,User-Name = testmaxm'
[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail]expand: %t - Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} - testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + INTERVAL
3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key =
'%{NAS-Port}'  AND username = '%{User-Name}'  AND callingstationid =
'%{Calling-Station-Id}'  AND framedipaddress = '%{Framed-IP-Address}' -
UPDATE radippool  SET expiry_time = NOW() + INTERVAL 3600 SECOND  WHERE
nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND username =
'testmaxm'  AND callingstationid = ''  AND framedipaddress = '192.168.0.29'
rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + INTERVAL
3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1'  AND
username = 'testmaxm'  AND callingstationid = ''  AND framedipaddress =
'192.168.0.29'
[sqlippool] expand: COMMIT - COMMIT
rlm_sql_mysql: query:  COMMIT
rlm_sql (sql): Released sql socket id: 1
++[sqlippool] returns ok
[sql]   expand: %{User-Name} - testmaxm
[sql] sql_set_user escaped user -- 'testmaxm'
[sql]   expand: %{Acct-Input-Gigawords} -
[sql]   expand: %{Acct-Input-Octets} - 906612
[sql]   expand: %{Acct-Output-Gigawords} -
[sql]   expand: %{Acct-Output-Octets} - 37033544
[sql]   expand:UPDATE radacct   SET
framedipaddress = '%{Framed-IP-Address}',  acctsessiontime =
'%{Acct-Session-Time}',  acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',  acctoutputoctets=
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'   WHERE acctsessionid =
'%{Acct-Session-Id}'   AND username= '%{SQL-User-Name}'
AND nasipaddress= '%{NAS-IP-Address}' -UPDATE radacct
SET  framedipaddress = '192.168.0.29',
acctsessiontime = '600',  acctinputoctets = '0' << 32 |
'906612',  acctoutputoctets= '0' << 32 |
'37033544'   WHERE acctsessionid = '4A8B6FA0721900'   AND
username= 'testmaxm'
[sql]   expand: /var/log/radius/sqltrace.sql - /var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: UPDATE radacct   SET
framedipaddress = '192.168.0.29',  acctsessiontime = '600',
acctinputoctets = '0' << 32 |
'906612',  acctoutputoctets= '0' << 32 |
'37033544'   WHERE acctsessionid = '4A8B6FA0721900'   AND
username= 'testmaxm'   AND nasipaddress=
'aaa.bbb.ccc.ddd'
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - testmaxm
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 47 to aaa.bbb.ccc.ddd port 53637
Finished request 16.
Cleaning up request 16 ID 47 with timestamp +1965
Going to the next request
Ready to process requests.


Thx
Nev


CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!

2009-08-19 Thread Hilton Guaraldi
Ok!!!

I will do all the changes

As soon as possible my new post.
Guaraldi

2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
 Hi,

 Hi ALL!!!

 Hi!

 ignore the tutorials.  install latest version from source...ensure
 /usr/local/etc/raddb or /etc/raddb doesn't exist before 'make install'

 then run the radiusd server...the first time it will make test
 certs. copy the CA.der server.der to the windows system and install as
 trusted certificates

 I defined users file like:
 guaraldi       Auth-Type := EAP, Cleartext-Password == mudar123

 wrong!

 change to

 guaraldi       Cleartext-Password := mudar123

 now, using the SSID of whatever you chose, and the SSL cert you just trusted
 ...it will work!


 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Some users getting duplicate NULL acctstoptime records in radacct

2009-08-19 Thread Kanwar Ranbir Sandhu
Hi All,

I have a weird problem with my freeradius 2.1.6 setup which I have not
yet been able to fix.  Actually, the problem is I don't understand what
the hell is going on.

I'm using mysql for storing auth and acct info.  I'm also using sql
based simultaneous use checking to prevent a user from logging in more
than once.

For the most part, things are working well. However, we see some people
with an already active session (acctstoptime is set to NULL) get logged
in again and then get a NEW row added to radacct with the acctstoptime
set to NULL.  So, effectively, freeradius shows TWO live sessions for
the same user.  When we check the NASes, we see two sessions for the
same user there as well.

I've run radius in debug mode, reviewed the logs, checked the configs,
and I'm still lost on this.  I do see people getting rejected when they
try to log in more than once, which tells me the simultaneous checking
is working.

I don't understand why this is happening. What I'd expect to happen if
accounting stop packets got lost would be the user getting rejected if
he/she tried to log in again, but definitely would NOT expect seeing a
NEW record in radacct with acctstoptime set to NULL.

So, how could this happen?  If it helps, I'm not using an ippool at the
moment.  I have IPs assigned to the user with entries in radreply
(framed-ip-address).

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux 
19:43:28 up 3 days, 20:40, 3 users, load average: 0.21, 0.39, 0.76 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MAX-Monthly-Traffic V2 Post

2009-08-19 Thread Neville

Hi Alex,


You are expecting an interim update to send session-timeout to your nas
so it disconnects your user?
If so, two things seem incorrect to me.

   1- You're measuring traffic volume and want disconnection to be set
based on time (session-timeout)... a bit tricky isn't it?


So VERY True, Too many late nights and I really do appreciate your input as 
this gave me food for thought and I now have EVERYTHING Working.


Both for Traffic & Session USAGE.

For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on 
sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the 
Access-Accept as this is supported by the ppp 2.4.4 NAS.


What I would like to know now, is how I can use sqlcounter to do a Month 
Calculation based on the date of the account being registered and NOT the 
Calendar Month?  Anyone?



   2- I think the attribute Session-Timeout cannot be found in
interim-updates packets (maybe I'm wrong), rfc 2869 specifies that: "It
is envisioned that an Interim Accounting record (with Acct-Status-Type =
Interim-Update (3)) would contain all of the attributes normally found
in an Accounting Stop message with the exception of the
Acct-Term-Cause attribute."

What you would need is an attribute known by your nas and representing
remaining traffic. That attribute should be sent at acct-start time and
would trigger a disconnection from the NAS when the traffic limit is
reached. If such an attribute does not exist for your NAS, you should
take a look at CoA server.
Maybe someone has a better idea...?

On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:



Cheers
Nev


CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


how to combine

2009-08-19 Thread Magui
Hello, I want to know how to combine user, password and telephone number to 
authenticate a user in order to give access to my network.
Please, I only need a superficial orientation, not detail.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Max Monthly Traffic

2009-08-19 Thread Goke Aruna

Neville wrote:

Hi everyone,
 
I'm trying to set up a new counter maxmonthlytraffic, but as soon as I 
connected, sql_counter sends reply to do a session timeout and I get 
disconnected.
 
This is what I've done so far...
 
I've added to ./raddb/sql/mysql/counter.conf
 
sqlcounter monthlytraffic {
    counter-name = Monthly-Traffic
    check-name = Max-Monthly-Traffic
    sqlmod-inst = sql
    key = User-Name
    reset = monthly

    query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
        FROM radacct WHERE username='%{%k}' AND \
        Month(acctstoptime) =(Month(NOW())) AND \
        Year(acctstoptime) = Year(NOW())"
}

authorize {
    ..
    monthlytraffic
}

instantiate {
    monthlytraffic
}

created a dictionary entry in daloradius as..

id                   9433
Type                 integer
Attribute            Max-Monthly-Traffic
Value                NULL
Format               NULL
Vendor               dictionary.freeradius.internal
RecommendedOP        :=
RecommendedTable     check
RecommendedHelper
RecommendedTooltip   Check Monthly Traffic Allowance


 
 
User created as testmaxm, with the following attributes set:-
 
*Check*

Simultaneous-Use := 1
Pool-Name := tvpool
Cleartext-Password := testmaxm
Max-Monthly-Traffic := 1049   (10Mb)   (If this is removed from the 
Check, the user connects fine, so everything else is working)
 
*Reply*

Framed-MTU = 1400
Framed-Protocol = PPP
Service-Type = Framed-User
Acct-Interim-Interval := 300(Every 5 mins for testing)
 
*Some Debug...*
 
rlm_sqlcounter: Check item is greater than query result

rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, 
value=11601138

++[monthlytraffic] returns ok
 
rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 
53637, id=47, length=140

Acct-Session-Id = 4A8B6FA0721900
User-Name = testmaxm
Acct-Status-Type = Interim-Update
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Authentic = RADIUS
Acct-Session-Time = 600
Acct-Output-Octets = 37033544
Acct-Input-Octets = 906612
Acct-Output-Packets = 27837
Acct-Input-Packets = 15791
NAS-Port-Type = Async
Framed-IP-Address = 192.168.0.29
NAS-Identifier = aaa.bbb.ccc.ddd
NAS-Port = 1
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 
4A8B6FA0721900,User-Name = testmaxm'

[acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = testmaxm, looking up realm NULL

[suffix] No such realm NULL
++[suffix] returns noop
+- entering group accounting {...}
[detail]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - 
/var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819

[detail]expand: %t - Wed Aug 19 03:31:04 2009
++[detail] returns ok
rlm_sql (sql): Reserving sql socket id: 1
[sqlippool] expand: %{User-Name} - testmaxm
[sqlippool] sql_set_user escaped user -- 'testmaxm'
[sqlippool] expand: START TRANSACTION - START TRANSACTION
rlm_sql_mysql: query:  START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET expiry_time = NOW() + 
INTERVAL 3600 SECOND  WHERE nasipaddress = '%{Nas-IP-Address}' AND 
pool_key = '%{NAS-Port}'  AND username = '%{User-Name}'  AND 
callingstationid = '%{Calling-Station-Id}'  AND framedipaddress = 
'%{Framed-IP-Address}' - UPDATE radippool  SET expiry_time = NOW() + 
INTERVAL 3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND 
pool_key = '1'  AND username = 'testmaxm'  AND callingstationid = ''  
AND framedipaddress = '192.168.0.29'
rlm_sql_mysql: query:  UPDATE radippool  SET expiry_time = NOW() + 
INTERVAL 3600 SECOND  WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND 
pool_key = '1'  AND username = 'testmaxm'  AND callingstationid = ''  
AND framedipaddress = '192.168.0.29'

[sqlippool] expand: COMMIT - COMMIT
rlm_sql_mysql: query:  COMMIT
rlm_sql (sql): Released sql socket id: 1
++[sqlippool] returns ok
[sql]   expand: %{User-Name} - testmaxm
[sql] sql_set_user escaped user -- 'testmaxm'
[sql]   expand: %{Acct-Input-Gigawords} -
[sql]   expand: %{Acct-Input-Octets} - 906612
[sql]   expand: %{Acct-Output-Gigawords} -
[sql]   expand: %{Acct-Output-Octets} - 37033544
[sql]   expand:UPDATE radacct   SET  
framedipaddress = '%{Framed-IP-Address}',  
acctsessiontime = '%{Acct-Session-Time}',  
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32

Re: MAX-Monthly-Traffic V2 Post

2009-08-19 Thread Alexandre Chapellon
On Thursday 20 August 2009 at 01:07 +0100, Neville wrote:

 Hi Alex,
 
  You are expecting an interim update to send session-timeout to your nas
  so it disconnects your user?
  If so, two things seem incorrect to me.
 
 1- You're measuring traffic volume and want disconnection to be set
  based on time (session-timeout)... a bit tricky isn't it?
 
 So VERY True, Too many late nights and I really do appreciate your input as 
 this gave me food for thought and I now have EVERYTHING Working.
 
 Both for Traffic & Session USAGE.
 
 For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on 
 sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the 
 Access-Accept as this is supported by the ppp 2.4.4 NAS.


Sessions-Octets-Limit!? How lucky you are to have nas devices allowing
such a cool feature! I'd love redback NASes to have the same type of
feature! (I will query the list.. maybe someone knows more about redback
devices)


 
 What I would like to know now, is how I can use sqlcounter to do a Month 
 Calculation based on the date of the account being registered and NOT the 
 Calendar Month?  Anyone?


More of an SQL query problem, I guess... I can't help here! :)


 
 2- I think the attribute Session-Timeout cannot be found in
  interim-updates packets (maybe I'm wrong), rfc 2869 specifies that: "It
  is envisioned that an Interim Accounting record (with Acct-Status-Type =
  Interim-Update (3)) would contain all of the attributes normally found
  in an Accounting Stop message with the exception of the
  Acct-Term-Cause attribute."
 
  What you would need is an attribute known by your nas and representing
  remaining traffic. That attribute should be sent at acct-start time and
  would trigger a disconnection from the NAS when the traffic limit is
  reached. If such an attribute does not exist for your NAS, you should
  take a look at CoA server.
  Maybe someone has a better idea...?
 
  On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:
 
 
 Cheers
 Nev
 
 
 CentOS 5.3
 pptpd 1.3.4 / ppp 2.4.4
 freeradius2 2.1.6
 radiusclient-ng 0.5.6
 daloRadius 0.9-8-SVN
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to control users traffic ?

2009-08-19 Thread Neville

Message: 2
Date: Tue, 14 Jul 2009 08:32:18 +0430
From: Eric bbah...@gmail.com
Subject: Re: How to control users traffic ?
To: freeradius-users@lists.freeradius.org
Message-ID:
38a27c8c0907132102w4d55ebfcmea079116add7b...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

freeradius-1.1.3-1.4 !!
Is it the reason of problem ?



I set  reply-name = Session-Octets-Limit in sqlcounter
but freeradius sends Session-Timeout in reply with value equal to  the
deduct of octets used until now from  check-name = Max-Input-Octets.
How should change the session-timeout to  Session-Octets-Limit in
auth-reply?


That shouldn't happen. What freeradius version? Post the debug from server
startup and request processing.

Ivan Kalik
Kalik Informatika ISP



Hi Ivan,

I have this working, other than that I cannot set a Session-Octets-Limit higher 
than 4Gb.


Is there any way to get around this as I'm allocating 5GB of Usage Per Month?

Max-Traffic-Monthly := 429497  (4Gb)

[monthlytraffic]expand: %{sql:SELECT 
(sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct 
WHERE username='test1000' AND Month(acctstoptime) 
=(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} - 0

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=4294967295, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, 
Type=Session-Octets-Limit, value=1029889

++[monthlytraffic] returns ok

Sending Access-Accept of id 144 to 193.33.186.190 port 46294
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 3600
   Session-Octets-Limit = 1029889

Session-Octets-Limited is set to 1Mb instead of 4Gb

   Framed-IP-Address = 192.168.0.22



Max-Traffic-Monthly := 42  (3.9Gb)

[monthlytraffic]expand: %{sql:SELECT 
(sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct 
WHERE username='test1000' AND Month(acctstoptime) 
=(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} - 0

rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user test1000, check_item=42, counter=0
rlm_sqlcounter: Sent Reply-Item for user test1000, 
Type=Session-Octets-Limit, value=4201030340

++[monthlytraffic] returns ok

Sending Access-Accept of id 98 to 193.33.186.190 port 34040
   Idle-Timeout := 1800
   Framed-MTU = 1488
   Framed-Protocol = PPP
   Service-Type = Framed-User
   Acct-Interim-Interval := 300
   Session-Timeout = 3600
   Session-Octets-Limit = 4201030340
   Framed-IP-Address = 192.168.0.23

Thx
Nev



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
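
The 4 GB ceiling reported in the post above matches the range of a 32-bit RADIUS integer attribute (the debug output shows check_item=4294967295), while the accounting UPDATE shown in this thread's debug output rebuilds 64-bit totals from each Gigawords/Octets pair. The following is an added example, not code from the thread or from FreeRADIUS: it models that arithmetic and one way to hand out a quota larger than 4 GiB without letting the value wrap. The function names, the dict field names, the reading of "5GB" as 5 GiB and the clamp policy are assumptions.

```python
import struct

U32_MAX = 0xFFFFFFFF  # largest value a 4-byte RADIUS "integer" attribute can hold


def octets_total(gigawords, octets):
    """Rebuild a 64-bit byte count from a Gigawords/Octets attribute pair.

    Gigawords counts how often the 32-bit Octets counter wrapped; an absent
    attribute is treated as 0, like the ':-0' default in the accounting SQL.
    """
    return ((gigawords or 0) << 32) | (octets or 0)


def pack_radius_integer(value):
    """Encode the 4-byte big-endian value field of a RADIUS integer attribute.

    Out-of-range values are refused rather than silently truncated.
    """
    if not 0 <= value <= U32_MAX:
        raise ValueError("%d does not fit in a 32-bit RADIUS integer" % value)
    return struct.pack("!I", value)


def truncated_u32(value):
    """What remains of a value if only its low 32 bits are kept."""
    return value & U32_MAX


def octet_limit_reply(quota_bytes, sessions):
    """Decide the per-session octet limit for a monthly quota.

    sessions: dicts with in_oct/out_oct and optional in_gw/out_gw, one per
    accounting row in the current period (hypothetical field names).
    Returns ("reject", 0) when the quota is used up, otherwise
    ("accept", limit) with limit clamped to what the attribute can carry.
    """
    used = sum(
        octets_total(s.get("in_gw"), s["in_oct"])
        + octets_total(s.get("out_gw"), s["out_oct"])
        for s in sessions
    )
    remaining = quota_bytes - used
    if remaining <= 0:
        return ("reject", 0)
    return ("accept", min(remaining, U32_MAX))


# Constructed sample data. The first row reuses the octet counts from the
# Interim-Update shown earlier on the page; the second is made up to
# exercise a wrapped output counter.
FIVE_GIB = 5 * 1024 ** 3  # assumption: "5GB" read as 5 GiB
PAGE_SESSION = {"in_oct": 906612, "out_oct": 37033544}
WRAPPED_SESSION = {"in_gw": 0, "in_oct": 0, "out_gw": 1, "out_oct": 1073741824}

if __name__ == "__main__":
    print(octet_limit_reply(FIVE_GIB, [PAGE_SESSION]))     # clamped limit
    print(octet_limit_reply(FIVE_GIB, [WRAPPED_SESSION]))  # quota exhausted
    print(truncated_u32(FIVE_GIB))                         # low 32 bits only
```

With the clamp, an allowance above the 32-bit range is still enforced across sessions: each session is capped at what the attribute can express, and the remainder is recomputed from accounting at the next login.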


redback nas

2009-08-19 Thread Alexandre Chapellon
Hello,

This is not really a freeradius related question... sorry about that.

Does anyone know about attributes supported by redback devices that
would allow disconnection of sessions based on the amount of traffic
transferred during the session and which could be set to higher than 4Gb?

thanks to any redback guru! :)