Re: radutmp doesnt show any users.....
My earlier email has the sql table which has all the data logged at radius. Without worrying about sql, the contents of the packets are as follows.

UserName
NASIPAddress
AcctStartTime
AcctStopTime

These have correct values returned from my NAS to radius and radius is successfully able to log them.

From what I understand from your email is to use this info to tell apart the sessions. One way I can think of is to use UserName and see if AcctStartTime field has a value. If it does, that means same UserName can not login. Now to

The issue with such an approach is that I can not limit it to 2 or 3 simultaneous use sessions. It will only be one. Can you suggest anything.

Also .. Under what circumstances does Simultaneous-Use Attribute works and can I use it in my case.

Thanks

As I was saying earlier, when a session starts AcctStartTime gets a value and when this session ends AcctStopTime is assigned a value. So given this info

On Sat, 12 Mar 2005 23:59:52 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
> Rad Adm [EMAIL PROTECTED] wrote:
>> The problem is that the NAS (can not) send NAS-Port Attribute and that is not changeable at the moment. So that eliminates the options of using radutmp.
>
> It would appear so.
>
>> Now knowing that radutmp can not work .. do you have any suggestion as to how i am implement User Concurrency.
>
> If your NAS sends attributes which lets you tell sessions apart, then you can use those attributes.
>
>> Each time a user connects to my NAS, it send a Accounting Start packet and on user disconnect a Accounting Stop packet.
>
> That's what the standard says.
>
>> Given this information what would you suggest is the best way to go about and implement user concurrency.
>
> I have no idea. I don't use SQL, so I don't recall what information is being logged in them. The key is to look at the contents of the packets. That's what's important.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
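
The open-session counting discussed in the message above, as an added example that is not part of the original thread or of FreeRADIUS: count the accounting rows for a user that have a start time but no stop time, and compare the count against a limit of 2 or 3. It assumes an in-memory SQLite table named radacct holding only the four fields listed in the post; the function names and the use of the rowid to match a Stop to its Start are hypothetical.

```python
import sqlite3

# Constructed table: only the four fields the post says the NAS reports.
SCHEMA = """
CREATE TABLE radacct (
    UserName      TEXT NOT NULL,
    NASIPAddress  TEXT NOT NULL,
    AcctStartTime TEXT NOT NULL,
    AcctStopTime  TEXT              -- NULL until the Accounting Stop arrives
)"""

def new_db():
    """Create the constructed accounting table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def accounting_start(db, user, nas_ip, when):
    """Log an Accounting Start; the returned rowid is this sketch's session key."""
    cur = db.execute("INSERT INTO radacct VALUES (?, ?, ?, NULL)",
                     (user, nas_ip, when))
    return cur.lastrowid

def accounting_stop(db, session, when):
    """Log the matching Accounting Stop by filling in AcctStopTime."""
    db.execute("UPDATE radacct SET AcctStopTime = ? "
               "WHERE rowid = ? AND AcctStopTime IS NULL", (when, session))

def open_sessions(db, user):
    """Count rows with a start and no stop. The name is a bound parameter
    because it arrives from the network and must never be spliced into SQL."""
    row = db.execute("SELECT COUNT(*) FROM radacct "
                     "WHERE UserName = ? AND AcctStopTime IS NULL", (user,))
    return row.fetchone()[0]

def may_login(db, user, limit):
    """Allow a new session only while fewer than `limit` are open.
    A lost Stop packet leaves its row open, so it keeps counting."""
    return open_sessions(db, user) < limit

def demo():
    db = new_db()
    # Constructed sample sessions for one user.
    first = accounting_start(db, "alice", "192.0.2.10", "2005-03-13 09:00:00")
    accounting_start(db, "alice", "192.0.2.10", "2005-03-13 09:05:00")
    results = [may_login(db, "alice", 2), may_login(db, "alice", 3)]
    accounting_stop(db, first, "2005-03-13 09:30:00")
    results.append(may_login(db, "alice", 2))
    return results

if __name__ == "__main__":
    print(demo())
```
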
Re: Problem with Windows XP Authentication
On Sunday 13 March 2005 13:47, chiam kuosiang wrote:
> When I tried to launch peap authentication with the windows xp client, the radius snippet keep on showing Sending Access-Challenge. In D-Link DWL-900AP+, log show EAP-Failure
>
> modcall[authenticate]: module eap returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 54 to 192.168.0.50:1206
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State = 0x621660927c5033dae390af4ffc09dfc5
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---

Your supplicant is not responding to the challenge. The conversation between it and the NAS may not be taking place properly. Check config on supplicant and NAS to make sure they agree. Do you have the latest drivers and patches on XP?
RE: Strip certain number of characters from username?
If you are using SQL authentication, you may want to strip the info in the SQL call.

Brian Andrus
FirstSpot, Inc.
(310) 899-WiFi
[EMAIL PROTECTED]
http://www.firstspot.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bülent Akdemir
Sent: Saturday, March 12, 2005 1:34 PM
To: freeradius-users@lists.freeradius.org
Subject: Strip certain number of characters from username?

Hi all,

Is it possible to retrieve only the last 5 characters of username and then use it for authentication? I tried to do it by means of hints file but I could only remove the matching part of usernames. My strings (username) are like: AXYu and I removed the A part in the hints file since it's identical for all usernames. But the XY part differs from username to username and I only need the u part. I know it seems very awkward but believe me, I need to do it. I'm using freeradius version 1.0.2.

Any idea would be appreciated. Thanx a lot... Sorry for my poor English...
RE: SQL auth_check_query and available variables
I figured it out. As odd as it was, I had to restart Postgres after making the changes to the radius configs. Once I did that, it started passing the value rather than the variable name.

Brian Andrus
FirstSpot, Inc.
(310) 899-WiFi
[EMAIL PROTECTED]
http://www.firstspot.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, March 12, 2005 9:49 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: SQL auth_check_query and available variables

Brian Andrus [EMAIL PROTECTED] wrote:
> What variables are available to the auth_check_query?

All attributes that exist.

> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'brian' AND allowed_NAS = '%{NAS-Identifier}'

I'm not sure why that would happen. I've never seen it myself.

> Are the variables from the NAS unavailable to a SQL query for auth?

If an attribute is in the request packet, you can use it in the SQL query.

Alan DeKok.
Freeradius ldap authentication sql authorization help!!
Hello,

To make it short, is it possible to authenticate users through ldap (which I can do right now), but limit which ports they can login to (16) on a port by port basis through sql with having to store their password in the db or modifying my ldap schema?

Currently I have freeradius authenticating users through NIS and authorizing users to port numbers with the users file. This works great until the list starts changing daily on who can and cannot use ras.

I'm wondering if anyone has setup freeradius to authenticate through ldap and authorize through a postgres db. All the documentation that I have read says that I need the user's username and password in the database, or that I need to modify my ldap schema.

Thanks,
jamie
Re: Freeradius ldap authentication sql authorization help!!
Jamie Crawford [EMAIL PROTECTED] wrote:
> I'm wondering if anyone has setup freeradius to authenticate through ldap and authorize through a postgres db.

Yes. I haven't done it myself, but FreeRADIUS is *designed* to have that kind of flexibility.

> All the documentation that I have read says that I need the user's username and password in the database, or that I need to modify my ldap schema.

If you're authorizing via SQL, your LDAP schema shouldn't need changes.

Alan DeKok.
AVPair
Hi.

I am using various Quintum boxes to communicate with our FreeRadius server. My question concerns the attributes:

Quintum-AVPair = =

What we need to know is... what's the deal with that? What is the difference between an AVPair attribute and the other standard name-value attributes such as:

Quintum-h323-gw-id = h323-gw-id=au-syd-wentworth
Quintum-h323-call-origin = h323-call-origin=answer

It seems that there are multiple values that could be passed as the AVPair, but FreeRadius only seems to be able to access. For instance, reading the FreeRadius log, during authentication, the AVPair contains h323-ivr-out=ACCESSCODE:, but then later during authorization it contains h323-ivr-out=FOLLOW_ON_FLAG:0. Then, on the stop call message, it contains h323-incoming-conf-id=33383732 61306336 38390064 393862B3.

Why can the AVPair values not all be sent through in the latter format? Why could these attributes not be passed on their own, rather than lumped into this AVPair affair? If I want to access the h323-incoming-conf-id when it is not presented as its own attribute, is it accessible through the AVPair?

Basically, if anyone can point me to some documentation that explains this whole AVPair ridiculousness then that would be great.

Mike C
dialup_admin.cron
Hi,

I try to run the script (dialup_admin.cron) to allow auto update the totacct and mtotacct table. But what happens is I still need to run the totacct and mtotacct script manually or the .cron script; daily, to make an update in my database. I disable some script such truncate radacct, clean radacct from executing. Do I miss something to get this auto update done?

Thanks.
Re: how to enable EAP-TTLS inner PAP
Thank you for your response,

What should I write instead of EAP. When I write Local or System it didn't work.

I have one more question. When I add user named test in users file as following,

test Auth-Type := EAP, User-Password == 11
        Filter-Id = Enterasys:version=1:mgmt=su:policy=cit

802.1x authentication is successful. But I need to authenticate users on edirectory via LDAP. Ldap server vi have field postoffice box which Enterasys:version=1:mgmt=su:policy=cit field is stored. We want that freeradius will get postofficebox value of user and send to NAS it as Filter-Id = Enterasys:version=1:mgmt=su:policy=cit. But this authentication should be in EAP-TTLS inner PAP method. We can do it in Steel-Belted radius server. But securew2 didn't work with steel-belted. How can I do it?

Thanks,

Taylan KIRAN
NetworkSystem Specialist
Koc University

[EMAIL PROTECTED] 03/11 8:18 PM
TAYLAN KIRAN [EMAIL PROTECTED] wrote:
> You say You we only need to enable EAP-TTLS but it does not work. You can find debug log as following.
> ...
> users: Matched entry deneme at line 152
> modcall[authorize]: module files returns ok for request 4
> modcall: group authorize returns ok for request 4
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_eap: EAP-Message not found
> rlm_eap: Malformed EAP Message
> modcall[authenticate]: module eap returns fail for request 4
> modcall: group authenticate returns fail for request 4

You are setting Auth-Type := EAP in line 152 of the users file. DO NOT DO THAT. IT IS NOT NECESSARY.

Please read eap.conf. It EXPLAINS THIS.

Alan DeKok.