Re: Dynamic Clients with FreeRADIUS
jasoneswan wrote:
> I'm using sites-available/dynamic-clients config...

You posted pretty much a default configuration file. Why? It's not like I don't have access to it.

> What is happening is when a client connects it doesn't even check database it simply says unknown client

And you didn't post the debugging output, as suggested in the FAQ, README, INSTALL, and daily on this list. I also asked for *specifics* of what happens, not a short summary.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Clients with FreeRADIUS
aland wrote:
> jasoneswan wrote:
> > I'm using sites-available/dynamic-clients config...
>
> You posted pretty much a default configuration file. Why? It's not like I don't have access to it.
>
> > What is happening is when a client connects it doesn't even check database it simply says unknown client
>
> And you didn't post the debugging output, as suggested in the FAQ, README, INSTALL, and daily on this list. I also asked for *specifics* of what happens, not a short summary.
>
> Alan DeKok.

The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least send an SQL query out when any IP connects but this simply says

Ignoring request to authentication address * port 1812 from unknown client 192.168.1.7

Without actually querying the SQL to see if that address is in the list

--
View this message in context: http://www.nabble.com/Dynamic-Clients-with-FreeRADIUS-tp19384912p19386429.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Dynamic Clients with FreeRADIUS
jasoneswan wrote:
> The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least send an SQL query out when any IP connects

If you've configured it right. Perhaps that's where the problem is?

> but this simply says
> Ignoring request to authentication address * port 1812 from unknown client 192.168.1.7
> Without actually querying the SQL to see if that address is in the list

Really? You've only said that 3 times now. Is there any particular reason you keep repeating yourself, rather than following instructions?

And since you've insisted on *not* following instructions, I don't think there's anything more I can do to help you. My help involves things like... instructions. Which you don't follow.

Alan DeKok.
RE: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
this is how we do it:

radius.conf: get user's group from ldap
users file:
if user is member of groupA assign ip pool1
if user is member of groupB assign ip pool2

here is users file (This is not using ip pools, just limits connection duration and when they can login):

DEFAULT LDAP-Group == VPN12, Max-Daily-Session :=43200
    Fall-Through = Yes

DEFAULT LDAP-GROUP == VPNSALES, Max-Daily-Session :=7200, Login-Time:=Any0730-0830,Any1630-1730
    Fall-Through = Yes

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Osvaldo Campos M. - Administrador Red STI
Sent: Tue 9/9/2008 2:36 AM
To: FreeRadius users mailing list
Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

Hi people:

First of all, sorry but my English is not good.

I'm newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, FreeRadius and LDAP, to permit vpn user's access.

When vpn users connect (with Cisco VPN Client), Radius consult to LDAP if user exist. If exist, then user can connect to vpn. If not, can't connect. This works well.

Now, also I should assign IP addresses according to an LDAP attribute. For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 10.0.0.20/24.

I try to assign IP addresses with ippool module and filters in the ldap module in FreeRadius, but it doesn't work.

How can I work with many ippool's according to a value of LDAP attribute? Where should I ask for the attribute value in order to assign the corresponding ippool?

Please, help me with that. My config is something like that:

In the radius.conf file...

ldap vpnldap1 {
    server = x.x.x.x
    identity = cn=Directory Manager
    password = **
    basedn = ou=People, dc:blah, dc=cl
    filter = ((uid=%u)(attribute=1))
    authtype = ldap
    set_asuth_type = yes
}

ldap vpnldap2 {
    server = x.x.x.x
    identity = cn=Directory Manager
    password = **
    basedn = ou=People, dc:blah, dc=cl
    filter = ((uid=%u)(attribute=2))
    authtype = ldap
    set_asuth_type = yes
}

authorize {
    files
    Autz-Type LDAPVPN1 {
        vpnldap1
    }
    Autz-Type LDAPVPN2 {
        vpnldap2
    }
}

authentication {
    Auth-Type LDAPVPN1 {
        vpnldap1
    }
    Auth-Type LDAPVPN2 {
        vpnldap2
    }
}

ippool vpnusers1 {
    range-start= 10.0.0.10
    range-stop= 10.0.0.19
    netmask= 255.255.255.0
    cache-size= 10
    session-db= ${raddbdir}/db.vpnusers1-session
    ip-index= ${raddbdir}/db.vpnusers1-index
    override= yes
}

ippool vpnusers2 {
    range-start= 10.0.0.20
    range-stop= 10.0.0.29
    netmask= 255.255.255.0
    cache-size= 10
    session-db= ${raddbdir}/db.vpnusers2-session
    ip-index= ${raddbdir}/db.vpnusers2-index
    override= yes
}

In the user file... (I don't know how to configure this file to several Ippool, I think that here's the problem)

DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type :=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type :=LDAPVPN2, Pool-Name :=vpnusers2
# y.y.y.y= address of VPN Server

In the ldap.attrmap...

checkItem vpnusers1 attribute
checkItem vpnusers2 attribute

Please, help me with this config.

Thank you...

Osvaldo H. Campos Molina
Administrador de Red STI - Univ. de Chile
Re: Two radius server on same machine
Hi,

what is there to be done if you want a running instance and a standby instance ? virtual servers won't help here.

P.S: I only use radius with accounting request ( logging into oracle db )

Mark Tunnell-3 wrote:
> Nataniel Klug wrote:
> > Hello all,
> >
> > I am trying to find some info about running two freeradius servers (on different ports) in the same machine. Can someone help me? I couldn't find any info...
>
> I've actually been running three instances on my servers for quite a while. Basically after installing freeradius I just made three directories, one for firewalls, one for routers and one for switches, copied the /usr/local/etc and /usr/local/var to them, changed the port they listen on in radiusd.conf and fired them all up. Works fine.
>
> Mark

--
View this message in context: http://www.nabble.com/Two-radius-server-on-same-machine-tp19336554p19386698.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Dynamic Clients with FreeRADIUS
aland wrote:
> jasoneswan wrote:
> > The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least send an SQL query out when any IP connects
>
> If you've configured it right. Perhaps that's where the problem is?
>
> > but this simply says
> > Ignoring request to authentication address * port 1812 from unknown client 192.168.1.7
> > Without actually querying the SQL to see if that address is in the list
>
> Really? You've only said that 3 times now. Is there any particular reason you keep repeating yourself, rather than following instructions?
>
> And since you've insisted on *not* following instructions, I don't think there's anything more I can do to help you. My help involves things like... instructions. Which you don't follow.
>
> Alan DeKok.

FreeRADIUS Version 2.1.0, for host i686-pc-linux-gnu, built on Sep 5 2008 at 17:09:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-available/dynamic-clients
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = /usr/local
    localstatedir = /usr/local/var
    logdir = /usr/local/var/log/radius
    libdir = /usr/local/lib
    radacctdir = /usr/local/var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
Re: Two radius server on same machine
andreiv wrote:
> Hi, what is there to be done if you want a running instance and a standby instance ?

There's no such thing as a standby instance. It's either listening on the RADIUS port, or it's not.

You're better off using a wrapper to watch the server, such as daemontools, or svtools. Or, installing servers on two independent machines, and configuring both of them on the clients.

Alan DeKok.
Re: FreeRadius2 + MySQL: NAS x Usergroup
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

raddb/sites-available/README

Each virtual server is a RADIUS server, just like in 1.x. The only difference is that you don't need to run multiple processes to get multiple server configurations.

> I have separated into different virtual servers because each type of service have different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries

i.e. in 1.x, you modified the SQL queries in the sql module configuration, for each server. i.e. you were running TWO different instances of the SQL module.

I think the problem is that you're trying to use only ONE instance of the SQL module in 2.x. Instead, do this in the modules section:

    sql sql1 {
        ... content from 1.x server1, INCLUDING queries
    }

    sql sql2 {
        ... content from 1.x server2, INCLUDING queries
    }

Then, use sql1 in the virtual server for server1, and sql2 in the virtual server for sql2.

Alan DeKok.
Re: Version 2.1.0 has been released.
Norbert Wegener wrote:
> It seems to me, the log section contains the same items as in 2.0.5.

The requests entry is new. It can send logs to different destinations based on dynamic expansions.

> So I am not sure how to turn logging on for a specific user when the server is running:

Yes, that isn't documented there. I've added some text for 2.1.1. In short, you can do:

    ...
    update control {
        Tmp-String-0 = "%{debug:2}"
    }
    ...

to set the debug level to 2 for *this* request. That update section can be wrapped in an if, to check for users, groups, realms, etc.

2.1.1 will also have the ability to change the global debug level from radmin. 2.1.2 will have the ability to change the debug level for requests coming from a particular client.

Alan DeKok.
Re: Version 2.1.0 has been released.
Alan DeKok wrote:
> ..
> * Debug logs can now be turned on/off while the server is running, for a user, group, realm, etc. See the log section of radiusd.conf.

It seems to me, the log section contains the same items as in 2.0.5. So I am not sure how to turn logging on for a specific user when the server is running:

log {
    destination = files
    file = ${logdir}/radius.log
    #
    #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
}

Maybe I missed something?

Norbert Wegener
Re: Dynamic Clients with FreeRADIUS
It's a bug in 2.1.0 that will be fixed in 2.1.1.

Alan DeKok.
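An added example, not part of the thread and not FreeRADIUS code: while a dynamic-clients problem like the one above is being diagnosed, the "unknown client" messages quoted in the thread can be tallied per source address, separating NAS devices that should have been accepted from sources that were never expected. The log-line prefix, the trailing source port, the sample lines and the `EXPECTED_NAS_NETWORKS` range are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Core message text as quoted in the thread. The timestamp/severity prefix and
# the trailing source port on the sample lines below are assumptions.
UNKNOWN_CLIENT_RE = re.compile(
    r"Ignoring request to (?P<kind>\w+) address (?P<listen>\S+) "
    r"port (?P<listen_port>\d+) from unknown client (?P<src>[0-9A-Fa-f:.]+)"
)

# Hypothetical range that the dynamic-clients lookup is meant to cover.
EXPECTED_NAS_NETWORKS = ["192.168.1.0/24"]

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Tue Sep  9 10:15:01 2008 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.7 port 32768
Tue Sep  9 10:15:04 2008 : Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.7 port 32769
Tue Sep  9 10:15:09 2008 : Error: Ignoring request to accounting address * port 1813 from unknown client 192.168.1.9 port 40000
Tue Sep  9 10:16:30 2008 : Error: Ignoring request to authentication address * port 1812 from unknown client 10.9.8.7 port 5555
Tue Sep  9 10:16:31 2008 : Error: Ignoring request to authentication address * port 1812 from unknown client 999.1.1.1 port 1
Tue Sep  9 10:17:00 2008 : Info: Ready to process requests.
"""


def parse_unknown_clients(lines):
    """Yield (kind, listen_port, source_ip) for each unknown-client message."""
    for line in lines:
        match = UNKNOWN_CLIENT_RE.search(line)
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match.group("src"))
        except ValueError:
            continue  # damaged log text: not a usable address, skip it
        yield match.group("kind"), int(match.group("listen_port")), src


def triage(lines, expected_networks=EXPECTED_NAS_NETWORKS):
    """Count dropped requests per source, split by whether the source lies in
    a network the server was supposed to accept.

    "expected" sources point at a server-side problem (client definition not
    matched, lookup never run); "unexpected" sources are devices nobody
    configured and deserve a separate look.
    """
    networks = [ipaddress.ip_network(net) for net in expected_networks]
    report = {"expected": Counter(), "unexpected": Counter()}
    for _kind, _listen_port, src in parse_unknown_clients(lines):
        bucket = "expected" if any(src in net for net in networks) else "unexpected"
        report[bucket][str(src)] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for bucket, counts in result.items():
        for source, hits in counts.most_common():
            print(f"{bucket:10s} {source:15s} {hits} dropped request(s)")
```

With a catch-all client definition such as the 0.0.0.0/0 one discussed in the thread, every source counts as expected, so any non-zero total means the lookup is not being reached.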
Re: Version 2.1.0 has been released.
> Yes, that isn't documented there. I've added some text for 2.1.1. In short, you can do:
>
>     ...
>     update control {
>         Tmp-String-0 = "%{debug:2}"
>     }
>     ...

Didn't you alter the parser slightly to allow just:

    ...
    %{debug:2}
    ...

Or did you remove it before 2.1.0 ?

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
RE: Dynamic Clients with FreeRADIUS
Sent: 09 September 2008 11:16 AM
To: FreeRadius users mailing list
Subject: Re: Dynamic Clients with FreeRADIUS

> It's a bug in 2.1.0 that will be fixed in 2.1.1.

Hi,

Is this the availability of NAS-Identifier to the virtual server thing??

Thanks

Johan Meiring

> Alan DeKok.
Re: Version 2.1.0 has been released.
Arran Cudbard-Bell wrote:
> Didn't you alter the parser slightly to allow just:
>
>     ...
>     %{debug:2}
>     ...

Err, yes. But that's horrible syntax, and I don't think it will stay.

Alan DeKok.
Re: Version 2.1.0 has been released.
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
> > Didn't you alter the parser slightly to allow just:
> >
> >     ...
> >     %{debug:2}
> >     ...
>
> Err, yes. But that's horrible syntax, and I don't think it will stay.

if (condition) {
    call debug 2
}

Might also be useful for:

post-auth {
    call sql insert into blah ...
}
Re: Version 2.1.0 has been released.
Phil Mayers wrote:
> Alan DeKok wrote:
> > Arran Cudbard-Bell wrote:
> > > Didn't you alter the parser slightly to allow just:
> > >
> > >     ...
> > >     %{debug:2}
> > >     ...
> >
> > Err, yes. But that's horrible syntax, and I don't think it will stay.

It's not a horrible syntax it's useful syntax, especially when being used with horrible hacks such as this... makes them less horrible. It's also good for making arbitrary calls to modules when you don't care about the return value, such as sql insert and update statements (if the SQL module supported xlated insert and update statements).

Having to wrap the whole thing in an update stanza and having to assign the return value to a temporary string, now that's horrible syntax.

> if (condition) {
>     call debug 2
> }
>
> Might also be useful for:
>
> post-auth {
>     call sql insert into blah ...
> }

I don't see that extra syntax is required...

--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
Re: Dynamic Clients with FreeRADIUS
Johan Meiring wrote:
> Is this the availability of NAS-Identifier to the virtual server thing??

No. Maybe in 2.1.2.

Alan DeKok.
Re: How to modify dialup.conf for each virtual server?
Can't I change the way it's look into MySQL table? Even this coming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... I hope... :)

[EMAIL PROTECTED] wrote:
> Well, you don't have much say in this because NAS sends it that way:
>
> rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
>     User-Name = 00:19:79:0f:98:3d
>     User-Password = wireless
>     NAS-IP-Address = 172.30.0.142
>     NAS-Port = 0
>
> You see what is in the User-Name field? That's how mac authentication works.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
> > Ivan,
> >
> > I can't use User-Name as MAC because this is being used by another system I run... I just need to change some settings in dialup.conf to meet my requirements, all said in other message.
> >
> > [EMAIL PROTECTED] wrote:
> > > In mac authentication mac address is sent as User-Name not Calling-Station-Id. You don't have to make any changes to dialup.conf - just use database properly:
> > >
> > > username: AA:AA:AA:AA:AA:AA
> > > attribute: Auth-Type
> > > op: :=
> > > Value: Accept or Reject
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP

--
Regards,
NATANIEL KLUG [EMAIL PROTECTED]
READ NATA'S DAY-TO-DAY http://nataklug.blogspot.com/
Cyber Nett - Internet Banda Larga www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise, too, possess a tangible heart and may, at times, use science as a means of showing sentimental impressions of which many do not judge them capable." Visconde de Taunay
Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
If I understood what you need ...

Using Cisco VPN Client, you can define Groups in the Cisco Concentrator ...

Configuration - User Management - Groups

... and assign an Address Pool to each group. According the Group used in the Cisco VPN Client, the user will receive an IP addresses from a different Address Pool.

Create the Group and upon that create the Address Pool

Configuration - User Management - Groups - Address Pools

Best Regards,
Leonardo
Re: Version 2.1.0 has been released.
Phil Mayers wrote:
> if (condition) {
>     call debug 2
> }

Nah.

radmin debug file /var/log/radius/bob.log
radmin debug condition '(User-Name == bob)'
...
radmin debug condition

That's better. Very powerful, and very clean.

Alan DeKok.
Re: Version 2.1.0 has been released.
Alan DeKok wrote:
> Phil Mayers wrote:
> > if (condition) {
> >     call debug 2
> > }
>
> Nah.
>
> radmin debug file /var/log/radius/bob.log
> radmin debug condition '(User-Name == bob)'
> ...
> radmin debug condition
>
> That's better. Very powerful, and very clean.

Nice!
Re: How to modify dialup.conf for each virtual server?
> Can't I change the way it's look into MySQL table? Even this coming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... I hope... :)

You have three options:

- fill your database with (useless) data and try to change rlm_sql code and queries in order to match up requests and data. Don't expect much help there - if you want to customize the database you should know what you are doing. It is quite likely that this will render that sql instance (and possibly whole sql module) useless for any other request apart from mac auth. You will need to:

  rewrite value of User-Name into Calling-Station-Id
  pull new User-Name from the database (WHERE Attribute='Calling-Station-Id' and Value='%{User-Name}')
  fix code in rlm_sql where this breaks it

or:

- authenticate with a special script (perl or such). Adjust queries for this type of authentication as much as you like without affecting other authentication types. You can use multiple queries to match up data and request. Easier and more sensible than above.

or:

- fill your database with correct data - what you expect to come in User-Name field should be used as UserName etc. No adjustments needed. mac auth works together with other authentication types.

Take your pick.

Ivan Kalik
Kalik Informatika ISP
freeradius version 1.0.x Vs 2.x.x
Hi,

I have been using freeradius 1.0.5 for captive portal authentication in our internal network. I use mysql as backend for radius and using sqlcounter to check monthly usage. I was trying out freeradius version 2.1.0 and found out that check attribute values from radcheck table being replaced by values from radgroupcheck.

For example, sqlcounter is using Session-Timeout = 28800 if I use freeradius version 1.0.5 and Session-Timeout = 14400 if I use version 2.1.0.

Debug from 1.0.5:

rlm_sqlcounter: Authorized user test, check_item=28800, counter=509
rlm_sqlcounter: Sent Reply-Item for user test, Type=Session-Timeout, value=28291
modcall[authorize]: module noresetcounter returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2

Debug from 2.1.0:

rlm_sqlcounter: Authorized user test, check_item=14400, counter=509
rlm_sqlcounter: Sent Reply-Item for user akj, Type=Session-Timeout, value=13891
++[noresetcounter] returns ok

radcheck table:

+----+----------+-----------------+------------------------------------+----+
| id | username | attribute       | value                              | op |
+----+----------+-----------------+------------------------------------+----+
|  7 | test     | Crypt-Password  | $1$WXkDxOPI$hZadd2xez2Xl7k4asVqOG. | := |
|  9 | test     | Session-Timeout | 28800                              | := |
+----+----------+-----------------+------------------------------------+----+

radgroupcheck table:

+----+-----------+-----------------+-------+----+
| id | groupname | attribute       | Value | op |
+----+-----------+-----------------+-------+----+
|  1 | test      | Session-Timeout | 14400 | := |
+----+-----------+-----------------+-------+----+

radusergroup table:

+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | test      |        1 |
+----------+-----------+----------+

sqlcounter:

sqlcounter noresetcounter {
    counter-name = sess_timeout
    check-name = Session-Timeout
    reply-name = Session-Timeout
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

I have tested this with version 2.0.5 and got same result. Is this the expected behavior in version 2.x.x?

Thanks,
Abraham
another 2.1.0 compile error
I am running on CentOS 5.2 on an x86_64 architecture. I note a previous report for a similar system here on the list, but this is not the same error. That one was an error compiling radmin, this is an error compiling the server:

gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/local/src/freeradius-server-2.1.0/src -DHOSTINFO= \x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.1.0\ -DOPENSSL_NO_KRB5 -c listen.c -fPIC -DPIC -o .libs/listen.o
listen.c: In function 'client_listener_find':
listen.c:189: warning: assignment discards qualifiers from pointer target type
In file included from command.c:26,
                 from listen.c:1046:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory
In file included from command.c:26,
                 from listen.c:1046:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h: At top level:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:30: error: expected specifier-qualifier-list before 'lt_dlhandle'
gmake[4]: *** [listen.lo] Error 1
gmake[4]: Leaving directory `/local/src/freeradius-server-2.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/local/src/freeradius-server-2.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/local/src/freeradius-server-2.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/local/src/freeradius-server-2.1.0'
make: *** [all] Error 2

I realize this isn't a complete enough report to fully debug this, I'm just curious to know if anyone else has seen this one or whether it's something obvious. I also know that the ltdl.h file is actually there in the libltdl subdirectory, so I can probably figure out how to get around this if I have to.

--Greg
Re: another 2.1.0 compile error
Greg Woods wrote:
> I am running on CentOS 5.2 on an x86_64 architecture. I note a previous report for a similar system here on the list, but this is not the same error. That one was an error compiling radmin, this is an error compiling the server:
> ...
> /local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory

Yeah, I caught that on another system, too. It should be fixed in git.freeradius.org.

Part of the issue is that the latest version in source control isn't widely tested until it becomes an official release... at which point lots of people run into issues.

Alan DeKok.
Re: another 2.1.0 compile error
Alan DeKok wrote:
> Greg Woods wrote:
> > I am running on CentOS 5.2 on an x86_64 architecture. I note a previous report for a similar system here on the list, but this is not the same error. That one was an error compiling radmin, this is an error compiling the server:
> > ...
> > /local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory
>
> Yeah, I caught that on another system, too. It should be fixed in git.freeradius.org.
>
> Part of the issue is that the latest version in source control isn't widely tested until it becomes an official release... at which point lots of people run into issues.

If you want to tag and announce -pre I can arrange for it to be built in a bunch of clean buildroots (we maintain such for building our local RPMs) at least for some RedHat/Fedora variants.

Or there's buildbot; I might be able to scrounge a server or two to run some VMs on, and host them here.
Re:RE: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Thanks for your answer, but I can't use LDAP groups in this case because I haven't groups defined in LDAP according to LDAP attribute. For example, I haven't a group Sales in LDAP with only users with the value attribute=1. And I need to assign addresses according to the value attribute.

Other ideas for this, please??

Thanks...

Osvaldo H. Campos Molina
Administrador de Red STI - Univ. de Chile
Re: another 2.1.0 compile error
1.1.7 also requires ltdl (CentOS 5.x)

Alan DeKok wrote:
> Greg Woods wrote:
> > I am running on CentOS 5.2 on an x86_64 architecture. I note a previous report for a similar system here on the list, but this is not the same error. That one was an error compiling radmin, this is an error compiling the server:
> > ...
> > /local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory
>
> Yeah, I caught that on another system, too. It should be fixed in git.freeradius.org.
>
> Part of the issue is that the latest version in source control isn't widely tested until it becomes an official release... at which point lots of people run into issues.
>
> Alan DeKok.
Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?
Thanks Ivan.

Another question: is there any way to have one database for each virtual server?

[EMAIL PROTECTED] wrote:
> > Can't I change the way it looks into the MySQL table? Even this coming with User-Name I can't look for the value in another field? This is a MySQL query, not the way it came... I hope... :)
>
> You have three options:
>
> - fill your database with (useless) data and try to change rlm_sql code and queries in order to match up requests and data. Don't expect much help there - if you want to customize the database you should know what you are doing. It is quite likely that this will render that sql instance (and possibly whole sql module) useless for any other request apart from mac auth. You will need to:
>     rewrite value of User-Name into Calling-Station-Id
>     pull new User-Name from the database (WHERE Attribute='Calling-Station-Id' and Value='%{User-Name}')
>     fix code in rlm_sql where this breaks it
>
> or:
>
> - authenticate with a special script (perl or such). Adjust queries for this type of authentication as much as you like without affecting other authentication types. You can use multiple queries to match up data and request. Easier and more sensible than above.
>
> or:
>
> - fill your database with correct data - what you expect to come in User-Name field should be used as UserName etc. No adjustments needed. mac auth works together with other authentication types.
>
> Take your pick.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Regards,
NATANIEL KLUG
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 16:53 +0100, [EMAIL PROTECTED] wrote:
> yep, you haven't got all the required development packages installed.
>
> libtool-ltdl-devel
> libtool-ltdl

Thanks, that was it. However, I discovered what I think is a bug in yum in the process. I tried "yum list *ltdl*" and this failed to show these packages; otherwise I might have found this myself. Even "yum list libtool*" doesn't show them, I had to actually list "libtool-ltdl-devel*" to see the devel package.

After this I ran into the previously-noted issue compiling radmin. In Makefile.inc, define LIBREADLINE as "-lreadline -lncurses".

Another thing I discovered is that I have to remove the i386 versions of several -devel packages, or I get errors about "symbols in wrong format" when linking.

But I now have 2.1.0 compiled so I can work on setting up dynamic clients, which is a feature we really need here since many of our clients are DHCP-configured workstations.

Thanks for the help!

--Greg
Re: another 2.1.0 compile error
Marinko Tarlac wrote:
> 1.1.7 also requires ltdl

The only changes made to 1.1.x from now on will be security related. i.e. no new features. no build fixes, etc.

Alan DeKok.
Re: another 2.1.0 compile error
Greg Woods wrote:
> After this I ran into the previously-noted issue compiling radmin. In Makefile.inc, define LIBREADLINE as "-lreadline -lncurses".

Which is also fixed in git.freeradius.org.

> But I now have 2.1.0 compiled so I can work on setting up dynamic clients, which is a feature we really need here since many of our clients are DHCP-configured workstations.

The dynamic clients code has a bug. This is fixed in git.freeradius.org.

Please checkout and build git.freeradius.org. Unless there are major panics, it will be issued as version 2.1.1 this week.

Alan DeKok.
Re: another 2.1.0 compile error
Hi,

> > Marinko Tarlac wrote:
> > 1.1.7 also requires ltdl
>
> The only changes made to 1.1.x from now on will be security related. i.e. no new features. no build fixes, etc.

I don't think it was a build fix request - more a comment that 1.1.7 needs ltdl on some platforms due to the way that chosen distro operates. - it's a helpful note to others who get caught out by this error.

generally, it's blindingly obvious when you see something like "Error - libfoo.h missing" you think, hmmm, I don't have an include. what package provides that include?

alan
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 19:50 +0200, Alan DeKok wrote:
> Please checkout and build git.freeradius.org.

If I get time to do this before 2.1.1 comes out, I'll give it a shot, but there are no git packages for CentOS and I've never used it before, so I'll have to install git on my Fedora 9 workstation (where git packages do exist), learn to use it, check out the code, copy it to the CentOS box, etc. All doable if I can find the time.

--Greg
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 18:54 +0100, [EMAIL PROTECTED] wrote:
> generally, it's blindingly obvious when you see something like "Error - libfoo.h missing" you think, hmmm, I don't have an include.

But if libfoo.h actually exists in the source tree (as in the case of ltdl.h), then it's not so blindingly obvious that the problem is a missing -devel package rather than a configuration/compilation issue.

--Greg
Re: another 2.1.0 compile error
Yes I know... ( For the last few weeks I've been trying to build a test system for the 2.x.x version. I want to test DHCP functions. All systems we have are already in use and I don't have enough space to do some testing :)

Alan DeKok wrote:
> Marinko Tarlac wrote:
> > 1.1.7 also requires ltdl
>
> The only changes made to 1.1.x from now on will be security related. i.e. no new features. no build fixes, etc.
>
> Alan DeKok.
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 19:50 +0200, Alan DeKok wrote:
> Please checkout and build git.freeradius.org.

OK, I got this done. It configures and makes on my system (CentOS release 5.2 (Final) -- x86_64) with no problems. Now on to some fun with dynamic clients.

--Greg
Re: sqlcounters for traffic
Good it's sent in the reply to the nas! Thx

But the sqlcounter I set up was supposed to reset every hour, but apparently doesn't... Where can I take a look to find out why? Is it supposed to update the database to reset counters (which seems a bad solution to me) or does freeradius maintain separate counters elsewhere, using accounting database to feed them?

Alan DeKok wrote:
> Alexandre Chapellon wrote:
> > Here is the full debug output during the auth query/reply
> > ...
> > rlm_sqlcounter: Sent Reply-Item for user scott, Type=Session-Traffic-Limit, value=12694
> > ...
> > Sending Access-Accept of id 201 to 127.0.0.1 port 37792
> >         Session-Traffic-Limit =
>
> That's the problem. Looking at dictionary.redback, Session-Traffic-Limit is a string. It's not an integer counter.
>
> If you do really want to use Session-Traffic-Limit, you will have to change sqlcounter to use a *different* attribute in the reply, such as Tmp-Integer-0, which is a server-side attribute. Then use unlang in post-auth to copy it to Session-Traffic-Limit:
>
>     update reply {
>         Session-Traffic-Limit = "%{reply:Tmp-Integer-0}"
>     }
>
> That should work.
>
> Alan DeKok.
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 11:24 -0600, Greg Woods wrote:
> On Tue, 2008-09-09 at 16:53 +0100, [EMAIL PROTECTED] wrote:
> > yep, you haven't got all the required development packages installed.
> >
> > libtool-ltdl-devel
> > libtool-ltdl
>
> Thanks, that was it. However, I discovered what I think is a bug in yum in the process. I tried "yum list *ltdl*" and this failed to show these packages; otherwise I might have found this myself. Even "yum list libtool*" doesn't show them, I had to actually list "libtool-ltdl-devel*" to see the devel package.

Does something a bit more generic like 'yum list *td*' show you a list of installed and available packages? It works for me on CentOS 5.2, 64-bit. The 'list *ltdl*' worked for me on CentOS 5.2, 32-bit.

John.

--
John Horne, University of Plymouth, UK
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 19:43 +0100, John Horne wrote:
> Does something a bit more generic like 'yum list *td*' show you a list of installed and available packages? It works for me on CentOS 5.2,

AAAUGH! I got it figured out. I was in the freeradius-server directory when I tried this, so it turns out that libtool* and *tdl* actually match directory names, so bash wasn't passing the wildcard to yum. Maybe csh wasn't so wrong to always assume an unquoted wildcard meant you were file globbing.

Cost me a couple hours of wasted time (not to mention looking like a moron on the list :-)

--Greg
Re: minor prefix problem with 2.1.1 git
Greg Woods wrote:
> I tried to use a non-default prefix, and it craps out on make install because one of the sql-related files refuses to install in a directory name that didn't end with /usr/local/lib .

That's libtool insanity. It drives me crazy.

> I was able to work around this by using a --prefix like /local/freeradius-git/usr/local instead of just /local/freeradius-git. A minor annoyance but I thought others might want to hear about it. At least the error message was clear enough that coming up with the workaround was easy.

Ugh. If *I* say install in /local/foo, or /local/i/hate/libtool, then it should damned well install the libraries there.

Alan DeKok.
Re: another 2.1.0 compile error
John Dennis wrote: I know the freeradius source tree and source tarball contains rpm spec files and some suse and redhat specific info but I wonder if that is the right place for that information, the distribution in question will have up to date spec files specific to their distributions, I'm not sure upstream is the place to go looking for it. The last time I looked at the redhat directory it was way out of date. I've taken occasional looks at the upstream spec files, and pulled changes in. But the integration should be a little stronger. This is one reason I'm dubious upstream is the place to maintain spec files (IMHO it's kinda backwards ;-) Some people want custom installations. Having an "almost OK" spec file distributed with the source is often easier than pulling the spec file from elsewhere. Now having said that, I realize there isn't a 2.1.0 rpm spec file in Fedora yet, so you would be right to say "how can I consult it?", but I'm willing to bet the current 2.0.5 spec file would be pretty close to what 2.1.0 needs. Yes.

Alan DeKok.
Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?
Yes. Create multiple sql instances. List the name of the instance you want to use in place of sql in appropriate sections (authorize, accounting, post-auth, etc.).

Ivan Kalik
Kalik Informatika ISP

On 9/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
> Thanks Ivan.
>
> Another question: is there any way to have one database for each virtual server?
Re: another 2.1.0 compile error
Hi,

> But if libfoo.h actually exists in the source tree (as in the case of ltdl.h), then it's not so blindingly obvious that the problem is a missing -devel package rather than a configuration/compilation issue.

but you chose to use the system stuff in the configure stage rather than the supplied version, yes?

alan
Re: another 2.1.0 compile error
Hi,

> OK, I got this done. It configures and makes on my system (CentOS

congrats! - GIT is far nicer than some of the older methods of source retrieval.

alan
Re: another 2.1.0 compile error
Hi,

> Nah! We've all done things like this more times than we care to admit. Welcome to the club, your turn to bring refreshments next time :-)

hey! you can't skip *your* turn! ;-)

alan
Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Hi...

Thanks for your answer Leonardo but, if I define the groups in the Cisco VPN Server, it would be enough to know the password of another defined group to obtain an address from a group to which I don't really belong. I.e., if a Sales user knows the password of the Development group, they can receive a Development address. For this reason I should assign the address according to the value of the LDAP attribute, because this value identifies the user's type and, therefore, the address they should have.

Other ideas for this, please??

Osvaldo H. Campos Molina
Administrador de Red STI - Univ. de Chile

Leonardo Reginin wrote:
> If I understood what you need ...
>
> Using Cisco VPN Client, you can define Groups in the Cisco Concentrator ...
>
> Configuration - User Management - Groups
>
> ... and assign an Address Pool to each group. According to the Group used in the Cisco VPN Client, the user will receive an IP address from a different Address Pool.
>
> Create the Group and upon that create the Address Pool
>
> Configuration - User Management - Groups - Address Pools
>
> Best Regards,
> Leonardo
>
> Osvaldo Campos M. - Administrador Red STI wrote:
> > Hi people:
> >
> > First of all, sorry but my English is not good. I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, FreeRadius and LDAP, to permit vpn users' access. When vpn users connect (with Cisco VPN Client), Radius consults LDAP to check if the user exists. If the user exists, then the user can connect to the vpn. If not, they can't connect. This works well.
> >
> > Now, I should also assign IP addresses according to an LDAP attribute. For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 10.0.0.20/24. I tried to assign IP addresses with the ippool module and filters in the ldap module in FreeRadius, but it doesn't work. How can I work with many ippools according to the value of an LDAP attribute? Where should I ask for the attribute value in order to assign the corresponding ippool?
> >
> > Please, help me with that. My config is something like this:
> >
> > In the radius.conf file...
> >
> >     ldap vpnldap1 {
> >         server = x.x.x.x
> >         identity = cn=Directory Manager
> >         password = **
> >         basedn = ou=People, dc:blah, dc=cl
> >         filter = ((uid=%u)(attribute=1))
> >         authtype = ldap
> >         set_asuth_type = yes
> >     }
> >
> >     ldap vpnldap2 {
> >         server = x.x.x.x
> >         identity = cn=Directory Manager
> >         password = **
> >         basedn = ou=People, dc:blah, dc=cl
> >         filter = ((uid=%u)(attribute=2))
> >         authtype = ldap
> >         set_asuth_type = yes
> >     }
> >
> >     authorize {
> >         files
> >         Autz-Type LDAPVPN1 {
> >             vpnldap1
> >         }
> >         Autz-Type LDAPVPN2 {
> >             vpnldap2
> >         }
> >     }
> >
> >     authentication {
> >         Auth-Type LDAPVPN1 {
> >             vpnldap1
> >         }
> >         Auth-Type LDAPVPN2 {
> >             vpnldap2
> >         }
> >     }
> >
> >     ippool vpnusers1 {
> >         range-start = 10.0.0.10
> >         range-stop = 10.0.0.19
> >         netmask = 255.255.255.0
> >         cache-size = 10
> >         session-db = ${raddbdir}/db.vpnusers1-session
> >         ip-index = ${raddbdir}/db.vpnusers1-index
> >         override = yes
> >     }
> >
> >     ippool vpnusers2 {
> >         range-start = 10.0.0.20
> >         range-stop = 10.0.0.29
> >         netmask = 255.255.255.0
> >         cache-size = 10
> >         session-db = ${raddbdir}/db.vpnusers2-session
> >         ip-index = ${raddbdir}/db.vpnusers2-index
> >         override = yes
> >     }
> >
> > In the user file... (I don't know how to configure this file for several ippools; I think the problem is here)
> >
> >     DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type :=LDAPVPN1, Pool-Name :=vpnusers1
> >     DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type :=LDAPVPN2, Pool-Name :=vpnusers2
> >     # y.y.y.y= address of VPN Server
> >
> > In the ldap.attrmap...
> >
> >     checkItem vpnusers1 attribute
> >     checkItem vpnusers2 attribute
> >
> > Please, help me with this config.
> >
> > Thank you...
> >
> > Osvaldo H. Campos Molina
> > Administrador de Red STI - Univ. de Chile
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 15:24 -0400, John Dennis wrote:
> Wildcards passed to commands must always be quoted or escaped

Well, no, not always any more. If I did something like "cd /root" first, then the yum commands work just fine. It's a bash feature that if the wildcard doesn't actually match anything, then it is passed as an argument verbatim (as opposed to csh, which would have complained "no match" and not done anything). However, you are correct in the sense that quoting it is the only way to guarantee that it will do what I expect every time. I've just gotten lazy since not quoting it works 99% of the time.

--Greg
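Added example, not part of the original thread: the globbing behaviour discussed in these messages, reproduced in a scratch directory. The helper names `show_args` and `glob_demo` and the directory names are constructed for the demonstration; no yum call is made, the functions only show which arguments a command would receive.

```shell
#!/bin/sh
# Demonstrates why an unquoted wildcard reaches a command unchanged in one
# directory but is replaced by file names in another.

# Print every argument the "command" receives, one per line.
show_args() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# Usage: glob_demo MODE WHERE
#   MODE  = unquoted | quoted | noglob
#   WHERE = tree  (scratch dir containing "libtool" and "libltdl", constructed
#                  to mimic a source tree with matching directory names)
#           empty (scratch dir with nothing in it)
glob_demo() {
    mode=$1
    where=$2
    tmp=$(mktemp -d) || return 1
    if [ "$where" = tree ]; then
        mkdir "$tmp/libtool" "$tmp/libltdl"
    fi
    (
        cd "$tmp" || exit 1
        case $mode in
            unquoted)
                # The shell expands the patterns before the command runs.
                show_args list libtool* *ltdl*
                ;;
            quoted)
                # Quoting passes the patterns through verbatim, always.
                show_args list 'libtool*' '*ltdl*'
                ;;
            noglob)
                # set -f disables pathname expansion for this subshell.
                set -f
                show_args list libtool* *ltdl*
                ;;
        esac
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

echo "unquoted, inside the tree:";  glob_demo unquoted tree
echo "unquoted, empty directory:";  glob_demo unquoted empty
echo "quoted, inside the tree:";    glob_demo quoted tree
```

Only the quoted (or `set -f`) form gives the command the same arguments regardless of the working directory.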
Re: sqlcounters for traffic
> Good it's sent in the reply to the nas! Thx
>
> But the sqlcounter I set up was supposed to reset every hour, but apparently doesn't... Where can I take a look to find out why?

Check the sql query definition and value of reset in counter.conf.

Ivan Kalik
Kalik Informatika ISP
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 15:17 -0400, John Dennis wrote:
> I'm inclined to think for those people who wish to build from upstream they are better off using the autotools configure script included in the freeradius source distribution and not use rpm mechanisms

Yes, but there are still packages that are part of the system that are needed to build freeradius (or any other application). In this case, since the freeradius packages that come with CentOS (and RHEL) are for a very old version, and I'm doing this because I really want a feature that is available only in the latest version (even Fedora 9 doesn't have it yet), I build from freeradius source. But that doesn't mean I want (or need) to build all the libraries that freeradius uses from source, since the ones that come with the system are perfectly adequate for that. It's just that as soon as you want to build something from source, now you need the -devel packages that might not have been installed at system install time.

That's fine, I'm used to installing -devel packages the first time I want to compile something from source. I just ran into two issues: the first one was the thing with the wildcards happening to match directory names in the freeradius source tree, so that yum didn't find the packages. So my usual technique of running "yum list libtool*" didn't list the devel packages because the wildcard matched the libtool directory. So I couldn't figure out which -devel package I needed. Quoting the wildcard or executing the command in a different directory solves that.

The second problem is that there are packages for both i386 and x86_64 that are both available when running on an x86_64, and the freeradius build craps out if it tries to link against the i386 version ("invalid symbol format"), so I actually had to remove the -devel.i386 packages before the build could happen.

While this was on CentOS, I expect the same things could bite somebody using RHEL (or any x86_64 system with yum).

--Greg
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 21:56 +0100, [EMAIL PROTECTED] wrote:
> but you chose to use the system stuff in the configure stage rather than the supplied version, yes?

Much of the time, by the time I get around to wanting to build freeradius, it's been months since the server was installed, so I don't really know what's installed on it unless I check. I do know that when include files are not found, it might mean a -devel package needs to be installed. I just ran into a couple of unusual problems doing that this time.

--Greg
Re: another 2.1.0 compile error
Hi,

> CentOS box for configure and make. Just a bit more of a pain than downloading a release tar file.

but that's the point...the stuff you want isn't in a release tar just yet - a nightly tarball, I guess, would be what you would prefer for this sort of action?

alan
Re: another 2.1.0 compile error
Hi,

> Much of the time, by the time I get around to wanting to build freeradius, it's been months since the server was installed, so I don't really know what's installed on it unless I check. I do know that when include files are not found, it might mean a -devel package needs to be installed. I just ran into a couple of unusual problems doing that this time.

- ah, what I meant was ./configure --help (you'll see a couple of 'use our version rather than system version' things).

alan
Re: sqlcounters for traffic
> here is the counter definition:
>
>     sqlcounter bytesQuota {
>         counter-name = traffic_quota
>         check-name = Max-Traffic
>         reply-name = Tmp-Integer-0
>         sqlmod-inst = mysqldb
>         key = User-Name
>         reset = hourly
>         query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
>     }
>
> sounds good to me... what could be the reason for no reset?

> query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"

You need to add to WHERE one of the statements using %b.

Ivan Kalik
Kalik Informatika ISP
Re: sqlcounters for traffic
[EMAIL PROTECTED] wrote:
> > here is the counter definition:
> >
> >     sqlcounter bytesQuota {
> >         counter-name = traffic_quota
> >         check-name = Max-Traffic
> >         reply-name = Tmp-Integer-0
> >         sqlmod-inst = mysqldb
> >         key = User-Name
> >         reset = hourly
> >         query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> >     }
> >
> > sounds good to me... what could be the reason for no reset?
> >
> > query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
>
> You need to add to WHERE one of the statements using %b.

Ouch I didn't see that in the example queries... spank my ...!

> Ivan Kalik
> Kalik Informatika ISP
Re: sqlcounters for traffic
so what's the use of the reset parameter if the sql query is managing it all by its own?

Alexandre Chapellon wrote:
> [EMAIL PROTECTED] wrote:
> > > here is the counter definition:
> > >
> > >     sqlcounter bytesQuota {
> > >         counter-name = traffic_quota
> > >         check-name = Max-Traffic
> > >         reply-name = Tmp-Integer-0
> > >         sqlmod-inst = mysqldb
> > >         key = User-Name
> > >         reset = hourly
> > >         query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> > >     }
> > >
> > > sounds good to me... what could be the reason for no reset?
> > >
> > > query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> >
> > You need to add to WHERE one of the statements using %b.
>
> Ouch I didn't see that in the example queries... spank my ...!
>
> > Ivan Kalik
> > Kalik Informatika ISP
Re: another 2.1.0 compile error
On Tue, 2008-09-09 at 22:48 +0100, [EMAIL PROTECTED] wrote:
> a nightly tarball, I guess, would be what you would prefer for this sort of action?

What I generally prefer is to wait for a stable release. For my own needs, I could well have done that this time too. But in this case, Alan asked me if I would try building the current pre-release. Since some of the things supposedly fixed were compile problems on systems similar to mine, I went ahead and went through the extra effort. Hopefully the feedback provided from that was useful.

--Greg
Re: sqlcounters for traffic
reset parameter controls value of %b.

Ivan Kalik
Kalik Informatika ISP

On 9/9/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:
> so what's the use of the reset parameter if the sql query is managing it all by its own?
>
> Alexandre Chapellon wrote:
> > [EMAIL PROTECTED] wrote:
> > > > here is the counter definition:
> > > >
> > > >     sqlcounter bytesQuota {
> > > >         counter-name = traffic_quota
> > > >         check-name = Max-Traffic
> > > >         reply-name = Tmp-Integer-0
> > > >         sqlmod-inst = mysqldb
> > > >         key = User-Name
> > > >         reset = hourly
> > > >         query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> > > >     }
> > > >
> > > > sounds good to me... what could be the reason for no reset?
> > > >
> > > > query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> > >
> > > You need to add to WHERE one of the statements using %b.
> >
> > Ouch I didn't see that in the example queries... spank my ...!
> >
> > > Ivan Kalik
> > > Kalik Informatika ISP
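Added example, not part of the original thread: why the posted query never "resets", and what bounding it by %b changes, run over constructed radacct rows. The helper names, the sample rows and the windowed WHERE clause (modelled on the time-based sqlcounter example queries) are assumptions for illustration; `period_start` assumes a whole-hour UTC offset.

```shell
#!/bin/sh
# Constructed radacct rows (not real accounting data):
#   username  start_epoch  session_seconds  input_octets  output_octets
RADACCT='scott 1220950800 600 4000 6000
scott 1220954400 300 1000 2000
scott 1220958300 120 500 700
alice 1220958000 60 10 20'

# Query as posted in the thread: no reference to %b, so it sums all history.
QUERY_POSTED="SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
# One possible bounded form (assumption): count only sessions still running
# after the start of the current period.
QUERY_WINDOWED="$QUERY_POSTED AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"

# Start of the current hourly period for time NOW (epoch seconds), i.e. the
# value substituted for %b when "reset = hourly".
period_start() {
    echo $(( $1 - $1 % 3600 ))
}

# Usage: expand_query TEMPLATE NOW -> template with %b substituted.
expand_query() {
    b=$(period_start "$2")
    printf '%s\n' "$1" | sed -e "s/%b/$b/g"
}

# Usage: counter_sum USER [PERIOD_START]
# Without PERIOD_START this mirrors the posted query; with it, the bounded one.
# A session that straddles the boundary is counted in full.
counter_sum() {
    user=$1
    begin=${2:-}
    total=0
    while read -r name start secs inb outb; do
        [ "$name" = "$user" ] || continue
        if [ -n "$begin" ] && [ $((start + secs)) -le "$begin" ]; then
            continue    # session ended before the current period began
        fi
        total=$((total + inb + outb))
    done <<EOF
$RADACCT
EOF
    echo "$total"
}

NOW=1220959800    # constructed "current time", 30 minutes into an hour
echo "posted query, all history:    $(counter_sum scott)"
echo "bounded by %b (current hour): $(counter_sum scott "$(period_start "$NOW")")"
expand_query "$QUERY_WINDOWED" "$NOW"
```

With the posted query the total only ever grows, so a user who exceeds the limit once stays over it in every later period.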
Re: another 2.1.0 compile error
Greg Woods wrote:
> Hopefully the feedback provided from that was useful.

Yes.

Alan DeKok.
Re: sqlcounters for traffic
Looking at the source of rlm_sqlcounter I saw that when a user tries to connect at a time close to the next reset time, the value of the check-item for the next cycle is added to the reply item. I'd like to avoid this behaviour for **some** of my users. Indeed I want to use counters to count traffic and **not** time, while rlm_sqlcounter decides it's close to reset time when check-item - counter (in my case: bytes) is less than the number of seconds until reset time.

Can I disable this behaviour? How?

[EMAIL PROTECTED] wrote:
> reset parameter controls value of %b.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 9/9/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:
> > so what's the use of the reset parameter if the sql query is managing it all by its own?
> >
> > Alexandre Chapellon wrote:
> > > [EMAIL PROTECTED] wrote:
> > > > > here is the counter definition:
> > > > >
> > > > >     sqlcounter bytesQuota {
> > > > >         counter-name = traffic_quota
> > > > >         check-name = Max-Traffic
> > > > >         reply-name = Tmp-Integer-0
> > > > >         sqlmod-inst = mysqldb
> > > > >         key = User-Name
> > > > >         reset = hourly
> > > > >         query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> > > > >     }
> > > > >
> > > > > sounds good to me... what could be the reason for no reset?
> > > > >
> > > > > query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct WHERE UserName='%{%k}'"
> > > >
> > > > You need to add to WHERE one of the statements using %b.
> > >
> > > Ouch I didn't see that in the example queries... spank my ...!
> > >
> > > > Ivan Kalik
> > > > Kalik Informatika ISP