Re: Freeradius-Users Digest, Vol 52, Issue 87
Thanks Alan. But we have two accounting sections in default and buffered-sql. Do I need to enable sql module only in buffered-sql? And place buffered-sql in default 'accounting' section. I am confused...

Thanks,
Rams.

--
Message: 2
Date: Tue, 18 Aug 2009 23:29:47 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: accounting through detail module help
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi,

> Thanks Alan. I enabled detail module in accounting. details files were created under radacct clients directories. Just wanted to check if any module already available in freeradius to scan these detail files, parse and put attributes in mysql db every 2-3 mins?

sites-available/buffered-sql ?

just ensure that the sql stuff is configured correctly...link/copy it into sites-enabled and restart the daemon

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: segfault with regex and hint
Alexander Clouter wrote:
> I am running FreeRADIUS from git[1] about two days ago and found that by putting the following in my 'hints' file gives me the segfault shown below[2]. If I remove the end bit[3] then I do not get the segfault, but then I also do not get my comparison :) Any more information needed, then let me know.

I've committed a fix.

> Cheers
>
> [1] at commit 08baab6769fea367bda5dd006b659621bb9aac18 from yesterday-ish
> [2] strlcpy sourced from address 0x0
> [3] User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i
>
> DEFAULT NAS-Port-Type == Ethernet, User-Name == %{User-Password}, Calling-Station-Id =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i, User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i

Well... that really won't work. The regular expressions in the users file are just the strings:

    Foo =~ a*b

NOT

    Foo =~ /a*b/i

If you want policies that are slightly complicated, use unlang. Really. Delete these entries from the hints file, and replace them with unlang-style policies.

Alan DeKok.
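What Alan's suggestion could look like for the MAC-auth check in the hints entry above, written as an unlang policy in the authorize section. This is an added sketch, not configuration from the thread or from the FreeRADIUS distribution; the Hint value is hypothetical, and it assumes the server accepts the /i flag and expands %{1} to %{6} inside the second pattern, which is worth confirming with radiusd -X on the version in use.

```conf
authorize {
	preprocess

	# MAC authentication as the hints entry tried to detect it: a wired
	# port, a password identical to the user name, and a user name equal
	# to the six octets of Calling-Station-Id with separators removed.
	if ((NAS-Port-Type == Ethernet) && (User-Name == "%{User-Password}")) {

		# Unlike the users/hints files, unlang writes the pattern
		# between slashes.  A successful match fills %{1} .. %{6}.
		if (Calling-Station-Id =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i) {

			# Assumption: the captures are expanded in this pattern
			# before it is compiled.
			if (User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
				update request {
					# Hypothetical marker for later policy to test.
					Hint := "mac-auth"
				}
			}
		}
	}

	# ... remaining authorize modules ...
}
```

Requests that fail any of the three tests simply carry no Hint, so later policy should treat a missing Hint as "not MAC auth" rather than as an error.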
Re:
RANDRIAMAMPIONONA José Johnny wrote:
> Hi All, I have suffered enough, now I'd like to expose my nightmare. Freeradius-server-2.1.6 + OpenLdap. Both of the servers work perfectly, there is no firewall between them or something that can block the traffic: All Correct! but the server still has no response with the weird radclient message! At the radius debug, authentication is mentioned as successfully (bind was successfully). What's going on?

Post the debug output as suggested in the FAQ, README, INSTALL, man page, and daily on this list.

Alan DeKok.
Re: Unlang Question/Problem
Garber, Neal wrote:
> I’m running FR 2.1.6 with patches to rlm_mschap rlm_eap_mschapv2 to correct a problem with case-sensitive userids.

Ok...

> First, if I didn’t include “updated” after the “update request” actions, then it would return reject. Is that normal (I didn’t call a module in there)?

Yes... it goes back to historical behavior, and the default return codes when the authenticate section is being processed.

> Should the unlang be outside of the “Auth-Type MS-CHAP” block?

No. It MUST be inside.

> Also, Ntlm-Auth-Username is expanded, there’s a “[request] returns reject”. I think this is the source of the problem, but I don’t understand where the reject is coming from.

Hm... I'm not sure, either.

> The mschap module that follows returns OK, but the subsequent eap-comodo module returns reject with no explanation in the debug. Do I need something like:

No, that won't help. It looks like the EAP-MSCHAPv2 module is either NOT being run, or something else isn't generating an appropriate EAP packet as a reply. That's why the eap-comodo module returns reject.

I suggest starting off with a *simpler* configuration. Much of that unlang could be put into the authorize section, I think.

Alan DeKok.
Re: How could I assign an IP to a client.
Rokkhan wrote:
> Hello, I want to know if it is possible to assign IP to clients with the freeradius. I have tried to do this with a Sql user and setting Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 values in radreply but it doesn't work. The client always takes the IP from a DHCP server.

That's how networks work. It is IMPOSSIBLE to send an IP back when PEAP is being used.

Alan DeKok.
Re: accounting through detail module help
Thanks Alan. Sorry for posting again. But we have two accounting sections in default and buffered-sql. Do I need to enable sql module only in buffered-sql? And place buffered-sql in default 'accounting' section. I am confused... which file section will be processed.

Thanks,
Rams.

--
Message: 2
Date: Tue, 18 Aug 2009 23:29:47 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: accounting through detail module help
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi,

> Thanks Alan. I enabled detail module in accounting. details files were created under radacct clients directories. Just wanted to check if any module already available in freeradius to scan these detail files, parse and put attributes in mysql db every 2-3 mins?

sites-available/buffered-sql ?

just ensure that the sql stuff is configured correctly...link/copy it into sites-enabled and restart the daemon

alan
logging in bit or
Hi,

Is there any way to change the following thing from octets to bytes or bits? For example Acct-Input-Bytes/Bits or Acct-Output-Bytes/Bits

    Acct-Session-Time = 58392
    Acct-Input-Octets = 101147
    Acct-Output-Octets = 136624
    Acct-Input-Packets = 7723
    Acct-Output-Packets = 8367

Where should I configure, in BRAS or in Freeradius? If I want information about uplink and downlink bits/bytes, how do I get this information logged in radius log file? Who will send this information to Freeradius BRAS?

BR
Ganesh
Re: accounting through detail module help
Hi,

    default {
        preacct {
            preprocess
            acct_unique
            suffix
            files
        }
        accounting {
            if (Acct-Status-Type == 'Stop') {
                detail
            }
            radutmp
            attr_filter.accounting_response
            Acct-Type Status-Server {
            }
        }
    }

    buffered-sql {
        preacct {
            preprocess
            acct_unique
            files
        }
        accounting {
            sql
        }
    }

Which accounting section needs to be activated? Is this configuration correct? Please help.

Thanks,
Rams.

Message: 2
Date: Tue, 18 Aug 2009 23:29:47 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: accounting through detail module help
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Hi,

> Thanks Alan. I enabled detail module in accounting. details files were created under radacct clients directories. Just wanted to check if any module already available in freeradius to scan these detail files, parse and put attributes in mysql db every 2-3 mins?

sites-available/buffered-sql ?

just ensure that the sql stuff is configured correctly...link/copy it into sites-enabled and restart the daemon

alan
Re: segfault with regex and hint
Hi, Long time no see. Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: You using ProCurve NAS then? Or have other people started using Service-Type = 'Call-Check' to hint at Mac-Auth? Cisco always have from what I can tell, well since they introduced mac auth back roughly two or so years ago...that is how long it's been in my config for. Cheers -- Alexander Clouter .sigmonster says: Keep your boss's boss off your boss's back. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Enabling debugging option for compiling 1.1.0 version
Dear All,

Can anybody help me in enabling the debug option for freeradius 1.1.0 version? Need to analyze a portion of the code for understanding and enhancing. Hence I want the debug enabling to be done at compile time.

Regards
Debasish Mohapatro
Communication and Embedded System
LARSEN TOUBRO INFOTECH LIMITED. BANGALORE-560071 INDIA
ph:- +91-80-66242424 ext-2047
Re: segfault with regex and hint
> Hi,
>
> Long time no see.

Indeed.

> Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>> You using ProCurve NAS then? Or have other people started using Service-Type = 'Call-Check' to hint at Mac-Auth?
>
> Cisco always have from what I can tell, well since they introduced mac auth back roughly two or so years ago...that is how long it's been in my config for.

Ah, so that's who they were copying. It makes it easier to be sure the NAS really is requesting MAC-Auth when it includes that Service-Type attribute.

Nice condition btw, very compact :)

-Arran

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: MSChap via ntlm_auth problem
Hi, I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it: Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for BAS with NT-Password [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS [mschap] mschap2: bb [mschap]expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214 [mschap]expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok ntlm_auth comands is the same on both hosts. The difference is Exec-Program output: Why? Thanks, Anton. 2009/8/18 Anton Brinyov anton.brin...@gmail.com: 2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk: Hi, The problem appears in any case - with or without require-membership option. which version of SAMBA are you running? Latest version is known to have issues - they've changed things with its output. I use samba 3.0.35 on FreeBSD 7.2 box. 
also, recommend you change the command to have this instead --username=%{Stripped-User-Name:-%{User-Name:-None}} that'll get rid of that annoying output error I have the following command: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} If I call it from shell with options from radius request - I get result: # /usr/local/bin/ntlm_auth --request-nt-key --require-membership-of=CENTAURA+InternetUsers --username=BAS --challenge=6b6f49357dccee7c --nt-response=ce2480f1e35c222a4d3481b83ee78854094394517f29d9ec NT_KEY: A9B342EC3E218E54A330556C468415CD What can I do for getting some details about error? clutching at straws maybe escape the + in your command (ie \+ ? /clutching *The problem appears in any case - with or without require-membership option.* The command can be looked like ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} And output is the same as in previous case. Thanks, Anton - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dumping radius queries
Hi all,

I am on the way to migrate a freeRadius V1 to a V2. I would like to log the queries submitted to the running V1, so that I could test them via 'radclient' to the V2, before switching to production stage. So, on a V1.4, what kind of logging should I enable in order to have a dump of all the queries?

Thank you

--
IT Architect at Blueline/Gulfsat: System Administration, Research and Development +261 34 29 155 34
Re: accounting through detail module help
hi,

the default server will call detail

the buffered-sql should call the actual SQL module to do the work.

this means default server spews packet data to detail file, the buffered-sql then reads that data and chucks into SQL

alan
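The split Alan describes, laid out as FreeRADIUS 2.x configuration. This is an added example, not configuration posted to the list: the instance name detail_sql and the buffered-sql directory are hypothetical, and the listen settings follow the general shape of the stock sites-available/buffered-sql, so compare them with the copy shipped with your version.

```conf
# --- raddb/modules/detail_sql (hypothetical instance name) ---
# A detail writer dedicated to the SQL reader.  One directory, no
# per-client subdirectories, so a single wildcard can find every file.
detail detail_sql {
	detailfile = ${radacctdir}/buffered-sql/detail-%Y%m%d:%H
	detailperm = 0600	# accounting records are readable by radiusd only
}

# --- raddb/sites-enabled/default: packets arriving from the NAS ---
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	# Written unconditionally so Start, Interim-Update and Stop records
	# all reach the database.  The NAS gets its reply as soon as the
	# record is on disk, whether or not MySQL is reachable.
	detail_sql
	radutmp
	attr_filter.accounting_response
	# No "sql" here: the database is written by the reader below.
}

# --- raddb/sites-enabled/buffered-sql: reads the files back in ---
server buffered-sql {
	listen {
		type = detail
		# Must match the detailfile written above.  Only ONE listen
		# section may read from a given directory.
		filename = ${radacctdir}/buffered-sql/detail-*:*
		load_factor = 10
	}
	preacct {
		preprocess
		acct_unique
		files
	}
	accounting {
		sql	# the only place sql runs for accounting
	}
}
```

Both sites are active at once: the default server answers the NAS, and the buffered-sql server is driven by its detail listener rather than by network packets.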
Re: Enabling debugging option for compiling 1.1.0 version
Hi,

> Can anybody help me in enabling the debug option for freeradius 1.1.0 version. Need to analyze a portion of the code for understanding and enhancing. Hence i want the debug enabling to be done compile time

understand and enhance the latest release - 2.1.6

1.1.0 is so old that what you're looking at may have already been fixed/upgraded

alan
Re: MSChap via ntlm_auth problem
Hi, I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it: Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for BAS with NT-Password [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap]expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS [mschap] mschap2: bb [mschap]expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214 [mschap]expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok ntlm_auth comands is the same on both hosts. The difference is Exec-Program output: Why? your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MSChap via ntlm_auth problem
Here my sites-enabled/default and sites-enabled/inner-tunnel files. Thanks, Anton 2009/8/19 Alan Buxey a.l.m.bu...@lboro.ac.uk: Hi, I have another freeradius host (freeradius 2.1.3) with the same authentication scheme. I look at debug output on it: Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for BAS with NT-Password [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} - --username=BAS [mschap] mschap2: bb [mschap] expand: --challenge=%{mschap:Challenge:-00} - --challenge=205180e1818e1214 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=0a9b4e0053367b750904915b08aa65b792be3274e312aa78 Exec-Program output: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program-Wait: plaintext: NT_KEY: A9B342EC3E218E54A330556C468415CD Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok ntlm_auth comands is the same on both hosts. The difference is Exec-Program output: Why? your previous emails only listed the mschap module and radiusd.conf - but not the sites-enabled/default or sites-enabled/inner-tunnel files. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html default Description: Binary data inner-tunnel Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
MAX-Monthly-Traffic V2 Post.
Hi everyone,

I've decided to submit this question again as it was not quite worded correctly, and to send as PLAIN TEXT.

I'm trying to set up a new counter maxmonthlytraffic, which uses the same method to disconnect a user by sending the Session-Timeout Reply Attribute as with MAX-ALL-Sessions. This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

    sqlcounter monthlytraffic {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        sqlmod-inst = sql
        key = User-Name
        reset = monthly
        query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
            FROM radacct WHERE username='%{%k}' AND \
            Month(acctstoptime) =(Month(NOW())) AND \
            Year(acctstoptime) = Year(NOW())"
    }

    authorize {
        .
        monthlytraffic
        .
    }

    instantiate {
        .
        monthlytraffic
        .
    }

Created a dictionary entry in daloradius database of:-

    id                  9433
    Type                integer
    Attribute           Max-Monthly-Traffic
    Value               NULL
    Format              NULL
    Vendor              dictionary.freeradius.internal
    RecommendedOP       :=
    RecommendedTable    check
    RecommendedHelper
    RecommendedTooltip  Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:-

Check

    Simultaneous-Use := 1
    Pool-Name := tvpool
    Cleartext-Password := testmaxm
    Max-Monthly-Traffic := 1049 (10Mb) (If this is removed from the Check, the user connects fine, so everything else is working)

Reply

    Framed-MTU = 1400
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Acct-Interim-Interval := 300 (Every 5 mins for testing)

Although this seems to be working on the initial Connection, it does not send the Session Time Out Reply during the Interim Acct Updates if the Usage has exceeded. From the Debug below, the usage is shown as 37940156 during an Acct Update e.g. 906612 + 3733544 and is more than the initial check value of Max-Monthly-Traffic := 1049, so I would have expected a Session-Timeout Reply to be sent. However this is working ok on disconnect and reconnect, as I get...
rlm_sqlcounter: (Check item - counter) is less than zero rlm_sqlcounter: Rejected user testmaxm, check_item=1049, counter=89021682 ++[monthlytraffic] returns reject Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): [testmaxm/via Auth-Type = mschap] (from client VPN1-UK port 1) rlm_sqlcounter: (Check item - counter) is less than zero rlm_sqlcounter: Rejected user testmaxm, check_item=1049, counter=89021682 ++[monthlytraffic] returns reject Invalid user (rlm_sqlcounter: Maximum monthly usage time reached): [testmaxm/via Auth-Type = mschap] (from client VPN1-UK port 1) Any Ideas why I did not get disconnect during the original session as this is what I'm after. FreeRadius2 Debug . . rlm_sqlcounter: Check item is greater than query result rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411 rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, value=11601138 ++[monthlytraffic] returns ok . . rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, id=47, length=140 Acct-Session-Id = 4A8B6FA0721900 User-Name = testmaxm Acct-Status-Type = Interim-Update Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS Acct-Session-Time = 600 Acct-Output-Octets = 37033544 Acct-Input-Octets = 906612 Acct-Output-Packets = 27837 Acct-Input-Packets = 15791 NAS-Port-Type = Async Framed-IP-Address = 192.168.0.29 NAS-Identifier = aaa.bbb.ccc.ddd NAS-Port = 1 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm' [acct_unique] Acct-Unique-Session-ID = 049e959019a363e4. 
++[acct_unique] returns ok [suffix] No '@' in User-Name = testmaxm, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop +- entering group accounting {...} [detail]expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819 [detail]expand: %t - Wed Aug 19 03:31:04 2009 ++[detail] returns ok rlm_sql (sql): Reserving sql socket id: 1 [sqlippool] expand: %{User-Name} - testmaxm [sqlippool] sql_set_user escaped user -- 'testmaxm' [sqlippool] expand: START TRANSACTION - START TRANSACTION rlm_sql_mysql: query: START TRANSACTION [sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id
Re: logging in bit or
On 08/19/2009 09:45 AM, ganesh nagpure wrote:
> Hi,

Hi Ganesh,

> Is there any way to change the following thing from octets to bytes or bits?

Octets are the same thing as bytes.

> If I want information about uplink and downlink bits/bytes, how do I get this information logged in radius log file.

It will show up in your accounting logs, if you enable accounting. I personally account to a MySQL database, and there is a column for acctinputoctets and acctoutputoctets for each session, that you can easily query.

> Who will send this information to Freeradius BRAS?

What is BRAS?

Jonathan.
Freeradius authentication
I am presented with a scenario where I need to run freeradius with no authentication (the system connecting to me is not sending credentials, just blindly sends data). Is it possible? When running the debug version of freeradius it does not require authentication for incoming streams but it seems to timeout at random times and shut down and a release version does not accept data without the sender authenticating. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius authentication
On 08/19/2009 11:58 AM, Rundzio, Remi wrote:
> I am presented with a scenario where I need to run freeradius with no authentication (the system connecting to me is not sending credentials, just blindly sends data). Is it possible? When running the debug version of freeradius it does not require authentication for incoming streams but it seems to timeout at random times and shut down and a release version does not accept data without the sender authenticating. Thanks

This is a poorly formulated question, how about at least a couple of details, for instance the version of freeradius you're running, debug output, etc. I have no clue what you mean by debug vs. release version because there is no difference, only a difference in command line args (and whether the process stays in the foreground, etc.) There should be no difference in behavior between running debug mode.

Anyway, of course you can disable authentication, just force the Auth-Type to Accept (see raddb/sites-enabled/default). But one wonders why you would want to do this, why use any authentication at all? If this is only one pesky client then figure out how to identify the client uniquely and only force acceptance for exactly that one client.

--
John Dennis jden...@redhat.com
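John's closing advice as configuration, with the catch-all form beside the scoped one. This is an added example, not configuration from the thread; 192.0.2.10 is a constructed documentation address standing in for the one client that sends no credentials, and the trailing module list is only a placeholder for whatever the site already runs.

```conf
# Weak: a catch-all in raddb/users accepts every request from every
# client that knows a shared secret.
#
#	DEFAULT	Auth-Type := Accept
#
# Scoped: in the authorize section of raddb/sites-enabled/default,
# skip authentication only for packets from the one known client.
authorize {
	preprocess

	# Client-IP-Address is the source address of the packet, not the
	# NAS-IP-Address attribute, which the sender chooses itself.
	if ("%{Client-IP-Address}" == "192.0.2.10") {	# constructed address
		update control {
			Auth-Type := Accept
		}
	}

	# Every other client falls through to the normal modules and must
	# present valid credentials.
	files
	pap
}

# The exempted client still needs its own entry and shared secret in
# clients.conf; packets from unknown sources are dropped before any of
# the policy above is evaluated.
```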
Accounting copying to specific systems
Certain systems need copies of accounting data, but I only want to send a subset of accounting to the appropriate system. I don't want to change the way the server updates the sql accounting and local detail files. I want something like this

acct.hints

    DEFAULT Client-IP-Address == 1.2.3.4, Hint := FILTER-1
    DEFAULT Client-IP-Address == 1.2.3.5, Hint := FILTER-1
    DEFAULT Client-IP-Address == 5.6.7.8, Hint := FILTER-2
    DEFAULT Client-IP-Address == 5.6.7.9, Hint := FILTER-2

acct.users

    DEFAULT Hint == FILTER-1, Copy-To := filter-1-system
    DEFAULT Hint == FILTER-2, Copy-To := filter-2-system

Where both filter-1-system and filter-2-system are defined in proxy.conf and obviously Copy-To is wishful thinking. Am I headed in the right direction or is there a better way to do this?

Thanks,
Joe
Re: logging in bit or
Hi Jonathan,

Thanks for your reply. BRAS is 7206 cisco broadband RAS we are integrating with free radius. We have two types of user, prepaid and post paid. I am just wondering how I can define this in cisco-avpair += parameter. I also want to define quota for uplink and downlink; if this is exceeded, user should disconnect from BRAS i.e. 7206. Is it possible to do that?

BR
Ganesh

--- On Wed, 8/19/09, Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote:

> From: Jonathan Gazeley jonathan.gaze...@bristol.ac.uk
> Subject: Re: logging in bit or
> To: freeradius-users@lists.freeradius.org
> Date: Wednesday, August 19, 2009, 8:50 PM
>
> On 08/19/2009 09:45 AM, ganesh nagpure wrote:
>> Hi,
>
> Hi Ganesh,
>
>> Is there any way to change the following thing from octets to bytes or bits?
>
> Octets are the same thing as bytes.
>
>> If I want information about uplink and downlink bits/bytes, how do I get this information logged in radius log file.
>
> It will show up in your accounting logs, if you enable accounting. I personally account to a MySQL database, and there is a column for acctinputoctets and acctoutputoctets for each session, that you can easily query.
>
>> Who will send this information to Freeradius BRAS?
>
> What is BRAS?
>
> Jonathan.
Re: MAX-Monthly-Traffic V2 Post.
= 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm' [acct_unique] Acct-Unique-Session-ID = 049e959019a363e4. ++[acct_unique] returns ok [suffix] No '@' in User-Name = testmaxm, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop +- entering group accounting {...} [detail]expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819 [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819 [detail]expand: %t - Wed Aug 19 03:31:04 2009 ++[detail] returns ok rlm_sql (sql): Reserving sql socket id: 1 [sqlippool] expand: %{User-Name} - testmaxm [sqlippool] sql_set_user escaped user -- 'testmaxm' [sqlippool] expand: START TRANSACTION - START TRANSACTION rlm_sql_mysql: query: START TRANSACTION [sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' - UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29' rlm_sql_mysql: query: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29' [sqlippool] expand: COMMIT - COMMIT rlm_sql_mysql: query: COMMIT rlm_sql (sql): Released sql socket id: 1 ++[sqlippool] returns ok [sql] expand: %{User-Name} - testmaxm [sql] sql_set_user escaped user -- 'testmaxm' [sql] expand: %{Acct-Input-Gigawords} - [sql] expand: %{Acct-Input-Octets} - 906612 [sql] expand: %{Acct-Output-Gigawords} - [sql] expand: 
%{Acct-Output-Octets} - 37033544 [sql] expand:UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets= '%{%{Acct-Output-Gigawords}:-0}' 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username= '%{SQL-User-Name}' AND nasipaddress= '%{NAS-IP-Address}' -UPDATE radacct SET framedipaddress = '192.168.0.29', acctsessiontime = '600', acctinputoctets = '0' 32 | '906612', acctoutputoctets= '0' 32 | '37033544' WHERE acctsessionid = '4A8B6FA0721900' AND username= 'testmaxm' [sql] expand: /var/log/radius/sqltrace.sql - /var/log/radius/sqltrace.sql rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: UPDATE radacct SET framedipaddress = '192.168.0.29', acctsessiontime = '600', acctinputoctets = '0' 32 | '906612', acctoutputoctets= '0' 32 | '37033544' WHERE acctsessionid = '4A8B6FA0721900' AND username= 'testmaxm' AND nasipaddress= 'aaa.bbb.ccc.ddd' rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok [attr_filter.accounting_response] expand: %{User-Name} - testmaxm attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 47 to aaa.bbb.ccc.ddd port 53637 Finished request 16. Cleaning up request 16 ID 47 with timestamp +1965 Going to the next request Ready to process requests. Thx Nev CentOS 5.3 pptpd 1.3.4 / ppp 2.4.4 freeradius2 2.1.6 radiusclient-ng 0.5.6 daloRadius 0.9-8-SVN - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
attr_filter segfault
Hi,

Only me...again doing things I probably should not do with FreeRADIUS.

The new config file I'm working on makes use of all the virtual server bits more throughier, a lot of my existing setup is in the non-virtual server setup. What I'm doing is having all the authentication handled by an inner virtual server (shown below) whilst the authorisation is handled by the server that proxied the request to 'auth'. This is to handle both MAC auth and EAP-TTLS request.

I was trying to put in some sneaky LDAP avoiding shortcuts (I do not want to make any LDAP lookups until EAP is out the way, we use eDirectory's Universal Password so we use the LDAP module to extract the plaintext password) which speeds up the whole authentication.

So I decided to slap in unwisely placed 'handled' and the attr_filter on the proxying server (in post-proxy) exploded. The backtrace is below and I also slipped in a 'detail' and can see that the attribute value is pretty borked for 'Freeradius-Proxied-To'.

Now, I know what I have done is wrong, terrible and should not be done, however these things possibly point to other proper corner cases where FreeRADIUS could explode with a safe driver at the wheel :)

It all works fine though if I comment out the whole of the first 'if' statement block and remove the comments for the opening/closing/eap of the second lot.

If you need any more, you know who to pester :)

Cheers

    server auth {
        authorize {
            if ( EAP-Message ) {
                eap
                handled
            }

    #       if ( !EAP-Message ) {
                # we cannot have 'suffix' here as it makes the
                # virtual server (and the modules) think things
                # are going to get proxied and so PAP gives NOOP
                #
                # this would be unneeded if we could use
                # 'eduPersonPrincipalName' in the ldap module :(
                if ( User-Name =~ /^(.*)@.*$/ ) {
                    update request {
                        Stripped-User-Name := %{1}
                    }
                }

                ldap_auth

                pap
                chap
                mschap
    #       }
    #       eap
        }

    Sending proxied request internally to virtual server.
    server auth {
    +- entering group authorize {...}
    ++? if (EAP-Message )
    ? Evaluating (EAP-Message ) -> TRUE
    ++? if (EAP-Message ) -> TRUE
    ++- entering if (EAP-Message ) {...}
    [eap] EAP packet type response id 0 length 16
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    +++[handled] returns handled
    ++- if (EAP-Message ) returns handled
    } # server auth
    Going to the next request
    Received proxied response code 0 from internal virtual server.
    +- entering group post-proxy {...}
    [detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/212.219.138.68/detail-20090819
    [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/212.219.138.68/detail-20090819
    [detail] expand: %t -> Wed Aug 19 19:18:24 2009
    [detail] Freeradius-Proxied-To = px?M???
    ++[detail] returns ok
    [attr_filter.post-proxy] expand: %{Realm} -> soas.ac.uk
    attr_filter: Matched entry DEFAULT at line 103

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7f93458daae0 (LWP 6411)]
    0x7f9340ac8cd0 in attr_filter_common (instance=<value optimized out>, request=0x146bb30, input=0x68) at rlm_attr_filter.c:255
    255         for (vp = *input; vp != NULL; vp = vp->next ) {
    (gdb) where
    #0  0x7f9340ac8cd0 in attr_filter_common (instance=<value optimized out>, request=0x146bb30, input=0x68) at rlm_attr_filter.c:255
    #1  0x00416399 in modcall (component=6, c=<value optimized out>, request=0x146bb30) at modcall.c:292
    #2  0x004137c6 in indexed_modcall (comp=6, idx=<value optimized out>, request=0x146bb30) at modules.c:637
    #3  0x0041cd3b in process_proxy_reply (request=0x146bb30) at event.c:1718
    #4  0x0042080d in proxy_to_virtual_server (request=0x146bb30) at event.c:1966
    #5  0x00420318 in request_post_handler (request=0x146bb30) at event.c:2236
    #6  0x0042064d in radius_handle_request (request=0x146bb30, fun=0x7f93400b9d60 <rad_authenticate>) at event.c:3740
    #7  0x0041877d in thread_pool_addrequest (request=0x1, fun=0x7fff4d8e5620) at threads.c:824
    #8  0x0041d2ce in event_socket_handler (xel=<value optimized out>, fd=<value optimized out>, ctx=<value optimized out>) at event.c:3358
    #9  0x7f93454c34ab in fr_event_loop (el=0x1461000) at event.c:400
    #10 0x00416ee7 in main (argc=2, argv=0x7fff4d8e85b8) at radiusd.c:398
    (gdb)

    Wed Aug 19 19:18:24 2009
Re: MAX-Monthly-Traffic V2 Post.
    packet from host aaa.bbb.ccc.ddd port 53637, id=47, length=140
        Acct-Session-Id = 4A8B6FA0721900
        User-Name = testmaxm
        Acct-Status-Type = Interim-Update
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        Acct-Session-Time = 600
        Acct-Output-Octets = 37033544
        Acct-Input-Octets = 906612
        Acct-Output-Packets = 27837
        Acct-Input-Packets = 15791
        NAS-Port-Type = Async
        Framed-IP-Address = 192.168.0.29
        NAS-Identifier = aaa.bbb.ccc.ddd
        NAS-Port = 1
        Acct-Delay-Time = 0
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm'
    [acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = testmaxm, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    +- entering group accounting {...}
    [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
    [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
    [detail] expand: %t -> Wed Aug 19 03:31:04 2009
    ++[detail] returns ok
    rlm_sql (sql): Reserving sql socket id: 1
    [sqlippool] expand: %{User-Name} -> testmaxm
    [sqlippool] sql_set_user escaped user --> 'testmaxm'
    [sqlippool] expand: START TRANSACTION -> START TRANSACTION
    rlm_sql_mysql: query: START TRANSACTION
    [sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
    rlm_sql_mysql: query: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
    [sqlippool] expand: COMMIT -> COMMIT
    rlm_sql_mysql: query: COMMIT
    rlm_sql (sql): Released sql socket id: 1
    ++[sqlippool] returns ok
    [sql] expand: %{User-Name} -> testmaxm
    [sql] sql_set_user escaped user --> 'testmaxm'
    [sql] expand: %{Acct-Input-Gigawords} ->
    [sql] expand: %{Acct-Input-Octets} -> 906612
    [sql] expand: %{Acct-Output-Gigawords} ->
    [sql] expand: %{Acct-Output-Octets} -> 37033544
    [sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets= '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username= '%{SQL-User-Name}' AND nasipaddress= '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '192.168.0.29', acctsessiontime = '600', acctinputoctets = '0' << 32 | '906612', acctoutputoctets= '0' << 32 | '37033544' WHERE acctsessionid = '4A8B6FA0721900' AND username= 'testmaxm'
    [sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
    rlm_sql (sql): Reserving sql socket id: 0
    rlm_sql_mysql: query: UPDATE radacct SET framedipaddress = '192.168.0.29', acctsessiontime = '600', acctinputoctets = '0' << 32 | '906612', acctoutputoctets= '0' << 32 | '37033544' WHERE acctsessionid = '4A8B6FA0721900' AND username= 'testmaxm' AND nasipaddress= 'aaa.bbb.ccc.ddd'
    rlm_sql (sql): Released sql socket id: 0
    ++[sql] returns ok
    [attr_filter.accounting_response] expand: %{User-Name} -> testmaxm
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 47 to aaa.bbb.ccc.ddd port 53637
    Finished request 16.
    Cleaning up request 16 ID 47 with timestamp +1965
    Going to the next request
    Ready to process requests.

Thx
Nev

CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN
Re: XP client can not authenticate in Radius Server - HELP ME PLEASE!!!!!!!!!!!!!
Ok!!! I will do all the changes

As soon as possible my new post.

Guaraldi

2009/8/18 Alan Buxey a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> Hi ALL!!!
>
> Hi!
>
> ignore the tutorials. install latest version from source...ensure /usr/local/etc/raddb or /etc/raddb doesn't exist before 'make install' then run the radiusd server...the first time it will make test certs. copy the CA.der server.der to the windows system and install as trusted certificates
>
>> I defined users file like:
>>
>> guaraldi Auth-Type := EAP, Cleartext-Password == mudar123
>
> wrong! change to
>
> guaraldi Cleartext-Password := mudar123
>
> now, using the SSID of whatever you chose, and the SSL cert you just trusted ...it will work!
>
> alan
Some users getting duplicate NULL acctstoptime records in radacct
Hi All,

I have a weird problem with my freeradius 2.1.6 setup which I have not yet been able to fix. Actually, the problem is I don't understand what the hell is going on.

I'm using mysql for storing auth and acct info. I'm also using sql based simultaneous use checking to prevent a user from logging in more than once. For the most part, things are working well.

However, we see some people with an already active session (acctstoptime is set to NULL) get logged in again and then get a NEW row added to radacct with the acctstoptime set to NULL. So, effectively, freeradius shows TWO live sessions for the same user. When we check the NASes, we see two sessions for the same user there as well.

I've run radius in debug mode, reviewed the logs, checked the configs, and I'm still lost on this. I do see people getting rejected when they try to log in more than once, which tells me the simultaneous checking is working.

I don't understand why this is happening. What I'd expect to happen if accounting stop packets got lost would be the user getting rejected if he/she tried to log in again, but definitely would NOT expect seeing a NEW record in radacct with acctstoptime set to NULL. So, how could this happen?

If it helps, I'm not using an ippool at the moment. I have IPs assigned to the user with entries in radreply (framed-ip-address).

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.29-170.2.78.fc10.x86_64 x86_64 GNU/Linux
19:43:28 up 3 days, 20:40, 3 users, load average: 0.21, 0.39, 0.76
Re: MAX-Monthly-Traffic V2 Post
Hi Alex,

> You are expecting an interim update to send session-timeout to your nas so it disconnect your user? If so, two things seems incorrect to me.
>
> 1- You're measuring traffic volume and want disconnection to set based on time (session-timeout)... a bit tricky isn't it?

So VERY True, Too many late nights and I really do appreciate your input as this gave me food for thought and I now have EVERYTHING Working. Both for Traffic Session USAGE.

For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the Access-Accept as this is supported by the ppp 2.4.4 NAS.

What I would like to know now, is how I can use sqlcounter to do a Month Calculation based on the date of the account being registered and NOT the Calendar Month? Anyone?

> 2- I think the attribute Session-Timeout cannot be found in interim-updates packets (maybe I'm wrong), rfc 2869 specify that:
>
>     It is envisioned that an Interim Accounting record (with Acct-Status-Type = Interim-Update (3)) would contain all of the attributes normally found in an Accounting Stop message with the exception of the Acct-Term-Cause attribute.
>
> What you would need is an attribute known by your nas and representing remaining traffic. That attribute should be sent at acct-start time and would trigger a disconnection from the NAS when traffic limit is reached.
>
> If such an attribute does not exist for your NAS, you should take a look at CoA server.
>
> Maybe someone have better idea...?
>
> On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:

Cheers
Nev

CentOS 5.3
pptpd 1.3.4 / ppp 2.4.4
freeradius2 2.1.6
radiusclient-ng 0.5.6
daloRadius 0.9-8-SVN
how to combine
Hello,

I want to know how to combine user, password and telephone number to authenticate a user in order to give access to my network. Please, I only need a superficial orientation, not too detailed.
Re: Max Monthly Traffic
Neville wrote:

Hi everyone,

I'm trying to setup a new counter maxmonthlytraffic, but as soon as I connected, sql_counter sends reply to do a session timeout and I get disconnected.

This is what I've done so far...

I've added to ./raddb/sql/mysql/counter.conf

    sqlcounter monthlytraffic {
        counter-name = Monthly-Traffic
        check-name = Max-Monthly-Traffic
        sqlmod-inst = sql
        key = User-Name
        reset = monthly

        query = "SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) \
            FROM radacct WHERE username='%{%k}' AND \
            Month(acctstoptime) =(Month(NOW())) AND \
            Year(acctstoptime) = Year(NOW())"
    }

    authorize {
        ..
        monthlytraffic
    }

    instantiate {
        monthlytraffic
    }

created a dictionary entry in daloradius as..

    id                  9433
    Type                integer
    Attribute           Max-Monthly-Traffic
    Value               NULL
    Format              NULL
    Vendor              dictionary.freeradius.internal
    RecommendedOP       :=
    RecommendedTable    check
    RecommendedHelper
    RecommendedTooltip  Check Monthly Traffic Allowance

User created as testmaxm, with the following attributes set:-

*Check*

    Simultaneous-Use := 1
    Pool-Name := tvpool
    Cleartext-Password := testmaxm
    Max-Monthly-Traffic := 1049 (10Mb)

(If this is removed from the Check, the user connects fine, so everything else is working)

*Reply*

    Framed-MTU = 1400
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Acct-Interim-Interval := 300 (Every 5 mins for testing)

*Some Debug...*

    rlm_sqlcounter: Check item is greater than query result
    rlm_sqlcounter: Authorized user testmaxm, check_item=1049, counter=80411
    rlm_sqlcounter: Sent Reply-Item for user testmaxm, Type=Session-Timeout, value=11601138
    ++[monthlytraffic] returns ok

    rad_recv: Accounting-Request packet from host aaa.bbb.ccc.ddd port 53637, id=47, length=140
        Acct-Session-Id = 4A8B6FA0721900
        User-Name = testmaxm
        Acct-Status-Type = Interim-Update
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        Acct-Session-Time = 600
        Acct-Output-Octets = 37033544
        Acct-Input-Octets = 906612
        Acct-Output-Packets = 27837
        Acct-Input-Packets = 15791
        NAS-Port-Type = Async
        Framed-IP-Address = 192.168.0.29
        NAS-Identifier = aaa.bbb.ccc.ddd
        NAS-Port = 1
        Acct-Delay-Time = 0
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 193.33.186.190,NAS-IP-Address = aaa.bbb.ccc.ddd,Acct-Session-Id = 4A8B6FA0721900,User-Name = testmaxm'
    [acct_unique] Acct-Unique-Session-ID = 049e959019a363e4.
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = testmaxm, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    +- entering group accounting {...}
    [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
    [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/aaa.bbb.ccc.ddd/detail-20090819
    [detail] expand: %t -> Wed Aug 19 03:31:04 2009
    ++[detail] returns ok
    rlm_sql (sql): Reserving sql socket id: 1
    [sqlippool] expand: %{User-Name} -> testmaxm
    [sqlippool] sql_set_user escaped user --> 'testmaxm'
    [sqlippool] expand: START TRANSACTION -> START TRANSACTION
    rlm_sql_mysql: query: START TRANSACTION
    [sqlippool] expand: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
    rlm_sql_mysql: query: UPDATE radippool SET expiry_time = NOW() + INTERVAL 3600 SECOND WHERE nasipaddress = 'aaa.bbb.ccc.ddd' AND pool_key = '1' AND username = 'testmaxm' AND callingstationid = '' AND framedipaddress = '192.168.0.29'
    [sqlippool] expand: COMMIT -> COMMIT
    rlm_sql_mysql: query: COMMIT
    rlm_sql (sql): Released sql socket id: 1
    ++[sqlippool] returns ok
    [sql] expand: %{User-Name} -> testmaxm
    [sql] sql_set_user escaped user --> 'testmaxm'
    [sql] expand: %{Acct-Input-Gigawords} ->
    [sql] expand: %{Acct-Input-Octets} -> 906612
    [sql] expand: %{Acct-Output-Gigawords} ->
    [sql] expand: %{Acct-Output-Octets} -> 37033544
    [sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32
Re: MAX-Monthly-Traffic V2 Post
On Thursday 20 August 2009 at 01:07 +0100, Neville wrote:
> Hi Alex,
>
>> You are expecting an interim update to send session-timeout to your nas so it disconnect your user? If so, two things seems incorrect to me.
>>
>> 1- You're measuring traffic volume and want disconnection to set based on time (session-timeout)... a bit tricky isn't it?
>
> So VERY True, Too many late nights and I really do appreciate your input as this gave me food for thought and I now have EVERYTHING Working. Both for Traffic Session USAGE.
>
> For Usage, I still had to use Max-Monthly-Traffic as a Check := and based on sqlcounter calc, do a Reply = Sessions-Octets-Limit = XX on the Access-Accept as this is supported by the ppp 2.4.4 NAS.

Sessions-Octets-Limit!? how lucky you are to have nas devices allowing such a cool feature! I'd love redback NASes to have the same type of feature! (I will query the list.. maybe someone knows more about redback devices)

> What I would like to know now, is how I can use sqlcounter to do a Month Calculation based on the date of the account being registered and NOT the Calendar Month? Anyone?

More an sql query problematic i guess... I can't help here! :)

>> 2- I think the attribute Session-Timeout cannot be found in interim-updates packets (maybe I'm wrong), rfc 2869 specify that:
>>
>>     It is envisioned that an Interim Accounting record (with Acct-Status-Type = Interim-Update (3)) would contain all of the attributes normally found in an Accounting Stop message with the exception of the Acct-Term-Cause attribute.
>>
>> What you would need is an attribute known by your nas and representing remaining traffic. That attribute should be sent at acct-start time and would trigger a disconnection from the NAS when traffic limit is reached.
>>
>> If such an attribute does not exist for your NAS, you should take a look at CoA server.
>>
>> Maybe someone have better idea...?
>>
>> On Wednesday 19 August 2009 at 15:56 +0100, Neville wrote:
>
> Cheers
> Nev
>
> CentOS 5.3
> pptpd 1.3.4 / ppp 2.4.4
> freeradius2 2.1.6
> radiusclient-ng 0.5.6
> daloRadius 0.9-8-SVN
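An added example, not part of any post in this thread: one way to compute a usage window that starts on the day of the month the account was registered instead of on the first of the calendar month, as asked above. The registration date is passed in as an assumption (the thread does not say where it is stored), the radacct rows are constructed, the function names are hypothetical, and SQLite stands in for MySQL so the block runs offline.

```python
import calendar
import sqlite3
from datetime import date


def period_start(registered, today):
    """Start of the current usage period: the latest 'registration day of the
    month' on or before today. Days that do not exist in a month (29 to 31)
    clamp to that month's last day."""
    if today < registered:
        raise ValueError("today is before the registration date")

    def anniversary(year, month):
        last_day = calendar.monthrange(year, month)[1]
        return date(year, month, min(registered.day, last_day))

    start = anniversary(today.year, today.month)
    if start > today:  # this month's anniversary has not arrived yet
        if today.month > 1:
            start = anniversary(today.year, today.month - 1)
        else:
            start = anniversary(today.year - 1, 12)
    return start


def make_sample_db():
    """Constructed radacct rows; column names follow the queries in this thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, acctstoptime TEXT, "
        "acctinputoctets INTEGER, acctoutputoctets INTEGER)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("testmaxm", "2009-07-19 23:00:00", 100, 200),      # previous period
        ("testmaxm", "2009-07-25 08:30:00", 1000, 2000),    # current period, previous calendar month
        ("testmaxm", "2009-08-10 03:31:04", 906612, 37033544),
        ("testmaxm", None, 5, 5),                           # session still open
        ("other", "2009-08-01 00:00:00", 7, 7),             # different user
    ])
    return db


def usage_since(db, username, start):
    """Octets of closed sessions that stopped on or after `start`.

    Like the calendar-month query in the thread, rows with a NULL acctstoptime
    are not counted. The user name and date are bound as parameters instead of
    being pasted into the SQL text."""
    row = db.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
        "FROM radacct WHERE username = ? AND acctstoptime >= ?",
        (username, start.isoformat()),
    ).fetchone()
    return row[0]


def over_quota(db, username, registered, today, quota_bytes):
    """True when usage in the current registration-based period reaches the quota."""
    return usage_since(db, username, period_start(registered, today)) >= quota_bytes


if __name__ == "__main__":
    db = make_sample_db()
    registered = date(2009, 7, 20)  # assumed registration date
    for today in (date(2009, 8, 19), date(2009, 8, 20)):
        start = period_start(registered, today)
        print(today, "period starts", start, "used", usage_since(db, "testmaxm", start))
```

On 19 August the window still reaches back to 20 July, so the 25 July session counts even though a calendar-month query would drop it; on 20 August the window resets.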
Re: How to control users traffic ?
> Message: 2
> Date: Tue, 14 Jul 2009 08:32:18 +0430
> From: Eric bbah...@gmail.com
> Subject: Re: How to control users traffic ?
> To: freeradius-users@lists.freeradius.org
> Message-ID: 38a27c8c0907132102w4d55ebfcmea079116add7b...@mail.gmail.com
> Content-Type: text/plain; charset=iso-8859-1
>
> freeradius-1.1.3-1.4 !! Is it the reason of problem ?
>
> I set reply-name = Session-Octets-Limit in sqlcounter but freeradius sends Session-Timeout in reply with value equal to the deduct of octets used until now from check-name = Max-Input-Octets. How should change the session-timeout to Session-Octets-Limit in auth-reply?
>
> That shouldn't happen. What freeradius version? Post the debug from server startup and request processing.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi Ivan,

I have this working, other than I cannot set a Session-Octets-Limit higher than 4Gb. Is there any way to get around this as I'm allocating 5GB of Usage Per Month?

Max-Traffic-Monthly := 429497 (4Gb)

    [monthlytraffic] expand: %{sql:SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct WHERE username='test1000' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 0
    rlm_sqlcounter: Check item is greater than query result
    rlm_sqlcounter: Authorized user test1000, check_item=4294967295, counter=0
    rlm_sqlcounter: Sent Reply-Item for user test1000, Type=Session-Octets-Limit, value=1029889
    ++[monthlytraffic] returns ok
    Sending Access-Accept of id 144 to 193.33.186.190 port 46294
        Idle-Timeout := 1800
        Framed-MTU = 1488
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Acct-Interim-Interval := 300
        Session-Timeout = 3600
        Session-Octets-Limit = 1029889    Session-Octets-Limited is set to 1Mb instead of 4Gb
        Framed-IP-Address = 192.168.0.22

Max-Traffic-Monthly := 42 (3.9Gb)

    [monthlytraffic] expand: %{sql:SELECT (sum(acctinputoctets)+sum(acctoutputoctets)) FROM radacct WHERE username='test1000' AND Month(acctstoptime) =(Month(NOW())) AND Year(acctstoptime) = Year(NOW())} -> 0
    rlm_sqlcounter: Check item is greater than query result
    rlm_sqlcounter: Authorized user test1000, check_item=42, counter=0
    rlm_sqlcounter: Sent Reply-Item for user test1000, Type=Session-Octets-Limit, value=4201030340
    ++[monthlytraffic] returns ok
    Sending Access-Accept of id 98 to 193.33.186.190 port 34040
        Idle-Timeout := 1800
        Framed-MTU = 1488
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Acct-Interim-Interval := 300
        Session-Timeout = 3600
        Session-Octets-Limit = 4201030340
        Framed-IP-Address = 192.168.0.23

Thx
Nev
redback nas
Hello,

This is not really a freeradius related question... sorry about that.

Does anyone know about attributes supported by redback devices that would allow disconnection of sessions based on the amount of traffic transferred during the session and which could be set to higher than 4Gb?

thanks to any redback guru! :)
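An added example, not from any poster: a RADIUS integer attribute is a 32-bit unsigned value, which is where the 4 GB ceiling raised in the two posts above comes from, and RFC 2869 carries larger accounting counters as a Gigawords/Octets pair, the pair the radacct UPDATE query in this thread combines. The sample packet is constructed (its Gigawords value is invented) and the helper names are hypothetical.

```python
import re

UINT32_MAX = 2**32 - 1  # largest value one RADIUS "integer" attribute can carry (RFC 2865)

# Constructed Interim-Update in the style of the debug output in this thread.
# Acct-Output-Gigawords = 1 is invented to show a session that has passed 4 GiB.
SAMPLE_INTERIM = """
    Acct-Session-Id = "4A8B6FA0721900"
    User-Name = "testmaxm"
    Acct-Status-Type = Interim-Update
    Acct-Session-Time = 600
    Acct-Input-Octets = 906612
    Acct-Output-Octets = 37033544
    Acct-Output-Gigawords = 1
"""

ATTR_LINE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*"?(.*?)"?\s*$')


def parse_attrs(text):
    """Parse 'Name = value' lines (radiusd -X style) into a dict of strings."""
    attrs = {}
    for line in text.splitlines():
        match = ATTR_LINE.match(line)
        if match:
            attrs[match.group(1)] = match.group(2)
    return attrs


def counter64(attrs, direction):
    """Combine Acct-<direction>-Gigawords and Acct-<direction>-Octets.

    Gigawords counts how many times the 32-bit Octets counter has wrapped
    (RFC 2869). A missing or empty attribute counts as 0, like the
    %{%{...}:-0} fallback in the SQL query."""
    halves = []
    for suffix in ("Gigawords", "Octets"):
        name = f"Acct-{direction}-{suffix}"
        value = int(attrs.get(name) or 0)
        if not 0 <= value <= UINT32_MAX:
            raise ValueError(f"{name}={value} does not fit in 32 bits")
        halves.append(value)
    return (halves[0] << 32) | halves[1]


def session_bytes(attrs):
    """Total bytes for the session, both directions, as one 64-bit number."""
    return counter64(attrs, "Input") + counter64(attrs, "Output")


def split_counter(nbytes):
    """Inverse of counter64: split a byte count into (gigawords, octets)."""
    if not 0 <= nbytes < 2**64:
        raise ValueError("counter must fit in 64 bits")
    return nbytes >> 32, nbytes & UINT32_MAX


def remaining_quota(quota_bytes, used_bytes):
    """Bytes left, and whether that number fits in one 32-bit attribute.

    low_32_bits is what would survive if the value were truncated to 32 bits;
    it is shown only to make the size of the error visible."""
    left = max(quota_bytes - used_bytes, 0)
    return {
        "remaining": left,
        "fits_in_one_attribute": left <= UINT32_MAX,
        "low_32_bits": left & UINT32_MAX,
    }


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_INTERIM)
    used = session_bytes(attrs)
    print("session bytes:", used)
    print("5 GiB quota, nothing used:", remaining_quota(5 * 2**30, 0))
    print("5 GiB quota, after this session:", remaining_quota(5 * 2**30, used))
```

A 5 GiB allowance only fits in a single integer attribute once enough of it has been used for the remainder to drop below 2**32 bytes.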