Online Status with FR & SQL
I am trying to minimize the failure rate for detecting a user's online status using FR105 & MySQL411. Sometimes the AcctStopTime in the radacct table remains 0 even when the user is no longer online, for whatever reason (reboot, connection lost or ...). I can therefore not just check if the AcctStopTime for a particular user is 0. Since there is no record of when the NAS unit sent the last update to FR, and it is not recorded in the radacct table ... how do I know that the AcctStopTime=0 is not a 'leftover'?

Would it make sense to add a TIMESTAMP to the radacct table to record the last update? And would the use of TIMESTAMP for the radacct table produce some form of performance degradation? A TIMESTAMP would allow me to see if the row was updated within Idle-Timeout.

Any hints from experience?

Thanks,
Gunther

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
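Two ways to tell a live session from a leftover row, as an added example (not Gunther's code nor the FreeRADIUS project's): the TIMESTAMP column proposed above, and an estimate that needs no schema change. It assumes the FreeRADIUS 1.x radacct schema on MySQL 4.1 and that the default accounting_update_query writes Acct-Session-Time on every interim update; the 300-second interim interval, the sample user and the terminate-cause label are constructed.

```sql
-- Added example, not part of the original post. Assumes MySQL 4.1 and the
-- FreeRADIUS 1.x radacct schema (AcctStartTime, AcctStopTime, AcctSessionTime).

-- 1. The option discussed in the thread: let MySQL stamp every UPDATE of the
--    row. MySQL 4.1 maintains the column itself, so the accounting queries in
--    sql.conf need no change; the cost is one extra 4-byte column per row.
ALTER TABLE radacct
  ADD COLUMN LastUpdate TIMESTAMP
    DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP;

-- 2. "Online" means: no stop record AND an update seen within one interim
--    interval plus slack. Assumed Acct-Interim-Interval = 300 s; allowing one
--    missed update gives a 600 s window. Anything older is a leftover.
SELECT UserName, NASIPAddress, AcctSessionId, LastUpdate
FROM radacct
WHERE UserName = 'gunther'                          -- constructed sample user
  AND (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
  AND LastUpdate >= DATE_SUB(NOW(), INTERVAL 600 SECOND);

-- 3. Without a schema change (assumption: the default accounting_update_query
--    stores Acct-Session-Time on every Alive packet), the time of the last
--    update is approximately AcctStartTime + AcctSessionTime.
SELECT UserName, AcctSessionId,
       AcctStartTime + INTERVAL AcctSessionTime SECOND AS ApproxLastUpdate
FROM radacct
WHERE (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
  AND AcctStartTime + INTERVAL AcctSessionTime SECOND
      < DATE_SUB(NOW(), INTERVAL 600 SECOND);        -- stale rows only

-- 4. Close the leftovers explicitly instead of leaving AcctStopTime at 0, so
--    that later "who is online" reports and simultaneous-use checks do not
--    count them. The terminate cause is a constructed label, not a NAS value.
UPDATE radacct
SET AcctStopTime = NOW(),
    AcctTerminateCause = 'Stale-Session-Cleanup'
WHERE (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
  AND LastUpdate < DATE_SUB(NOW(), INTERVAL 600 SECOND);
```

Query 4 is meant for a periodic job (cron), not for the accounting path itself; an index on (UserName, AcctStopTime) keeps queries 2 and 4 cheap on a large radacct table.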
about pam_radius_auth.so module and creating user accounts on AAA client..
If I have a Radius client set up on a RHEL 4.0 Linux box with the pam_radius_auth module active for the telnet/ssh service, do I need to create a Linux user (with no password) with the same name as the Radius user for this authentication to work? This is assuming the "sufficient" control flag for pam_radius_auth as the very first entry in the related service files under the /etc/pam.d directory.

Basically, I don't want to create a user account on the AAA client machine but only on the AAA server. Is there a way I can accomplish this using pam_radius_auth and nsswitch.conf? I.e. is there a way to specify an AAA server lookup for the passwd DB in nsswitch.conf?
Re: Post Accounting
I do some post-processing for accounting and I do it through the exec module. I call, at the end of the accounting section, one instance of the exec module which calls a script which does some post-processing, updates some tables and distinguishes processing between Start/Alive/Stop.

- Original Message -
From: Devrim Seral
To: freeradius-users@lists.freeradius.org
Sent: Friday, October 07, 2005 6:04 PM
Subject: Post Accounting

Hi freeradius community! I want to do something with freeradius but I haven't found any information on how to do that. The problem is I want to run a SQL query after an accounting stop request within the sql module. I found that the sql module has a postauth_query feature. So I want the same functionality but after an accounting stop request. Is there any way to do it? (Note that I don't want to use a SQL trigger.)

Thanks for your responses
devrim
Re: Wireless Provisioning Service Protocol
Hi Artur,

>> A much more sane approach, IMHO, is simple authentication-by-proxy as implemented by several roaming consortia.
>
> are we still talking about L2 security? if yes, can you provide some references on this? i don't know anything about it.

I mean EAP over RADIUS within a roaming consortium. A good example of one, which I'm involved in, is eduroam (www.eduroam.org). Most of the effort in WPS is expended in provisioning configuration stuff (SSID names, etc). But it's reasonably trivial for a roaming consortium to agree on these without requiring a protocol like WPS.

>> Microsoft should put more effort into fixing their terribly broken supplicant, and stop trying to invent wheels...
>
> that's where we almost agree :-) MS really could and should improve their supplicant a lot, both in terms of correctness and in terms of usability. it's still a pain in the ass to use. the supported EAP methods are scarce. the API has changed several times since XP and the newest one is difficult to decipher... (greetings to Tom). however, i do expect from somebody as big as microsoft to do research, to invent stuff and to specify new things. btw, that's what the community was always criticizing MS for before. they did hire some of the best scientists (look at their R&D stuff), so why shouldn't they invent new things now?

It would be nice if this stuff ended up in their products, and worked!

josh.
Post Accounting
Hi freeradius community!

I want to do something with freeradius but I haven't found any information on how to do that. The problem is I want to run a SQL query after an accounting stop request within the sql module. I found that the sql module has a postauth_query feature. So I want the same functionality but after an accounting stop request. Is there any way to do it? (Note that I don't want to use a SQL trigger.)

Thanks for your responses
devrim
Re: Wireless Provisioning Service Protocol
Hi,

> the community was always criticizing MS before. they did hire some of
> the best scientists (look at their R&D stuff), so why shouldn't they
> invent new things now?

if it's cross-platform then yes, they can invent things ;-) (bonus if it is Open Source too - so the community can see any problems lurking in it)

alan
Re: Wireless Provisioning Service Protocol
hi Josh

i know it's a bit OT but i think that it might still be interesting for some of us.

> I'll try and keep this brief, because it's a bit OT. WPS doesn't seem to offer anything particularly novel, besides a proprietary mechanism for configuring the Windows supplicant.

imho it's as proprietary as PEAP is proprietary. or TTLS. or any other EAP method which is not (yet?) an RFC. and it does offer new possibilities.

> A much more sane approach, IMHO, is simple authentication-by-proxy as implemented by several roaming consortia.

are we still talking about L2 security? if yes, can you provide some references on this? i don't know anything about it.

> Microsoft should put more effort into fixing their terribly broken supplicant, and stop trying to invent wheels...

that's where we almost agree :-) MS really could and should improve their supplicant a lot, both in terms of correctness and in terms of usability. it's still a pain in the ass to use. the supported EAP methods are scarce. the API has changed several times since XP and the newest one is difficult to decipher... (greetings to Tom). however, i do expect from somebody as big as microsoft to do research, to invent stuff and to specify new things. btw, that's what the community was always criticizing MS for before. they did hire some of the best scientists (look at their R&D stuff), so why shouldn't they invent new things now?

ciao
artur
Re: best practice for combination freeradius -- active directory?
ho wrote:
> Hi all, i need some more ideas for doing a good, stable and easy to use connection between freeradius and Active Directory.

You can always proxy radius to the IAS component that comes with windows that authenticates against AD. There are other ways.

joe
Freeradius, Ldap, and static IPs for users.
Hello All,

I'm trying to figure out how to get a static IP to only show up on a DSL login, and not a dial-up. I'm using Freeradius 1.0.1 and OpenLdap 2.1.30. The only changes in the radiusd.conf are to bind to an IP and port and to turn off radutmp and radwtmp.

I have a huntgroup for the dial-up that allows me to differentiate between the dial and DSL based on the radiusGroupName without any problems. But now I need to be able to let a DSL user with a static IP log in via dial-up and pull a dynamic IP. Is this possible and how do I do it (or for that matter, what docs might even point me in the right direction)? I'm not seeing much on this in my searches.

my huntgroups.conf is like this:

dialup  NAS-IP-Address == ip of nas device

in my users file i have this:

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == dialup, Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl128, User-Profile := "uid=dsl128,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl256, User-Profile := "uid=dsl256,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl512, User-Profile := "uid=dsl512,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl768, User-Profile := "uid=dsl768,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl4m, User-Profile := "uid=dsl4m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Ldap-Group == dsl8m, User-Profile := "uid=dsl8m,ou=profiles,ou=radius,dc=mtaonline,dc=net"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

the ldap user i'm testing this all with looks like this:

dn: uid=tfike,ou=People,dc=mtaonline,dc=net
cn: Terry
gecos: Terry,,Fike
gidNumber: 14
homeDirectory: /export/home/tfike
loginShell: /bin/csh
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: shadowAccount
radiusFramedIPAddress: 216.152.176.25
radiusFramedIPNetmask: 255.255.255.255
radiusGroupName: dial
radiusGroupName: dsl4m
shadowLastChange: 13062
uid: tfike
uidNumber: 130
userPassword: temppass

thanks in advance.

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
Re: best practice for combination freeradius -- active directory?
"ho" <[EMAIL PROTECTED]> wrote:
> - has anybody implemented a similar system?

Yes.

> - what could be an alternative/better way to make a connection between
> freeradius and the AD-Servers only for password-authentication?

ntlm_auth. See "radiusd.conf"

> - I've heard from our AD-God's ;-) that kerberos is used in the
> AD-system and that it could be a way?

If you're doing MS-CHAP or wireless, no.

Alan DeKok.
best practice for combination freeradius -- active directory?
Hi all,

i need some more ideas for doing a good, stable and easy to use connection between freeradius and Active Directory.

first of all a little bit of our configuration and history: i've set up a freeradius server for authentication/authorization/accounting of dsl-dial-in users on a cisco asa. it works very well:
- local (Auth-type = system) authentication on a linux box
- authorisation (especially cisco acl's)
- mysql-db -- accounting (this is my favourite feature!)

a new requirement was given to make a connection between the asa and our central authentication: Active Directory. AD is a must in our company. first there were many thoughts in my brain, then i decided to use a NIS-Master-Client combination to do this stuff (it was the easiest way for me to implement).
-> freeradius-server is the NIS-client, so Auth-Type = system still remains
-> the AD-Servers have MS SFU (Services for Unix) installed with a NIS-Master Server.

Everything works well ... but the procedure to get the AD-Users into the SFU-NIS-Master-Server seems to be a little bit tricky, particularly the password stuff (it must be changed in the AD the first time it is brought into SFU although it was synchronized !!??). I think this is a solution for 1-100 Users, but not for 2000, and this is our aim. a LDAP-Server is not planned in our company.

So now my questions:
- has anybody implemented a similar system?
- what could be an alternative/better way to make a connection between freeradius and the AD-Servers only for password-authentication? Authorization and Accounting still remain on the linux-box
- I've heard from our AD-God's ;-) that kerberos is used in the AD-system and that it could be a way? ---> has anybody tried this?

I would be glad for any idea or hints. Thank you.
RE: newbie install problem
I re-installed RH ES4 and selected "full install". Installed FreeRadius and now it works. Guess there were some RPMs missing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, October 06, 2005 6:03 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: newbie install problem

"J.P. Fischer" <[EMAIL PROTECTED]> wrote:
> In the make output I see a bunch of sql_mysql.c errors and warnings.
> In the make install output I see errors and warnings as well.

Warnings can often be ignored. Errors cannot. Read the errors. They tell you what's going wrong, and why.

Alan DeKok.
Re: Freeradius from inetd
Adharsh P <[EMAIL PROTECTED]> wrote:
> I am trying to start radiusd from inetd.conf.

Don't. It won't work.

Alan DeKok.
Re: Add Attribute into Accounting-Response packet ?
Yurij Korik <[EMAIL PROTECTED]> wrote:
> When RADIUS got an update accounting packet (PW_STATUS_ALIVE),
> i need create and add pair (for example "Session-timeout")
> into request->reply->vps (module rlm_sql).

Even if you make FreeRADIUS send that attribute, the NAS will not understand it. Accounting-Response packets are empty. Session-Timeout can only go into Access-Accept.

> It's need to dynamically change Session-timeout depend by user trafic.

RADIUS can't do that.

Alan DeKok.
Add Attribute into Accounting-Response packet ?
Hi. Forgive my bad English.

When RADIUS gets an update accounting packet (PW_STATUS_ALIVE), I need to create and add a pair (for example "Session-Timeout") into request->reply->vps (module rlm_sql). I wrote the appropriate code into rlm_sql.c:

    /* build a Session-Timeout attribute and attach it to the reply */
    alivepair = paircreate(PW_SESSION_TIMEOUT, PW_TYPE_INTEGER);
    alivepair->lvalue = sesstout;
    pairadd(&request->reply->vps, alivepair);

I need to dynamically change Session-Timeout depending on user traffic. Is it possible for this attribute to be sent with the Accounting-Response packet to the NAS?
freeradius with other library than openssl
Hi,

I have got a supplicant which does not use the openssl library. Does my supplicant work with the freeradius server? Do the certificates generated using openssl work with this?

Thanks,
Sudhananda
RE: Grab caller id and insert into radcheck how to
You should use:

IF NOT EXISTS

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Shane Hart
Sent: Friday, 7 October 2005 13:22
To: FreeRadius users mailing list
Subject: Grab caller id and insert into radcheck how to

Hi all,

I am attempting to add an additional attribute upon the first login for user accounts and I am a bit lost. The way I am testing this is with the postauth query.

postauth_query = "INSERT into ${authcheck_table} (id, UserName, Attribute, op, value) values('', '%{SQL-User-Name}', 'Calling-Station-Id', '==', '%{Calling-Station-Id}' )"

This works great but it adds a new record every time the user successfully authenticates. Not a problem really, but there are also users I don't need to lock to a caller id. I tried using postauth_query = "UPDATE ... in various ways but I just can't get my head around it. If I manually create an entry in radcheck for a user with the attribute "Calling-Station-Id" and a "NULL" value, then the user can't login, obviously.

Does anybody have any ideas how to have this attribute somehow dynamically created when the user first logs in if they are a member of a group, and ultimately not create it if the record already exists? Any ideas or pointers greatly appreciated.

Thanks
Shane
Grab caller id and insert into radcheck how to
Hi all,

I am attempting to add an additional attribute upon the first login for user accounts and I am a bit lost. The way I am testing this is with the postauth query.

postauth_query = "INSERT into ${authcheck_table} (id, UserName, Attribute, op, value) values('', '%{SQL-User-Name}', 'Calling-Station-Id', '==', '%{Calling-Station-Id}' )"

This works great but it adds a new record every time the user successfully authenticates. Not a problem really, but there are also users I don't need to lock to a caller id. I tried using postauth_query = "UPDATE ... in various ways but I just can't get my head around it. If I manually create an entry in radcheck for a user with the attribute "Calling-Station-Id" and a "NULL" value, then the user can't login, obviously.

Does anybody have any ideas how to have this attribute somehow dynamically created when the user first logs in if they are a member of a group, and ultimately not create it if the record already exists? Any ideas or pointers greatly appreciated.

Thanks
Shane
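The "only if it does not already exist" insert that Jonathan's reply points at, written out for MySQL (which has no INSERT ... IF NOT EXISTS; the idiom is INSERT ... SELECT ... WHERE NOT EXISTS) and limited to members of one group. This is an added example, not code from the thread or the FreeRADIUS project; it assumes the FreeRADIUS 1.x MySQL schema (radcheck and usergroup tables), a constructed group name 'callerid-locked', and that the whole statement is placed on one line as the value of postauth_query.

```sql
-- Added example, not part of the original thread. Assumes the FreeRADIUS 1.x
-- schema: radcheck(id, UserName, Attribute, op, Value) and
-- usergroup(UserName, GroupName). FreeRADIUS expands %{...} before the query
-- runs; the SQL comments here are for reading and would be dropped from the
-- single-line postauth_query string in sql.conf.

INSERT INTO radcheck (UserName, Attribute, op, Value)
SELECT ug.UserName, 'Calling-Station-Id', '==', '%{Calling-Station-Id}'
FROM usergroup ug
WHERE ug.UserName = '%{SQL-User-Name}'
  AND ug.GroupName = 'callerid-locked'      -- only users that should be locked
  AND '%{Calling-Station-Id}' <> ''        -- never bind an empty caller id:
                                           -- that would lock the user out
  AND NOT EXISTS (                         -- and only on the first login
        SELECT 1 FROM radcheck rc
        WHERE rc.UserName = ug.UserName
          AND rc.Attribute = 'Calling-Station-Id')
LIMIT 1;                                   -- one row even if the user is
                                           -- listed in the group twice

-- Check by hand which users are already bound, and to what (for testing).
SELECT rc.UserName, rc.Value AS BoundCallerId
FROM radcheck rc
JOIN usergroup ug ON ug.UserName = rc.UserName
WHERE ug.GroupName = 'callerid-locked'
  AND rc.Attribute = 'Calling-Station-Id';
```

Because the binding is made from the first successful login, the caller id that happens to be presented then is trusted from that point on; reviewing the second query's output after rollout catches accounts that got bound from an unexpected line.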
Freeradius from inetd
Hello all,

I am trying to start radiusd from inetd.conf. The entry in inetd.conf:

radius  dgram  udp  wait  root  /usr/local/sbin/radiusd  radiusd

I have added the entries in /etc/services as

radius   1812/udp
radacct  1813/udp

when I reload inetd, the logs say

inetd[940]: /usr/local/sbin/radiusd: exit status (1)

netstat -n displays *.1812 but not *.1813

udp  120  0  *.1812  *.*

however radiusd is not accepting any requests from the localhost using radclient/radtest. However, when I run radiusd from the command line

/usr/local/sbin/radiusd

radiusd starts and accepts requests. netstat -n displays

udp  0  0  *.1812  *.*
udp  0  0  *.1813  *.*

I am not able to understand why, when using inetd, radiusd doesn't start. Am I missing something? Do I have to modify anything in the configuration files? I tried looking in the docs and archives; there is no mention of this. Could you please guide me, or give some pointers on where to look.

regards,
adharsh.
Re: Which Operating System is best for freeRADIUS
SLACKWARE Linux.

Roberto Gonzalez Azevedo

Gunther wrote:
> Building my FR server, I have the choice of a number of operating systems for my FreeRADIUS server. Anybody with a suggestion which operating system is best suited for FR? I like to run FR on a VPS (virtual private server) using one of the following OS:
> - FreeBSD 4.9 (jail)
> - FreeBSD 5.2 (jail)
> - Fedora 2 (virtuozzo)
> - Redhat AS3 (virtuozzo)
> - Redhat 9.0 (virtuozzo)
> - CentOS 4.0 (virtuozzo)
>
> Thanks!
> Gunther
RE: SQL Integration
> 1. Is it possible to get free radius to log failed logins to the sql
> database, as well as logging to another table that a successful login
> occurred

yes

> 2. is it possible to populate the utmp / wtmp files into a database as well
> instead of a flat file?

Yes

> Thanks all in advance

No problem

J.
RE: RE: access for 24 hours after first login?
> how is the actual comparison of the calculated value in "query" done, does it
> mean that the value returned by "query" has to be smaller than the one
> referred to by "check-name" (in your example Max-Secs-Passed)?

It works quite simply: if (Max-Secs-Passed - All-Secs-Passed > 0) => allow access

> what does the line "sqlmod-inst = sql" mean (in
> /usr/share/doc/freeradius/rlm_sqlcounter there is also the value "sqlcc3", what
> does this do?)

They are the defined SQL instances in sql.conf

> what about the following:
>
> SELECT TO_DAYS(NOW()) - TO_DAYS(AcctStartTime) from radacct WHERE UserName = '%{%k}' LIMIT 1;

This query works but I don't use it because of the rounding it gives me...

> would this mean that a user can login until 23:59 after having logged in the first
> time that day?

Yes, since it doesn't look at the hours/minutes/seconds...
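The check described above (access is allowed while Max-Secs-Passed minus the counter is positive), with the counter query written in seconds so the day-granularity rounding of TO_DAYS mentioned in the reply goes away. This is an added example, not the thread's own configuration; the check-item name Max-Secs-Passed, the 86400-second window and the user 'alice' are assumed or constructed, and the radacct/radcheck tables are the FreeRADIUS 1.x MySQL schema.

```sql
-- Added example, not part of the original thread. rlm_sqlcounter replaces
-- %{%k} with the key attribute (User-Name here) before running the query and
-- compares the single value the query returns with the check item named by
-- check-name (assumed: Max-Secs-Passed); the user is rejected once the
-- counter is no longer below that value.

-- Counter query: seconds elapsed since this user's first recorded login,
-- 0 when the user has never logged in. MIN(AcctStartTime) anchors the window
-- to the first session, so later logins do not extend it, and UNIX_TIMESTAMP
-- gives second resolution instead of TO_DAYS' whole days.
SELECT COALESCE(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(MIN(AcctStartTime)), 0)
FROM radacct
WHERE UserName = '%{%k}';

-- Check item the counter is compared against: a 24-hour window from the
-- first login (constructed row for user 'alice').
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('alice', 'Max-Secs-Passed', ':=', '86400');

-- The module's decision reproduced as a query you can run by hand while
-- testing: users listed here are still inside their window, with the
-- remaining seconds that the module would hand back via reply-name.
SELECT rc.UserName,
       rc.Value - (UNIX_TIMESTAMP(NOW())
                   - UNIX_TIMESTAMP(MIN(ra.AcctStartTime))) AS SecsLeft
FROM radcheck rc
JOIN radacct ra ON ra.UserName = rc.UserName
WHERE rc.Attribute = 'Max-Secs-Passed'
GROUP BY rc.UserName, rc.Value
HAVING SecsLeft > 0;
```

A user with a radcheck row but no radacct row is absent from the last query's output because of the inner join, while the counter query returns 0 for the same user and therefore admits the first login.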
RE: cannot return access accept from proxy to client
Hi Alan,

for Q2, doesn't doc/Post-Auth-Type have information to support branching by realm?

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 04, 2005 8:23 AM
To: FreeRadius users mailing list
Subject: Re: cannot return access accept from proxy to client

"Wilson Lie" <[EMAIL PROTECTED]> wrote:
> Q1. Any method such that host B won't go into [post-auth] when it is
> receiving a result from another server?

I'm not sure what you mean here. Perhaps you could try using complete sentences. I *think* the answer is "source code edits".

> Q2. In case host B cannot bypass [post-auth] when receiving a result from
> another server, how can I define multiple sql sections in [post-auth]? As I cannot find any rule that I can
> set in [post-auth] such that it can go to [sql1] for realm A and [sql2] for realm B

doc/Post-Auth-Type.

Alan DeKok.
Re: Which Operating System is best for freeRADIUS
just for the record, freeradius has worked wonderfully on gentoo 2005.1

On 10/7/05, Daniel Jensen <[EMAIL PROTECTED]> wrote:
> Well I am currently using it with FreeBSD, can't say that I have had any
> problems with it, at least not functionality out of the box.
>
> On Fri, 2005-10-07 at 01:04 -0400, Gunther wrote:
> > Nicolas Baradakis wrote:
> > > I was talking about the user point of view: the users are assured that
> > > FreeRADIUS is regularly tested under Debian,
> > > and the Debian package is up-to-date.
> >
> > Well, I tried CentOS (Redhat EL4) on a VPS server and with a few problems
> > (missing libraries, rpm's) I got FR105 compiled.
> > FR is up and running and now I have to find a way to pass the firewall ...
> >
> > Gunther