Re: Usage Limit and Accounting Plan
> 1. I need to limit the user monthly usage, for example bandwidth 2Mbps with 5GB monthly usage.

1a.) You would not need a script; you need RLM SQLCOUNTER to limit the daily/weekly/monthly traffic quota.

1b.) You need to control the bandwidth using radius and radius client attributes, such as WISPr-Bandwidth-Max-Down and WISPr-Bandwidth-Max-Up.

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Usage Limit and Accounting Plan
On Tue, Jan 22, 2013 at 10:17 AM, Sokphak TOUCH touch.sokp...@gmail.com wrote:

> Thanks Russell for your response. It would be more appreciated if you can share some document. In the meantime I will be doing research about it.
>
> Regards,
> Sokphak

Understand the concept here, it is very easy with FreeRadius:

http://wiki.freeradius.org/modules/Rlm_sqlcounter

Thanks
Re: Realm
On Wed, Jan 23, 2013 at 2:47 PM, Miha m...@softnet.si wrote:

> Hi,
>
> my radius client is sending, with user-name and password, also the realm. I cannot disable sending the realm; is it possible to configure radius so that it will not use the realm with user-name (user-name@realm)? I only know that it is a function of proxy (realm), if that helps.

Are you including proxy.conf?

R M
Re: free radius output attributes configuration
What are output attributes?

On Wed, Feb 6, 2013 at 10:19 AM, Lakshmi Narayana Baliah lb0074...@techmahindra.com wrote:

> Hi All,
>
> How can I configure output attributes in free-radius? How do I do that? Please help.
>
> Thanks
> Lakshmi
Re: Load Balancing Issue
There are many different things you are talking about at the same time. You want to increase the response time of auth. Is your database indexed?

Thanks

On Tuesday, February 12, 2013, Muhammad Nadeem wrote:

> thanks alan
>
> Actually I am using load balancing for rapid authentication of users. Let's suppose I have one proxy server that is proxying incoming requests to these five servers. Theoretically the speed of authentication should be fast. But in my case it is too slow. I have changed 'max_requests' in radiusd.config. And also removed unnecessary processing on the radius server (that is proxying requests). Now tell me what else can I do?? :(
>
> Though I am a newbie in RADIUS, I think the proxy server is the bottleneck???
>
> On Tue, Feb 12, 2013 at 1:44 PM, a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi,
>>
>>> I am using Freeradius 2.2.0 on redhat 5. My goal was to increase the speed of user authentication. To achieve this I configured Load Balancing (with realms). I have a proxy Freeradius server, that is just proxying requests to 2 other freeradius servers.
>>
>> you only asked this question less than 2 hours ago.
>>
>> okay, you need to see why the proxy is causing a x3 factor in slowdown? run the servers in full debug mode with timestamps and check to see where your delay is... don't throw 10 million requests at it though, just a dozen should be enough in the first instance to see where the hit is.
>>
>> I'd assume that you haven't made any configuration changes or tweaked any configs... in which case your proxy box is probably not ready to be dealing with that many in transit requests (whereas the authentication servers can handle multiple requests per thread) - so, some basic tweaking will probably do something... though I think you've already found that you don't need to load-balance ;-)
>>
>> alan
>
> --
> Best Regards
> Muhammad Nadeem
> Muhammad Ali Jinnah University
Re: DHCP reply don't go out
Is there any layer 3 device between the client and the DHCP server? Then you need a DHCP relay agent; if that is not the case, check the firewall.

Thanks

On Tuesday, February 12, 2013, Michele Pinassi wrote:

> Hi all,
>
> I've just installed a FreeRadius server 2.2.0 with DHCP support because I need a DHCP server that uses MySQL as a backend.
>
> My network topology is:
>
>   eth0 inet addr:193.205.4.xxx [PUBLIC]
>   eth1 inet addr:172.20.1.2 [PRIVATE]
>
> All DHCP requests and replies should come from eth1.
>
> Here is the freeradius -X dump:
>
>   FreeRADIUS Version 2.2.0, for host i486-pc-linux-gnu, built on Sep 20 2012 at 13:37:59
>   Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
>   There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>   You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
>   Starting - reading configuration files ...
Re: radiusd starts but rejects test user
On Fri, Feb 15, 2013 at 3:50 PM, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> I am new to radius. I have installed freeradius on my linux and after starting radiusd -X I executed the radtest tool for testing as below, but it could not get authenticated and Access-Reject was returned.
>>
>>   $ radtest testing password localhost 0 testing123
>>
>> Can anyone please help me in fixing this issue? Below is the radtest and radiusd log in debug mode.
>>
>>   /rootradtest testing password 127.0.0.1 0 testing123
>>   Sending Access-Request of id 251 to 127.0.0.1 port 1812
>>     User-Name = testing
>>     User-Password = password
>>     NAS-IP-Address = 127.0.1.1
>>     NAS-Port = 0
>>   rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=20
>
> I *assume* that you put
>
>   testing Cleartext-Password := password
>
> at the top of the $RADDB/users file?
>
> alan

Hi,

You might have seen the error in debug. As Alan indicated, it is an authentication problem. He has also told the solution.

  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
  ++[pap] returns noop
  ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
  Failed to authenticate the user.
  Using Post-Auth-Type REJECT

Thanks
RM --
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Phil Mayers wrote:

> On 18/02/13 18:02, Mobin Yazarlou wrote:
>
>> Hi,
>>
>> I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnects when the radius server is down, the NAS can not inform radius about the user being disconnected and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>
> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server).
>
> You need to take this into account. Possible solutions include some combination of:
>
> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>
> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>
> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>
> ...and so on.

Hi,

Very good elaborated response, it also helped me. Quality of Information was superB.

Thanks Man
RM --
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Mobin Yazarlou wrote:

> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>
>>> Hi,
>>>
>>> I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnects when the radius server is down, the NAS can not inform radius about the user being disconnected and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>
>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server).
>>
>> You need to take this into account. Possible solutions include some combination of:
>>
>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>>
>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>>
>> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>>
>> ...and so on.
>
> Hi,
>
> Thank you for the quick reply Phil. The solutions you have provided brought a new thing into my mind. I was thinking about similar scenarios and I found out that if the NAS crashes, the same thing will happen. Clients will get disconnected due to NAS unavailability and when the NAS is unavailable, radius won't be notified about users getting disconnected.
>
> By taking this into consideration, the most effective solution would be the first or the third approach you have listed. And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong.
>
> Thank you,
> Moby

Hi Phil, Moby,

I am also interested in this solution since I am experiencing the same problem. I liked solution no. 1. But I have no idea where I can get that script, but I can modify it if I have one.

Thanks / RM --
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 11:08 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 19/02/13 06:53, Russell Mike wrote:
>
>> Hi Phil, Moby,
>>
>> I am also interested in this solution since I am experiencing the same problem. I liked solution no. 1. But I have no idea where I can get that script, but I can modify it if I have one.
>
> It's a pretty simple script. Depending on your SQL database, you just do a
>
>   select from radacct where acctstarttime + acctsessiontime < 'now - 2 hours'
>
> or whatever. It should be a 1-line SQL query.
>
> However - I should emphasise that interim accounting and expiring dead SQL sessions is no substitute for a resilient RADIUS service; you should really have two servers, and look to use robust accounting *as well* as interim acct.

Dear Phil,

Thanks for the guidelines again. Maintaining two radius servers seems to be the simple and right solution, whereas it also offers high availability within the fix. Do you think the problem would be solved if I have two radius servers configured in the coova config?

Thanks / Regards
RM --
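The expiry script discussed in this thread (close sessions that have sent no accounting for X*interim-interval), worked through as an added example; it is not code from the thread or from the FreeRADIUS project. It assumes a cut-down radacct table in SQLite with times stored as epoch seconds, constructed sample rows, and 'Admin-Reset' as the terminate cause written for expired sessions.

```python
"""Expire radacct sessions that stopped sending interim updates (demo)."""
import sqlite3

# Last moment the NAS reported on a session: start time plus the session
# time carried by the most recent interim update. This is a fixed SQL
# fragment, never user input.
LAST_SEEN = "acctstarttime + COALESCE(acctsessiontime, 0)"


def make_demo_db(now):
    """Build an in-memory table with a subset of the radacct columns.

    Assumption: times are epoch seconds to keep the demo portable; the
    stock MySQL schema stores acctstarttime/acctstoptime as datetimes.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct ("
        " radacctid INTEGER PRIMARY KEY, username TEXT, nasipaddress TEXT,"
        " acctstarttime INTEGER, acctstoptime INTEGER,"
        " acctsessiontime INTEGER, acctterminatecause TEXT)"
    )
    rows = [  # constructed sample sessions
        ("alice", "10.0.0.1", now - 7200, None, 6900, None),   # still updating
        ("bob", "10.0.0.1", now - 20000, None, 9000, None),    # Stop was lost
        ("carol", "10.0.0.2", now - 600, None, None, None),    # just started
        ("dave", "10.0.0.2", now - 50000, now - 40000, 10000, "User-Request"),
        ("erin", "10.0.0.2", now - 3000, None, 0, None),       # never updated
    ]
    db.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime,"
        " acctstoptime, acctsessiontime, acctterminatecause)"
        " VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def open_sessions(db, username):
    """Number of sessions a Simultaneous-Use check would count as online."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct"
        " WHERE username = ? AND acctstoptime IS NULL", (username,)
    ).fetchone()[0]


def find_stale(db, now, interim_interval, missed=3):
    """Open sessions not heard from for missed * interim_interval seconds."""
    cutoff = now - missed * interim_interval
    return db.execute(
        f"SELECT username, nasipaddress, {LAST_SEEN} FROM radacct"
        f" WHERE acctstoptime IS NULL AND {LAST_SEEN} < ?"
        " ORDER BY radacctid", (cutoff,)
    ).fetchall()


def close_stale(db, now, interim_interval, missed=3):
    """Close stale sessions at their last-seen time; return rows changed."""
    cutoff = now - missed * interim_interval
    with db:  # one transaction, so a failure leaves the table untouched
        cur = db.execute(
            f"UPDATE radacct SET acctstoptime = {LAST_SEEN},"
            " acctterminatecause = 'Admin-Reset'"
            f" WHERE acctstoptime IS NULL AND {LAST_SEEN} < ?", (cutoff,))
    return cur.rowcount


if __name__ == "__main__":
    NOW = 1361300000  # constructed "current time"
    demo = make_demo_db(NOW)
    print("stale:", find_stale(demo, NOW, interim_interval=900))
    print("closed:", close_stale(demo, NOW, interim_interval=900))
    print("bob open sessions:", open_sessions(demo, "bob"))
```

Running find_stale before close_stale gives a dry run of what would be closed, which is worth logging when the job runs on a schedule.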
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 11:23 AM, Mobin Yazarlou yazarlo...@gmail.com wrote:

> On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike radius@gmail.com wrote:
>
>> On Monday, February 18, 2013, Mobin Yazarlou wrote:
>>
>>> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>>>
>>>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am using freeradius v2.1.12 with MySQL support and noticed if a user disconnects when the radius server is down, the NAS can not inform radius about the user being disconnected and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set simultaneous-use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>>>
>>>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server).
>>>>
>>>> You need to take this into account. Possible solutions include some combination of:
>>>>
>>>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>>>>
>>>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>>>>
>>>> 3. Use a script to check your NASes active sessions and compare to accounting data at a certain interval.
>>>>
>>>> ...and so on.
>>>
>>> Hi,
>>>
>>> Thank you for the quick reply Phil. The solutions you have provided brought a new thing into my mind. I was thinking about similar scenarios and I found out that if the NAS crashes, the same thing will happen. Clients will get disconnected due to NAS unavailability and when the NAS is unavailable, radius won't be notified about users getting disconnected.
>>>
>>> By taking this into consideration, the most effective solution would be the first or the third approach you have listed. And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong.
>>>
>>> Thank you,
>>> Moby
>>
>> Hi Phil, Moby,
>>
>> I am also interested in this solution since I am experiencing the same problem. I liked solution no. 1. But I have no idea where I can get that script, but I can modify it if I have one.
>>
>> Thanks / RM --
>
> Hi Mike,
>
> For an hour now I have been looking for a built-in solution or a ready-to-use script. The only thing I found was the Idle-Timeout (http://freeradius.org/rfc/rfc2865.html#Idle-Timeout) attribute. This problem could be solved if RADIUS was responsible for handling this attribute, but from what I read, it's the NAS's responsibility.
>
> I hope someone helps us to find the easiest and most effective solution.
>
> Thank you,
> Moby

Dear Moby,

That is brilliant. I also read it after your advice, and I feel that nothing can be easier and more effective than this: once Freeradius knows the ideal timeout value, the user can be logged out by Freeradius. This is what we were trying to do. Let's use it and see; I trust that it would do.

Great Thanks !! For Helping Community By Sharing Solutions.

Thanks Moby, Phil

Regards
--RM
Re: User disconnects but stays online in radius
On Tue, Feb 19, 2013 at 5:28 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 19/02/13 16:09, Russell Mike wrote:
>
>> A.) Enable interim accounting
>
> Yes
>
>> B.) Enable
>>
>>   post-auth {
>>       update reply {
>>           Acct-Interim-Interval = 900
>>       }
>>   }
>
> Yes
>
>> C.) You Said: You also need to ensure the accounting_update_query{,_alt} are configured in your sql.conf; this is the default.
>>
>> C1.) Unclear on this, I have nothing like this in my sql.conf
>>
>>   $INCLUDE sql/${database}/dialup.conf
>
> See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf
>
>> D.) You Said: I also found that sometimes removing the last accounting record for the locked user in the radacct table won't work and you need to set /var/log/freeradius/radutmp to null, to unlock that user.
>
> No, I didn't say that. Someone else did.
>
>> D1.) I use radutmp for Simultaneous-Use tracking. Do you mean it should be disabled?
>
> radutmp is inferior to SQL. There is no point in using both, and radutmp has problems.
>
>> I am clear with A and B. I need more help to tell us more about C, what exactly should be added in sql.conf, and D, how to set null.
>
> The default SQL schema and queries that come with the server support interim accounting. If you haven't changed them, you don't need to do anything for C.
>
> Just tell the NAS to send interim accounting, and then check using debug/tcpdump/radsniff/whatever that it's actually doing that.

Dear Phil Mayers,

Thank you very much for your kind assistance and also for being patient with slow learners. You are such a gentleman indeed, I have no words to thank you for helping us out step by step. Everything is clear at this point after reading your message. I wish to thank you once again for attending to us in your time.

Thanks / REGARDS
--RM
MAC-Auth + Freeradius + MySQL Database
Greetings Dear Alan D. and List Members,

First of all, thank you very much for developing such an application.

I need help. I have a functional Freeradius server with a MySQL backend. I have been asked to add MAC address authentication support for the servers. I googled the topic and got many, many mail archive results; I tried to read those for about a day before posting to the mailing list.

In most of them, administrators are discussing troubleshooting topics, but I was searching for how to start the implementation and the REQUIREMENTS.

I also came across threads where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.

Finally, I came across the wiki documentation. Almost everything is there and it is well explained as well, thanks. I now understand how it works. But the SQL part is still a question.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

How to store MACs in the MySQL database? Perhaps I need to create an additional table to store MACs. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of, and that I can follow to finish the setup?

Great thanks for attending to this request and thanks for your support ever since!

Additional information: FR_v2.2 with Coova 1.3.0

Regards -- RM
Re: MAC-Auth + Freeradius + MySQL Database
On Sunday, February 24, 2013, Alan DeKok wrote:

> Russell Mike wrote:
>
>> I also came across threads where guys are discussing EAP and MAC authentication. I could not conclude if it is a better way of doing MAC authentication using EAP.
>
> To be clear: you don't. EAP is authentication. MAC authentication is just checking if the MAC address is in a known list.
>
> Terminology matters. Using the right terminology means that the solution is usually simple. Using the wrong terminology means you're using the wrong design.
>
>> How to store MACs in the MySQL database? Perhaps I need to create an additional table to store MACs. Honestly, I am not sure how to go about it. Is there any documentation that I may NOT know of, and that I can follow to finish the setup?
>
> If all you want is a known MAC list, then just put them into a table in SQL. Then, select MAC addresses from the table at run time. If they're found, continue. If not, reject.
>
> Alan DeKok.

Dear Alan D.

Thanks for the guidelines. Exactly, as you stated I simply want to store MAC addresses somewhere and compare against the request. Can they be in radcheck? Would you recommend that, or a separate table? Storing MACs in radcheck, would it be correct terminology?

Secondly, I would have a list of maximum 500 MACs; how about listing them in a file? Would it be considerably slower reading from a file than a DB? I have no idea because I never used radius with files.

Thanks Alan De. for your support ever

Regards
--RM
Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 2:20 PM, Alan DeKok al...@deployingradius.com wrote:

> Russell Mike wrote:
>
>> Thanks for the guidelines. Exactly, as you stated I simply want to store MAC addresses somewhere and compare against the request. Can they be in radcheck?
>
> I wouldn't do that. Just create your own table of MAC addresses.
>
> If all you want is to list known MACs, you can do that with a custom table. Then, do:
>
>   if (%{sql: SELECT ...}) {
>       # known MAC
>   }
>
> Use a SQL client to write the correct SELECT statement, and then put it into the example above. Then apply any known MAC rule inside of the if statement.
>
>> Secondly, I would have a list of maximum 500 MACs; how about listing them in a file? Would it be considerably slower reading from a file than a DB? I have no idea because I never used radius with files.
>
> See man rlm_passwd. It contains examples. You could put the MACs into a group via that module, and then do group checking.
>
> Alan DeKok.

Dear Alan De.

Thanks for your input, you are so helpful. And the information sent is also very useful; I will try to move forward based on your guidelines.

Thanks / Regards
RM --
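The known-MAC table lookup suggested in this thread, as an added example that is not part of the thread or of FreeRADIUS: it normalises the Calling-Station-Id notations a NAS may send to one stored form before a parameterised SELECT, so that malformed values never reach the query. The table name known_macs, its columns, the accepted notations and the sample addresses are all assumptions made for the demo.

```python
"""Known-MAC list check with input normalisation (demo)."""
import re
import sqlite3

# Notations accepted for Calling-Station-Id (an assumed set for this demo).
_MAC_FORMS = (
    re.compile(r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"),    # 00-1a-2b-3c-4d-5e
    re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"),    # 00:1a:2b:3c:4d:5e
    re.compile(r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"),   # 001a.2b3c.4d5e
    re.compile(r"[0-9a-f]{12}"),                      # 001a2b3c4d5e
)


def normalise_mac(value):
    """Return the MAC as lower-case aa-bb-cc-dd-ee-ff, or None if invalid."""
    if not isinstance(value, str):
        return None
    text = value.strip().lower()
    # fullmatch: the whole value must be a MAC, nothing may trail it.
    if not any(form.fullmatch(text) for form in _MAC_FORMS):
        return None
    digits = re.sub(r"[-:.]", "", text)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def make_demo_db():
    """Hypothetical custom table, separate from radcheck."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE known_macs ("
        " mac TEXT PRIMARY KEY,"            # always stored normalised
        " owner TEXT NOT NULL,"
        " enabled INTEGER NOT NULL DEFAULT 1)"
    )
    samples = [  # constructed entries
        ("00:1A:2B:3C:4D:5E", "cpe-0001", 1),
        ("0011.2233.4455", "cpe-0002", 0),  # listed but disabled
    ]
    for raw, owner, enabled in samples:
        db.execute("INSERT INTO known_macs VALUES (?, ?, ?)",
                   (normalise_mac(raw), owner, enabled))
    return db


def check_mac(db, calling_station_id):
    """'accept' if the MAC is listed and enabled, otherwise 'reject'."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return "reject"                     # malformed: no query is run
    row = db.execute(
        "SELECT 1 FROM known_macs WHERE mac = ? AND enabled = 1", (mac,)
    ).fetchone()
    return "accept" if row else "reject"


if __name__ == "__main__":
    demo = make_demo_db()
    for candidate in ("00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e",
                      "00-1a-2b-3c-4d-5f", "0011.2233.4455", "00-1a-2b"):
        print(candidate, "->", check_mac(demo, candidate))
```

Storing one canonical form with a primary key also prevents the same device being listed twice under different notations.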
Re: MAC-Auth + Freeradius + MySQL Database
On Sun, Feb 24, 2013 at 1:55 PM, David Peterson dav...@wirelessconnections.net wrote:

> I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.
>
> No clue how to do this, I just know it can be done.
>
> David

Dear David,

Thanks for attending to the request. What do you mean when you say one person is doing something similar to what you are looking to do? Do others do the MAC-Auth in a different way than I am doing?

I read the response from Mr. Alan De. about storing MACs in the database. The following wiki also explains how to rewrite calling-station-id using unlang and further compare against a file or DB.

http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL

Your information is appreciated.

Thanks / Regards
RM --
Re: MAC-Auth + Freeradius + MySQL Database
Understood. Thanks dear David P. for participating in my troubleshooting. I am grateful.

Thanks / Regards
RM --

On Sun, Feb 24, 2013 at 3:31 PM, David Peterson dav...@wirelessconnections.net wrote:

> He approached the problem differently than most people. He already had a database with the MAC addresses. Due to a deployment mistake in the past he did not have the passwords from each of 500 EAP clients. So rather than going out and changing those addresses he matches up the MAC address with a paying customer from the database.
>
> The person is in charge of a wireless ISP so scheduling 500 home visits was a worse option than writing some code to authorize the CPE.
>
> David
>
> From: Russell Mike [mailto:radius@gmail.com]
> Sent: Sunday, February 24, 2013 10:00 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: MAC-Auth + Freeradius + MySQL Database
>
> On Sun, Feb 24, 2013 at 1:55 PM, David Peterson dav...@wirelessconnections.net wrote:
>
>> I know of one person doing something similar to what you are looking to do. If your NAS sends the MAC of the device with the EAP request, you can extract the MAC from the request using unlang and check that against a database of MACs.
>>
>> No clue how to do this, I just know it can be done.
>>
>> David
>
> Dear David,
>
> Thanks for attending to the request. What do you mean when you say one person is doing something similar to what you are looking to do? Do others do the MAC-Auth in a different way than I am doing?
>
> I read the response from Mr. Alan De. about storing MACs in the database. The following wiki also explains how to rewrite calling-station-id using unlang and further compare against a file or DB.
>
> http://wiki.freeradius.org/guide/Mac-Auth#Mac-Auth-authorisation-by-SSID-SQL
>
> Your information is appreciated.
>
> Thanks / Regards
> RM --
Re: Authentication Using Framed-IP-Address
Hi Arran,

Thanks for the answer to my question. Nothing wrong to say thanks but perhaps to see it from that angle.

Regards / RM --

On Thu, Mar 7, 2013 at 3:12 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 7 Mar 2013, at 09:50, Russell Mike radius@gmail.com wrote:
>
>> Dear Alan. De. and List,
>>
>> Greetings
>>
>> May I please ask your opinion, if it is possible to accept or reject users based on Framed-IP-Address.
>
> Yes if the Framed-IP-Address is available in the request. There are however, no IP specific operators, so it's more difficult to check whether an IP address is in a certain range.
>
> Also, Alan doesn't need his ego stroking any more, addressing questions to the list works just as well.
>
> -Arran
Redirecting Reject Request To Webpage
Hi FreeRadius List Members,

Thanks for all the support ever. I am having difficulty understanding something, and I need help.

I am able to configure MAC authentication based on the following logic. It works!!

  username=mac address;attribute=Auth-Type;op=:=;value=Accept
  username=mac address;attribute=Auth-Type;op=:=;value=Reject

Question: Redirecting Reject Request To Webpage

For example, a customer would get a reject from FR due to non-payment, but at this stage the customer does not know what is happening or why the internet is down. We want the request to be redirected to a web page that will display the cause of disconnection.

Thanks
RM --
Re: Redirecting Reject Request To Webpage
Thanks Dear Alan D.

Good answer with explanations. I appreciate your input. I am using CoovaChilli as NAS; I will check with them also. But I would appreciate it if you could please indicate the FR attribute I may use.

Thanks / Regards
RM --

On Fri, Mar 8, 2013 at 2:14 PM, Alan DeKok al...@deployingradius.com wrote:

> Russell Mike wrote:
>
>> Question: Redirecting Reject Request To Webpage
>>
>> For example, a customer would get a reject from FR due to non-payment, but at this stage the customer does not know what is happening or why the internet is down. We want the request to be redirected to a web page that will display the cause of disconnection.
>
> RADIUS doesn't do that. It does authorization or authentication. It doesn't do firewalling or routing.
>
> Read the NAS documentation to see if it's possible. It might be, but it would involve FreeRADIUS sending an attribute to the NAS saying "do this". The NAS would then be responsible for firewalling.
>
> Remember, RADIUS carries *suggestions*. The RADIUS protocol isn't involved in routing, filtering, firewalling, web serving, etc. No user traffic ever goes through a RADIUS server, so redirecting user traffic in RADIUS is *impossible*.
>
> Alan DeKok.
Re: Redirecting Reject Request To Webpage
Thanks Dear Arran.

Your input is very much appreciated. I will check on the NAS side.

Thanks

On Fri, Mar 8, 2013 at 4:30 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 8 Mar 2013, at 11:22, Russell Mike radius@gmail.com wrote:
>
>> Thanks Dear Alan D.
>>
>> Good answer with explanations. I appreciate your input. I am using CoovaChilli as NAS; I will check with them also. But I would appreciate it if you could please indicate the FR attribute I may use.
>
> Consult the CoovaChilli docs for attributes. If we have an attribute defined it's either for internal use, for an RFC, or because someone has contributed dictionaries that define it.
>
> -Arran
Re: Cannot access radius server from remote host
Hi, note for ever. FR will simply ignore the request if NAS (client) is not configured. As Mohammed has explained by giving full example earlier. When your NAS will change in future and may need additional NAS support, you need to define second client entry in the same file or in MySQL DB, only if using.

Thanks
RM --

On Sat, Mar 9, 2013 at 10:43 AM, Muhammad Nadeem mnadeem8...@gmail.com wrote:

For this you have to define the IP address and shared secret on the Radius server in client.config. Following is an entry that defines that you can send requests from a computer having the 192.168.0.102 IP address.

    client 192.168.0.102 {
        ipaddr = 192.168.0.102
        secret = testing123
    }

Please read client.config for further details.

On Sat, Mar 9, 2013 at 3:35 PM, Iftakhul Anwar an...@meruvian.org wrote:

Hi All, I just tried to connect to the radius server remotely. I've tried radtest with the command:

    radtest user1 meruvian localhost 1812 testing123
    Sending Access-Request of id 133 to 127.0.0.1 port 1812
        User-Name = user1
        User-Password = meruvian
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=133, length=20

## i get accept response from radius server.

But when I try with the command below I get an error message like no response from the radius server:

    radtest user1 meruvian 192.168.2.3 1812 testing123
    Sending Access-Request of id 12 to 192.168.2.3 port 1812
        User-Name = user1
        User-Password = meruvian
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x
    Sending Access-Request of id 12 to 192.168.2.3 port 1812
        User-Name = user1
        User-Password = meruvian
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x
    Sending Access-Request of id 12 to 192.168.2.3 port 1812
        User-Name = user1
        User-Password = meruvian
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
        Message-Authenticator = 0x
    radclient: no response from server for ID 12 socket 3

Note: 192.168.2.3 is the IP of the radius server.

How can I connect to the radius server from another host? I've tried to disable my firewall, but still get no response from the server. Help me to solve this.

Thanks
--
*M.Iftakhul Anwar*
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)
Office Phone : 021-93586577
Mobile Phone : 085215331477
Blog : http://blog.mervpolis.com/roller/anwar
FB : http://www.facebook.com/troya.adromeda
Website : www.meruvian.org

--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
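The behaviour discussed in this thread, as an added example that is not part of the original posts and is not FreeRADIUS code: a simplified Python model of how a RADIUS server picks the shared secret by the packet's source address, ignores unknown clients without replying, and checks Message-Authenticator and the hidden User-Password per RFC 2865/2869. The client table, function names and return strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed client table: one entry, mirroring the client stanza quoted in the thread.
CLIENTS = {ipaddress.ip_address("192.168.0.102"): b"testing123"}

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _xor_stream(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        prev = block if decrypt else result
        out += result
    return out


def build_access_request(ident, user, password, secret, authenticator=None):
    """Client side (what a test client does): hide the password, then sign the packet."""
    authenticator = authenticator or os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden = _xor_stream(padded, secret, authenticator, decrypt=False)
    attrs = b""
    for code, value in ((USER_NAME, user), (USER_PASSWORD, hidden),
                        (MESSAGE_AUTHENTICATOR, b"\x00" * 16)):
        attrs += struct.pack("!BB", code, len(value) + 2) + value
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs)
    # Message-Authenticator is the last attribute here, so it fills the final 16 bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def handle_packet(source_ip, packet):
    """Server side. Returns (action, detail); 'ignored' means no reply is sent at all."""
    secret = CLIENTS.get(ipaddress.ip_address(source_ip))
    if secret is None:
        # No client entry means no secret to validate with: the client just times out.
        return ("ignored", "unknown client")
    if len(packet) < 20:
        return ("ignored", "malformed packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return ("ignored", "malformed packet")
    authenticator = packet[4:20]
    scratch = bytearray(packet[:length])
    attrs, signature, pos = {}, None, 20
    while pos + 2 <= length:
        code, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return ("ignored", "malformed packet")
        value = packet[pos + 2:pos + alen]
        if code == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return ("ignored", "malformed packet")
            signature = value
            scratch[pos + 2:pos + alen] = b"\x00" * 16  # field is zeroed before HMAC
        attrs[code] = value
        pos += alen
    if signature is not None:
        expected = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
        if not hmac.compare_digest(signature, expected):
            return ("ignored", "bad Message-Authenticator")
    clear = _xor_stream(attrs.get(USER_PASSWORD, b""), secret, authenticator, decrypt=True)
    return ("processed", {
        "User-Name": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "User-Password": clear.rstrip(b"\x00").decode(errors="replace"),
    })


if __name__ == "__main__":
    pkt = build_access_request(12, b"user1", b"meruvian", b"testing123")
    print(handle_packet("192.168.0.102", pkt))  # configured client
    print(handle_packet("192.168.2.50", pkt))   # constructed address with no client entry
```
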
FR Login-Time Vs Unix-Time-Based-Login
Hi Freeradius List,

Why someone will use Unix-Time-Based-Login why not Login-Time FR attribute? Does it offer more flexibility or control over each other. Actually, we want to implement login based on time. I am reading mail archives since yesterday to understand basic functionality of the model. And have also come across where people are talking about both techniques. But unable to know what is better way to go with.

Thanks for attending to this material

Thanks / Regards
RM --
Re: FR Login-Time Vs Unix-Time-Based-Login
Hi, Please mind my mistake

1.) Unix-Time-Based-Login using unlang rather than Login-Time FR attribute.

On Tue, Mar 12, 2013 at 11:06 AM, Russell Mike radius@gmail.com wrote:

Hi Freeradius List,

Why someone will use Unix-Time-Based-Login why not Login-Time FR attribute? Does it offer more flexibility or control over each other. Actually, we want to implement login based on time. I am reading mail archives since yesterday to understand basic functionality of the model. And have also come across where people are talking about both techniques. But unable to know what is better way to go with.

Thanks for attending to this material

Thanks / Regards
RM --
Re: How to use checkval
checkval can be helpful when you need to apply NAS-identifier Calling-Station-Id - FR attributes.

    checkval calledstationid {
        item-name = Called-Station-Id
        check-name = Called-Station-Id
        data-type = string
        notfound-reject = no
    }

    checkval nasidentifier {
        item-name = NAS-Identifier
        check-name = NAS-Identifier
        data-type = string
        notfound-reject = no
    }

Thanks / Regards
RM --

On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:

Hi All. I found this error when enabled checkval

    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop

What is the meaning of that error? Thanks in advance

--
Best Regards,
Danny
Re: How to use checkval
Hi Dan,

What Reject? And MAC address listed where? Are you working around MAC authentication? FR MAC auth is working for me, I use CoovaChilli as NAS.

0.) MAC address would exist as user in MySQL DB or file
1.) Configure NAS to send MAC-Addr as username to Freeradius
2.) And do the following at Freeradius side.

    username=mac address;attribute=Auth-Type;op=:=;value=Accept

Thanks / Regards
RM --

On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:

Hi Russel, Thanks for that. However it seems the check-name can't even be populated, as you can see from my log file.

    +- entering group authorize {...}
    ++[preprocess] returns ok
    rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
    rlm_checkval: *Could not find attribute named * *Calling-Station-Id in check pairs*
    ++[checkval] returns notfound
    [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
    [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
    [auth_log] expand: %t - Wed Mar 13 17:47:09 2013

I checked the ldap.attrmap and it's correctly mapped to the LDAP attribute. So how to make sure that Radius rejects the request when the MAC address is not listed.. that's what I want to achieve

Thanks
Danny

On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike radius@gmail.com wrote:

checkval can be helpful when you need to apply NAS-identifier Calling-Station-Id - FR attributes.

    checkval calledstationid {
        item-name = Called-Station-Id
        check-name = Called-Station-Id
        data-type = string
        notfound-reject = no
    }

    checkval nasidentifier {
        item-name = NAS-Identifier
        check-name = NAS-Identifier
        data-type = string
        notfound-reject = no
    }

Thanks / Regards
RM --

On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:

Hi All. I found this error when enabled checkval

    rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
    ++[checkval] returns notfound
    ++[expiration] returns noop

What is the meaning of that error? Thanks in advance

--
Best Regards,
Danny
Re: how i can check if password is not correct ?
Debian, Ubuntu: freeradius -XXX
Redhat CentOS: radiusd -XXX

Thank / RM --

On Sat, Mar 30, 2013 at 9:12 AM, Mehdi Ravanbakhsh baba...@gmail.com wrote:

Hi All

If the password in a request is not correct, which module handles this and rejects the client? Where can I check if the password is not correct? And what does the module return when the password does not match?

Best regards.
Re: noresetcounter
Because you have disable the valid check item

Query using

    #
    sqlcounter forevertimecounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        count-attribute = Acct-Session-Time
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        cache-size = 5000
        query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
    }

*Check Items:*
Max-All-Session 3600
Session-Timeout 3600

*Reply Items:*
Session-Timeout 3600
Idle-Timeout 60

Thanks
RM --

On Mon, Apr 1, 2013 at 1:35 PM, Muhammad Nuzaihan Kamal Luddin muham...@taqisystems.com wrote:

Hi, My objective to configure freeradius is that the user automatically gets logged out during the accounting process by noresetcounter statement. But currently, the user that is logged in keeps being connected even when the time is up.

Here's my counter.conf:
---

    sqlcounter noresetcounter {
        counter-name = Session-Timeout
        #check-name = Max-All-Session
        check-name = Session-Timeout
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        #query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
        query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
    }

And the logs:

    rad_recv: Access-Request packet from host 192.168.233.9 port 2052, id=0, length=200
        User-Name = 34
        User-Password = EEawKbR3
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.2
        Calling-Station-Id = 00-26-82-15-4E-3D
        Called-Station-Id = 00-0F-66-59-DD-33
        NAS-Identifier = taqihotspot1
        Acct-Session-Id = 515a0884
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0x48faf6d6c674bceef3469467121e5eae
        WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
    Mon Apr 1 21:22:51 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
    Mon Apr 1 21:22:51 2013 : Info: +- entering group authorize {...}
    Mon Apr 1 21:22:51 2013 : Info: ++[preprocess] returns ok
    Mon Apr 1 21:22:51 2013 : Info: ++[chap] returns noop
    Mon Apr 1 21:22:51 2013 : Info: ++[mschap] returns noop
    Mon Apr 1 21:22:51 2013 : Info: ++[digest] returns noop
    Mon Apr 1 21:22:51 2013 : Info: [suffix] No '@' in User-Name = 34, looking up realm NULL
    Mon Apr 1 21:22:51 2013 : Info: [suffix] No such realm NULL
    Mon Apr 1 21:22:51 2013 : Info: ++[suffix] returns noop
    Mon Apr 1 21:22:51 2013 : Info: [eap] No EAP-Message, not doing EAP
    Mon Apr 1 21:22:51 2013 : Info: ++[eap] returns noop
    Mon Apr 1 21:22:51 2013 : Info: [sql] expand: %{User-Name} - 34
    Mon Apr 1 21:22:51 2013 : Info: [sql] sql_set_user escaped user -- '34'
    Mon Apr 1 21:22:51 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 4
    Mon Apr 1 21:22:51 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = '34' ORDER BY id
    Mon Apr 1 21:22:51 2013 : Info: [sql] User found in radcheck table
    Mon Apr 1 21:22:51 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = '34' ORDER BY id
    Mon Apr 1 21:22:51 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = '34' ORDER BY priority
    Mon Apr 1 21:22:51 2013 : Info: [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '3mins' ORDER BY id
    Mon Apr 1 21:22:51 2013 : Debug: rlm_sql (sql): Released sql socket id: 4
    Mon Apr 1 21:22:51 2013 : Info: ++[sql] returns ok
    Mon Apr 1 21:22:51 2013 : Info: ++[logintime] returns noop
    Mon Apr 1 21:22:51 2013 : Info: ++[pap] returns updated
    Mon Apr 1 21:22:51 2013 : Debug: rlm_sqlcounter: Entering module authorize code
    Mon Apr 1 21:22:51 2013 : Debug: rlm_sqlcounter: Could not find Check item value pair
    Mon Apr 1 21:22:51 2013 : Info: ++[noresetcounter] returns noop
    Mon Apr 1 21:22:51 2013 : Debug: rlm_sqlcounter: Entering module authorize code
    Mon Apr 1 21:22:51 2013 : Debug:
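To make the "Could not find Check item value pair" / "returns noop" lines in this thread concrete, here is an added example (not from the original posts, and a simplified model rather than rlm_sqlcounter's code) of the counter decision: no check item means the module does nothing, otherwise the remaining time becomes the Session-Timeout reply or the request is rejected. The SQLite table, the 180-second limit, the accounting rows and the Reply-Message text are constructed for the illustration.

```python
import sqlite3

# The counter query from the thread, with the user bound as a parameter instead
# of the %{%k} expansion that FreeRADIUS performs.
QUERY = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName = ?"
# The variant used in the posted counter.conf (IFNULL commented out).
QUERY_NO_IFNULL = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?"


def make_radacct(rows):
    """Build a constructed, in-memory stand-in for the radacct table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?)", rows)
    return db


def sqlcounter_authorize(db, user, control, reply,
                         check_name="Max-All-Session", reply_name="Session-Timeout"):
    """Simplified authorize step of a never-resetting time counter.

    control: check items attached to the user or group (e.g. from radcheck/radgroupcheck)
    reply:   reply items, updated in place
    """
    limit = control.get(check_name)
    if limit is None:
        # Nothing to compare against: the module steps aside and the user is not limited.
        return "noop"
    used = db.execute(QUERY, (user,)).fetchone()[0]
    if used >= limit:
        reply["Reply-Message"] = "usage limit reached"  # constructed text
        return "reject"
    remaining = limit - used
    # Never lengthen a Session-Timeout that another module already set lower.
    reply[reply_name] = min(reply.get(reply_name, remaining), remaining)
    return "ok"


def demo():
    # Constructed accounting rows: user 34 has used 120 s, user 35 has used 180 s.
    db = make_radacct([("34", 70), ("34", 50), ("35", 180)])
    results = {}

    reply = {}
    # As in the posted config: check-name = Session-Timeout, but no such check item exists.
    outcome = sqlcounter_authorize(db, "34", {}, reply, check_name="Session-Timeout")
    results["no check item"] = (outcome, dict(reply))

    reply = {}
    outcome = sqlcounter_authorize(db, "34", {"Max-All-Session": 180}, reply)
    results["time left"] = (outcome, dict(reply))

    reply = {}
    outcome = sqlcounter_authorize(db, "35", {"Max-All-Session": 180}, reply)
    results["time used up"] = (outcome, dict(reply))

    # SUM() over zero rows is NULL, which is what IFNULL(...,0) guards against.
    results["first login, no IFNULL"] = db.execute(QUERY_NO_IFNULL, ("99",)).fetchone()[0]
    results["first login, IFNULL"] = db.execute(QUERY, ("99",)).fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```
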
Freeradius Expire-After How To .. ?
Hi List,

I need to expire the prepaid card after three months of first login. After reading mail archives, I was able to figure out that I need to use Expire-After FR attribute and value in seconds. I was a bit unclear how to bring the module into action because I am unable to locate Expire-After attribute to users (Through Daloradius). Someone please help ...

    # Default Module Came With FR v2.2
    sqlcounter expire_on_login {
        counter-name = Expire-After-Initial-Login
        check-name = Expire-After
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
            FROM radacct \
            WHERE UserName='%{${key}}' \
            ORDER BY acctstarttime \
            LIMIT 1;"
    }

Thanks / Regards
RM --
Re: Freeradius Expire-After How To .. ?
Thanks Muhammed,

Expiration module (Attribute) works for me already, if I want to expire an account on the calendar date. It does the job just fine. I need to expire the account after 90 days but count must start after first login.

Your help is appreciated / Thanks

On Tue, Apr 2, 2013 at 9:58 AM, Muhammad Nuzaihan bin Kamal Luddin muham...@taqisystems.com wrote:

Hi, Have you tried expiration module?

    sqlcounter expiration {
        count-attribute = Acct-Session-Time
        counter-name = Max-Allowed-Session
        check-name = Expiration
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
            MIN(AcctStartTime))),0) FROM radacct WHERE \
            UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
    }

Of course you have to put "expiration" (without quotes) in:

instantiate portion of radiusd.conf
accounting section of sql.conf (or sites-available/default file in debian)

You may have to add Expiration in the check attributes as well. From what I have looked within daloradius code, you will need to set the time settings in Plan.

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Mon, 2013-04-01 at 17:12 +, Russell Mike wrote:

Hi List,

I need to expire the prepaid card after three months of first login. After reading mail archives, I was able to figure out that I need to use Expire-After FR attribute and value in seconds. I was a bit unclear how to bring the module into action because I am unable to locate Expire-After attribute to users (Through Daloradius). Someone please help ...

    # Default Module Came With FR v2.2
    sqlcounter expire_on_login {
        counter-name = Expire-After-Initial-Login
        check-name = Expire-After
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
            FROM radacct \
            WHERE UserName='%{${key}}' \
            ORDER BY acctstarttime \
            LIMIT 1;"
    }

Thanks / Regards
RM --
Re: session section is not working
Do you mean simultaneous session? If you are using MySQL, please check if enabled under session section.

Thanks
RM --

On Friday, April 5, 2013, Mehdi Ravanbakhsh wrote:

Hi All

My Session Section in site enable is not working! I do not have any log about that section in my radius.log file. Do you have any ideas why?
Volume Control
Dear Alan D.

What is Freeradius using currently to keep track? Is it 64bit or 32bit?

Thanks / Regards
Re: Volume Control
Hi Arran,

Thanks for clarification through your response. If I understand your answer, you are saying that currently, as is, FreeRadius is using 64-bit data types in some areas and not in others, am I right? Also is it possible to allow FreeRadius to validate traffic above 4GB?

Thanks / Regards

On Tue, Apr 16, 2013 at 5:42 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

Dear Alan D.

I may create a new rule. People who address mail to me personally get unsubscribed.

Alan DeKok.
Re: captive portal auth with freeradius
Hi,

Can you please revise your question and put it in a better way? I am not clear, do some more typing. If captive portal (NAS) is CoovaChilli, this works for me.

    HS_RAD_PROTO=pap

Thanks / Regards

On Wed, Apr 17, 2013 at 11:51 AM, Chitrang Srivastava chitrang.srivast...@gmail.com wrote:

I am facing an issue that the captive portal server is sending an auth request which is not an EAP message and hence the freeradius server is rejecting it. It goes to the users file and finds the last line Auth-Type: Reject. Can anyone point out how to fix this? I guess if the captive portal sends an EAP message, it will be looked up in eap.conf and then a valid authenticate section can be chosen?
Re: Volume Control
Dear Arran,

Thanks you very(32) much. That's what I wanted to know, if it is not FR limitation.

Regards / RM --

On Wed, Apr 17, 2013 at 2:13 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 17 Apr 2013, at 05:27, Russell Mike radius@gmail.com wrote:

Hi Arran,

Thanks for clarification through your response. If I understand your answer, you are saying that currently, as is, FreeRadius is using 64-bit data types in some areas and not in others, am I right? Also is it possible to allow FreeRadius to validate traffic above 4GB?

If the NAS provides the Gigawords attributes, yes.

-Arran
Re: radgroupcheck attributes and test client
FR should be able to know if the allowed time used / consumed before it can deny request. Have you set up rlm_sqlcounter?

Thanks
RM --

On Fri, May 3, 2013 at 7:49 AM, ch2...@arcor.de wrote:

All, I'm a newbie in radius. I've set up freeradius with mySQL and max-daily-session. When I set max-daily-session := 10 in radgroupcheck table, a user of this group can login (accept packet after authentication), even if he already has been logged in for 10 seconds before. I'm using NTRadPing and Radius Test Rig Utily as a client. I've sent accounting packages. Radacct table got populated (beginning and end of session, no octets). Is it a client issue? Must NTRadPing send any additional parameters? Any help is appreciated.

Chris
Re: radgroupcheck attributes and test client
You said same setup is working with Coovachilli, same groups / profiles? Else cross check your reply check items, if in place. If FR groups are same check NAS side.

Thanks

On Friday, May 3, 2013, wrote:

Hi,

Von: Russell Mike radius@gmail.com

FR should be able to know if the allowed time used / consumed before it can deny request. Have you set up rlm_sqlcounter?

Yes. The same setup is working with a Coova Chilli WLAN Router, so I guess it is a client issue.

Chris
Re: radgroupcheck attributes and test client
On Sun, May 5, 2013 at 6:51 PM, ch2...@arcor.de wrote:

Von: Russell Mike radius@gmail.com

You said same setup is working with Coovachilli, same groups / profiles? Else cross check your reply check items, if in place. If FR groups are same check NAS side. Thanks

I'll check reply and check items when I'm in office again, but I'm quite sure they are the same. How can I check NAS side?

Documentation will tell

One is Coovachilli, the other is a radius test client (NTRadPing and Radius Test Rig Utily)

You need to create NAS entry in MySQL or File for the IP address of the machine. The machine from where you would run NTRadping.

Thank you!
Chris
Service Provisioning Using AAA (FreeRadius)
Dear FreeRadius Gurus

Greetings, I work with an ISP, I have been asked to research about service provisioning using AAA. I am NOT very new to FreeRadius. Have implemented and managing central CoovaChilli hotspot solution where we run more than 35 hotspots across the city using CoovaChilli + Freeradius.

Currently, we do manual connection / disconnection. If a customer did not pay until 31st, somebody manually disconnects the link. And manually connects when customer comes to pay.

I am somehow not clear with the idea, how that would work and where to start from. I am looking for advice from those who have already set up such a system. Any kind of help would be highly appreciated. I am further willing to study, if I know which direction to move on. Someone please help

Thanks / Regards
--RM
Re: Service Provisioning Using AAA (FreeRadius)
Dear Mulindawa / Marinal Alan Dekok

Thanks you very much for your advice, very much valuable for ME. Saw some light at the end of the tunnel. I really need help, one more question please. Such as MAC authentication, is it possible to authenticate a device using IP address in FR? Then I can further attach the attributes with group of IP address. I want this because the devices that would send auth requests would come from behind a layer3 device (Router). Thanks for everything sir(s).

Thanks / Regards
--RM

On Tue, May 28, 2013 at 1:51 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

Currently, we do manual connection / disconnection. If a customer did not pay until 31st, somebody manually disconnects the link. And manually connects when customer comes to pay.

That's what Session-Timeout is for. Set it to 1 day (86400 seconds). That way they have to re-authenticate every day. On the 31st, you just refuse to re-authenticate them. Or, use Disconnect-Request. But the NAS has to support it.

Alan DeKok.
Re: Service Provisioning Using AAA (FreeRadius)
Hi List

After googling for a few days, still not so much clear. Therefore, I have decided to implement three *A* in three different steps. For now, I only want to use the Authorize function of FR. I do not want authentication Accounting BUT authorization. Using MySQL as a backend.

Trying to make something like this: A remote user would hit Cisco NAS gateway router (in ISP NOC Data Center) --- Cisco NAS is going to ask FreeRadius if the IP is authorized to pass through. I need a little idea how this can be achieved. Something like this or equivalent idea.

    | 66 | *41.157.61.88* | | := | *Accept* |
    | 67 | *41.157.61.30* | | := | *Reject* |

Thanks Everyone
Regards
--RM

On Tue, May 28, 2013 at 4:12 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

Dear Mulindawa / Marinal Alan Dekok

Thanks you very much for your advice, very much valuable for ME. Saw some light at the end of the tunnel. I really need help, one more question please. Such as MAC authentication, is it possible to authenticate a device using IP address in FR? Then I can further attach the attributes with group of IP address.

No. RADIUS authentication occurs *before* network access.

Alan DeKok.
Re: Accounting time duration calculation
Hi,

On Wed, Jun 5, 2013 at 7:43 AM, Miha m...@softnet.si wrote:

Hi, how does freeradius calculate duration time?

MySQL query grabs the information from radacct i.e.

    sqlcounter forevertimecounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        count-attribute = Acct-Session-Time
        reply-name = Session-Timeout
        sqlmod-inst = sql
        key = User-Name
        reset = never
        cache-size = 5000
        query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
    }

My NAS sends start and stop packet. In mysql table I can see accstarttime and accstoptime. Is the duration time automatically created from start time and stop time or should NAS also send duration time?

No. Value is stored in radacct; rlm_sqlcounter sums the total time. Hope this helps!

In other words is it possible that freeradius automatically calculates duration from start and stop packet :)?

tnx!
miha
Re: Service Provisioning Using AAA (FreeRadius)
Dear Alan DeKok John Dennis

Thanks for your input, words and clarification. Explanation was very good. Moreover, good to have people like you on the list.

Regards
Prabhpal Singh

On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok al...@deployingradius.com wrote:

John Dennis wrote:

You're both right, now shake hands and make up :-) The problem with the term authorization in radius is used in a non-standard way that leads to confusion. The normal use of the term authorization (authz) indicates what a principal is permitted to do and a principal must be validated via authentication (authn) first. In radius authorization means collecting information necessary to perform the authentication operation. It's an unfortunate semantic difference that leads to a fair amount of confusion (myself included), but after a while you get used to it.

It was a historical mistake in FreeRADIUS which has been kept for too long. After 3.0 is released, we'll transition to a naming scheme that's a little more complex, but much clearer. The idea is that every packet has 3 stages:

    recv = receive the packet
    process = process the packet
    send = send the reply

We can map the existing authorize / authenticate / etc. to these processing stages. That change will be initially confusing, but will be simpler. It will also enable the server to do more protocols that are in the works. :)

Alan DeKok.
Re: Service Provisioning Using AAA (FreeRadius)
Hi John Alan,

Kindly clarify. Does this mean it is possible to use only the authorize function of FR and process all authentication requests with the following virtual server?

1.

    server accept_all_requests {
        authorize {
            update control {
                Auth-Type := Accept
            }
        }
    }

Thanks / Regards
--RM

On Wed, Jun 5, 2013 at 1:34 PM, Alan DeKok al...@deployingradius.com wrote:

John Dennis wrote:

You're both right, now shake hands and make up :-) The problem with the term authorization in radius is used in a non-standard way that leads to confusion. The normal use of the term authorization (authz) indicates what a principal is permitted to do and a principal must be validated via authentication (authn) first. In radius authorization means collecting information necessary to perform the authentication operation. It's an unfortunate semantic difference that leads to a fair amount of confusion (myself included), but after a while you get used to it.

It was a historical mistake in FreeRADIUS which has been kept for too long. After 3.0 is released, we'll transition to a naming scheme that's a little more complex, but much clearer. The idea is that every packet has 3 stages:

    recv = receive the packet
    process = process the packet
    send = send the reply

We can map the existing authorize / authenticate / etc. to these processing stages. That change will be initially confusing, but will be simpler. It will also enable the server to do more protocols that are in the works. :)

Alan DeKok.
Re: Service Provisioning Using AAA (FreeRadius)
On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

Hi John Alan, Kindly clarify

This isn't a private list. Messages should NOT be addressed to individual people.

Apologies Everyone. Well noted for future

Just reply to a message. It's simpler, and more polite.

Thanks for correction Alan D.

Does this mean it is possible to use only the authorize function of FR and process all authentication requests with the following virtual server?

Did you try it? What does it do?

Not really, I wanted to know if it makes sense from an expert's point of view. Should I try?

Regards
-- RM
Re: Service Provisioning Using AAA (FreeRadius)
Greetings Everyone,

My goal is to use only ONE A (Authorization Only) as starting of FR implementation. I do have a different system to authenticate users. Plan is to replace that with FR but one step at a time. I tried with the following virtual server to accept everyone. With that done, everyone is accepted, regardless of whether the user exists in MySQL_DB or not. And the reply message is sent correctly as well.

*Check Items in unlang code:*

1.) Login time is verified correctly - if users attempt to access outside of time slot, then rejected, else accepted. (First Attribute Works)
2.) Everyone is accepted (Second Attribute also Works)
3.) Users are not disconnected after 10 minutes (Third Attribute does not work)

*Reply Items in unlang code:*

1.) Users are successfully redirected to the URL specified for WISPr-Redirection-URL (First Reply Item Works)
2.) Users are not disconnected after 10 minutes (Second Attribute does not work)

    server accept_everyone {
        authorize {
            # If user not present in MySQL Database still allow them access
            # Only Between 10:00 and 12:59PM
            # File Module Returns noop sql Module Returns notfound
            #files
            #if(noop) {
            sql
            if(notfound) {
                update control {
                    Login-Time := 'Any1000-1259'
                    Auth-Type := Accept
                    Max-All-Session := 600
                }
            }
            # Redirect Everyone To Yale Website
            update reply {
                WISPr-Redirection-URL := "http://www.yale.edu"
                Max-All-Session := 600
            }
        }
        authenticate {
            Auth-Type PAP {
                pap
            }
        }
    }
    pap
    logintime
    forevertimecounter
    ## Authorization Area ENDs Here

Can someone give a little hint? Only a hint would be enough, I will study the rest. Is it even possible to control that (Max-All-Session) using unlang code?

Thanks / Regards
--RM

On Wed, Jun 5, 2013 at 4:17 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

Hi John Alan, Kindly clarify

This isn't a private list. Messages should NOT be addressed to individual people. Just reply to a message. It's simpler, and more polite.

Does this mean it is possible to use only the authorize function of FR and process all authentication requests with the following virtual server?

Did you try it? What does it do?

Alan DeKok.
WARNING: Unknown value specified for Post-Auth-Type
Hi,

(It is not default virtual server.) Following error occurs when a user attempts to login with an invalid password, otherwise not. Is it normal? Or should it be troubleshooted?

    Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action

My postauth section

    post-auth {
        sql
        exec
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            noop
            notfound
        }
    }

Thanks / Regards
--RM
Re: unlang and update section
Yes, I have come across this error once. There is a little mistake in your unlang code. Understand from the following working code.

    ## Authorization Area Starts Here
    # If user not present allow them free access
    # Between 10:00 and 12:59PM ('Any1000-1259')
    # Whole Day ('Any-2359')
    # File Module Returns noop sql Module Returns notfound
    server accept_everyone {
        authorize {
            sql
            if(ok) {
                update control {
                    Login-Time := 'Any-1259'
                    Auth-Type := Accept
                }
            }
            update reply {
                WISPr-Redirection-URL := http://www.yale.edu;
            }
            else {
                update control {
                    Auth-Type := Reject
                }
                update reply {
                    WISPr-Redirection-URL := http://41.139.28.1;
                }
            }
        }
        pap
        files
        logintime
        expiration
        preprocess
        dailycounter
        forevertimecounter
        # Fix For The WARNING That Says: Unknown Value Specified For Post-Auth-Type. Cannot Perform Requested Action
        #
        # Do Not Remove The Post-Auth Configuration From Authorization Section (Here):
        #
        post-auth {
            Post-Auth-Type REJECT {
                noop
                notfound
            }
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        digest
        unix
        eap
    }
    # END

Thanks
--RM

On Thu, Jun 13, 2013 at 3:07 PM, Bill Schoolfield b...@billmax.com wrote:

Can update sections contain if conditions? I get the following error:

    /etc/raddb/sites-enabled/default[573]: update sections cannot have subsections
    /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section.

The documentation says "The only contents permitted in an update section are attributes and values", which I assume is the issue. Please confirm.

Bill

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Vouchers Top Up
Hi List,

Is anyone able to implement top up for hotspot vouchers?

Top up means: if a hotspot user is browsing and his 3600 seconds are about to finish, he wishes to top up another 1800 seconds to avoid disconnection.

Thanks / Regards

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql_counter module doesn't count
Hi,

I am willing to help. What kind of NAS do you use? Does your NAS support accounting?

Thanks
RM --

On Mon, Aug 12, 2013 at 9:50 PM, lucia j.esko...@gmx.de wrote:

Thanks for the quick reply, well I guess not. Can you give me a hint how I can figure out how I can configure this? Am I right that I have to configure the accounting in the RADIUS conf-files, or is it part of the NAS itself?

Well OK, I had a look into Wikipedia RADIUS and it looks like it is part of the NAS. But I do not find any comments via Google about Synology and accounting. I'm a bit confused now ...

Regards, Lu

On 12.08.2013 23:34, Alan Buxey wrote:

Hi

That's just an authentication request. Accounting packets is what you need. Is your kit configured to send accounting to this RADIUS server?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Managing Data Volume Control More Than 4GB FR CoovaChilli
Hi List Members,

I have been reading the archives and trying to understand for some days now, but unsuccessfully. I am currently working to extend data volume control up to 10GB, which is a requirement for the organization.

Is anyone able to manage more than 4GB using CoovaChilli and FreeRADIUS? There is not one piece of information available on the net. Until now, I am unclear about which components need to be fine-tuned. I understand that FR has 32-bit integers, but that is not the limitation to managing more than 4GB if the NAS supports the Gigaword attributes. It seems that my sql_counter or MySQL itself is the problem.

*NOTE: It is a working setup up to 4GB; if I assign 6GB to a user, the counter rolls over at 4GB*

1.) I came across a post where guys are telling that the sqlcounter module uses 32-bit integers in its source code. Should it be changed to 64-bit integers?
2.) CoovaChilli has built-in support for gigaword attributes, which is enabled.
3.) Is it possible with rlm_sql, or must rlm_perl be used?
4.) Counter rolls over at 4GB.

    sqlcounter gigawordcounter {
        counter-name = Total-Max-Octets
        check-name = Acct-Input-Gigawords
        reply-name = Acct-Input-Gigawords
        sqlmod-inst = sql
        key = User-Name
        reset = never
        counter-type = data
        check-unit = KibiOctets
        query = SELECT SUM(acctinputoctets) + SUM(acctoutputoctets) FROM radacct WHERE username='%{%k}'
    }

Thanks / Regards

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Dear Arran C. Bell,

Thank you very much, I am extremely grateful for your advice and guidelines for troubleshooting also.

I am currently experimenting with a different rlm_sqlcounter using the CoovaChilli dictionary All-In-MB. As a result, I can store a short number in the db. This counter would reset at 2TB with the same 32bit number. I have actually tested up to 6GB. It just works!!! The next test is in progress, to log out the user when 7GB is downloaded.

I really appreciate your input and TIME. I will try your proposed solution as well after All-In-MB has been tested. After successful practical tests of both solutions, I would like to document this topic on one page for the archives, so that it can help others. I may need your support in case I come across some challenges during the test of your solution.

Thanks once again !!!

Regards
--RM

On Tue, Oct 8, 2013 at 12:16 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

It might actually be an idea to add those to the internal dictionary to make it a bit easier.

Just to clarify, there are two reasons why your current config isn't working:

1. rlm_sql stores the value as a proper 64bit integer, not in the two 32bit chunks represented by Acct-Input-Gigawords and Acct-Input-Octets. When this value is pulled out into rlm_sqlcounter the value is truncated because internally it only deals with 32bit unsigned ints. I've now fixed this.

2. You're comparing gigawords to bytes, with no conversion, so even with the updated module you'll find the user is rejected way way too early.

You also invented counter-type and check-unit config pairs. The server isn't magic; just because it doesn't error out doesn't mean it knows about those config pairs or will use values assigned to them.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Dear Arran C. Bell,

Thanks for everything. Here is an update.

1.) All-In-MB counter works.

Please note, when a user has downloaded his quota, the counter does not force a log off. Put another way, if the user is online, he would remain online until he logs off himself or stops browsing. But the point to be noted is that the counter prevents him from logging in again. The user cannot log in again if he has already hit the quota threshold.

Please look at the example of a reject. This user is allowed 7GB; please mind that *check_item which shows 7168* is specified in MB.

    [gigawordcounter] expand: %{sql:SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='quotauser'} - 7389.1705
    rlm_sqlcounter: (Check item - counter) is less than zero
    rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389
    ++[gigawordcounter] returns reject

Which basically means that initially authorization is done by SQL then max_all_mb; checks are only done once when the user makes the logon attempt and checks are never done again. This is where I have failed. Since you are more into this, is there a way to perform this check on a frequent basis and send a reply to the NAS to log off the user? Then it should work.

Counter:

    sqlcounter gigawordcounter {
        counter-name = Max-All-MB
        check-name = Max-All-MB
        reply-name = Max-All-MB
        reply-message = You have reached your bandwidth limit
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'
    }

*2.) Solution offered by You.*

I tried your recommendations also. I tried to maintain the following in the local FR dictionary */etc/freeradius/dictionary* and the Chilli dictionary:

    ATTRIBUTE Acct-Input-Octets64 3005 integer64
    ATTRIBUTE Acct-Output-Octets64 3006 integer64

Results: failed to start FR

reason for failing: unrecognized value specified in */etc/freeradius/dictionary*
reason for failing: unrecognized value specified in */usr/share/freeradius/dictionary.chillihotspot*

Thanks / Regards
RM --

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 8 Oct 2013, at 15:40, Russell Mike radius@gmail.com wrote:

Dear Arran C. Bell,

Thank you very much, I am extremely grateful for your advice and guidelines for troubleshooting also.

I am currently experimenting with a different rlm_sqlcounter using the CoovaChilli dictionary All-In-MB. As a result, I can store a short number in the db. This counter would reset at 2TB with the same 32bit number. I have actually tested up to 6GB. It just works!!! The next test is in progress, to log out the user when 7GB is downloaded.

I really appreciate your input and TIME. I will try your proposed solution as well after All-In-MB has been tested. After successful practical tests of both solutions, I would like to document this topic on one page for the archives, so that it can help others. I may need your support in case I come across some challenges during the test of your solution.

wiki.freeradius.org is the place to do that :)

Thanks once again !!!

No problem, glad I could help.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Thanks Alan D.

So if you want to do something when the user's traffic is over the quota, you have to do it in the accounting section.

Could you please kindly indicate what I should do there? I tried to perform the check again when the user is online by adding a counter entry in the *session* section, but it did not work either.

    session {
        sql
        gigawordcounter
    }

You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline.

I am not very clear how to update the mysql db and perform the check on a frequent basis. Based on the output from the counter module (ok, noop, etc.), I understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM--

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok al...@deployingradius.com wrote:

Russell Mike wrote:

All-In-MB counter works. Please note, when a user has downloaded his quota, counter do not force log off .

The counter modules DOES NOT DO THAT.

To see why, ask yourself what does FreeRADIUS see when the user has downloaded his quota? The answer is nothing. The user's traffic doesn't go through FreeRADIUS, because FreeRADIUS isn't a router.

What FreeRADIUS *may* see is an Accounting-Request for the user. Which contains the total traffic for the user.

So if you want to do something when the user's traffic is over the quota, you have to do it in the accounting section. You have to update the SQL database, and then check if the user is over quota. If so, send a Disconnect-Message, or exec a program to kick the user offline.

Which basically means that initially authorization is done by SQL then max_all_mb, checks are only done once when the user makes the logon attempt and checks are never done again.

Yes. That's what you've configured. If you want more, you need to tell the server to do more.

This is where i have failed. Since you are more in to this, is there a way to perform this check on frequent basis and send reply to NAS to logoff user? then it should work.

Read the debug output. You'll see the server receiving Accounting-Request packets, with the user's traffic over quota. THAT is when FreeRADIUS can do something.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Managing Data Volume Control More Than 4GB FR CoovaChilli
Thanks Alan D, understood. I will use unlang in accounting.

Thanks

On Wednesday, October 9, 2013, Alan DeKok wrote:

Russell Mike wrote:

So if you want to do something when the users traffic is over the quota, you have to do it in the accounting section. Could you please kindly indicate what should i do there ? i tried to perform the check again when user is online by adding counter entry in *session* section. but did not work either.

Uh... you do know that session is not the same as accounting, right? Why are you doing something wrong?

I am not very clear how to update mysql db perform the check on frequent basis. base on the output from the counter module (ok,noop,etc..), i understand how to update the reply from un-lang to log off user.

Do you understand what the server does when it receives an accounting packet? Have you tried running the server in debugging mode, and seeing what happens when it receives an accounting packet?

Do that before asking more questions. Watch the server go update SQL. Now... how do you query SQL (independent of RADIUS) to see if the user's session is over quota?

Then... put that query into the accounting section, via unlang. Check if the user is over quota. If so, send a disconnect message. See raddb/sites-available/originate-coa for examples of originating a disconnect message.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
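Two points from this thread, worked through as an added example: the roll-over at 4GB when a byte count is held in 32 bits, and the quota check made when an Accounting-Request arrives rather than only at login. This is not code from any poster or from FreeRADIUS; the packets are constructed, the 7168 MB quota is the check item quoted in the thread, and the function names are hypothetical.

```python
# Added example: constructed data, not FreeRADIUS or CoovaChilli code.
GIGAWORD = 2 ** 32   # one Gigaword = one wrap of the 32-bit octet counter
MIB = 1024 * 1024

def total_octets(gigawords, octets):
    """Combine Acct-*-Gigawords and Acct-*-Octets into one 64-bit byte count."""
    return gigawords * GIGAWORD + octets

def truncated_u32(value):
    """What a 32-bit unsigned integer keeps of a larger byte count."""
    return value & 0xFFFFFFFF

def session_usage_mb(acct):
    """Session usage in MB, the unit of the thread's Max-All-MB check item."""
    inp = total_octets(acct.get("Acct-Input-Gigawords", 0), acct["Acct-Input-Octets"])
    out = total_octets(acct.get("Acct-Output-Gigawords", 0), acct["Acct-Output-Octets"])
    return (inp + out) // MIB

def accounting_decision(acct, quota_mb, previous_mb=0):
    """Decide, per accounting packet, whether the session should be ended.

    previous_mb is usage from the user's earlier, closed sessions.
    """
    used = previous_mb + session_usage_mb(acct)
    return ("disconnect" if used >= quota_mb else "continue", used)

# Constructed interim updates for one session of user 'quotauser'.
SIX_GB = 6 * 1024 * MIB
PACKETS = [
    {"User-Name": "quotauser", "Acct-Input-Gigawords": 0,
     "Acct-Input-Octets": 3 * 1024 * MIB, "Acct-Output-Octets": 100 * MIB},
    {"User-Name": "quotauser", "Acct-Input-Gigawords": 1,
     "Acct-Input-Octets": SIX_GB - GIGAWORD, "Acct-Output-Octets": 200 * MIB},
    {"User-Name": "quotauser", "Acct-Input-Gigawords": 1,
     "Acct-Input-Octets": 7 * 1024 * MIB - GIGAWORD, "Acct-Output-Octets": 300 * MIB},
]

def replay(packets, quota_mb=7168):
    """Run the quota check over each accounting packet in order."""
    return [accounting_decision(p, quota_mb) for p in packets]

if __name__ == "__main__":
    print("6 GB held in 32 bits reads as", truncated_u32(SIX_GB) // MIB, "MB")
    for action, used in replay(PACKETS):
        print(f"{used:>6} MB used -> {action}")
```

A "disconnect" result marks the point at which, per the replies above, the server would originate a Disconnect-Message or exec a program to end the session.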