Quota Control based on freeradius and SSG

2008-08-25 Thread ahmed adel
Hi
 I have a setup where there is cisco 7200 router having SSG enabled on it, 
I want to enable quota control using SSG and radius. I made a service profile:

quota   Password := cisco
        Service-Type = Outbound-User,
        Cisco-Service-Info = R0.0.0.0;0.0.0.0,
        Cisco-Control-Info = QV100

and the router logs the user in and gets the profile from the radius but 
doesn't assign a quota to the user. I followed Cisco documentation but without 
any success. If anyone has faced a situation like this or succeeded in such a 
configuration please help.

Best Regards



  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Quota Control based on freeradius and SSG

2008-08-25 Thread Ivan Kalik
Post the debug. If you have set things up properly you should get three
requests: one for the user, one for the service and one for the quota.
Quota doesn't belong in service profile.

Ivan Kalik
Kalik Informatika ISP




Re: Quota Control based on freeradius and SSG

2008-08-25 Thread ahmed adel
I don't get a request for Quota. Where does the Quota belong? I don't know 
where else to define it.





Re: Quota Control based on freeradius and SSG

2008-08-25 Thread Ivan Kalik
It is a separate entry (in users file). Documentation does explain what
needs to be in the service profile in order to generate an additional
request. Use += operator to put multiple service info attributes in a
reply packet.

http://www.cisco.com/en/US/docs/ios/12_2/12_2b/12_2b4/feature/guide/12bssgpb.html

pap will live with Password as attribute, but for current freeradius
version it should be Cleartext-Password.

Ivan Kalik
Kalik Informatika ISP




Pop3 and LDAP authentication...Multiple radius servers

2008-08-25 Thread Eric Martell
Hi,
   We have radius server which is inhouse which does the LDAP authentication. 
We got a new request from third party to do authentication for their users 
using POP3.

So the request comes to radiusA (our inhouse radius).

If the user has realm as @xyz.net ..then we forward the request to third party 
to authenticate which might be radiusB which does the authentication using POP3.

If there is no realm attached, radiusA does the LDAP auth and return the 
response.

Not sure how to specify in our radiusd.conf.

I could not find any thread in the list. Please let me know the link if this is 
already discussed.

Really appreciate your quick response.

Thanks and Regards.




Re: Pop3 and LDAP authentication...Multiple radius servers

2008-08-25 Thread Ivan Kalik
http://radiuswiki.suntel.com.tr/Proxy.conf

Ivan Kalik
Kalik Informatika ISP


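The realm split Eric describes, written out for radiusA as an added example; it is not from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x syntax, and the home-server name, pool name, address and secret are placeholders.

```conf
# ---- raddb/proxy.conf on radiusA (FreeRADIUS 2.x syntax) ----
# Constructed example: names, address and secret are placeholders.

home_server radiusB {
	type   = auth
	ipaddr = 192.0.2.10     # placeholder address for the third party's radiusB
	port   = 1812
	# Use a long random secret that is unique to this peering. It is the
	# only protection for User-Password between radiusA and radiusB.
	secret = REPLACE_WITH_LONG_RANDOM_SECRET
}

home_server_pool xyz_pool {
	type        = fail-over
	home_server = radiusB
}

# Requests for user@xyz.net are proxied to the pool above.
# "nostrip" forwards the User-Name with its realm intact (assumption:
# radiusB expects the full name; remove it to send the bare user name).
realm xyz.net {
	auth_pool = xyz_pool
	nostrip
}

# Deliberately no "realm NULL" and no "realm DEFAULT": requests with no
# realm, or with an unlisted realm, are never proxied and are handled by
# the local modules below.

# ---- raddb/sites-available/default on radiusA ----
authorize {
	preprocess
	suffix      # matches user@realm against proxy.conf, sets Proxy-To-Realm
	ldap        # local LDAP lookup for users that are not proxied
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

# A POP3 back end on radiusB can only check a plaintext password, so users
# in xyz.net must be authenticated with PAP; CHAP and MS-CHAP responses
# cannot be verified against a POP3 login.
```

On the other side, radiusB needs a matching client entry for radiusA's address with the same shared secret.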


TLS_accept:error in SSLv3 read client certificate A

2008-08-25 Thread Martin Silvero
the method is eap+tls,

ticket that need to know and what post.

thanks!!!


-- 
--

Silvero Martin

Re: Quota Control based on freeradius and SSG

2008-08-25 Thread ahmed adel
Can anyone send me a sample for the configuration for Quota control service 
profile in users file.




Re: Question about Logging

2008-08-25 Thread Aaron Spanik
On Sat, 23 Aug 2008 07:04:11 +0200
Alan DeKok [EMAIL PROTECTED] wrote:

> Aaron Spanik wrote:
> > *snip*
>
>   I suggest getting access.  Sorry... but it's the simplest way to debug
> things when something is going wrong.

Always.  But sometimes one is forced to prove something is wrong before
the other end will consent to looking for the problem.

> *snip*

> > I have also peeled through all the dictionary files looking for an
> > appropriate RADIUS Attribute which I could use.  I found
> > Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
> > any of the detail sections, as they all returned 127.0.0.1, which makes
> > some sense to me given the initial source and destination of the
> > request packets; I'm also pretty sure I shouldn't be using parameters
> > from dictionary.freeradius.internal this way.
>
>   That's what they're defined for.
>
>   See also man unlang.  If you want the destination IP address of the
> *proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

See, I read man unlang and noticed the %{list:attribute} syntax,
but then failed to remember reading that when I actually went about
trying to use %{Packet-Dst-Ip-Address}.

> > So my question is this:  short of editing the source to make the
> > auth_log pop the home server being contacted into the loglines in
> > radius.log, is there any way to get that information on a per-request
> > basis?  Is there some unlang magic I could work in the pre- or
> > post-processing phases?  It doesn't really matter to me where the
> > information goes, as long as I can associate it with a particular
> > request.
>
>   It's already associated with the request.  You've just got to put 2 and 2
> together to refer to the *proxied* packet, not the *request* packet.

I'm glad that I appeared to have half a clue and lacked only the other
half to rub it against ;)

As you no doubt know, once I used
%{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
wanted to see in my logs.

>   I'd also suggest upgrading to recent code (git.freeradius.org).  It
> has *very* good statistics tracking available via RADIUS packets.  You
> can get accept/reject per home server.  See raddb/sites-available/status.

That sounds excellent; I will check out the GIT version.  Can you
comment on how long it is likely to take before those features make it
into an official release?

>   You can also log much more configurable messages via the linelog
> module.  See raddb/modules/linelog.
>
>   Alan DeKok.

Thanks much for your response; it was truly helpful.

/a


-- 
Aaron Spanik
[EMAIL PROTECTED]


Re: Question about Logging

2008-08-25 Thread Alan DeKok
Aaron Spanik wrote:
> As you no doubt know, once I used
> %{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
> wanted to see in my logs.

  Yup.

> That sounds excellent; I will check out the GIT version.  Can you
> comment on how long it is likely to take before those features make it
> into an official release?

  A week, maybe two.  We've been meaning to do a release for a month or
so, but other things got in the way.

> Thanks much for your response; it was truly helpful.

  Any time.

  Alan DeKok.


mysql configuration

2008-08-25 Thread Ahmet DÜLGAR

Hi everyone,
I use Fedora 9 and freeradius 2.0.5.
I want to use a mysql database for user lists, and I want to limit the time 
users can log in, for example 3 hours or 3 days.
I looked at the documents for the WPA howto.
I created the radius db with db_mysql.sql,
configured sql.conf by writing in the mysql login and password,
and included sql.conf in radiusd.conf.

But I can't get these statements right; I think they are for 1.1.7:

authorise {
        preprocess
        chap
        mschap
        suffix
        eap
        # We leave files enabled to allow creation of test users in /etc/raddb/users
        files
        sql
        pap
}
accounting {
        # We leave detail enabled to _additionally_ log accounting to /var/log/radius/radacct
        detail
        sql
}

I added these statements at the end of radiusd.conf but it doesn't work.
I am new to freeradius and linux.
Thanks for your reply.
 

Re: mysql configuration

2008-08-25 Thread Alan DeKok
Ahmet DÜLGAR wrote:
> hi everyone
> i use fedora 9 and freeradius 2.0.5
> i want to use mysql database for user lists and i want to limit time
> users login for example 3 hour or 3 days
> i looked documents for howto wpa

  Or... just read the examples that come with the server?

> but i only cant correct the statement, i think they are for 1.1.7
> authorise {
...
> i add this statment end of the radiusd.conf but it doesnt work

  See raddb/sites-available/default

  The authorise, etc. sections have been moved there.

  Alan DeKok.


Re: mysql configuration

2008-08-25 Thread Ivan Kalik
Read the instructions at the end of radiusd.conf. It tells you where those
sections are in 2.0.5.

Ivan Kalik
Kalik Informatika ISP




Re: compiling freeradius with oracle support

2008-08-25 Thread Alexandre Chapellon
Do you remember which version of oracle instantclient you used to
successfully compile rlm_sql_oracle?

Alan DeKok wrote:
> Alexandre Chapellon wrote:
> > then could you point me to the place where you get the oracle libs stuff?
>
>   I've always just built with whatever libraries Oracle put on the
> system.  i.e. it was pre-installed at customer sites.
>
>   I'd suggest rooting through the libraries to find out where the
> failing symbol is, and what else needs to be done to link with it.
>
>   Alan DeKok.

Authenticating with two or more modules

2008-08-25 Thread Christian Lete

Hi everybody,


I'm wondering if it is possible to authenticate using 2 modules by ANDing
them? (the 2 modules must return true, to be a successful authentication).
If so, would you please give me some pointers to documents, I will take it
from there.

Best Regards,

Christian Lete



Re: compiling freeradius with oracle support

2008-08-25 Thread Alexandre Chapellon


Alan DeKok wrote:
> Alexandre Chapellon wrote:
> > then could you point me to the place where you get the oracle libs stuff?
>
>   I've always just built with whatever libraries Oracle put on the
> system.  i.e. it was pre-installed at customer sites.
>
>   I'd suggest rooting through the libraries to find out where the
> failing symbol is, and what else needs to be done to link with it.

Sorry but I don't understand what you mean... could you explain it to me in a
little bit more detailed manner, please?

>   Alan DeKok.

RE: NAS-IP-Address, rlm_perl, and loopback

2008-08-25 Thread Sewell, Adam W
Thanks for the help guys, but I don't think that's going to work for me. I was 
doing some testing today and it doesn't seem like I can add a filter-id to the 
access-accept packet from the post-auth function. Our switches require that to 
set the policy. Am I missing something here?



- Original Message -
From: [EMAIL PROTECTED]
Sent: Fri, 8/22/2008 3:10am
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: NAS-IP-Address, rlm_perl, and loopback

Hi,

>   Which explains what's going on.  PEAP is really two things: an outer
> TLS session, and inner EAP-MSCHAPv2 authentication.  So there are *two*
> streams of RADIUS packets.  One that sets up the tunnel, and one that
> does the authentication inside of the tunnel.

yep - so if you only want to define a policy after 
successful authentication, you only call the 'perl'
routine in the post-auth section - therefore it
doesn't get called all the time. As Alan pointed out.
You should also ensure that, if this is the case,
you only have the post-auth function defined in the
perl module and in the perl code. no need to have any
other functions enabled.

alan