Reauthenticate Every minute

2012-03-21 Thread Mutheu

My Setup:

-- FreeRADIUS:  Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 3 2011 at 21:39:42 
-- Mysql: Server version: 5.1.51 Source distribution
-- NAS: pfSense 2.0.1 release 


My Query:
I am a bit new to freeradius and I am trying to create a setup where an active 
session is re-authenticated every minute and a user is kicked if there is not 
enough credit.


More Details:
Using 'norestcounter' with mysql works very well without the above.
Now I would like to implement this idea: 
http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore

NAS supports a feature for reauthentication every minute.


The problem is that, if I turn it on, freeradius responds:

Sending delayed reject for request 2
Sending Access-Reject of id 234 to 10.250.78.200 port 64881
Reply-Message := \r\nYou are already logged in - access denied\r\n\n

Activated the option for ensuring no 'simultaneous use' via mysql.


What am I missing in the freeradius config?

Mutheu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


generate a random value with unlang?

2012-03-21 Thread Stefan Winter
Hi,

in some weird business case, I would like to generate a one-time use
token for later consumption in post-auth. So when the user is accepted,
trigger an

{sql:INSERT randomvalue INTO someplace}

The value should be new for every Access-Accept. I wonder how to
generate such a random value with unlang. Is there some {%rand} or
anything like that?

Currently I do it embedded in the INSERT:

INSERT ... SHA1(RAND())... INTO someplace

but our MySQL admins don't like me doing that. So I'd prefer to do this
on FreeRADIUS and send a simple string to the DB.

Greetings,

Stefan Winter


Re: generate a random value with unlang?

2012-03-21 Thread Matthew Newton
On Wed, Mar 21, 2012 at 11:07:16AM +0100, Stefan Winter wrote:
 The value should be new for every Access-Accept. I wonder how to
 generate such a random value with unlang. Is there some {%rand} or
 anything like that?

http://freeradius.org/press/index.html

30 September 2011 - Version 2.1.12 has been released.

...

* Added support for %{rand:...}, which generates a uniformly
 distributed number between 0 and the number you specify.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: generate a random value with unlang?

2012-03-21 Thread Phil Mayers

On 21/03/12 10:07, Stefan Winter wrote:

Hi,

in some weird business case, I would like to generate a one-time use
token for later consumption in post-auth. So when the user is accepted,
trigger an

{sql:INSERT randomvalue INTO someplace}

The value should be new for every Access-Accept. I wonder how to
generate such a random value with unlang. Is there some {%rand} or
anything like that?

Currently I do it embedded in the INSERT:

INSERT ... SHA1(RAND())... INTO someplace

but our MySQL admins don't like me doing that. So I'd prefer to do this
on FreeRADIUS and send a simple string to the DB.



How secure a random value? You could generate a reasonably unique value 
with something like:


 update request {
  My-Random := "%{md5:A-Secret-String/%l/%n/%I}"
 }

There's no built-in xlat for rand() but it would be very trivial to add:

--- xlat.c  2012-03-21 11:00:51.736371799 +
+++ xlat.c~ 2012-01-05 17:06:51.512061373 +
@@ -628,17 +628,6 @@
return strlen(out);
 }

-/**
- * @brief Return a random integer
- *
- */
-static size_t xlat_rand(UNUSED void *instance, REQUEST *request,
-  char *fmt, char *out, size_t outlen,
-  UNUSED RADIUS_ESCAPE_STRING func)
-{
-   snprintf(out, outlen, %d, fr_rand());
-   return strlen(out);
-}

 /**
  * @brief Convert a string to lowercase
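Review bot: in xlat_rand the `fmt` argument is declared without UNUSED yet never read, so `%{rand:100}` would silently return the full-range value rather than one bounded by 100 (the stock %{rand:...} in 2.1.12, quoted later in this thread, takes that upper bound); either parse `fmt` as the bound or mark it UNUSED. The `snprintf(out, outlen, %d, fr_rand())` line also needs a quoted format string, and "%u" rather than "%d", since fr_rand() returns an unsigned 32-bit value and "%d" prints half of that range as negative numbers. Note the file headers are the wrong way round (`--- xlat.c` is the edited file, `+++ xlat.c~` the backup), so these `-` lines are the additions.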
@@ -840,11 +829,6 @@
rad_assert(c != NULL);
c-internal = TRUE;

-   xlat_register(rand, xlat_rand, xlat_inst[0]);
-   c = xlat_find(rand);
-   rad_assert(c != NULL);
-   c-internal = TRUE;
-
xlat_register(tolower, xlat_lc, xlat_inst[0]);
c = xlat_find(tolower);
rad_assert(c != NULL);
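Review bot: registering under the name `rand` collides on any tree that already ships %{rand:...} (2.1.12, as the reply later in this thread points out), and xlat_register is called unconditionally; check `xlat_find(rand) == NULL` before registering, or simply drop this hunk and use the built-in. Same header reversal as in the first hunk: these `-` lines are the additions.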
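An added example (mine, not code from the thread or from FreeRADIUS) contrasting the two recipes in this thread: the md5 line above, which in 2.x xlat terms hashes a fixed string with %l (request timestamp), %n (NAS-IP-Address) and %I (RADIUS packet id), and the %{rand:N} expansion Matthew points at, which yields one uniform integer in [0, N]. Both expansions are modelled in Python; secrets.randbelow stands in for the server's own generator, and the meaning of the three %-variables is my reading of 2.x's xlat.c, not something the thread states. The point: the md5 value is a deterministic function of its inputs, so it repeats whenever (second, NAS, packet id) repeats (ids wrap at 256) and can be recomputed by anyone holding the secret string, while a token assembled from enough %{rand:...} draws carries real randomness and is not reproducible.

```python
import hashlib
import math
import secrets


def xlat_rand(upper: int) -> int:
    """Model of FreeRADIUS 2.1.12's %{rand:N}: a uniform integer in [0, N].
    secrets.randbelow stands in for the server's own generator (assumption)."""
    return secrets.randbelow(upper + 1)


def entropy_bits(upper: int) -> float:
    """Upper bound on the randomness one %{rand:N} expansion can carry."""
    return math.log2(upper + 1)


def md5_token(secret: str, timestamp: int, nas_ip: str, packet_id: int) -> str:
    """Model of  My-Random := "%{md5:A-Secret-String/%l/%n/%I}"
    with %l = request timestamp, %n = NAS-IP-Address, %I = packet id
    (my reading of the 2.x xlat variables).  Same inputs -> same token."""
    material = f"{secret}/{timestamp}/{nas_ip}/{packet_id}".encode()
    return hashlib.md5(material).hexdigest()


def rand_token(bits: int = 128) -> str:
    """Token built from ceil(bits/32) expansions of %{rand:4294967295},
    each hex-encoded to 8 characters, so the result carries `bits` bits
    of randomness.  In unlang this is the same expansion repeated."""
    draws = math.ceil(bits / 32)
    return "".join(f"{xlat_rand(0xFFFFFFFF):08x}" for _ in range(draws))


if __name__ == "__main__":
    # Constructed inputs: two Access-Accepts for the same NAS in the same
    # second that happen to reuse the 8-bit packet id.
    a = md5_token("A-Secret-String", 1332324436, "10.250.78.200", 234)
    b = md5_token("A-Secret-String", 1332324436, "10.250.78.200", 234)
    c = md5_token("A-Secret-String", 1332324437, "10.250.78.200", 234)
    print("md5 recipe, repeated inputs:", a == b)
    print("md5 recipe, one second later:", a == c)
    print("one %{rand:100} carries at most", round(entropy_bits(100), 2), "bits")
    print("rand token:", rand_token(), "(128 bits)")
```

If the token is meant to be unguessable (a one-time credential rather than a row key), the rand-based form is the one to store; the md5 form is fine as a "reasonably unique" identifier, as Phil describes it, but not as a secret.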


Re: generate a random value with unlang?

2012-03-21 Thread Phil Mayers

On 21/03/12 10:49, Matthew Newton wrote:

On Wed, Mar 21, 2012 at 11:07:16AM +0100, Stefan Winter wrote:

The value should be new for every Access-Accept. I wonder how to
generate such a random value with unlang. Is there some {%rand} or
anything like that?


http://freeradius.org/press/index.html

30 September 2011 - Version 2.1.12 has been released.

...

* Added support for %{rand:...}, which generates a uniformly
  distributed number between 0 and the number you specify.


...ah. Obviously, ignore my email then! I must have an old git branch 
checked-out!



Re: Reauthenticate Every minute

2012-03-21 Thread Alan DeKok
Mutheu wrote:
 I am a bit new to freeradius and I am trying to create a setup where an 
 active session is re-authenticated every minute and a user is kicked if 
 there is not enough credit.

  That's usually not a good idea.  The timeframe for reauthentications
should be 10 minutes at least.

 More Details:
 Using 'norestcounter' with mysql works very well without the above.
 Now I would like to implement this idea: 
 http://computing-tips.net/M0n0wall_Captive_Portal_Logout_URL/#onlinestore
 
 NAS supports a feature for reauthentication every minute.

  That's good.

 The problem is that, if I turn it on, freeradius responds:
 
 Sending delayed reject for request 2
 Sending Access-Reject of id 234 to 10.250.78.200 port 64881
 Reply-Message := \r\nYou are already logged in - access denied\r\n\n
 
 Activated the option for ensuring no 'simultaneous use' via mysql.

  Which means you activated one feature which prevents the other one
from working.

  Don't do that.

 What am I missing in the freeradius config?

  Probably nothing.  Your NAS isn't sending the same session information
the second time around.  So FreeRADIUS thinks that the user is now
logging in twice, and is rejecting it.

  As always, look at the debug output to see what's going on.

  Alan DeKok.
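Alan's diagnosis, worked as an added example (mine, not FreeRADIUS code): a cut-down model of what a SQL-backed Simultaneous-Use = 1 check sees when the NAS re-authenticates an open session every minute. The radacct row and the two requests are constructed, sqlite stands in for MySQL, and the count query has the shape of rlm_sql's simul_count_query (open rows for the user); the real module also verifies sessions before rejecting, so this is the logic, not the module's code. The naive count rejects the re-auth because the session's own open row already counts as a login. The second query leaves out rows that match the request's NAS, port and Calling-Station-Id, so a request that matches its own session passes while a genuine second login from another device is still rejected; that is exactly why it matters that the NAS sends the same session information the second time around. In 2.x the count query is configurable (simul_count_query in the sql module's dialup.conf), which is where such a variant would go.

```python
import sqlite3

# Constructed data: one open accounting row, as the SQL accounting module
# would have written it at the first login.
OPEN_ROW = ("mutheu", "5f2a0c1d00000001", "10.250.78.200", "1",
            "00-11-22-33-44-55", None)

NAIVE_COUNT = """SELECT COUNT(*) FROM radacct
                 WHERE username = :username AND acctstoptime IS NULL"""

# Same count, but rows that belong to the session this request re-authenticates
# (same NAS, port and Calling-Station-Id) are not counted against the limit.
REAUTH_AWARE_COUNT = """SELECT COUNT(*) FROM radacct
                 WHERE username = :username AND acctstoptime IS NULL
                   AND NOT (nasipaddress = :nasipaddress
                            AND nasportid = :nasportid
                            AND callingstationid = :callingstationid)"""


def build_radacct() -> sqlite3.Connection:
    """In-memory stand-in for radacct (subset of the stock columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        username TEXT, acctsessionid TEXT, nasipaddress TEXT,
        nasportid TEXT, callingstationid TEXT, acctstoptime TEXT)""")
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", OPEN_ROW)
    return db


def simultaneous_use(db, request: dict, count_query: str, limit: int = 1):
    """Reject when the open-session count has reached Simultaneous-Use.
    Returns (accepted, Reply-Message)."""
    (count,) = db.execute(count_query, request).fetchone()
    if count >= limit:
        return False, "You are already logged in - access denied"
    return True, "ok"


# Constructed requests: the NAS's per-minute re-auth of the open session,
# and a genuine second login from another device.
REAUTH = dict(username="mutheu", nasipaddress="10.250.78.200",
              nasportid="1", callingstationid="00-11-22-33-44-55")
SECOND_LOGIN = dict(REAUTH, nasportid="2", callingstationid="66-77-88-99-aa-bb")


if __name__ == "__main__":
    db = build_radacct()
    for label, req in (("re-auth", REAUTH), ("second login", SECOND_LOGIN)):
        print(f"{label:13} naive:         {simultaneous_use(db, req, NAIVE_COUNT)}")
        print(f"{label:13} re-auth aware: {simultaneous_use(db, req, REAUTH_AWARE_COUNT)}")
```

The debug output Alan asks for is what tells you which of the three fields the NAS changes between the first request and the re-auth; if it changes all of them, no count query can tell the re-auth from a second login and the Simultaneous-Use check has to go.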


VPN

2012-03-21 Thread danegirl
Hi all

I have a VPN solution using Mikrotik+FreeRadius+Freeside.
Other than authenticating squid, all the other services are working fine. At
the moment all the customers are able to use all the VPN services (L2TP,
PPTP, ...). I want to know how I can define that user A can only use PPTP, user
B can use L2TP and user C can use all the services? I wonder how this should be
defined in FreeRadius.

Any help would be appreciated 
DaneGirl


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/VPN-tp5583065p5583065.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Question on logging EAP/PEAP authentication rejections

2012-03-21 Thread Josh Hiner

   It's a section, just like any other section.  This is documented in
 man unlang.  You put modules or unlang rules there.  This is
 documented in man unlang.


Thanks!! That is exactly what I needed. I did not know to look in that man
page. Awesome!


  If there is documentation on
  Post-Auth-Type REJECT { that is more than a paragraph, please point me to
  it; I'd be very interested in it. I can't follow advice that's not given to
  me, or read documentation that seems to be impossible to find. I'm just
  confused by the replies I received. Oh well.

   The documentation assumes some amount of independent thought.

  *This* is the cause of most of the contention on this list.  Some
 people want to be spoon-fed every possible piece of information.  They
 get testy when that doesn't happen.

  I get frustrated when people don't bother reading the documentation I
 wrote.  I give direct opinions when they express how bad the
 documentation is... that they haven't read.


I'm sorry I upset you. I could have worded the last part better. FreeRADIUS
is so full of great features that sometimes the doc is not where you expect
it, which is why I needed help finding where this was documented. I did
figure it out without it in the end anyway. The man unlang advice was
exactly what I needed and the doc is very clear. Thanks.


  Alan DeKok.


RE: VPN

2012-03-21 Thread Brian Julin

 

 -Original Message-
 danegirl Wrote:

 At the moment all the customers are able to use 
 all the VPN services (L2TP,
 PPTP, ...). I want to know how I can define that user A can only 
 use PPTP, user B can use L2TP and user C can use all the 
 services? I wonder how this should be defined in FreeRadius

This depends a lot on what your particular NAS sends to FreeRadius.
You would want to capture packets from a PPTP request and from an
L2TP request and compare them, to see if the NAS puts different
information in any fields that would allow FreeRadius to
tell the difference between PPTP and L2TP.

A likely field would be the Framed-Protocol field.

Once you have such a field, you can either add it as a check
item in your users file (if you are using one) or use
unlang to change the authorization step depending on the
contents of that field.

--
Brian


Re: Freeradius crash with two radclient

2012-03-21 Thread fulvio fabiani
Hi all,
we did some additional tests by enabling multithread debugging in FreeRADIUS and
tracing the freeradius process on the server.

Below is the server trace output (the same output for each crash):



select(11, [4 6 7 8 9 10], NULL, NULL, {0, 302488}) = 1 (in [8], left {0, 302488})

recvfrom(8, "\4y\0\251", 4, MSG_PEEK, {sa_family=AF_INET, sin_port=htons(38662), sin_addr=inet_addr("192.168.88.151")}, [16]) = 4

getsockname(8, {sa_family=AF_INET, sin_port=htons(2648), sin_addr=inet_addr("192.168.88.132")}, [549755813904]) = 0

recvfrom(8, "\4y\0\251", 4, MSG_PEEK, {sa_family=AF_INET, sin_port=htons(38662), sin_addr=inet_addr("192.168.88.151")}, [16]) = 4

recvfrom(8, "\4y\0\251@\247#\33364\371I2\346Zd\305F\215A\1\0340208451346"..., 169, 0, {sa_family=AF_INET, sin_port=htons(38662), sin_addr=inet_addr("192.168.88.151")}, [16]) = 169

futex(0x641998, FUTEX_WAKE_PRIVATE, 1)  = 1

select(11, [4 6 7 8 9 10], NULL, NULL, {0, 301738} <unfinished ...>


Freeradius output:
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep
22 2011 at 16:18:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/radiusd.conf
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/proxy.conf
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/clients.conf
including files in directory
/product/freeradius-server-2.1.11/etc/raddb/modules/
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/files
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/counter
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/dynamic_clients
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/echo
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/logintime
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/always
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/sradutmp
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/mac2vlan
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/linelog
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/ippool
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/soh
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/detail.example.com
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/ntlm_auth
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/expiration
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/etc_group
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/wimax
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/chap
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/detail
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/acct_unique
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/detail.sc.de
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/expr
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/digest
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/realm
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/krb5
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/perl
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/redis
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/policy
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/detail.log
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/opendirectory
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/radutmp
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/pam
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/smbpasswd
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/checkval
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/ldap
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/preprocess
including configuration file
/product/freeradius-server-2.1.11/etc/raddb/modules/sql_log
including configuration file

Re: Freeradius crash with two radclient

2012-03-21 Thread Alan Buxey
hi,

in previous emails you were asked to run 2.1.12 or the latest 2.1.x GIT release
- but this output is from 2.1.11

alan


Re: Freeradius crash with two radclient

2012-03-21 Thread fulvio fabiani
Yes I know,
we have not yet tested the latest 2.1.x GIT release, and testing with 2.1.12 or
2.1.11 gives the same results.

Is it mandatory?



2012/3/21 Alan Buxey a.l.m.bu...@lboro.ac.uk

 hi,

 in previous emails you were asked to run 2.1.12 or the latest 2.1.x GIT
 release
 - but this output is from 2.1.11

 alan


using different filter for ldap modul by NAS

2012-03-21 Thread Richard Kuchar
Hi,

I need to use a different LDAP query (filter) depending on which NAS the request comes from.

I add this to site-enabled/default under authorize section :

...
switch "%{NAS-IP-Address}" {
    case 10.0.16.3 {
        # test
        update control {
            CU-LDAP-Filter = "(uid=%u@%u)"
        }
    }
    case {
        # default
        update control {
            CU-LDAP-Filter = "\(\\(cn=%u\)\(radiusCallingStationId=%i\)\)"
        }
    }
}

ldap
...

and this to modules/ldap:

...
filter = "%{control:CU-LDAP-Filter}"
...

So far so good: the filter is changed per NAS. But in debug it does this:

[ldap]  expand: %{control:CU-LDAP-Filter} -> \28uid\3d%u@%u\29

So it changes some characters. I tried to escape it, but it doesn't work.
What am I doing wrong?

Best Regards!

Richard Kuchar
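What the debug line shows, as an added example (mine, not rlm_ldap's code): the module escapes the result of every %{...} expansion in `filter` for use inside an LDAP filter value, so when the whole filter lives in an attribute, its structural characters come back as \28, \3d and \29 (and the %u inside the attribute's value is not expanded a second time, as the debug output above also shows). The escape set used below, the characters `, + " \ < > ; * = ( )` plus a leading space or `#`, is my reading of 2.x's ldap_escape_func and is an assumption; RFC 4515 itself requires only `* ( ) \` and NUL. The second half shows the shape that does work: keep the filter structure in the module configuration (one ldap instance per NAS, each with its own `filter`, selected from the unlang switch) so that only the user-supplied value passes through the escaping. That same escaping is what keeps a crafted User-Name such as `*)(uid=*` from changing the filter. The default filter is a placeholder, since the thread's own default did not survive intact.

```python
ESCAPED = set(',+"\\<>;*=()')


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter, the way the module does
    to every %{...} expansion: unsafe characters become \\XX (hex).
    A leading space or '#' is escaped too (assumed, as in 2.x ldap_escape_func)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ESCAPED or (i == 0 and ch in " #"):
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def expand_filter_from_attribute(attr_value: str) -> str:
    """The poster's setup:  filter = "%{control:CU-LDAP-Filter}".
    The attribute's whole value is one expansion, so all of it is escaped,
    and any %u inside it stays literal."""
    return ldap_escape(attr_value)


def expand_filter_template(template: str, username: str) -> str:
    """The working shape: structure in the module config, only %u expanded,
    and therefore only the username escaped."""
    return template.replace("%u", ldap_escape(username))


# One filter per ldap instance; the unlang switch on NAS-IP-Address picks the
# instance.  The test NAS's filter is the poster's, the default a placeholder.
FILTERS = {"10.0.16.3": "(uid=%u@%u)"}
DEFAULT_FILTER = "(uid=%u)"


def filter_for(nas_ip: str, username: str) -> str:
    return expand_filter_template(FILTERS.get(nas_ip, DEFAULT_FILTER), username)


if __name__ == "__main__":
    print("attribute holds filter :", expand_filter_from_attribute("(uid=%u@%u)"))
    print("template, normal user  :", filter_for("10.0.16.3", "bob"))
    print("template, hostile user :", filter_for("10.0.16.3", "*)(uid=*"))
    print("template, other NAS    :", filter_for("10.0.0.9", "bob"))
```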


Re: Freeradius crash with two radclient

2012-03-21 Thread Alan Buxey
Hi,

Yes I know,
we did not yet test the latest 2.1.x GIT release and test with 2.1.12 or
2.1.11 give same results.

well, you were asked to test the 2.1.x GIT release as it has some rather
important fixes in it.  

as for 2.1.12 - yes, mandatory, as that's the latest release code to compare
against unless you DO run the 2.1.x GIT release...which I recommend is the first 
course of action anyway - as the bug you have hit may have already been fixed.

alan


Re: Freeradius crash with two radclient

2012-03-21 Thread Fajar A. Nugraha
On Thu, Mar 22, 2012 at 3:04 AM, fulvio fabiani
fabiani.ful...@gmail.com wrote:
 Follow the server tracing output (each crash the same output):

 2012/3/21 Alan DeKok al...@deployingradius.com

  See doc/bugs

So you decided to run strace instead of using gdb as written in
doc/bugs? And how did you think that could be useful?

In particular, look at section 3. DEBUGGING A LIVE SERVER. It should be easy.

-- 
Fajar



Freeradius Server Performance Provisioning

2012-03-21 Thread Tiago Ratto
Hello there,

We have been using FreeRADIUS for about four years now, and it has proven a
robust and reliable AAA solution.
In our current setup, we don't use Interim updates.
As our needs have changed over time, it is now imminent for us to use the Interim
feature, so we've done some tests and gathered statistics.
We have an average of 7K simultaneously connected users, out of 15K in total.
Our growth is about 150 users per month.

In our first test, we set our NASes to send updates at a 1-minute
frequency, which resulted in about 100 update queries per second.
Our server didn't manage to handle that volume of activity, and when using
vmstat to measure performance we noticed that our problem was related
to interrupts per second and context switches, both at levels of about 3000.
Since each query takes about 0.016 seconds to execute, we need 1.6 seconds
to handle 1 second of activity.
Our current server configuration is a quad-core Xeon 3400 with 2GB RAM
and a RAID 0 array of 2 disks, running MySQL as the database backend.

Later we set our Interim update to 5 minutes, so we ended up with an
average of 20 update queries per second, and interrupts per second and
context switches at about 800 with peaks of 1200.

I'm no DBA, so I've done as much tuning as I could learn from the MySQL
documentation and user forums. But I feel that our database could be
tuned a little more. In addition, we're planning to upgrade the server.

So I ask you guys for some advice on MySQL tuning and server provisioning to do
the AAA of about 25000 users with the 5-minute Interim.


Much Thanks
Tiago Ratto
t...@friistelecom.com.br
IT - Friis Telecom
http://www.friistelecom.com.br

Re: Freeradius Server Performance Provisioning

2012-03-21 Thread Fajar A. Nugraha
On Thu, Mar 22, 2012 at 7:15 AM, Tiago Ratto
tiago.ra...@friistelecom.com.br wrote:
 I'm no DBA, so I've done as much tuning as I could learn from MySQL
 documentations and users forums. But I feel that our database could be tuned
 a little more. In addition, we're planning to upgrade the server.

... and that, my friend, is the main problem.


 So I ask you guys some advice on MySQL tuning and Server provisioning to do
 the AAA of about 25000 users with the 5 minutes Interim.

Do you use simultaneous use check? If yes, I'd start by limiting the
number of entries in radacct. For example, manually move ALL entries
that are from 2 months ago or older to a separate table.

Other than that, I'd start by learning about database, or ask a DBA
for help. Start with finding out what queries are causing most load,
and how to make them more efficient (e.g. by adjusting indexes or
queries).

-- 
Fajar
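Fajar's two suggestions, as an added example (mine, not FreeRADIUS's schema or queries): sqlite stands in for MySQL and radacct holds a constructed handful of rows. The first function moves every closed session older than the cutoff into an archive table in one transaction, leaving open rows alone so the simultaneous-use count (open rows per user) and the Stop packets that will eventually close those rows keep working. The second adds the index that count needs, and the planner (sqlite's EXPLAIN QUERY PLAN, MySQL's EXPLAIN) confirms the count stops scanning the whole table. Column names follow the stock radacct table; the archive table name and the 60-day cutoff are assumptions, and the index is the kind of thing the "find the queries causing most load" step turns up.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2012, 3, 21, 12, 0, 0)   # fixed clock so the results are reproducible

# Constructed radacct rows: (username, started N days ago, stopped N days ago or None).
ROWS = [
    ("alice", 100, 99),    # closed long ago        -> archived
    ("bob",    70, 69),    # closed before cutoff   -> archived
    ("carol",  10,  9),    # closed recently        -> kept
    ("dave",    1, None),  # open session           -> kept
    ("erin",  200, None),  # stale open row         -> kept (closing it is a separate job)
]

COUNT_OPEN = ("SELECT COUNT(*) FROM radacct "
              "WHERE username = ? AND acctstoptime IS NULL")


def stamp(days_ago):
    """MySQL-style 'YYYY-MM-DD HH:MM:SS' string, or NULL for an open session."""
    if days_ago is None:
        return None
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")


def build_radacct() -> sqlite3.Connection:
    """In-memory stand-in for radacct (subset of the stock columns) plus an
    empty archive table of the same shape (table name assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY, username TEXT,
        acctstarttime TEXT, acctstoptime TEXT)""")
    db.execute("CREATE TABLE radacct_archive AS SELECT * FROM radacct WHERE 0")
    db.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime) VALUES (?, ?, ?)",
        [(u, stamp(s), stamp(t)) for u, s, t in ROWS])
    return db


def archive_closed_sessions(db, older_than_days=60, now=NOW) -> int:
    """Move closed sessions older than the cutoff into the archive in one
    transaction (both statements commit, or neither does).  Rows with
    acctstoptime IS NULL are never touched.  Returns the number moved."""
    cutoff = (now - timedelta(days=older_than_days)).strftime("%Y-%m-%d %H:%M:%S")
    where = "WHERE acctstoptime IS NOT NULL AND acctstoptime < ?"
    with db:
        db.execute(f"INSERT INTO radacct_archive SELECT * FROM radacct {where}", (cutoff,))
        moved = db.execute(f"DELETE FROM radacct {where}", (cutoff,)).rowcount
    return moved


def add_open_session_index(db) -> None:
    """Index matching the open-session count's WHERE clause."""
    db.execute("CREATE INDEX IF NOT EXISTS radacct_user_open "
               "ON radacct (username, acctstoptime)")


def count_uses_index(db) -> bool:
    """Ask the planner whether the open-session count is a table scan
    or an index lookup."""
    plan = db.execute("EXPLAIN QUERY PLAN " + COUNT_OPEN, ("dave",)).fetchall()
    return any("INDEX" in str(row[-1]) for row in plan)


def run_scenario() -> dict:
    db = build_radacct()
    before = count_uses_index(db)
    add_open_session_index(db)
    moved = archive_closed_sessions(db)
    return {
        "moved": moved,
        "left": db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0],
        "archived": db.execute("SELECT COUNT(*) FROM radacct_archive").fetchone()[0],
        "open_dave": db.execute(COUNT_OPEN, ("dave",)).fetchone()[0],
        "open_alice": db.execute(COUNT_OPEN, ("alice",)).fetchone()[0],
        "index_before": before,
        "index_after": count_uses_index(db),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:13} {value}")
```

On MySQL the same move is an INSERT ... SELECT followed by a DELETE with the same WHERE inside one transaction, run in batches during a quiet period, and the stale open rows (erin above) are a separate clean-up: they should be closed with a stop time, not archived, or the simultaneous-use check will keep counting them.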


Re: Freeradius crash with two radclient

2012-03-21 Thread Alan DeKok
fulvio fabiani wrote:
 Yes I know,
 we did not yet test the latest 2.1.x GIT release and test with 2.1.12 or
 2.1.11 give same results.
 
 Is it mandatory?

  It's mandatory to follow instructions on this list.

  You were asked to do certain things which would let us help you.
You've ignored those instructions, and done something *else*.  That is
useless, and wasting our time.

  If you're not going to follow instructions, you will be unsubscribed
from this list.  It's the only way we've found to convince people that
they DO NEED to follow instructions.

  Alan DeKok.