Re: freeradius + pptp
Alan DeKok wrote:
> Mervyn Yeo [EMAIL PROTECTED] wrote:
> > This appears after I've included plugin radius.so in my /etc/ppp/options.pptpd. Can someone give me some clues on rc_avpair_new: unknown attribute 11 and 25?
>
> Read the dictionary file for the names of attributes 11 and 25. As for why pptpd doesn't understand them, ask pptpd.
>
> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks Alan, I've figured that part out. Now looking at my radiusd -X I've got this; is it something to do with adding an Auth-Type with MS-CHAP in my /etc/raddb/users file? Any suggestions would be appreciated.

  radiusd -v
  radiusd: FreeRADIUS Version 1.0.2, for host , built on Mar 3 2005 at 08:50:02

  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Cheers,
Mervyn
log_file and NFS?
Hello,

I recently moved from Cistron to FreeRADIUS for the obvious reasons/benefits. My setup is pretty simple: backend users file into MySQL, and accounting is relayed back to a central server. The setup was running fine until I rebooted my NFS server.

I am using a log_file that is mounted from a central NFS resource to allow phone support people quick access to tell a user that they have the wrong password (the most common problem). However, when the NFS resource becomes unavailable radiusd stops all authentication.

So, the question is... is this a bug or expected? If it's expected, is there any way to pipe the log_file into a program so I can send them to a central resource, or use a radrelay-like program?

Cheers,
Greg Ulyatt
REDNET Systems Administrator
script to run when a users is logging out?
Hello all,

I know the script needs to be defined in the exec {} section, and the script run before users log in is put into post-auth. What about a script run after users log out, or just before users log out? Anyone have any idea?

Below is the script that someone helped me with to control DHCP with RADIUS. To remove is easy: just set name and then key in remove.

==
  #!/usr/bin/bash
  tr=`which tr`
  omshell=`which omshell`
  IPADD=$FRAMED_IP_ADDRESS
  NETMASK=$FRAMED_IP_NETMASK
  # argument 1 is the client MAC: turn 00-0C-F1-13-3F-29 into 00:0c:f1:13:3f:29
  MACADD=`echo $1 | tr - : | tr '[:upper:]' '[:lower:]'`
  NASADD=$2
  echo $IPADD $NETMASK $MACADD $NASADD > /tmp/radtest
  # create a file of omshell commands, then feed it to omshell
  cat <<! > /tmp/radtest.add
  server 202.73.8.65
  port 5901
  connect
  new host
  set name = $MACADD
  set hardware-address = $MACADD
  set hardware-type = 1
  set ip-address = $IPADD
  create
  !
  omshell < /tmp/radtest.add
RE: script to run when a users is logging out?
LS,

How about accounting, when the disconnect frame enters?

Nico Baggus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chan Min Wai
Sent: Monday, March 07, 2005 10:26
To: freeradius-users@lists.freeradius.org
Subject: script to run when a users is logging out?
Re: script to run when a users is logging out?
[EMAIL PROTECTED] wrote:
> LS,
> How about accounting, when the disconnect frame enters?

I've tried to put it there, but what happens is that the user gets an IP and then the IP is released, because accounting will be processed after post-auth.

Any more ideas?

regards
Chan Min Wai
Re: How to set FreeRADIUS auth via POP3?
On Sun, 06 Mar 2005 12:27:22 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
> CNCA CNCA [EMAIL PROTECTED] wrote:
> > HI, I want FreeRADIUS to use pop3 as an authentication method in FreeBSD
>
> That's a terrible idea.

yeah... but it's not what I can determine... it seems to work fine between pam_pop3 and the pop3 box, but has a problem between FreeRADIUS and pam_pop3...

> I'll bet you configured FreeRADIUS to use the PAM file pop3 for authentication. Don't do that. Read radiusd.conf to see how to configure the PAM module, and how to configure PAM to handle authentication requests from FreeRADIUS.

my radiusd.conf
=
  modules {
      pam {
          pam_auth = pop3
      }
  }
  authenticate {
      pam
  }
=
users
=
  DEFAULT Auth-Type = PAM
          Fall-Through = 1
=
/etc/pam.d/pop3
=
  auth    required    /usr/local/lib/pam_pop3.so hostname=[myhost]
=
--
Thanks
Re: Authentication Problem With Freeradius WinXP
  : username = %{User-Name}
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
 Module: Instantiated radutmp (radutmp)
  detail: detailfile = /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
 Module: Instantiated detail (reply_log)
Initializing the thread pool...
  thread: start_servers = 5
  thread: max_servers = 32
  thread: min_spare_servers = 3
  thread: max_spare_servers = 10
  thread: max_requests_per_server = 0
  thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.51:1177, id=0, length=206
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
        Message-Authenticator = 0xd7449eabc1bbfb06d6c344263b3ca902
        Service-Type = Framed-User
        User-Name = wireless
        Framed-MTU = 1488
        Called-Station-Id = 00-0F-3D-AB-70-51:xserverAP
        Calling-Station-Id = 00-0C-F1-13-3F-29
        NAS-Identifier = D-link Corp. Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x020d01776972656c657373
        NAS-IP-Address = 192.168.2.51
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry wireless at line 1
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.2.51:1177
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x0a5bd7de65432910765e43ce0a57f731
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.2.51:1177, id=1, length=323
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 1, (1 handled so far)
        Message-Authenticator = 0x246361a6bd4e3ec8438706922355f530
        Service-Type = Framed-User
        User-Name = wireless
        Framed-MTU = 1488
        State = 0x0a5bd7de65432910765e43ce0a57f731
        Called-Station-Id = 00-0F-3D-AB-70-51:xserverAP
        Calling-Station-Id = 00-0C-F1-13-3F-29
        NAS-Identifier = D-link Corp. Access Point
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 54Mbps 802.11g
        EAP-Message = 0x02010070198000661603010061015d0301422c39f06dbe2d9ca25e2eae1a035f420469ed488ff2300b34a80a3dd704006a203a78c05c63ec3cca58c1c5cbbc9ccb8a558025f0f0b03356da16dd06d88f9bcd001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.2.51
        NAS-Port = 1
        NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat: '/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307
  modcall[authorize]: module auth_log
Re: Password entry in dialup admin
On Sun, 6 Mar 2005, zack musa wrote:
> Hi. When I enter the value for some user, with the admin.conf set to crypt, the value inserted in the db is encrypted. So when that new user tries to login to the network, he gets a deny access message. So how can the encryption be a help in avoiding the data being exposed, at the same time allowing him to get the network access?
>
> How is the crypt, md5, clear in the dialup admin admin.conf file set when we want the process of sending the data secured, and at the same time only a particular or specified administrator responsible for that user can view and change the password at any time, and still be secured?

Password storage has nothing to do with the authentication protocol. dialupadmin allows you to set the password encryption scheme that will be used when storing passwords. You should take a look at PAP/CHAP/MS-CHAP/EAP for possible authentication protocols.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: log_file and NFS?
On Mon, 7 Mar 2005, Greg Ulyatt wrote:
> I am using a log_file that is mounted from a central NFS resource to allow phone support people quick access to tell a user that they have the wrong password (the most common problem). However, when the NFS resource becomes unavailable radiusd stops all authentication.
>
> So, the question is... is this a bug or expected? If it's expected, is there any way to pipe the log_file into a program so I can send them to a central resource, or use a radrelay-like program?

Take a look at the log_badlogins script in dialupadmin. It should do what you want.

> Cheers,
> Greg Ulyatt
> REDNET Systems Administrator

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Mtotacct, totacct and badlogin scripts problem
Hi

I try to run the mtotacct and totacct scripts but this is what I get:
_
  DELETE FROM mtotacct WHERE AcctDate = '2005-03-01';
  INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
      ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
  SELECT UserName,'2005-03-01',SUM(ConnNum),SUM(ConnTotDuration),
      MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
      SUM(OutputOctets),NASIPAddress
  FROM totacct
  WHERE AcctDate >= '2005-03-01' AND AcctDate <= '2005-03-08'
  GROUP BY UserName,NASIPAddress;
  ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)
__
The user password in admin.conf had been entered as shown:

  sql_type: mysql
  sql_server: localhost
  sql_port: 3306
  sql_username: root
  sql_password: password
  sql_database: radius

Or is there another file where I should specify the mysql password?

When I try to run the log_badlogins script the following output is produced:
###
  Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
  Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
  Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
  Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
  Malformed UTF-8 character (1 byte, need 3, after start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6497.
  Malformed UTF-8 character (unexpected non-continuation byte 0x73, immediately after start byte 0xea) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6501.
  Could not open file
###
What file couldn't it open? Do I need to restore Manip.pm? Is anything else happening here?

Appreciate any help.

Thanks.
Re: radsqlrelay questions
[EMAIL PROTECTED] wrote:
> 3. if the radsqlrelay process dies (or i kill -9 it) - after restarting it - all the data in the detail-file will be processed again

You're right. At startup radsqlrelay sends the detail-file from the beginning, but perhaps some records were already in the database...

I understand you don't want to duplicate records in the database, but killing radsqlrelay from time to time is not something you usually do. Of course, patches are welcome.

--
Nicolas Baradakis
Re: Post Proxy Authorize
Sandworm wrote:
> However, this means that the LDAP group is unnecessarily checked twice, once during each pass of the 'authorize' section. This is inefficient and takes time. Is there a better way of assigning the Class attribute so that it can be added to the attributes returned by the ACE server, without traversing the file twice?

You may add the Class attribute in the post-proxy section. In recent CVS snapshots of FreeRADIUS, you can use the Post-Proxy-Type stanza. Therefore you can write in the users file:

  DEFAULT Huntgroup-Name == Staff-Devices, LDAP-Group == staff, Proxy-To-Realm := 'ace', Post-Proxy-Type := staff
          Fall-Through = No

  DEFAULT Huntgroup-Name == Client-Devices, LDAP-Group == clients, Proxy-To-Realm := 'ace', Post-Proxy-Type := client
          Fall-Through = No

Then you write in radiusd.conf:

  modules {
      attr_rewrite append.staff.class {
          attribute = Class
          searchin = proxy_reply
          searchfor = .*
          replacewith = OU=staff_vpn;
          new_attribute = yes
      }
      attr_rewrite append.client.class {
          attribute = Class
          searchin = proxy_reply
          searchfor = .*
          replacewith = OU=client_vpn;
          new_attribute = yes
      }
  }

  post-proxy {
      Post-Proxy-Type staff {
          append.staff.class
      }
      Post-Proxy-Type client {
          append.client.class
      }
  }

This method no longer depends on the value of the post_proxy_authorize option (which should always be set to 'no').

--
Nicolas Baradakis
Re: LDAP Profiles
On Sun, 6 Mar 2005, Jarred Cleem wrote:
> Hello all;
>
> I am trying to put together an openLDAP/FreeRadius implementation for a multitude of services we provide. We are currently providing high speed cable modem services, local dial-up, national dial-up, Motorola Canopy Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few other ISP type services. Currently we have a different AAA platform for all of the different services we provide. I am doing some research and setting up a test lab to see if I can get everything onto one AAA platform. I think I am close but am looking for some additional help with the connectivity between FreeRadius and openLDAP.
>
> I currently have FreeRadius communicating with openLDAP and authenticating the user. However, the LDAP server is giving the RADIUS server the wrong profile after authentication. I am not sure if I completely and correctly understand how this works. It looks as though it finds the first ldap-group in my users file and returns the ldap path to the profile. My problem is that if a user has more than one service, say dial-up and DSL, it does not return the right profile. It returns the first match in the users file. How do I get LDAP and FreeRadius to return to the NAS the correct profile for the type of service the user is trying to authenticate to?
>
> Below is my configuration information.
>
> openLDAP 2.2.23
> freeRadius 1.0.2
> Fedora Core 3
>
> Current users file
> ---begin users---
> DEFAULT Ldap-Group == disabled, Auth-Type := Reject
>         Reply-Message = Account disabled. Please call the helpdesk.
>
> DEFAULT Ldap-Group == dial, User-Profile := uid=dial,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
>
> DEFAULT Ldap-Group == isdn, User-Profile := uid=isdn,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
>
> DEFAULT Ldap-Group == dsl-ip, User-Profile := uid=dsl-ip,ou=profiles,dc=multiband,dc=us
>         Fall-Through = no
>
> DEFAULT Auth-Type := Reject
>         Reply-Message = Please call the helpdesk.
> ---end users---

With the above configuration, if a user is a member of more than one group then the first one matched will be the *only* one that will be used. And that *is* correct behaviour. What I think you need is to also use incoming request attributes to differentiate services (which you aren't doing right now). Something like:

  DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile := uid=isdn,ou=profiles,dc=multiband,dc=us
          Fall-Through = no

  DEFAULT NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile := uid=dsl-ip,ou=profiles,dc=multiband,dc=us

Sometimes you can also know the service based on the nas-ip-address, so it's easy to use with huntgroups. e.g. huntgroups file:

  dial    nas-ip-address == 1.1.1.1
  dial    nas-ip-address == 1.1.1.2
  dial    nas-ip-address == 1.1.1.3, nas-port-type == async
  isdn    nas-ip-address == 1.1.1.3, nas-port-type == isdn
  adsl    nas-ip-address == 1.1.1.4

What I did there was make 3 nas-ip-addresses in the dial huntgroup. One of them does both dial and isdn, so I added the additional check-item to it. One nas-ip is adsl. Then in the users file:

  DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile := uid=dial...
  DEFAULT Huntgroup-Name == isdn, Ldap-Group == isdn, User-Profile := uid=isdn...
  etc...
  DEFAULT Auth-Type := Reject

What you are doing there is first checking the huntgroup. If you come from a dial huntgroup, then we will look to see if you have the ldap-group dial, which would signal that you get access to dial. If not, we move on and will eventually hit the reject line. If you do have dial, we authenticate you and return the dial profile. Same thing for isdn. If you are coming from an isdn huntgroup, then we check to see if you have the isdn group; if so we authenticate you, otherwise we move on.

The documentation is getting old, but there is an explanation of that in doc/ldap_howto.txt or at http://doris.cc/radius. I will be rewriting that in the next few months with more specific radius/ldap stuff; I'll get rid of the OS specific stuff and add some new things like configurable_failover. I was hoping to have it done now, but my radius rebuild project got demoted due to marketing trying to push out new products yesterday.

Hope that helps.

-Dusty Doris
Re: Proxy or not with NULL realm
Cristian Cappelletti wrote:
> The problem is, if there are NO matches in the local DB the radius answers with an Access-Reject, instead of proxying the request to the second Radius and waiting for an answer from it. How do I set up this solution? Any suggestions?

You may run the rlm_realm module at the beginning of the authorize section. This will enable the proxy function. When you find the user in your database, add the variable Proxy-To-Realm := LOCAL as a check item (i.e. in authcheck_table). This will cancel proxying when the user is found.

--
Nicolas Baradakis
Checking user accounts
Hello everyone,

I have a wireless network in which access points are getting authenticated by FreeRADIUS running on a Solaris box. I want to add user authentication and am thinking of having a MySQL database for that. But for the time being, I'm thinking of using the users file for a couple of users.

Now my question is, where do the users need to key in their username and password if they have Windows XP machines and want to use my wireless network? In future I have plans for a captive portal like ChilliSpot, but right now for testing purposes I want to know how the users will be authenticated with FreeRADIUS if I use a Windows XP machine and username and password in the users file.

I would appreciate any help on this. Thanks in advance.

Regards,
Janakan Rajendran
sql accounting basic question
Hi,

Could anyone tell me the difference between AcctSessionId and AcctUniqueId in the sql table?

And also: I see that an insert is performed with acctstarttime set to the timestamp and acctstoptime set to 0 at accounting start. An update is done at accounting stop, and another insert is done with acctstarttime and acctstoptime set to the starting and ending time values. Is this how it works? Or did I make mistakes when configuring it? I used the URL http://www.frontios.com/freeradius-old.html for configuring, and the result is very basic - only accounting to sql. This is what I wanted, but I'm not sure if all the sql queries are needed.

RTFM answers are welcome too; I've been through the doc/ directory and http://www.frontios.com/freeradius.html too.

Thanks,
Adam
Re: TTLS + PAP in LDAP for freeradius
Hello Justin.

On Thursday 24 February 2005 15:36, Justin Guidroz wrote:
> TTLS + PAP has worked for me out of the box with FreeRADIUS. The only changes I have made to the EAP settings are to point FreeRADIUS to my server certificates. The server does the rest.

There is more to setting things up than just making something work. What about disabling other authentication methods? Routing of accounting packets? Anonymous username handling? Logging network usage to the database? ... and much more :).

If your attitude is "I just changed something and the software did the rest", you are better off running your freeradius under Cygwin ;))).

--
kind regards,
Rok Papež.
proxy+peap
I have users with usernames like [EMAIL PROTECTED]; I proxy them to the domain1 radius. With peap/mschapv2 I have this in the domain1 radius log:

  Identity does not match User-Name, setting from EAP Identity

The ldap only knows login, and the radius attribute: User-Name = login. How can I configure radius to use login instead of [EMAIL PROTECTED] for EAP?

Marc
Re: Frame-IP-Address in SQL?
Chan Min Wai [EMAIL PROTECTED] wrote:
> What about the info that is provided by the freeradius? When we are using ippool, that means the ipaddress actually came from us. So we should be able to log them, right?

When the IP address is assigned, yes.

> I did try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that isn't working.

Since you didn't say where you put it, my conclusion is that you put it in the wrong place.

Alan DeKok.
Re: Duplicate Accounting logging desired
Stefan Winter [EMAIL PROTECTED] wrote:
> I'd like to log accounting packets on our local (proxying) FR-1.0.2 server but also send them to the realm server that is configured for them in proxy.conf.

The server does this by default when proxying accounting packets.

Alan DeKok.
Re: freeradius + pptp
Mervyn Yeo [EMAIL PROTECTED] wrote:
> Thanks Alan, I've figured that part out. Now looking at my radiusd -X I've got this; is it something to do with adding an Auth-Type with MS-CHAP in my /etc/raddb/users file? Any suggestions would be appreciated.

The server is already using the mschap module, and the debug log shows this. So you don't have to set Auth-Type to mschap. What you DO have to do is tell the server what the user's password is.

See umpteen posts to the list with this exact error message.

Maybe I'll add more detailed complaint messages to the mschap module, describing in excruciating detail what's going wrong. Nothing else seems to work.

Alan DeKok.
Re: How to set FreeRADIUS auth via POP3?
CNCA CNCA [EMAIL PROTECTED] wrote:
> On Sun, 06 Mar 2005 12:27:22 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
> > I'll bet you configured FreeRADIUS to use the PAM file pop3 for authentication. Don't do that.
> ...
> /etc/pam.d/pop3
> =
> auth    required    /usr/local/lib/pam_pop3.so hostname=[myhost]

Ok, what part of my message was unclear?

> > Read radiusd.conf to see how to configure the PAM module, and how to configure PAM to handle authentication requests from FreeRADIUS.

Perhaps you could try:

a) reading my responses on this list
b) reading the documentation in the server

Alan DeKok.
Re: log_file and NFS?
Greg Ulyatt [EMAIL PROTECTED] wrote:
> I am using a log_file that is mounted from a central NFS resource to allow phone support people quick access to tell a user that they have the wrong password (the most common problem). However, when the NFS resource becomes unavailable radiusd stops all authentication.

Yes. That's why most people don't put log files onto NFS partitions. When NFS goes away, and the application tries to write to the file, the *kernel* blocks the process until NFS comes back.

> So, the question is... is this a bug or expected?

It's a feature of the OS, and there's very little you can do to FreeRADIUS to avoid it, except to not put log files on NFS.

> If it's expected, is there any way to pipe the log_file into a program so I can send them to a central resource, or use a radrelay-like program?

Put the log files on a local disk.

Alan DeKok.
Re: Checking user accounts
Janakan Rajendran [EMAIL PROTECTED] wrote:
> In future I have plans for a captive portal like ChilliSpot, but right now for testing purposes I want to know how the users will be authenticated with FreeRADIUS if I use a Windows XP machine and username and password in the users file.

http://www.freeradius.org/doc/

Read the EAP howtos.

Alan DeKok.
Re: Authentication Problem With Freeradius WinXP
Badrul Anuar [EMAIL PROTECTED] wrote:
> I have installed the hotfix, but the radius rejects the authentication. Could you please give me some advice? I have changed the cert twice; the problem is the same.

Weird. From what I can tell of the log, the same thing is happening. I'm not sure what else to suggest.

Alan DeKok.
Re: sql accounting basic question
Adam KOSA [EMAIL PROTECTED] wrote:
> Could anyone tell me the difference between AcctSessionId and AcctUniqueId in the sql table?

The first is the Acct-Session-Id, as sent by the NAS. NASes tend to re-use IDs, however, despite the standard saying NOT to do that. As a result, FreeRADIUS creates the unique Id, based on some additional information.

> And also: I see that an insert is performed with acctstarttime set to the timestamp and acctstoptime set to 0 at accounting start. An update is done at accounting stop, and another insert is done with acctstarttime and acctstoptime set to the starting and ending time values.

That sounds right.

Alan DeKok.
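The ID re-use Alan describes, as an added example in Python (not code from the thread or from FreeRADIUS): a simplified model of how rlm_acct_unique derives AcctUniqueId from several request attributes, run over constructed Accounting-Start records. The key list is the FreeRADIUS 1.x default from radiusd.conf; the exact concatenation and hash formatting are assumptions, so the values differ from what the real module stores, but the collision behaviour is the point.

```python
import hashlib

# Default key of rlm_acct_unique in the FreeRADIUS 1.x radiusd.conf:
#   acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" }
UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address", "Client-IP-Address", "NAS-Port")


def acct_unique_session_id(request, key=UNIQUE_KEY):
    """Derive a 16-hex-digit id (the AcctUniqueId column) from the key attributes.

    Simplified model: the real module MD5-hashes the concatenated attribute values;
    the "," separator and str() formatting used here are assumptions."""
    material = ",".join(str(request.get(attr, "")) for attr in key)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def collisions(requests, id_func):
    """Map each id shared by more than one request to the number of requests sharing it."""
    seen = {}
    for req in requests:
        seen.setdefault(id_func(req), []).append(req)
    return {ident: len(reqs) for ident, reqs in seen.items() if len(reqs) > 1}


# Constructed sample: two NASes that both number their first session 00000001 (the re-use
# Alan describes), plus the same NAS later re-using 00000001 for the same user on the same port.
SAMPLE_STARTS = [
    {"User-Name": "adam", "Acct-Session-Id": "00000001", "NAS-IP-Address": "10.0.0.1",
     "Client-IP-Address": "10.0.0.1", "NAS-Port": 7},
    {"User-Name": "bob", "Acct-Session-Id": "00000001", "NAS-IP-Address": "10.0.0.2",
     "Client-IP-Address": "10.0.0.2", "NAS-Port": 7},
    {"User-Name": "adam", "Acct-Session-Id": "00000001", "NAS-IP-Address": "10.0.0.1",
     "Client-IP-Address": "10.0.0.1", "NAS-Port": 7},
]


def compare_keys(requests=SAMPLE_STARTS):
    """Collisions when rows are keyed on Acct-Session-Id alone versus on the derived unique id."""
    return {
        "by_session_id": collisions(requests, lambda r: r["Acct-Session-Id"]),
        "by_unique_id": collisions(requests, acct_unique_session_id),
    }


if __name__ == "__main__":
    print(compare_keys())
```

The third record shows the limit of the scheme: when every key attribute repeats (same NAS, user and port re-using the same session id), the unique id repeats too, and the Stop update lands on the earlier row.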
Re: TTLS + PAP in LDAP for freeradius
Rok Papez [EMAIL PROTECTED] wrote:
> On Thursday 24 February 2005 15:36 Justin Guidroz wrote:
> > TTLS + PAP has worked for me out of the box with FreeRADIUS. The only changes I have made to the EAP settings are to point FreeRADIUS to my server certificates. The server does the rest.
>
> There is more to setting up things than just making something work.

The design of the server and the default configuration files is to make everything just work with minimal effort by the administrator.

Alan DeKok.
Re: FreeRadius logging lots of duplicates?
I've done a tcpdump while it's logging all the duplicates and all I see is one way communication. The NAS box will send 10 sessions or so to the accounting port to log but the radius never sends anything back. Why would that be?

08:08:59.006081 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4e length: 112
08:08:59.006702 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4c length: 168
08:08:59.007103 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4b length: 173
08:08:59.008191 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4a length: 171
08:08:59.008230 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x49 length: 112
08:08:59.008988 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x47 length: 109
08:08:59.009033 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x45 length: 114
08:08:59.010149 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x43 length: 179
08:08:59.010188 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x42 length: 113
08:08:59.011184 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x40 length: 160
08:08:59.011234 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x3f length: 171

All the traffic is one way. Would something be preventing the radius from sending the received? Something in the configuration?

Scott

Thor Spruyt wrote:
> Stephen D. Bechard wrote:
>
> I do believe that the NAS needs the return packet. When the NAS sends a packet to the server, the server should respond with an accounting ack packet back to the NAS. Check that the server indeed sends an ack packet and that the NAS receives the ack packet.
>
> Also, on the NAS you should be able to configure how many times the NAS has to retry to send the packet and at which interval. The settings you should choose depend greatly on the connection between your NAS and your server.
>
> --
> Groeten, Regards, Salutations,
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Re: FreeRadius logging lots of duplicates?
Scott Baker [EMAIL PROTECTED] wrote:
> I've done a tcpdump while it's logging all the duplicates and all I see is one way communication. The NAS box will send 10 sessions or so to the accounting port to log but the radius never sends anything back. Why would that be?

Many reasons.

> All the traffic is one way. Would something be preventing the radius from sending the received? Something in the configuration?

Run the server in debugging mode to see.

Alan DeKok.
Proxying to NT auth server ?
Hi,

I've got a NAS (actually, it's a Cisco 3030 VPN concentrator) which supports the concept of 'groups' that may authenticate against different RADIUS or NT-domain servers. To make a long story short, it won't support NT servers which only allow NTLM v.2. So, because of that, and also to consolidate accounting, we're trying to have every group point at the same FreeRADIUS server, and have the FreeRADIUS box itself fan out authentication to the various RADIUS or NT boxes.

From what I read in the docs, this could be done easily with proxying, if only users had usernames of the form '[EMAIL PROTECTED]', using the group as a realm name.

I noticed that currently the group is passed to the RADIUS server in a 'Class' attribute, and I'm wondering if there's any way to have FreeRADIUS determine which NT server to use (or to authenticate locally) based on the value of the Class attribute, instead of forcing users to change the way they log in (by using '[EMAIL PROTECTED]' instead of simply 'user' as their login names).

Any pointers to some useful place to 'rtfm', or any other hints and ideas would be much appreciated.

Thanks,
Gabriel
DialupAdmin and Usernames
I've run into a snag with dialupadmin 1.0.1. Our usernames have spaces. I did not see that as a limitation in the docs. The only place it seems to be a problem is when administering group membership. A space as well as a new line defines the username to be assigned. I'd like to eliminate the space delimiter, but I just don't see how to do it. Can someone please help me?
dialupadmin
Hello,

I couldn't find any documentation on how to configure/run dialupadmin on FreeRADIUS. Would appreciate any links or info on this.

Thank you,
Regards,
Janakan Rajendran
Re: FreeRadius logging lots of duplicates?
Aha! Now you're talking:

Acct-Delay-Time = 62575
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517

I'll run it in debug mode, thanks for the heads up.

Alan DeKok wrote:
> Scott Baker [EMAIL PROTECTED] wrote:
> > So I'm guessing it's never hearing back "I got your Accounting packet" even though the server is logging it. Do the accounting packets require an acknowledge?
>
> Yes. If the NAS doesn't like the ACK (wrong source IP, etc), it will ignore it, and send another Accounting-Request, with an updated Acct-Delay-Time.
>
> Alan DeKok.

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Re: FreeRadius logging lots of duplicates?
After running the radius in debug mode I'm not seeing any blatant errors. Maybe someone on the list can help me. The only thing I see is that it's complaining about no NULL realm, and that the module unix returns fail. What should I be looking for?

rad_recv: Accounting-Request packet from host 10.45.0.9:7002, id=24, length=232
        User-Name = rvgibson
        NAS-IP-Address = 10.45.0.9
        NAS-Port = 2210
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Acct-Status-Type = Stop
        Acct-Delay-Time = 17
        Acct-Session-Id = 390747682
        Acct-Authentic = RADIUS
        Idle-Timeout = 0
        Acct-Session-Time = 2277
        Acct-Input-Octets = 30599
        Acct-Output-Octets = 127694
        Acct-Input-Packets = 529
        Acct-Output-Packets = 802
        X-Ascend-Disconnect-Cause = 45
        X-Ascend-Connect-Progress = 60
        X-Ascend-Xmit-Rate = 46667
        X-Ascend-Data-Rate = 21600
        X-Ascend-PreSession-Time = 26
        X-Ascend-Pre-Input-Octets = 285
        X-Ascend-Pre-Output-Octets = 247
        X-Ascend-Pre-Input-Packets = 11
        X-Ascend-Pre-Output-Packets = 11
        X-Ascend-First-Dest = 65.255.255.255
        X-Ascend-Modem-PortNo = 52
        X-Ascend-Modem-SlotNo = 9
        X-Ascend-Modem-ShelfNo = 1
        Calling-Station-Id = 5036512800
        Called-Station-Id = 2634593
        Framed-Protocol = PPP
        Framed-IP-Address = 65.182.231.239
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 28
  modcall[preacct]: module preprocess returns noop for request 28
rlm_acct_unique: Hashing 'NAS-Port = 2210,Client-IP-Address = 10.45.0.9,NAS-IP-Address = 10.45.0.9,Acct-Session-Id = 390747682,User-Name = rvgibson'
rlm_acct_unique: Acct-Unique-Session-ID = 29487a05fb1b964f.
  modcall[preacct]: module acct_unique returns ok for request 28
    rlm_realm: No '@' in User-Name = rvgibson, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 28
  modcall[preacct]: module files returns noop for request 28
modcall: group preacct returns ok for request 28
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 28
radius_xlat: '/var/log/radacct/10.45.0.9/detail-20050307'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.45.0.9/detail-20050307
  modcall[accounting]: module detail returns ok for request 28
  modcall[accounting]: module unix returns fail for request 28
modcall: group accounting returns fail for request 28
Finished request 28

Scott Baker wrote:
> Aha! Now you're talking:
>
> Acct-Delay-Time = 62575
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69824
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69874
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69924
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69824
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69874
> Acct-Session-Id = 301140517
> --
> Acct-Delay-Time = 69924
> Acct-Session-Id = 301140517
>
> I'll run it in debug mode, thanks for the heads up.
>
> Alan DeKok wrote:
> > Scott Baker [EMAIL PROTECTED] wrote:
> > > So I'm guessing it's never hearing back "I got your Accounting packet" even though the server is logging it. Do the accounting packets require an acknowledge?
> >
> > Yes. If the NAS doesn't like the ACK (wrong source IP, etc), it will ignore it, and send another Accounting-Request, with an updated Acct-Delay-Time.
> >
> > Alan DeKok.

--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253
Re: FreeRadius logging lots of duplicates?
Scott Baker [EMAIL PROTECTED] wrote:
> errors. Maybe someone on the list can help me. The only thing I see is that it's complaining about no NULL realm, and that the module unix returns fail. What should I be looking for?

That the server doesn't send an Accounting-Response to the client. This is because the unix module returns fail. The short answer is to delete unix from accounting.

From looking at the source code to rlm_unix, this happens because it can't write to the radwtmp file. It SHOULD be printing out a descriptive error message, though.

Alan DeKok.
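The retransmission behaviour discussed in this thread (the NAS never gets an Accounting-Response it can validate, so it resends the same record with a growing Acct-Delay-Time) can be modelled end to end. The Python below is an added example, not code from the thread or from FreeRADIUS: it builds an RFC 2866 Accounting-Request on the NAS side, answers it on the server side, and validates the ACK the way a NAS must; the shared secrets, user name, session id and retry interval are constructed values.

```python
# Added example (not from the thread or FreeRADIUS): RFC 2866 accounting
# exchange, modelling why a NAS keeps retransmitting the same record when
# the Accounting-Response is missing or fails validation.
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# RFC 2865/2866 attribute type codes used below
USER_NAME = 1
ACCT_STATUS_TYPE = 40   # value 2 = Stop
ACCT_DELAY_TIME = 41    # seconds the NAS has been trying to send this record
ACCT_SESSION_ID = 44


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (value is at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_attributes(user, session_id, delay):
    """Attributes of a Stop record; delay is the Acct-Delay-Time in seconds."""
    return (_attr(USER_NAME, user.encode())
            + _attr(ACCT_STATUS_TYPE, struct.pack("!I", 2))
            + _attr(ACCT_SESSION_ID, session_id.encode())
            + _attr(ACCT_DELAY_TIME, struct.pack("!I", delay)))


def accounting_request(ident, attrs, secret):
    """NAS side. Request Authenticator = MD5(Code + ID + Length + 16 zero
    bytes + Attributes + Secret), per RFC 2866 section 3."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def acct_delay_time(packet):
    """Decode Acct-Delay-Time from a request; None if absent or malformed."""
    pos, end = 20, len(packet)
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            break  # malformed attribute list, stop decoding
        if atype == ACCT_DELAY_TIME and alen == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return None


def accounting_response(request, secret):
    """Server side. A request whose authenticator does not verify (wrong shared
    secret) is silently dropped (None); otherwise the ACK carries no attributes
    and Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    attrs = request[20:length]
    expected = hashlib.md5(request[:4] + bytes(16) + attrs + secret).digest()
    if code != ACCOUNTING_REQUEST or expected != request[4:20]:
        return None
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def nas_accepts(request, response, secret):
    """NAS side validation of the ACK: matching ID, sane length, and a
    Response Authenticator computed over the original Request Authenticator."""
    if response is None or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or ident != request[1] or length != len(response):
        return False
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    return expected == response[4:20]


def simulate_nas(nas_secret, server_secret, server_reachable, retry_interval, max_tries):
    """Model the thread's symptom: the NAS resends the same record, bumping
    Acct-Delay-Time each time, until it gets an ACK it can validate.
    Returns (acked, list of Acct-Delay-Time values that were sent)."""
    sent_delays = []
    for attempt in range(max_tries):
        delay = attempt * retry_interval
        # "testuser" / "sess-0001" are constructed sample values
        req = accounting_request(0x4e, build_attributes("testuser", "sess-0001", delay), nas_secret)
        sent_delays.append(acct_delay_time(req))
        resp = accounting_response(req, server_secret) if server_reachable else None
        if nas_accepts(req, resp, nas_secret):
            return True, sent_delays
    return False, sent_delays
```

A mismatched shared secret and an unreachable (or silently failing) server look identical from the NAS: `simulate_nas(b"s3cret", b"wrong", True, 50, 3)` and `simulate_nas(b"s3cret", b"s3cret", False, 50, 3)` both return `(False, [0, 50, 100])`, which is the growing Acct-Delay-Time pattern seen in the detail file.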
Mtotacct+totacct+logbadlogin scripts not running
Hi

I try to run the mtotacct and totacct scripts but this is what I get:

DELETE FROM mtotacct WHERE AcctDate = '2005-03-01';
INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'2005-03-01',SUM(ConnNum),SUM(ConnTotDuration),
MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
SUM(OutputOctets),NASIPAddress FROM totacct
WHERE AcctDate >= '2005-03-01' AND AcctDate <= '2005-03-08'
GROUP BY UserName,NASIPAddress;
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)

The user password in admin.conf had been entered as shown:

sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: password
sql_database: radius

Or is there another file where I should specify the mysql password?

When I try to run the log_badlogin script the following output is produced:

###
Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
Malformed UTF-8 character (1 byte, need 3, after start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6497.
Malformed UTF-8 character (unexpected non-continuation byte 0x73, immediately after start byte 0xea) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6501.
Could not open file
###

What file couldn't it open? Is it Manip.pm? Do I need to restore Manip.pm, or did anything else happen here?

Is there any other way to run the scripts, allowing them to automatically fill the tables in the sql database?

Appreciate any help. Thanks.
Re: Frame-IP-Address in SQL?
Alan DeKok wrote:
> Chan Min Wai [EMAIL PROTECTED] wrote:
> > What about the info that is provided by the freeradius? When we are using ippool, which means that the ipaddress actually came from us. So we should be able to log them, right?
>
> When the IP address is assigned, yes.
>
> > I do try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that isn't working.
>
> Since you didn't say where you put it, my conclusion is that you put it in the wrong place.

Haha, my bad. I put it in sql.conf, in:

accounting_update_query = UPDATE ${acct_table1} \
        SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
        AcctSessionTime = '%{Acct-Session-Time}', \
        AcctInputOctets = '%{Acct-Input-Octets}', \
        AcctOutputOctets = '%{Acct-Output-Octets}' \
        WHERE AcctSessionId = '%{Acct-Session-Id}' \
        AND UserName = '%{SQL-User-Name}' \
        AND NASIPAddress= '%{NAS-IP-Address}'

accounting_update_query_alt = INSERT into ${acct_table1} \
        (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
        NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, \
        ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, \
        CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, \
        AcctStartDelay) \
        values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
        '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', \
        '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{reply:Framed-IP-Address}', '0')

accounting_start_query = INSERT into ${acct_table1} \
        (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
        NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, \
        ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
        CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, \
        FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) \
        values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', \
        '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{reply:Framed-IP-Address}', \
        '%{Acct-Delay-Time}', '0')

accounting_start_query_alt = UPDATE ${acct_table1} \
        SET AcctStartTime = '%S', \
        AcctStartDelay = '%{Acct-Delay-Time}', \
        ConnectInfo_start = '%{Connect-Info}' \
        WHERE AcctSessionId = '%{Acct-Session-Id}' \
        AND UserName = '%{SQL-User-Name}' \
        AND NASIPAddress = '%{NAS-IP-Address}'

accounting_stop_query = UPDATE ${acct_table2} \
        SET AcctStopTime = '%S', \
        AcctSessionTime = '%{Acct-Session-Time}', \
        AcctInputOctets = '%{Acct-Input-Octets}', \
        AcctOutputOctets = '%{Acct-Output-Octets}', \
        AcctTerminateCause = '%{Acct-Terminate-Cause}', \
        AcctStopDelay = '%{Acct-Delay-Time}', \
        ConnectInfo_stop = '%{Connect-Info}' \
        WHERE AcctSessionId = '%{Acct-Session-Id}' \
        AND UserName = '%{SQL-User-Name}' \
        AND NASIPAddress = '%{NAS-IP-Address}'

accounting_stop_query_alt = INSERT into ${acct_table2} \
        (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, \
        NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, \
        ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, \
        CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, \
        FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) \
        values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), \
        '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', \
        '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', \
        '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', \
        '%{Framed-Protocol}', '%{reply:Framed-IP-Address}', '0', '%{Acct-Delay-Time}')

It would be helpful if you can correct me.

Regards
Chan Min Wai
Re: Frame-IP-Address in SQL?
Chan Min Wai [EMAIL PROTECTED] wrote:
> I put it in sql.conf, in:
> accounting_update_query = UPDATE ${acct_table1} \
>         SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
> ...

And you're not seeing it in the database. This is covered in the FAQ, for accounting requests. I don't understand what the problem is.

> It would be helpful if you can correct me

Read the FAQ. If an attribute isn't getting logged, it's because the NAS isn't sending it.

Alan DeKok.
RE: Frame-IP-Address in SQL?
The accounting_xxx_query queries in sql.conf are run in response to the freeRADIUS server receiving an *accounting* request from a NAS. This is independent from the authorization/authentication process that has occurred previously. The sql queries log what was received in the *accounting* request that it is currently processing - that's why they are being called from the *accounting* sections of radiusd.conf, and why they are called accounting_xxx_query in sql.conf.

So with this in mind, to insert Framed-IP-Address into the database you should use the value that is *received* in the *accounting* request, i.e. %{Framed-IP-Address}, as per the default configuration in sql.conf. If your NAS isn't sending the Framed-IP-Address attribute in the accounting request, then the sql module cannot insert it in the database.

You appear to be struggling (or at least confused) with the fundamentals of RADIUS. I would suggest doing some reading up on the RADIUS protocol, and how a NAS interacts with a RADIUS server. Once you understand that, you'll better understand how freeRADIUS works, what the various sections of radiusd.conf mean, and you can begin to understand how to configure freeRADIUS to get the results you want.

I would also recommend testing your freeRADIUS configuration using radclient (comes with freeRADIUS - check the bin directory - man radclient). This will allow you to send arbitrary RADIUS requests to the server and determine the results in a controlled environment. Once you have that working correctly you can try it with a real NAS.

Hope that helps,
Mike

Alan DeKok wrote:
> Chan Min Wai [EMAIL PROTECTED] wrote:
> > What about the info that is provided by the freeradius? When we are using ippool, which means that the ipaddress actually came from us. So we should be able to log them, right?
>
> When the IP address is assigned, yes.
>
> > I do try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that isn't working.
Re: Frame-IP-Address in SQL?
Alan DeKok wrote:
> Chan Min Wai [EMAIL PROTECTED] wrote:
> > I put it in sql.conf, in:
> > accounting_update_query = UPDATE ${acct_table1} \
> >         SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
> > ...
>
> And you're not seeing it in the database. This is covered in the FAQ, for accounting requests. I don't understand what the problem is.
>
> > It would be helpful if you can correct me
>
> Read the FAQ. If an attribute isn't getting logged, it's because the NAS isn't sending it.

OK, so I'm trying to do something that it is not designed to do / should not do... because the Framed-IP-Address comes from freeradius and the NAS never sends the info back...

Are there any other options I can look into? If not, then thank you, and forget about it.

Regards
Chan Min Wai

Thank You
Re: Frame-IP-Address in SQL?
Mitchell, Michael J wrote:
> The accounting_xxx_query queries in sql.conf are run in response to the freeRADIUS server receiving an *accounting* request from a NAS. This is independent from the authorization/authentication process that has occurred previously. The sql queries log what was received in the *accounting* request that it is currently processing - that's why they are being called from the *accounting* sections of radiusd.conf, and why they are called accounting_xxx_query in sql.conf.

Thanks for clearing that up. I didn't really know that.

> So with this in mind, to insert Framed-IP-Address into the database you should use the value that is *received* in the *accounting* request, i.e. %{Framed-IP-Address}, as per the default configuration in sql.conf. If your NAS isn't sending the Framed-IP-Address attribute in the accounting request, then the sql module cannot insert it in the database.

That's just too bad... My NAS doesn't support Framed-IP-Address... So there is no way to log it, right?

> You appear to be struggling (or at least confused) with the fundamentals of RADIUS. I would suggest doing some reading up on the RADIUS protocol, and how a NAS interacts with a RADIUS server. Once you understand that, you'll better understand how freeRADIUS works, what the various sections of radiusd.conf mean, and you can begin to understand how to configure freeRADIUS to get the results you want.

Yes, I'm too confused, but thanks to you, much has been cleared up.

> I would also recommend testing your freeRADIUS configuration using radclient (comes with freeRADIUS - check the bin directory - man radclient). This will allow you to send arbitrary RADIUS requests to the server and determine the results in a controlled environment. Once you have that working correctly you can try it with a real NAS.

Thank You

Regards,
Chan Min Wai
Re: script to run when a users is logging out?
[EMAIL PROTECTED] wrote:
> LS
>
> How about accounting, when the disconnect frame enters.

Where is the "disconnect frame enters" located?

Thank You
Chan Min Wai
Re: Frame-IP-Address in SQL?
What is your NAS? If Cisco, you must take a look at these links:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1082974
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/cisco?rev=1.9&content-type=text/x-cvsweb-markup

To get framed-ip-address on accounting-start you must add this command on the Cisco:

aaa accounting delay-start [all]

Use the aaa accounting delay-start command to delay generation of accounting start records until the IP address of the user has been established. By default Accounting-start records are not delayed.

- Original Message -
From: Chan Min Wai [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 08, 2005 10:44 AM
Subject: Re: Frame-IP-Address in SQL?

> Alan DeKok wrote:
> > Chan Min Wai [EMAIL PROTECTED] wrote:
> > > I put it in sql.conf, in:
> > > accounting_update_query = UPDATE ${acct_table1} \
> > >         SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
> > > ...
> >
> > And you're not seeing it in the database. This is covered in the FAQ, for accounting requests. I don't understand what the problem is.
> >
> > > It would be helpful if you can correct me
> >
> > Read the FAQ. If an attribute isn't getting logged, it's because the NAS isn't sending it.
>
> OK, so I'm trying to do something that it is not designed to do / should not do... because the Framed-IP-Address comes from freeradius and the NAS never sends the info back...
>
> Are there any other options I can look into? If not, then thank you, and forget about it.
>
> Regards
> Chan Min Wai
>
> Thank You
Re: Frame-IP-Address in SQL?
eDoS wrote:
> What is your NAS? If Cisco, you must take a look at these links:
>
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1082974
> http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/cisco?rev=1.9&content-type=text/x-cvsweb-markup
>
> To get framed-ip-address on accounting-start you must add this command on the Cisco:
>
> aaa accounting delay-start [all]
>
> Use the aaa accounting delay-start command to delay generation of accounting start records until the IP address of the user has been established. By default Accounting-start records are not delayed.

Thanks for the help; unluckily I'm not using Cisco as the NAS :(

Just too bad...

Regards,
Chan Min Wai
ppp radius-plugin
Hi

I want to use RADIUS authentication for pptp. Therefore I need the radius.so plugin, which isn't included in the Debian default installation of ppp 2.4.2b3. So I compiled it manually (thank god there was a makefile) and copied it to the right path (/usr/lib/pppd/2.4.2b3/). Everything worked fine. Then I added "plugin radius.so" to pptp-options, started the pptp server and tried to connect, but I get the following error:

/usr/sbin/pppd: /usr/lib/pppd/2.4.2b3/radius.so: undefined symbol: chap_auth_hook
/usr/sbin/pppd: Couldn't load plugin radius.so

I installed pppd as a binary package and compiled the right version of the radius plugin. Has anyone an idea or solution?

Thanks,
best regards
peda