Re: freeradius + pptp

2005-03-07 Thread Mervyn Yeo
Alan DeKok wrote:
Mervyn Yeo [EMAIL PROTECTED] wrote:
 

This appears after I've included plugin radius.so in my 
/etc/ppp/options.pptpd. Can someone give me some clues on rc_avpair_new: 
unknown attribute 11 and 25?
   

 Read the dictionary file for the names of attributes 11 and 25.
 As for why pptpd doesn't understand them, ask pptpd.
 Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thanks Alan, I've figured that part out. Now looking at my radiusd -X 
I've got this, is it something to do with adding an Auth-Type with 
MS-CHAP in my /etc/raddb/users file? Any suggestions would be appreciated.

radiusd -v
radiusd: FreeRADIUS Version 1.0.2, for host , built on Mar  3 2005 at 
08:50:02

rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for root with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Cheers,
Mervyn


log_file and NFS?

2005-03-07 Thread Greg Ulyatt
Hello,
I recently moved from Cistron to freeRADIUS for the obvious 
reasons/benefits. My setup is pretty simple, backend users file
into mySQL and accounting is relayed back to a central server. The setup 
was running fine until I rebooted my NFS server. I am using a log_file 
that is mounted from a central NFS resource to allow phone support 
people quick access to tell a user that they have the wrong password 
(the most common problem). However, when the NFS resource becomes 
unavailable radiusd stops all authentication.

So, the question is... is this a bug or expected? If it's expected is 
there any way to pipe the log_file into a program so I can send them to 
a central resource, or use a radrelay like program?


Cheers,
Greg Ulyatt
REDNET Systems Administrator


script to run when a users is logging out?

2005-03-07 Thread Chan Min Wai
Hello all,
 I know the script needs to be defined in the exec {}

And the script before users log in is put into post-auth; what about the
script after users log out, or just before users log out?

Does anyone have any idea?

Below is the script that someone helped me with to control dhcp with radius...

To remove is easy: just set name and then key in remove.

==

#!/usr/bin/bash
tr=`which tr`
omshell=`which omshell`


IPADD=$FRAMED_IP_ADDRESS
NETMASK=$FRAMED_IP_NETMASK
# $1 is the MAC address with dashes; make it lower-case and colon-separated
MACADD=`echo "$1" | tr - : | tr '[:upper:]' '[:lower:]'`
NASADD=$2


# record the values received, for debugging
echo "$IPADD" "$NETMASK" "$MACADD" "$NASADD" > /tmp/radtest
#creating a file to execute a value with omshell
cat << ! > /tmp/radtest.add
server 202.73.8.65
port 5901
connect
new host
set name = $MACADD
set hardware-address = $MACADD
set hardware-type = 1
set ip-address = $IPADD
create
!
omshell < /tmp/radtest.add
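
A hardened variant of the script in the post above, as an added example that is not part of the original message: the MAC and IP arrive in the RADIUS request and end up inside omshell commands, so they are validated first, and the commands are piped to omshell instead of being written to fixed file names under /tmp. OMAPI_SERVER and OMAPI_PORT are hypothetical variable names with placeholder defaults, and the open/remove sequence follows omshell(1).

```shell
#!/bin/sh
# Added example, not the poster's script. Registers or removes a DHCP host
# through omshell after validating the values taken from the RADIUS request.
# Assumptions: OMAPI_SERVER / OMAPI_PORT are hypothetical names; the IP is
# read from FRAMED_IP_ADDRESS as in the post; $1 = add|remove, $2 = MAC.

OMAPI_SERVER=${OMAPI_SERVER:-192.0.2.10}   # placeholder address
OMAPI_PORT=${OMAPI_PORT:-7911}             # placeholder; use your dhcpd omapi-port

# Turn 00-11-22-AA-BB-CC into 00:11:22:aa:bb:cc.
# Prints the result, or returns 1 if the input is not exactly six hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    case "$mac" in
        # Any other character (including an embedded newline, which would
        # start a new omshell command) rejects the value outright.
        *[!0-9a-f:]*) return 1 ;;
    esac
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

# Print the omshell command stream for "add" or "remove".
# Callers must pass values that already went through the checks above.
omshell_commands() {
    action=$1
    host_mac=$2
    host_ip=$3
    case "$action" in
        add|remove) ;;
        *) return 1 ;;
    esac
    printf 'server %s\nport %s\nconnect\nnew host\n' "$OMAPI_SERVER" "$OMAPI_PORT"
    printf 'set name = "%s"\n' "$host_mac"
    if [ "$action" = add ]; then
        printf 'set hardware-address = %s\n' "$host_mac"
        printf 'set hardware-type = 1\n'
        printf 'set ip-address = %s\n' "$host_ip"
        printf 'create\n'
    else
        # An existing object has to be opened before it can be removed.
        printf 'open\nremove\n'
    fi
}

main() {
    action=$1
    clean_mac=$(normalize_mac "${2:-}") || {
        echo "rejected MAC address from request" >&2
        return 1
    }
    ip=${FRAMED_IP_ADDRESS:-}
    case "$action" in
        add)
            valid_ipv4 "$ip" || {
                echo "rejected Framed-IP-Address from request" >&2
                return 1
            }
            ;;
        remove) ;;
        *)
            echo "usage: $0 add|remove <mac>" >&2
            return 1
            ;;
    esac
    # No temporary file: the command stream goes straight to omshell.
    omshell_commands "$action" "$clean_mac" "$ip" | omshell
}

# Run only when called with arguments, so the functions can be sourced alone.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Called with "remove" from the accounting section on a Stop record, the same script covers the logout case asked about in this thread.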



RE: script to run when a users is logging out?

2005-03-07 Thread Nico.Baggus
LS

How about accounting, when the disconnect frame enters.

Nico Baggus

 



Re: script to run when a users is logging out?

2005-03-07 Thread Chan Min Wai
[EMAIL PROTECTED] wrote:
 LS
 
 How about accounting, when the disconnect frame enters.

I've tried to put it there, but what happens is that
the user gets an IP and then the IP is released,
because accounting will be processed after post-auth.

Any more ideas?

regards
Chan Min Wai

  
 
 


Re: How to set FreeRADIUS auth via POP3?

2005-03-07 Thread CNCA CNCA
On Sun, 06 Mar 2005 12:27:22 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
 CNCA CNCA [EMAIL PROTECTED] wrote:
  HI,I want FreeRADIUS use pop3 as an authentication method in FreeBSD
 
  That's a terrible idea.

yeah...but it's not what i can determine...

  it seems work fine between pam_pop3 and pop3 box, but has problem
  between FreeRADIUS and pam_pop3...
 
  I'll bet you configured FreeRADIUS to use the PAM file pop3 for
 authentication.  Don't do that.  Read radiusd.conf to see how to
 configure the PAM module, and how to configure PAM to handle
 authentication requests from FreeRADIUS.

my radiusd.conf
=
modules {
pam {
pam_auth = pop3
}
}

authenticate {
pam
}
=



users
=
DEFAULT Auth-Type = PAM
Fall-Through = 1
=



/etc/pam.d/pop3
=
auth    required    /usr/local/lib/pam_pop3.so hostname=[myhost]
=


--
Thanks



Re: Authentication Problem With Freeradius WinXP

2005-03-07 Thread Badrul Anuar
: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
 detail: detailfile =
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log) 
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.51:1177, id=0, length=206
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
Message-Authenticator = 0xd7449eabc1bbfb06d6c344263b3ca902
Service-Type = Framed-User
User-Name = wireless
Framed-MTU = 1488
Called-Station-Id = 00-0F-3D-AB-70-51:xserverAP
Calling-Station-Id = 00-0C-F1-13-3F-29
NAS-Identifier = D-link Corp. Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020d01776972656c657373
NAS-IP-Address = 192.168.2.51
NAS-Port = 1
NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  
'/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to 
/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307
  modcall[authorize]: module auth_log returns ok for request 0
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry wireless at line 1
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.2.51:1177
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x0a5bd7de65432910765e43ce0a57f731
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.2.51:1177, id=1, length=323
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 1, (1 handled so far)
Message-Authenticator = 0x246361a6bd4e3ec8438706922355f530
Service-Type = Framed-User
User-Name = wireless
Framed-MTU = 1488
State = 0x0a5bd7de65432910765e43ce0a57f731
Called-Station-Id = 00-0F-3D-AB-70-51:xserverAP
Calling-Station-Id = 00-0C-F1-13-3F-29
NAS-Identifier = D-link Corp. Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x02010070198000661603010061015d0301422c39f06dbe2d9ca25e2eae1a035f420469ed488ff2300b34a80a3dd704006a203a78c05c63ec3cca58c1c5cbbc9ccb8a558025f0f0b03356da16dd06d88f9bcd001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 192.168.2.51
NAS-Port = 1
NAS-Port-Id = STA port # 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  
'/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to 
/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050307
  modcall[authorize]: module auth_log

Re: Password entry in dialup admin

2005-03-07 Thread Kostas Kalevras
On Sun, 6 Mar 2005, zack musa wrote:
Hi.
When I entering the value for some user, with the
admin.conf set to crypt, the value inserted in the db
are encrypted. So when that new user try to login to
the network, he get deny access message. so how can
the encryption can be a help avoiding the data to be
exposed,at the same time allowing him to get the
network access?
How is the crypt,md5,clear in the dialup admin
admin.conf file is set when we want the process of
sending the data secured at the same time only
particular or specified administrator responsible for
that user can view and change the password at any
time, and still secured?
Password storage has nothing to do with the authentication protocol. dialupadmin 
allows you to set the password encryption scheme that will be used when storing 
password. You should take a look at PAP/CHAP/MS-CHAP/EAP for possible 
authentication protocols.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: log_file and NFS?

2005-03-07 Thread Kostas Kalevras
On Mon, 7 Mar 2005, Greg Ulyatt wrote:
Hello,
I recently moved from Cistron to freeRADIUS for the obvious reasons/benefits. 
My setup is pretty simple, backend users file
into mySQL and accounting is relayed back to a central server. The setup was 
running fine until I rebooted my NFS server. I am using a log_file that is 
mounted from a central NFS resource to allow phone support people quick 
access to tell a user that they have the wrong password (the most common 
problem). However, when the NFS resource becomes unavailable radiusd stops all 
authentication.

So, the question is... is this a bug or expected? If it's expected is there 
any way to pipe the log_file into a program so I can send them to a central 
resource, or use a radrelay like program?
Take a look at the log_badlogins script in dialupadmin. It should do what you 
want.


Cheers,
Greg Ulyatt
REDNET Systems Administrator

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Mtotacct, totacct and badlogin scripts problem

2005-03-07 Thread zack musa
Hi
I tried to run the mtotacct and totacct scripts but this is
what I get
_
DELETE FROM mtotacct WHERE AcctDate = '2005-03-01';
INSERT INTO mtotacct
(UserName,AcctDate,ConnNum,ConnTotDuration,
   
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT
UserName,'2005-03-01',SUM(ConnNum),SUM(ConnTotDuration),
   
MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
SUM(OutputOctets),NASIPAddress FROM totacct
WHERE AcctDate = '2005-03-01' AND
AcctDate = '2005-03-08' GROUP BY
UserName,NASIPAddress;
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]'
(Using password: NO)
__
 
The user password in admin.conf had been entered as
shown:

sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: password
sql_database: radius

Or is there other file where I should specify the
mysql password? When I try to run the log_badlogin
scripts the following output produced:
###

Malformed UTF-8 character (unexpected non-continuation
byte 0x78, immediately after start byte 0xf3) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6488.
Malformed UTF-8 character (unexpected non-continuation
byte 0x78, immediately after start byte 0xf3) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6488.
Malformed UTF-8 character (unexpected non-continuation
byte 0x6c, immediately after start byte 0xfa) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6489.
Malformed UTF-8 character (unexpected non-continuation
byte 0x6c, immediately after start byte 0xfa) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6489.
Malformed UTF-8 character (1 byte, need 3, after start
byte 0xe3) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6497.
Malformed UTF-8 character (unexpected non-continuation
byte 0x73, immediately after start byte 0xea) at
/usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line
6501.
Could not open file
###

What file couldn't it open? Do I need to restore the
Manip.pm? Is anything else happening here? I'd appreciate any
help. Thanks.







Re: radsqlrelay questions

2005-03-07 Thread Nicolas Baradakis
[EMAIL PROTECTED] wrote:

 3. if the radsqlrelay process dies (or i kill -9 it) - after
 restarting it - all the data in the detail-file will processed
 again

You're right. At startup radsqlrelay sends the detail-file from the
beginning, but perhaps some records were already in the database...

I understand you don't want to duplicate records in the database, but
killing radsqlrelay from time to time is not something you usually do.

Of course, patches are welcome.

-- 
Nicolas Baradakis



Re: Post Proxy Authorize

2005-03-07 Thread Nicolas Baradakis
Sandworm wrote:

 However, this means that the LDAP group is unnecessarily checked
 twice, once during each pass of the 'authorize' section. This is
 inefficient and takes time. Is there a better way of assigning the
 Class attribute so that it can be added to the attributes returned
 by the ACE server, without traversing the file twice?

You may add the Class attribute in the post-proxy section.

In recent CVS snapshots of FreeRADIUS, you can use the Post-Proxy-Type
stanza. Therefore you can write in the users file:


DEFAULT Huntgroup-Name == Staff-Devices, LDAP-Group == staff, Proxy-To-Realm := 'ace', Post-Proxy-Type := staff
        Fall-Through = No

DEFAULT Huntgroup-Name == Client-Devices, LDAP-Group == clients, Proxy-To-Realm := 'ace', Post-Proxy-Type := client
        Fall-Through = No


Then you write in radiusd.conf:


modules {
        attr_rewrite append.staff.class {
                attribute = Class
                searchin = proxy_reply
                searchfor = .*
                replacewith = OU=staff_vpn;
                new_attribute = yes
        }
        attr_rewrite append.client.class {
                attribute = Class
                searchin = proxy_reply
                searchfor = .*
                replacewith = OU=client_vpn;
                new_attribute = yes
        }
}

post-proxy {
        Post-Proxy-Type staff {
                append.staff.class
        }
        Post-Proxy-Type client {
                append.client.class
        }
}


This method no longer depends on the value of post_proxy_authorize
option. (which should always be set to 'no')

-- 
Nicolas Baradakis



Re: LDAP Profiles

2005-03-07 Thread Dustin Doris
 On Sun, 6 Mar 2005, Jarred Cleem wrote:

  Hello all;
 
  I am tying to put together an openLDAP/FreeRadius implementation for a
  multitude of services we provide.  We are currently providing high speed
  cable modem services, local dial-up, national dial-up, Motorola Canopy
  Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few
  other ISP type services.  Currently we have a different AAA platform for
  all of the different services we provide.  I am doing some research and
  setting up a test lab to see if I can get everything to one AAA
  platform.  I think I am close but am looking for some additional help
  with the connectivity between FreeRadius and openLDAP.
 
  I currently have FreeRadius communicating with openLDAP and
  authenticating the user.  However, the LDAP server is giving the RADIUS
  server the wrong profile after authentication.  I am not sure if I
  completely and correctly understand how this works.  It looks as thought
  it is finds the first ldap-group in my users file and returns the ldap
  path to the profile.  My problem is that if a user has more then one
  service, say dial-up and DSL, it does not return the right profile.  It
  returns the first match in the users file.
 
  How do I get LDAP and FreeRadius to return to the NAS the correct
  profile for the type of service the user is trying to authenticate to?
 
  Below is my configuration information.
 
  openLDAP 2.2.23
  freeRadius 1.0.2
  Fedora Core 3
 
  Current users file
  ---begin users
  DEFAULT Ldap-Group == disabled, Auth-Type := Reject
 Reply-Message = Account disabled.  Please call the helpdesk.
 
  DEFAULT Ldap-Group == dial, User-Profile :=
  uid=dial,ou=profiles,dc=multiband,dc=us
 Fall-Through = no
 
  DEFAULT Ldap-Group == isdn, User-Profile :=
  uid=isdn,ou=profiles,dc=multiband,dc=us
 Fall-Through = no
 
  DEFAULT Ldap-Group == dsl-ip, User-Profile :=
  uid=dsl-ip,ou=profiles,dc=multiband,dc=us
 Fall-Through = no
 
  DEFAULT Auth-Type := Reject
 Reply-Message = Please call the helpdesk.
  ---end users--

 With the above configuration, if a user is a member of more than one group then
 the first one matched will be the *only* one that will be used. And that *is*
 correct behaviour. What I think you need is to also use incoming request
 attributes to differentiate services (which you aren't right now). Something
 like:

 DEFAULT   NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile :=
 uid=isdn,ou=profiles,dc=multiband,dc=us
   Fall-Through = no

 DEFAULT   NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile :=
 uid=dsl-ip,ou=profiles,dc=multiband,dc=us


Sometimes you can also know the service based on the nas-ip-address, so
it's easy to use with huntgroups.

eg:

huntgroups file

dial  nas-ip-address == 1.1.1.1
dial  nas-ip-address == 1.1.1.2
dial  nas-ip-address == 1.1.1.3, nas-port-type == async
isdn  nas-ip-address == 1.1.1.3, nas-port-type == isdn
adsl  nas-ip-address == 1.1.1.4

What I did there was make 3 nas-ip-addresses in the dial huntgroup.  One
of them does both dial and isdn, so I added the additional check-item to
it.  One nas-ip is adsl.

Then in the users file.

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile :=
uid=dial...

DEFAULT Huntgroup-Name == isdn, Ldap-Group == isdn, User-Profile :=
uid=isdn...

etc...

DEFAULT Auth-Type := Reject

What you are doing there is first checking the huntgroup.  If you come
from a dial huntgroup, then we will look to see if you have the ldap-group
dial which would signal that you get access to dial.  If not, we move on
and will eventually hit the reject line.  If you do have dial, we
authenticate you and return the dial profile.

Same thing for isdn.  If you are coming from an isdn huntgroup, then we
check to see if you have the isdn group, if so we authenticate you,
otherwise we move on.

The documentation is getting old, but there is an explanation of that in
doc/ldap_howto.txt or at http://doris.cc/radius.

I will be rewriting that in the next few months with more specific
radius/ldap stuff, I'll get rid of the OS specific stuff, and add some new
things like configurable_failover.  I was hoping to have it done now, but
my radius rebuild project got demoted due to marketing trying to push out
new products yesterday.

Hope that helps.

-Dusty Doris



Re: Proxy or not with NULL realm

2005-03-07 Thread Nicolas Baradakis
Cristian Cappelletti wrote:

 The problem is, if there are NOT matches into local DB the radius answer 
 with an Access-Reject, instead to proxy the request to the second Radius 
 and wait an answer from it.
 
 How set up this solution?
 
 Any suggestions?

You may run the rlm_realm module at the beginning of authorize
section. This will enable the proxy function.

When you find the user in your database, add the variable
Proxy-To-Realm := LOCAL as a check item (ie in authcheck_table)
This will cancel proxying when the user is found.

-- 
Nicolas Baradakis



Checking user accounts

2005-03-07 Thread Janakan Rajendran








Hello everyone,

I have a wireless network in which access points are getting
authenticated by freeradius running on a solaris box. I want to add user
authentication and am thinking of having a mysql database for that. But for
the time being, I'm thinking of using the users file for a couple of users.
Now my question is, where do the users need to key in their username and
password if they have windows xp machines and want to use my wireless
network? In future I have plans for a captive portal like Chillipot, but
right now for testing purposes I want to know how the users will be
authenticated with the freeradius if I use a windows xp machine and username
and password in the users file.

I would appreciate any help on this.

Thx in advance.

Regards,

Janakan Rajendran










sql accounting basic question

2005-03-07 Thread Adam KOSA
Hi
could anyone tell the difference between AcctSessionId and AcctUniqueId 
in the sql table?

and also: i see that an insert is performed with acctstarttime set to 
the timestamp and acctstoptime set to 0 at accounting start.  an update 
is done at accounting stop, and another insert is done with 
acctstarttime and acctstoptime set to the starting and ending time values.

is this how it works?  or did i make mistakes when configuring it?  i 
used url http://www.frontios.com/freeradius-old.html for configuring, 
and the result is very basic - only accounting to sql.  this is what i 
wanted, but not sure if all the sql querys are needed.

rtfm answers are welcome too, i've been through the doc/ directory and 
http://www.frontios.com/freeradius.html too.

thanks
adam


Re: TTLS + PAP in LDAP for freeradius

2005-03-07 Thread Rok Papez
Hello Justin.

On Thursday 24 February 2005 15:36, Justin Guidroz wrote:
 TTLS + PAP has worked for me out of the box with FreeRADIUS.  The only
 changes I have made to the EAP settings is to point FreeRADIUS to my
 server certificates.  The server does the rest.

There is more to setting up things than just to make something work.
What about disabling other authentication methods ?
Routing of accounting packets ?
Anonymous username handling ?
Logging network usage to the database ?
.. and much more :).

If your attitude is: I just changed something and software did the rest, you
are better off running your freeradius under the Cygwin ;))).

-- 
Best regards,
Rok Papez.



proxy+peap

2005-03-07 Thread Marc-Henri Boisis-Delavaud
I have users with usernames like this [EMAIL PROTECTED], I proxy them to the 
domain1 radius.  With peap/mschapv2 I have this in the domain1 radius log:
   Identity does not match User-Name, setting from EAP Identity
The ldap only knows login, and the radius attribute: User-Name = login.

How can I configure radius to use login instead of [EMAIL PROTECTED] for EAP?
Marc


Re: Frame-IP-Address in SQL?

2005-03-07 Thread Alan DeKok
Chan Min Wai [EMAIL PROTECTED] wrote:
 What about the info that provided by the freeradius?
 When we are using ippool which meant that the ipaddress actually came
 from us. So we should be able to log them right?

  When the IP address is assigned, yes.

 I do try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that isn't working.

  Since you didn't say where you put it, my conclusion is that you put
it in the wrong place.

  Alan DeKok.




Re: Duplicate Accounting logging desired

2005-03-07 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote:
 I'd like to log accounting packets on our local (proxying) FR-1.0.2
 server but as well send them to the realm server that is configured
 for them in proxy.conf.

  The server does this by default when proxying accounting packets.

  Alan DeKok.



Re: freeradius + pptp

2005-03-07 Thread Alan DeKok
Mervyn Yeo [EMAIL PROTECTED] wrote:
 Thanks Alan, I've figured that part out. Now looking at my radiusd -X 
 I've got this, is it something to do with adding an Auth-Type with 
 MS-CHAP in my /etc/raddb/users file? Any suggestions would be appreciated.

  The server is already using the mschap module and the debug log
shows this.  So you don't have to set Auth-Type to mschap.

  What you DO have to do is tell the server what the user's password
is.  See umpteen posts to the list with this exact error message.

  Maybe I'll add more detailed complaint messages to the mschap
module, describing in excruciating detail what's going wrong.  Nothing
else seems to work.

  Alan DeKok.



Re: How to set FreeRADIUS auth via POP3?

2005-03-07 Thread Alan DeKok
CNCA CNCA [EMAIL PROTECTED] wrote:
On Sun, 06 Mar 2005 12:27:22 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
   I'll bet you configured FreeRADIUS to use the PAM file pop3 for
  authentication.  Don't do that.
...
 /etc/pam.d/pop3
 =
 auth    required    /usr/local/lib/pam_pop3.so hostname=[myhost]

  Ok what part of my message was unclear?

  Read radiusd.conf to see how to
  configure the PAM module, and how to configure PAM to handle
  authentication requests from FreeRADIUS.

  Perhaps you could try:

  a) reading my responses on this list
  b) reading the documentation in the server

  Alan DeKok.



Re: log_file and NFS?

2005-03-07 Thread Alan DeKok
Greg Ulyatt [EMAIL PROTECTED] wrote:
 I am using a log_file that is mounted from a central NFS resource to
 allow phone support people quick access to tell a user that they
 have the wrong password (the most common problem). However, when the
 NFS resource becomes unavailable radiusd stops all authentication.

  Yes.  That's why most people don't put log files onto NFS
partitions.  When NFS goes away, and the application tries to write to
the file, the *kernel* blocks the process until NFS comes back.

 So, the question is... is this a bug or expected?

  It's a feature of the OS, and there's very little you can do to
FreeRADIUS to avoid it, except to not put log files in NFS.

 If it's expected is there any way to pipe the log_file into a
 program so I can send them to a central resource, or use a radrelay
 like program?

  Put the log files on a local disk.  

  Alan DeKok.



Re: Checking user accounts

2005-03-07 Thread Alan DeKok
Janakan Rajendran [EMAIL PROTECTED] wrote:
 Future I have the plans for captive portal like Chillipot but right
 now for testing purposes I want to know how the users will be
 authenticated with the freeradius if I use windows xp machine and
 username and password in users file.

  http://www.freeradius.org/doc/

  Read the EAP howto's.

  Alan DeKok.



Re: Authentication Problem With Freeradius WinXP

2005-03-07 Thread Alan DeKok
Badrul Anuar [EMAIL PROTECTED] wrote:
 I have installed the hotfix, but the radius rejects the authentication.
 Could you pls give me some advice? I have changed the cert twice; the
 problem is the same.

  Weird.

  From what I can tell of the log, the same thing is happening.  I'm
not sure what else to suggest.

  Alan DeKok.




Re: sql accounting basic question

2005-03-07 Thread Alan DeKok
Adam KOSA [EMAIL PROTECTED] wrote:
 could anyone tell the difference between AcctSessionId and AcctUniqueId 
 in the sql table?

  The first is the Acct-Session-Id, as sent by the NAS.  NASes tend to
re-use ID's however, despite the standard saying to NOT do that.  As a
result, FreeRADIUS creates the unique Id, based on some additional
information.

 and also: i see that an insert is performed with acctstarttime set to 
 the timestamp and acctstoptime set to 0 at accounting start.  an update 
 is done at accounting stop, and another insert is done with 
 acctstarttime and acctstoptime set to the starting and ending time values.

  That sounds right.

  Alan DeKok.




Re: TTLS + PAP in LDAP for freeradius

2005-03-07 Thread Alan DeKok
Rok Papez [EMAIL PROTECTED] wrote:
 On Thursday 24 February 2005 15:36, Justin Guidroz wrote:
  TTLS + PAP has worked for me out of the box with FreeRADIUS.  The only
  changes I have made to the EAP settings is to point FreeRADIUS to my
  server certificates.  The server does the rest.
 
 There is more to setting up things than just to make something work.

  The design of the server and the default configuration files is to
make everything just work with minimal effort by the administrator.

  Alan DeKok.




Re: FreeRadius logging lots of duplicates?

2005-03-07 Thread Scott Baker
I've done a tcpdump while it's logging all the duplicates and all I 
see is one way communication. The NAS box will send 10 sessions or 
so to the accounting port to log but the radius never sends anything 
back. Why would that be?

08:08:59.006081 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4e length: 112
08:08:59.006702 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4c length: 168
08:08:59.007103 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4b length: 173
08:08:59.008191 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x4a length: 171
08:08:59.008230 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x49 length: 112
08:08:59.008988 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x47 length: 109
08:08:59.009033 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x45 length: 114
08:08:59.010149 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x43 length: 179
08:08:59.010188 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x42 length: 113
08:08:59.011184 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x40 length: 160
08:08:59.011234 IP 65.182.230.2.1030 > 65.182.224.34.radius-acct: RADIUS, Accounting Request (4), id: 0x3f length: 171

All the traffic is one way. Would something be preventing the radius 
from sending the received? Something in the configuration?

Scott
Thor Spruyt wrote:
Stephen D. Bechard wrote:
I do believe that the NAS needs the return packet.

When the NAS sends a packet to the server, the server should respond with an
accounting ack packet back to the NAS. Check that the server indeed sends an
ack packet and that the NAS receives the ack packet.
Also, on the NAS you should be able to configure how many times the NAS has
to retry to send the packet and at which interval.
The settings you should choose depend greatly on the connection between your
NAS and your server.
--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be


--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


Re: FreeRadius logging lots of duplicates?

2005-03-07 Thread Alan DeKok
Scott Baker [EMAIL PROTECTED] wrote:
 I've done a tcpdump while it's logging all the duplicates and all I 
 see is one way communication. The NAS box will send 10 sessions or 
 so to the accounting port to log but the radius never sends anything 
 back. Why would that be?

  Many reasons.

 All the traffic is one way. Would something be preventing the radius 
 from sending the received? Something in the configuration?

  Run the server in debugging mode to see.

  Alan DeKok.



Proxying to NT auth server ?

2005-03-07 Thread Gabriel Somlo
Hi,

I've got a NAS (actually, it's a Cisco 3030 VPN concentrator) which
supports the concept of 'groups' that may authenticate against
different Radius or NT-domain servers.

To make a long story short, it won't support NT servers which only
allow NTLM v.2. So, because of that, and also to consolidate
accounting, we're trying to have every group point at the same
Freeradius server, and have the freeradius box itself fan out
authentication to the various Radius or NT boxes.

From what I read in the docs, this could be done easily with proxying,
if only users would have usernames of the form '[EMAIL PROTECTED]', and use
the group as a realm name.

I noticed that currently the group is passed to the radius server in
a 'Class' attribute, and I'm wondering if there's any way to have
Freeradius determine which NT server to use (or to authenticate
locally) based on the value of the Class attribute instead of forcing
users to change the way they log in (by using '[EMAIL PROTECTED]' instead of
simply 'user' as their login names).

Any pointers to some useful place to 'rtfm', or any other hints and
ideas would be much appreciated.

Thanks,
Gabriel



DialupAdmin and Usernames

2005-03-07 Thread tfischer

   I've run in to a snag with dialupadmin 1.0.1. Our usernames have spaces.
I did not see that as a limitation in the docs. The only place it seems to
be a problem is when administering group membership. A space as well as a
new line defines the username to be assigned. I'd like to eliminate the
space delimiter, but I just don't see how to do it. Can someone please help
me?



dialupadmin

2005-03-07 Thread Janakan Rajendran

Hello,

I couldn't find any documentation on how to configure/run
dialupadmin on free radius. Would appreciate any links or
info on this.

Thank you,

Regards,

Janakan Rajendran

Re: FreeRadius logging lots of duplicates?

2005-03-07 Thread Scott Baker
Aha! Now you're talking:
Acct-Delay-Time = 62575
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517
I'll run it in debug mode, thanks for the heads up.
Alan DeKok wrote:
Scott Baker [EMAIL PROTECTED] wrote:
So I'm guessing it's never hearing 
back I got your Accounting packet even though the server is 
logging it. Do the accounting packets require an acknowledge?

  Yes.  If the NAS doesn't like the ACK (wrong source IP, etc), it
will ignore it, and send another Accounting-Request, with an updated
Acct-Delay-Time.
  Alan DeKok.


--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


Re: FreeRadius logging lots of duplicates?

2005-03-07 Thread Scott Baker
After running the radius in debug mode I'm not seeing any blatant 
errors. Maybe someone on the list can help me. The only thing I see 
is that it's complaining about no NULL realm, and that the module 
unix returns fail. What should I be looking for?

rad_recv: Accounting-Request packet from host 10.45.0.9:7002, id=24, length=232
User-Name = rvgibson
NAS-IP-Address = 10.45.0.9
NAS-Port = 2210
NAS-Port-Type = Async
Service-Type = Framed-User
Acct-Status-Type = Stop
Acct-Delay-Time = 17
Acct-Session-Id = 390747682
Acct-Authentic = RADIUS
Idle-Timeout = 0
Acct-Session-Time = 2277
Acct-Input-Octets = 30599
Acct-Output-Octets = 127694
Acct-Input-Packets = 529
Acct-Output-Packets = 802
X-Ascend-Disconnect-Cause = 45
X-Ascend-Connect-Progress = 60
X-Ascend-Xmit-Rate = 46667
X-Ascend-Data-Rate = 21600
X-Ascend-PreSession-Time = 26
X-Ascend-Pre-Input-Octets = 285
X-Ascend-Pre-Output-Octets = 247
X-Ascend-Pre-Input-Packets = 11
X-Ascend-Pre-Output-Packets = 11
X-Ascend-First-Dest = 65.255.255.255
X-Ascend-Modem-PortNo = 52
X-Ascend-Modem-SlotNo = 9
X-Ascend-Modem-ShelfNo = 1
Calling-Station-Id = 5036512800
Called-Station-Id = 2634593
Framed-Protocol = PPP
Framed-IP-Address = 65.182.231.239
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 28
  modcall[preacct]: module preprocess returns noop for request 28
rlm_acct_unique: Hashing 'NAS-Port = 2210,Client-IP-Address = 10.45.0.9,NAS-IP-Address = 10.45.0.9,Acct-Session-Id = 390747682,User-Name = rvgibson'
rlm_acct_unique: Acct-Unique-Session-ID = 29487a05fb1b964f.
  modcall[preacct]: module acct_unique returns ok for request 28
rlm_realm: No '@' in User-Name = rvgibson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 28
  modcall[preacct]: module files returns noop for request 28
modcall: group preacct returns ok for request 28
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 28
radius_xlat:  '/var/log/radacct/10.45.0.9/detail-20050307'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.45.0.9/detail-20050307
  modcall[accounting]: module detail returns ok for request 28
  modcall[accounting]: module unix returns fail for request 28
modcall: group accounting returns fail for request 28
Finished request 28

Scott Baker wrote:
Aha! Now you're talking:
Acct-Delay-Time = 62575
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69824
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69874
Acct-Session-Id = 301140517
--
Acct-Delay-Time = 69924
Acct-Session-Id = 301140517
I'll run it in debug mode, thanks for the heads up.
Alan DeKok wrote:
Scott Baker [EMAIL PROTECTED] wrote:
So I'm guessing it's never hearing back I got your Accounting 
packet even though the server is logging it. Do the accounting 
packets require an acknowledge?

  Yes.  If the NAS doesn't like the ACK (wrong source IP, etc), it
will ignore it, and send another Accounting-Request, with an updated
Acct-Delay-Time.
  Alan DeKok.



--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


Re: FreeRadius logging lots of duplicates?

2005-03-07 Thread Alan DeKok
Scott Baker [EMAIL PROTECTED] wrote:
 errors. Maybe someone on the list can help me. The only thing I see 
 is that it's complaining about no NULL realm, and that the module 
 unix returns fail. What should I be looking for?

  That the server doesn't send an Accounting-Response to the client.
This is because the unix module returns fail.

  The short answer is to delete unix from accounting.

  From looking at the source code to rlm_unix, this happens because it
can't write to the radwtmp file.  It SHOULD be printing out a
descriptive error message, though.

  Alan DeKok.
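
The symptom discussed in this thread, one Acct-Session-Id arriving again and again with a growing Acct-Delay-Time because the NAS never gets an Accounting-Response it accepts, can be checked for in logged accounting records. The following is an added example, not code from any poster or from FreeRADIUS; the sample records, their detail-file-style layout and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread). Assumed layout: a date header,
# tab-indented "Name = value" lines, a Timestamp attribute with the arrival
# time in epoch seconds, and a blank line between records.
SAMPLE_DETAIL = """\
Mon Mar  7 08:08:59 2005
\tNAS-IP-Address = 192.0.2.10
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "4001"
\tAcct-Delay-Time = 0
\tTimestamp = 1110211739

Mon Mar  7 08:09:49 2005
\tNAS-IP-Address = 192.0.2.10
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "4001"
\tAcct-Delay-Time = 50
\tTimestamp = 1110211789

Mon Mar  7 08:10:00 2005
\tNAS-IP-Address = 192.0.2.10
\tAcct-Status-Type = Start
\tAcct-Session-Id = "4002"
\tAcct-Delay-Time = 0
\tTimestamp = 1110211800

Mon Mar  7 08:10:39 2005
\tNAS-IP-Address = 192.0.2.10
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "4001"
\tAcct-Delay-Time = 100
\tTimestamp = 1110211839

Mon Mar  7 08:11:40 2005
\tNAS-IP-Address = 192.0.2.20
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "4001"
\tAcct-Delay-Time = 0
\tTimestamp = 1110211900
"""

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_detail(text):
    """Return one dict of attribute name -> value per record."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        attrs = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:  # the unindented date header does not match and is skipped
                attrs[m.group(1)] = m.group(2).strip('"')
        if attrs:
            records.append(attrs)
    return records


def find_retransmissions(records, tolerance=2):
    """Report (NAS, session, status) groups that were logged more than once."""
    groups = defaultdict(list)
    for r in records:
        if "Acct-Session-Id" not in r or "Timestamp" not in r:
            continue
        # Session ids are only meaningful per NAS, so the NAS is part of the key.
        key = (r.get("NAS-IP-Address", "?"), r["Acct-Session-Id"],
               r.get("Acct-Status-Type", "?"))
        groups[key].append((int(r["Timestamp"]), int(r.get("Acct-Delay-Time", 0))))
    findings = []
    for (nas, sid, status), seen in sorted(groups.items()):
        if len(seen) < 2:
            continue
        seen.sort()
        # Arrival time minus Acct-Delay-Time approximates when the event
        # happened on the NAS. Resends of one event agree on that time;
        # separate events (e.g. periodic updates) do not.
        events = [ts - delay for ts, delay in seen]
        findings.append({
            "nas": nas, "session_id": sid, "status": status,
            "copies": len(seen),
            "delays": [delay for _, delay in seen],
            "event_time": min(events),
            "same_event": max(events) - min(events) <= tolerance,
            "max_delay": max(delay for _, delay in seen),
        })
    return findings


if __name__ == "__main__":
    for finding in find_retransmissions(parse_detail(SAMPLE_DETAIL)):
        print(finding)
```

A group with `same_event` true and a large `max_delay` is a NAS that has been resending one record for that long, which points at the response path (a failing accounting module, wrong source IP) rather than at lost requests.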



Mtotacct+totacct+logbadlogin scripts not running

2005-03-07 Thread zack musa
Hi,
I tried to run the mtotacct and totacct scripts, but this is
what I get:
*
DELETE FROM mtotacct WHERE AcctDate = '2005-03-01';
INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
    ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'2005-03-01',SUM(ConnNum),SUM(ConnTotDuration),
    MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
    SUM(OutputOctets),NASIPAddress FROM totacct
WHERE AcctDate = '2005-03-01' AND
AcctDate = '2005-03-08' GROUP BY UserName,NASIPAddress;
ERROR 1045: Access denied for user: '[EMAIL PROTECTED]' (Using password: NO)
__
 
The user password in admin.conf had been entered as
shown:

sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: password
sql_database: radius

Or is there other file where I should specify the
mysql password? When I try to run the log_badlogin
scripts the following output produced:
###

Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
Malformed UTF-8 character (unexpected non-continuation byte 0x78, immediately after start byte 0xf3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6488.
Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
Malformed UTF-8 character (unexpected non-continuation byte 0x6c, immediately after start byte 0xfa) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6489.
Malformed UTF-8 character (1 byte, need 3, after start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6497.
Malformed UTF-8 character (unexpected non-continuation byte 0x73, immediately after start byte 0xea) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 6501.
Could not open file
###

What file couldn't it open? Is it Manip.pm? Do I need
to restore
Manip.pm, or did anything else happen here?
Is there any other way to run the scripts, allowing
them to automatically fill tables in the sql database?
Appreciate any help. Thanks.



Re: Frame-IP-Address in SQL?

2005-03-07 Thread Chan Min Wai
Alan DeKok wrote:
 Chan Min Wai [EMAIL PROTECTED] wrote:
 
What about the info that provided by the freeradius?
When we are using ippool which meant that the ipaddress actually came
from us. So we should be able to log them right?
 
 
   When the IP address is assigned, yes.
 
 
I do try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that isn't working.
 
 
   Since you didn't say where you put it, my conclusion is that you put
 it in the wrong place.

Haha, My Bad,
I put it on the sql.conf

On
accounting_update_query = UPDATE ${acct_table1} \
 SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
 AcctSessionTime = '%{Acct-Session-Time}', \
 AcctInputOctets = '%{Acct-Input-Octets}', \
 AcctOutputOctets = '%{Acct-Output-Octets}' \
 WHERE AcctSessionId = '%{Acct-Session-Id}' \
 AND UserName = '%{SQL-User-Name}' \
 AND NASIPAddress= '%{NAS-IP-Address}'

accounting_update_query_alt = INSERT into ${acct_table1}
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay) values('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0})
SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}',
'%{reply:Framed-IP-Address}', '0')

accounting_start_query = INSERT into ${acct_table1} (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{reply:Framed-IP-Address}', '%{Acct-Delay-Time}', '0')


accounting_start_query_alt  = UPDATE ${acct_table1} SET
AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}',
ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId =
'%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress
= '%{NAS-IP-Address}'


accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime
= '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'


accounting_stop_query_alt = INSERT into ${acct_table2}
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,
NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime,
AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets,
AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause,
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay,
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
'%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
'%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{reply:Framed-IP-Address}', '0',
'%{Acct-Delay-Time}')


It would be helpful if you can correct me
Regards
Chan Min Wai



Re: Frame-IP-Address in SQL?

2005-03-07 Thread Alan DeKok
Chan Min Wai [EMAIL PROTECTED] wrote:
 I put it on the sql.conf
 
 On
 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
...

  And you're not seeing it in the database.  This is covered in the
FAQ, for accounting requests.

  I don't understand what the problem is.

 It would be helpful if you can correct me

  Read the FAQ.  If an attribute isn't getting logged, it's because
the NAS isn't sending it.

  Alan DeKok.



RE: Frame-IP-Address in SQL?

2005-03-07 Thread Mitchell, Michael J
The accounting_xxx_query queries in sql.conf are run in response to the
freeRADIUS server receiving an *accounting* request from a NAS. This is
independent from the authorization/authentication process that has
occurred previously. The sql queries log what was received in the
*accounting* request that it is currently processing- that's why they
are being called from the *accounting* sections of radiusd.conf, and why
they are called accounting_xxx_query in sql.conf.

So with this in mind, to insert Framed-IP-Address into the database you
should use the value that is *received* in the *accounting* request, ie
%{Framed-IP-Address}, as per the default configuration in sql.conf. If
your NAS isn't sending the Framed-IP-Address attribute in the accounting
request, then the sql module cannot insert it in the database.

You appear to be struggling (or at least confused) with the fundamentals
of RADIUS. I would suggest doing some reading up on the RADIUS protocol,
and how a NAS interacts with a RADIUS server. Once you understand that,
you'll better understand how freeRADIUS works, what the various sections
of radiusd.conf mean, and you can begin to understand how to configure
freeRADIUS to get the results you want.

I would also recommend testing your freeRADIUS configuration using
radclient (comes with freeRADIUS - check the bin directory - man
radclient). This will allow you to send arbitrary RADIUS requests to the
server and determine the results in a controlled environment. Once you
have that working correctly you can try it with a real NAS.

Hope that helps,
Mike


Alan DeKok wrote:
 Chan Min Wai [EMAIL PROTECTED] wrote:
 
What about the info that provided by the freeradius?
When we are using ippool which meant that the ipaddress 
actually came 
from us. So we should be able to log them right?
 
 
   When the IP address is assigned, yes.
 
 
I do try %{reply:FRAME-IP-ADDRESS} in the sql.conf but that 
isn't working.
 
 



Re: Frame-IP-Address in SQL?

2005-03-07 Thread Chan Min Wai
Alan DeKok wrote:
 Chan Min Wai [EMAIL PROTECTED] wrote:
 
I put it on the sql.conf

On
accounting_update_query = UPDATE ${acct_table1} \
 SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
 
 ...
 
   And you're not seeing it in the database.  This is covered in the
 FAQ, for accounting requests.
 
   I don't understand what the problem is.
 
 
It would be helpful if you can correct me
 
 
   Read the FAQ.  If an attribute isn't getting logged, it's because
 the NAS isn't sending it.

OK, so I'm trying to do something that is not design to/Should do so...
because the FRAMED-IP-ADDRESS is from freeradius and the NAS Never send
back the info...

Any other options I can look in...
If No then Thank You and forget about it.

Regards
Chan Min Wai

Thank You



Re: Frame-IP-Address in SQL?

2005-03-07 Thread Chan Min Wai
Mitchell, Michael J wrote:
 The accounting_xxx_query queries in sql.conf are run in response to the
 freeRADIUS server receiving an *accounting* request from a NAS. This is
 independent from the authorization/authentication process that has
 occurred previously. The sql queries log what was received in the
 *accounting* request that it is currently processing- that's why they
 are being called from the *accounting* sections of radiusd.conf, and why
 they are called accounting_xxx_query in sql.conf.

Thank for clearing me up. I don't really know that.

 So with this in mind, to insert Framed-IP-Address into the database you
 should use the value that is *received* in the *accounting* request, ie
 %{Framed-IP-Address}, as per the default configuration in sql.conf. If
 your NAS isn't sending the Framed-IP-Address attribute in the accounting
 request, then the sql module cannot insert it in the database.

That just too bad... My NAS didn't support Framed-IP-Address...
So no way to log it right?

 You appear to be struggling (or at least confused) with the fundamentals
 of RADIUS. I would suggest doing some reading up on the RADIUS protocol,
 and how a NAS interacts with a RADIUS server. Once you understand that,
 you'll better understand how freeRADIUS works, what the various sections
 of radiusd.conf mean, and you can begin to understand how to configure
 freeRADIUS to get the results you want.

Yes, I'm too confused, but thank to you, much have been clear out.

 
 I would also recommend testing your freeRADIUS configuration using
 radclient (comes with freeRADIUS - check the bin directory - man
 radclient). This will allow you to send arbitrary RADIUS requests to the
 server and determine the results in a controlled environment. Once you
 have that working correctly you can try it with a real NAS.

Thank You
Regards,
Chan Min Wai



Re: script to run when a users is logging out?

2005-03-07 Thread Chan Min Wai
[EMAIL PROTECTED] wrote:
 LS
 
 How about accounting, when the disconnect frame enters.

Where is the disconnect frame enters located?

Thank You
Chan Min Wai



Re: Frame-IP-Address in SQL?

2005-03-07 Thread eDoS
what is your nas ?
if cisco, you must take look this link
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1082974

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/cisco?rev=1.9content-type=text/x-cvsweb-markup

to get framed-ip-address on accounting-start you must add this command on
cisco :
aaa accounting delay-start [all]

Use the aaa accounting delay-start command to delay generation of accounting
start records until the IP address of the user has been established.
by default Accounting-start records are not delayed.


- Original Message - 
From: Chan Min Wai [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, March 08, 2005 10:44 AM
Subject: Re: Frame-IP-Address in SQL?


 Alan DeKok wrote:
  Chan Min Wai [EMAIL PROTECTED] wrote:
 
 I put it on the sql.conf
 
 On
 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{reply:Framed-IP-Address}', \
 
  ...
 
And you're not seeing it in the database.  This is covered in the
  FAQ, for accounting requests.
 
I don't understand what the problem is.
 
 
 It would be helpful if you can correct me
 
 
Read the FAQ.  If an attribute isn't getting logged, it's because
  the NAS isn't sending it.

 OK, so I'm trying to do something that is not design to/Should do so...
 because the FRAMED-IP-ADDRESS is from freeradius and the NAS Never send
 back the info...

 Any other options I can look in...
 If No then Thank You and forget about it.

 Regards
 Chan Min Wai

 Thank You





Re: Frame-IP-Address in SQL?

2005-03-07 Thread Chan Min Wai
eDoS wrote:
 what is your nas ?
 if cisco, you must take look this link
 http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf16.html#wp1082974
 
 http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/doc/cisco?rev=1.9content-type=text/x-cvsweb-markup
 
 to get framed-ip-address on accounting-start you must add this command on
 cisco :
 aaa accounting delay-start [all]
 
 Use the aaa accounting delay-start command to delay generation of accounting
 start records until the IP address of the user has been established.
 by default Accounting-start records are not delayed.
Thank for the help, unlucky I'm not using cisco as the NAS :(

Just too bad...

Regards,
Chan Min Wai



ppp radius-plugin

2005-03-07 Thread guest01
Hi

I want to use radius authentication for pptp. Therefore I need the
radius.so-plugin, which isn't included in the Debian default
installation of ppp 2.4.2b3. So I compiled it manually (thank god
there was a makefile) and copied it to the right path
(/usr/lib/pppd/2.4.2b3/). Everything worked fine.
Then I added plugin radius.so to pptp-options, started the pptp-server
and tried to connect, but I get the following error:

/usr/sbin/pppd: /usr/lib/pppd/2.4.2b3/radius.so: undefined symbol:
chap_auth_hook
/usr/sbin/pppd: Couldn't load plugin radius.so

I installed pppd as a binary packet and compiled the right version of
the radius-plugin.
Has anyone an idea or solution?

thxs
best regards
peda

