Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread Alan DeKok
jasoneswan wrote:
> I'm using sites-available/dynamic-clients config...

  You posted pretty much a default configuration file.  Why?  It's not
like I don't have access to it.

> What is happening is when a client connects it doesn't even check database
> it simply says unknown client

  And you didn't post the debugging output, as suggested in the FAQ,
README, INSTALL, and daily on this list.  I also asked for *specifics*
of what happens, not a short summary.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread jasoneswan



aland wrote:
> jasoneswan wrote:
>> I'm using sites-available/dynamic-clients config...
>
>   You posted pretty much a default configuration file.  Why?  It's not
> like I don't have access to it.
>
>> What is happening is when a client connects it doesn't even check
>> database
>> it simply says unknown client
>
>   And you didn't post the debugging output, as suggested in the FAQ,
> README, INSTALL, and daily on this list.  I also asked for *specifics*
> of what happens, not a short summary.
>
>   Alan DeKok.


The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least
send an SQL query out when any IP connects but this simply says

Ignoring request to authentication address * port 1812 from unknown client
192.168.1.7

Without actually querying the SQL to see if that address is in the list


Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread Alan DeKok
jasoneswan wrote:
> The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least
> send an SQL query out when any IP connects

  If you've configured it right.  Perhaps that's where the problem is?

> but this simply says
>
> Ignoring request to authentication address * port 1812 from unknown client
> 192.168.1.7
>
> Without actually querying the SQL to see if that address is in the list

  Really?  You've only said that 3 times now.

  Is there any particular reason you keep repeating yourself, rather
than following instructions?

  And since you've insisted on *not* following instructions, I don't
think there's anything more I can do to help you.  My help involves
things like... instructions.  Which you don't follow.

  Alan DeKok.


RE: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

2008-09-09 Thread Parham Beheshti
this is how we do it:
radius.conf:
get user's group from ldap

users file:
if user is member of groupA assign ip pool1

if user is member of groupB assign ip pool2

here is users file (This is not using ip pools, just limits connection duration 
and when they can login):
DEFAULT LDAP-Group == "VPN12", Max-Daily-Session := 43200
	Fall-Through = Yes

DEFAULT LDAP-GROUP == "VPNSALES", Max-Daily-Session := 7200, Login-Time := "Any0730-0830,Any1630-1730"
	Fall-Through = Yes




-Original Message-
From: [EMAIL PROTECTED] on behalf of Osvaldo Campos M. - Administrador Red STI
Sent: Tue 9/9/2008 2:36 AM
To: FreeRadius users mailing list
Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
 
Hi people: 

First of all, sorry but my english is not good.

 I'm newie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, 
FreeRadius and LDAP, to permit vpn user's access. 

When vpn users connect (with Cisco VPN Client), Radius consult to LDAP 
if user exist. If exist, then user can connect to vpn. If not, can't 
connect. This works well. 

Now, also I should assign IP addresses according to an LDAP attribute. 
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 
10.0.0.20/24. 

I try to assign IP addresses with ippool module and filters in the 
ldap module in FreeRadius, but it doesn't work. 

How can I work with many ippool's according to a value of LDAP 
attribute? Where should I ask for the attribute value in order to assign 
the corresponding ippool?.  Please, help me with that.


My config is something like that: 

In the radius.conf file...
ldap vpnldap1 {
server = x.x.x.x
identity = cn=Directory Manager
password = **
basedn = ou=People, dc:blah, dc=cl
filter = ((uid=%u)(attribute=1))
authtype = ldap
set_asuth_type = yes
}
ldap vpnldap2 {
server = x.x.x.x
identity = cn=Directory Manager
password = **
basedn = ou=People, dc:blah, dc=cl
filter = ((uid=%u)(attribute=2))
authtype = ldap
set_asuth_type = yes
}

authorize {
files
Autz-Type LDAPVPN1 {
vpnldap1
}
Autz-Type LDAPVPN2 {
vpnldap2
}
}

authentication {
Auth-Type LDAPVPN1 {
vpnldap1
}
Auth-Type LDAPVPN2 {
vpnldap2
}
}

ippool vpnusers1 {
range-start= 10.0.0.10
range-stop= 10.0.0.19
netmask= 255.255.255.0
cache-size= 10
session-db= ${raddbdir}/db.vpnusers1-session
ip-index= ${raddbdir}/db.vpnusers1-index
override= yes
}

ippool vpnusers2 {
range-start= 10.0.0.20
range-stop= 10.0.0.29
netmask= 255.255.255.0
cache-size= 10
session-db= ${raddbdir}/db.vpnusers2-session
ip-index= ${raddbdir}/db.vpnusers2-index
override= yes
}

In the user file...
(i don`t know how to configure this file to several Ippool I think 
that here's the problem)

DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type 
:=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type 
:=LDAPVPN2, Pool-Name :=vpnusers2
# y.y.y.y= address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please, help me with this config.

Thank's you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile


Re: Two radius server on same machine

2008-09-09 Thread andreiv

Hi,

what is there to be done if you want a running instance and a standby
instance ? virtual servers won't help here. P.S: I only use radius with
accounting request ( logging into oracle db )


Mark Tunnell-3 wrote:
> Nataniel Klug wrote:
>> Hello all,
>>
>> I am trying to find some info about running two freeradius servers 
>> (on different ports) in the same machine. Can someone help me? I 
>> couldn't find any info...
>
> I've actually been running three instances on my servers for quite a 
> while.  Basically after installing freeradius I just made three 
> directories, one for firewalls, one for routers and one for switches, 
> copied the /usr/local/etc and /usr/local/var to them, changed the port 
> they listen on in radiusd.conf and fired them all up.  Works fine.
>
> Mark


Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread jasoneswan


aland wrote:
> jasoneswan wrote:
>> The key here is the ipaddr is 0.0.0.0 and netmask is 0. It SHOULD at least
>> send an SQL query out when any IP connects
>
>   If you've configured it right.  Perhaps that's where the problem is?
>
>> but this simply says
>>
>> Ignoring request to authentication address * port 1812 from unknown
>> client
>> 192.168.1.7
>>
>> Without actually querying the SQL to see if that address is in the list
>
>   Really?  You've only said that 3 times now.
>
>   Is there any particular reason you keep repeating yourself, rather
> than following instructions?
>
>   And since you've insisted on *not* following instructions, I don't
> think there's anything more I can do to help you.  My help involves
> things like... instructions.  Which you don't follow.
>
>   Alan DeKok.

FreeRADIUS Version 2.1.0, for host i686-pc-linux-gnu, built on Sep  5 2008
at 17:09:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-available/dynamic-clients
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5

Re: Two radius server on same machine

2008-09-09 Thread Alan DeKok
andreiv wrote:
> Hi,
>
> what is there to be done if you want a running instance and a standby
> instance ? 

  There's no such thing as a standby instance.  It's either listening
on the RADIUS port, or it's not.

  You're better off using a wrapper to watch the server, such as
daemontools, or svtools.  Or, installing servers on two independent
machines, and configuring both of them on the clients.

  Alan DeKok.


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-09 Thread Alan DeKok
Carlos Eduardo Tavares Terra wrote:
> Sorry, but maybe I didn't understand how virtual servers really work.

  raddb/sites-available/README

  Each virtual server is a RADIUS server, just like in 1.x.  The only
difference is that you don't need to run multiple processes to get
multiple server configurations.

> I have separated into different virtual servers because each type of
> service have different modules implemented by me. In freeradius1 I was
> using the groupreply 'Exec-Program-Wait' and different radius servers
> for each service. In each server I have modified the sql queries

  i.e. in 1.x, you modified the SQL queries in the sql module
configuration, for each server.  i.e. you were running TWO different
instances of the SQL module.

  I think the problem is that you're trying to use only ONE instance of
the SQL module in 2.x.  Instead, do this in the modules section:

  sql sql1 {
      ... content from 1.x server1, INCLUDING queries
  }

  sql sql2 {
      ... content from 1.x server2, INCLUDING queries
  }

  Then, use sql1 in the virtual server for server1, and sql2 in the
virtual server for sql2.

  Alan DeKok.
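
The layout described in the message above, written out as an added example (it is not part of the original post and not taken from the FreeRADIUS distribution): two named instances of the sql module, each including its own query file, and one virtual server per instance. The server names, the second port, the database names, the credentials placeholders and the `dialup-server1.conf` / `dialup-server2.conf` file names are assumptions for illustration.

```conf
# Added example. Module definitions (raddb/sql.conf or a file in raddb/modules/).
# Each named instance has its own connection settings and its own query file,
# so queries can be changed for one service without touching the other.
sql sql1 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius_server1"        # placeholder: separate DB account per instance
	password = "CHANGE_ME"          # placeholder
	radius_db = "radius_server1"    # assumed database name

	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"
	num_sql_socks = 5

	# Assumed file name: a copy of sql/mysql/dialup.conf holding the
	# queries carried over from the 1.x "server1" configuration.
	$INCLUDE sql/${database}/dialup-server1.conf
}

sql sql2 {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "localhost"
	login = "radius_server2"        # placeholder
	password = "CHANGE_ME"          # placeholder
	radius_db = "radius_server2"    # assumed database name

	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"
	num_sql_socks = 5

	# Assumed file name: queries carried over from the 1.x "server2" setup.
	$INCLUDE sql/${database}/dialup-server2.conf
}

# Virtual servers (one file each under raddb/sites-enabled/).
# A listen section inside a server block ties that socket to the server,
# so each service only ever runs its own sql instance.
server server1 {
	listen {
		type = auth
		ipaddr = *
		port = 1812
	}
	authorize {
		preprocess
		sql1
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
	post-auth {
		sql1
	}
}

server server2 {
	listen {
		type = auth
		ipaddr = *
		port = 11812                # assumed second port
	}
	authorize {
		preprocess
		sql2
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
	post-auth {
		sql2
	}
}
```

Running `radiusd -X` after the change shows both instances being loaded and which virtual server each listener is bound to.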


Re: Version 2.1.0 has been released.

2008-09-09 Thread Alan DeKok
Norbert Wegener wrote:
> It seems to me,  the log section contains the same items  as in 2.0.5.

  The requests entry is new.  It can send logs to different
destinations based on dynamic expansions.

> So I am not sure how to turn  logging on for a specific user when the
> server is running:

  Yes, that isn't documented there.  I've added some text for 2.1.1.

  In short, you can do:

...
update control {
	Tmp-String-0 = "%{debug:2}"
}
...

  to set the debug level to 2 for *this* request.  That update section
can be wrapped in an if, to check for users, groups, realms, etc.

  2.1.1 will also have the ability to change the global debug level from
radmin.  2.1.2 will have the ability to change the debug level for
requests coming from a particular client.

  Alan DeKok.


Re: Version 2.1.0 has been released.

2008-09-09 Thread Norbert Wegener

Alan DeKok wrote:

> ..
> * Debug logs can now be turned on/off while the server is
>   running, for a user, group, realm, etc.  See the log section
>   of radiusd.conf.

It seems to me,  the log section contains the same items  as in 2.0.5. 
So I am not sure how to turn  logging on for a specific user when the 
server is running:


log {
   destination = files
   file = ${logdir}/radius.log
   #
   #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log


   syslog_facility = daemon

   stripped_names = no
   auth = no

   auth_badpass = no
   auth_goodpass = no
}


Maybe I missed something?

Norbert Wegener



Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread Alan DeKok
  It's a bug in 2.1.0 that will be fixed in 2.1.1.

  Alan DeKok.


Re: Version 2.1.0 has been released.

2008-09-09 Thread Arran Cudbard-Bell



>   Yes, that isn't documented there.  I've added some text for 2.1.1.
>
>   In short, you can do:
>
> ...
> update control {
> 	Tmp-String-0 = "%{debug:2}"
> }
> ...

  

Didn't you alter the parser slightly to allow just:

   ...
   %{debug:2}
   ...

Or did you remove it before 2.1.0 ?


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



RE: Dynamic Clients with FreeRADIUS

2008-09-09 Thread Johan Meiring
> Sent: 09 September 2008 11:16 AM
> To: FreeRadius users mailing list
> Subject: Re: Dynamic Clients with FreeRADIUS
>
>   It's a bug in 2.1.0 that will be fixed in 2.1.1.

Hi,

Is this the availability of Nas-Identifier to the virtual server thing??

Thanks

Johan Meiring

>   Alan DeKok.


Re: Version 2.1.0 has been released.

2008-09-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Didn't you alter the parser slightly to allow just:
>
>    ...
>    %{debug:2}
>    ...

  Err, yes.  But that's horrible syntax, and I don't think it will stay.

  Alan DeKok.



Re: Version 2.1.0 has been released.

2008-09-09 Thread Phil Mayers

Alan DeKok wrote:

> Arran Cudbard-Bell wrote:
>
>> Didn't you alter the parser slightly to allow just:
>>
>>    ...
>>    %{debug:2}
>>    ...
>
>   Err, yes.  But that's horrible syntax, and I don't think it will stay.


if (condition) {
  call debug 2
}

Might also be useful for:

post-auth {
  call sql insert into blah ...
}


Re: Version 2.1.0 has been released.

2008-09-09 Thread Arran Cudbard-Bell

Phil Mayers wrote:

> Alan DeKok wrote:
>
>> Arran Cudbard-Bell wrote:
>>
>>> Didn't you alter the parser slightly to allow just:
>>>
>>>    ...
>>>    %{debug:2}
>>>    ...
>>
>>   Err, yes.  But that's horrible syntax, and I don't think it will stay.

It's not a horrible syntax it's useful syntax, especially when being 
used with horrible hacks such as this... makes them less horrible. It's 
also good for making arbitrary calls to modules when you don't care 
about the return value, such as sql insert and update statements (if the 
SQL module supported xlated insert and update statements).

Having to wrap the whole thing in an update stanza and having to assign 
the return value to a temporary string, now that's horrible syntax.

> if (condition) {
>   call debug 2
> }
>
> Might also be useful for:
>
> post-auth {
>   call sql insert into blah ...
> }

I don't see that extra syntax is required... 


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), 
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT

DDI+FAX: +44 1273 873900 | INT: 3900



Re: Dynamic Clients with FreeRADIUS

2008-09-09 Thread Alan DeKok
Johan Meiring wrote:
> Is this the availability of Nas-Identifier to the virtual server thing??

  No.  Maybe in 2.1.2.

  Alan DeKok.



Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread Nataniel Klug
Can't I change the way it looks into MySQL table? Even this coming 
with User-Name I can't look for the value in another field? This is a 
MySQL query, not the way it came... i hope... :)


[EMAIL PROTECTED] wrote:

> Well, you don't have much say in this because NAS sends it that way:
>
> rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1,
> length=69
>    User-Name = 00:19:79:0f:98:3d
>    User-Password = wireless
>    NAS-IP-Address = 172.30.0.142
>    NAS-Port = 0
>
> You see what is in the User-Name field? That's how mac authentication
> works.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 8/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:
>
>> Ivan,
>>
>> I can't use User-Name as MAC because this is being used by another
>> system I run... I just need to change some settings in dialup.conf to
>> meet my requirements, all said in other message.
>>
>> [EMAIL PROTECTED] wrote:
>>
>>> In mac authentication mac address is sent as User-Name not
>>> Calling-Station-Id. You don't have to make any changes to dialup.conf -
>>> just use database properly:
>>>
>>> username: AA:AA:AA:AA:AA:AA
>>> attribute: Auth-Type
>>> op: :=
>>> Value: Accept or Reject
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
  


--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

... wise men, too, have a tangible heart and can, at times, use science 
as a means of showing sentimental impressions to which many do not judge them 
susceptible.
Visconde de Taunay


Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

2008-09-09 Thread Leonardo Reginin

If I understood what you need ...

Using Cisco VPN Client, you can define Groups in the Cisco 
Concentrator ...


Configuration - User Management - Groups

... and assign an Address Pool to each group. According to the Group used 
in the Cisco VPN Client, the user will receive an IP address from a 
different Address Pool.


Create the Group and upon that create the Address Pool

Configuration - User Management - Groups - Address Pools

Best Regards,

Leonardo

Osvaldo Campos M. - Administrador Red STI wrote:

Hi people:
First of all, sorry but my english is not good.

I'm newie in FreeRadius and I am in a hurry with Cisco VPN Server 
3000, FreeRadius and LDAP, to permit vpn user's access.
When vpn users connect (with Cisco VPN Client), Radius consult to 
LDAP if user exist. If exist, then user can connect to vpn. If not, 
can't connect. This works well.
Now, also I should assign IP addresses according to an LDAP attribute. 
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 
assign 10.0.0.20/24.
I try to assign IP addresses with ippool module and filters in the 
ldap module in FreeRadius, but it doesn't work.
How can I work with many ippool's according to a value of LDAP 
attribute? Where should I ask for the attribute value in order to 
assign the corresponding ippool?.  Please, help me with that.



My config is something like that:
In the radius.conf file...
ldap vpnldap1 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=1))
   authtype = ldap
   set_asuth_type = yes
}
ldap vpnldap2 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=2))
   authtype = ldap
   set_asuth_type = yes
}

authorize {
   files
   Autz-Type LDAPVPN1 {
   vpnldap1
   }
   Autz-Type LDAPVPN2 {
   vpnldap2
   }
}

authentication {
   Auth-Type LDAPVPN1 {
   vpnldap1
   }
   Auth-Type LDAPVPN2 {
   vpnldap2
   }
}

ippool vpnusers1 {
   range-start= 10.0.0.10
   range-stop= 10.0.0.19
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers1-session
   ip-index= ${raddbdir}/db.vpnusers1-index
   override= yes
}

ippool vpnusers2 {
   range-start= 10.0.0.20
   range-stop= 10.0.0.29
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers2-session
   ip-index= ${raddbdir}/db.vpnusers2-index
   override= yes
}

In the user file...
(i don`t know how to configure this file to several Ippool I 
think that here's the problem)


DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type 
:=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type 
:=LDAPVPN2, Pool-Name :=vpnusers2

# y.y.y.y= address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please, help me with this config.

Thank's you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile



Re: Version 2.1.0 has been released.

2008-09-09 Thread Alan DeKok
Phil Mayers wrote:
> if (condition) {
>   call debug 2
> }

  Nah.

radmin debug file /var/log/radius/bob.log
radmin debug condition '(User-Name == bob)'
...
radmin debug condition

  That's better.  Very powerful, and very clean.

  Alan DeKok.


Re: Version 2.1.0 has been released.

2008-09-09 Thread Phil Mayers

Alan DeKok wrote:

> Phil Mayers wrote:
>
>> if (condition) {
>>   call debug 2
>> }
>
>   Nah.
>
> radmin debug file /var/log/radius/bob.log
> radmin debug condition '(User-Name == bob)'
> ...
> radmin debug condition
>
>   That's better.  Very powerful, and very clean.


Nice!


Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread tnt
> Can't I change the way it looks into MySQL table? Even this coming
> with User-Name I can't look for the value in another field? This is a
> MySQL query, not the way it came... i hope... :)


You have three options:

- fill your database with (useless) data and try to change rlm_sql code
and queries in order to match up requests and data. Don't expect much
help there - if you want to customize the database you should know what
you are doing. It is quite likely that this will render that sql
instance (and possibly whole sql module) useless for any other request
apart from mac auth.

You will need to:

rewrite value of User-Name into Calling-Station-Id

pull new User-Name from the database (WHERE
Attribute='Calling-Station-Id' and Value='%{User-Name}')

fix code in rlm_sql where this breaks it

or:

- authenticate with a special script (perl or such). Adjust queries for
this type of authentication as much as you like without affecting other
authentication types. You can use multiple queries to match up data and
request. Easier and more sensible than above.

or:

- fill your database with correct data - what you expect to come in
User-Name field should be used as UserName etc. No adjustments needed.
mac auth works together with other authentication types.

Take your pick.

Ivan Kalik
Kalik Informatika ISP



freeradius version 1.0.x Vs 2.x.x

2008-09-09 Thread Abraham Jacob
Hi,

  I have been using freeradius 1.0.5 for captive portal authentication
in our internal network. I use mysql as backend for radius and using
sqlcounter to check monthly usage.

I was trying out freeradius version 2.1.0 and found out that check
attribute values from radcheck table being replaced by values from
radgroupcheck. For example, sqlcounter is using Session-Timeout =
28800 if I use freeradius version 1.0.5 and Session-Timeout = 14400 if
I use  version 2.1.0.

Debug from 1.0.5:
rlm_sqlcounter: Authorized user test, check_item=28800, counter=509
rlm_sqlcounter: Sent Reply-Item for user test, Type=Session-Timeout, value=28291
  modcall[authorize]: module noresetcounter returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2

Debug from 2.1.0:
rlm_sqlcounter: Authorized user test, check_item=14400, counter=509
rlm_sqlcounter: Sent Reply-Item for user akj, Type=Session-Timeout, value=13891
++[noresetcounter] returns ok


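radcheck table:
+----+----------+-----------------+------------------------------------+----+
| id | username | attribute       | value                              | op |
+----+----------+-----------------+------------------------------------+----+
|  7 | test     | Crypt-Password  | $1$WXkDxOPI$hZadd2xez2Xl7k4asVqOG. | := |
|  9 | test     | Session-Timeout | 28800                              | := |
+----+----------+-----------------+------------------------------------+----+

radgroupcheck table:
+----+-----------+-----------------+-------+----+
| id | groupname | attribute       | Value | op |
+----+-----------+-----------------+-------+----+
|  1 | test      | Session-Timeout | 14400 | := |
+----+-----------+-----------------+-------+----+

radusergroup table:
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | test      |        1 |
+----------+-----------+----------+

sqlcounter:
sqlcounter noresetcounter {
	counter-name = sess_timeout
	check-name = Session-Timeout
	reply-name = Session-Timeout
	sqlmod-inst = sql
	key = User-Name
	reset = never
	query = SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'
}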

I have tested this with version 2.0.5 and got same result. Is this the
expected behavior in version 2.x.x?

Thanks,
Abraham


another 2.1.0 compile error

2008-09-09 Thread Greg Woods
I am running on CentOS 5.2 on an x86_64 architecture. I note a previous
report for a similar system here on the list, but this is not the same
error. That one was an error compiling radmin, this is an error
compiling the server:

 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE
-DNDEBUG -I/local/src/freeradius-server-2.1.0/src -DHOSTINFO=
\x86_64-unknown-linux-gnu\ -DRADIUSD_VERSION=\2.1.0\
-DOPENSSL_NO_KRB5 -c listen.c  -fPIC -DPIC -o .libs/listen.o
listen.c: In function 'client_listener_find':
listen.c:189: warning: assignment discards qualifiers from pointer
target type
In file included from command.c:26,
 from listen.c:1046:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18:
error: ltdl.h: No such file or directory
In file included from command.c:26,
 from listen.c:1046:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h: At
top level:
/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:30:
error: expected specifier-qualifier-list before 'lt_dlhandle'
gmake[4]: *** [listen.lo] Error 1
gmake[4]: Leaving directory
`/local/src/freeradius-server-2.1.0/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/local/src/freeradius-server-2.1.0/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/local/src/freeradius-server-2.1.0/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/local/src/freeradius-server-2.1.0'
make: *** [all] Error 2

I realize this isn't a complete enough report to fully debug this, I'm
just curious to know if anyone else has seen this one or whether it's
something obvious. I also know that the ltdl.h file is actually there in
the libltdl subdirectory, so I can probably figure out how to get around
this if I have to.

--Greg




Re: another 2.1.0 compile error

2008-09-09 Thread Alan DeKok
Greg Woods wrote:
> I am running on CentOS 5.2 on an x86_64 architecture. I note a previous
> report for a similar system here on the list, but this is not the same
> error. That one was an error compiling radmin, this is an error
> compiling the server:
> ...
> /local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18:
> error: ltdl.h: No such file or directory

  Yeah, I caught that on another system, too.  It should be fixed in
git.freeradius.org.

  Part of the issue is that the latest version in source control isn't
widely tested until it becomes an official release... at which point
lots of people run into issues.

  Alan DeKok.


Re: another 2.1.0 compile error

2008-09-09 Thread Phil Mayers

Alan DeKok wrote:

Greg Woods wrote:

I am running on CentOS 5.2 on an x86_64 architecture. I note a previous
report for a similar system here on the list, but this is not the same
error. That one was an error compiling radmin, this is an error
compiling the server:

...

/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18:
error: ltdl.h: No such file or directory


  Yeah, I caught that on another system, too.  It should be fixed in
git.freeradius.org.

  Part of the issue is that the latest version in source control isn't
widely tested until it becomes an official release... at which point
lots of people run into issues.


If you want to tag and announce -pre I can arrange for it to be built in 
a bunch of clean buildroots (we maintain such for building our local 
RPMs) at least for some RedHat/Fedora variants.


Or there's buildbot; I might be able to scrounge a server or two to 
run some VMs on, and host them here.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re:RE: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

2008-09-09 Thread Osvaldo Campos M. - Administrador Red STI
Thanks for your answer, but I can't use LDAP groups in this case because 
I haven't groups defined in LDAP according to LDAP attribute. For 
example, I haven't a group Sales in LDAP with only users with the 
value attribute=1. 


And I need to assign addresses according to the value attribute .

Other ideas for this, please??

Thanks...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile



Parham Beheshti wrote:

this is how we do it:
radius.conf:
get user's group from ldap

users file:
if user is member of groupA assign ip pool1

if user is member of groupB assign ip pool2

here is users file(This is not using ip pools, just limits connection duration 
and when they can login):
DEFAULT LDAP-Group == VPN12, Max-Daily-Session :=43200
Fall-Through = Yes

DEFAULT LDAP-GROUP == VPNSALES, Max-Daily-Session :=7200, 
Login-Time:=Any0730-0830,Any1630-1730
Fall-Through = Yes




-Original Message-
From: [EMAIL PROTECTED] on behalf of Osvaldo Campos M. - Administrador Red STI
Sent: Tue 9/9/2008 2:36 AM
To: FreeRadius users mailing list
Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
 
Hi people: 


First of all, sorry but my english is not good.

 I'm newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000, 
FreeRadius and LDAP, to permit vpn user's access. 

When vpn users connect (with Cisco VPN Client), Radius consult to LDAP 
if user exist. If exist, then user can connect to vpn. If not, can't 
connect. This works well. 

Now, also I should assign IP addresses according to an LDAP attribute. 
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign 
10.0.0.20/24. 

I try to assign IP addresses with ippool module and filters in the 
ldap module in FreeRadius, but it doesn't work. 

How can I work with many ippool's according to a value of LDAP 
attribute? Where should I ask for the attribute value in order to assign 
the corresponding ippool?.  Please, help me with that.



My config is something like that: 


In the radius.conf file...
ldap vpnldap1 {
server = x.x.x.x
identity = cn=Directory Manager
password = **
basedn = ou=People, dc:blah, dc=cl
filter = ((uid=%u)(attribute=1))
authtype = ldap
set_asuth_type = yes
}
ldap vpnldap2 {
server = x.x.x.x
identity = cn=Directory Manager
password = **
basedn = ou=People, dc:blah, dc=cl
filter = ((uid=%u)(attribute=2))
authtype = ldap
set_asuth_type = yes
}

authorize {
files
Autz-Type LDAPVPN1 {
vpnldap1
}
Autz-Type LDAPVPN2 {
vpnldap2
}
}

authentication {
Auth-Type LDAPVPN1 {
vpnldap1
}
Auth-Type LDAPVPN2 {
vpnldap2
}
}

ippool vpnusers1 {
range-start= 10.0.0.10
range-stop= 10.0.0.19
netmask= 255.255.255.0
cache-size= 10
session-db= ${raddbdir}/db.vpnusers1-session
ip-index= ${raddbdir}/db.vpnusers1-index
override= yes
}

ippool vpnusers2 {
range-start= 10.0.0.20
range-stop= 10.0.0.29
netmask= 255.255.255.0
cache-size= 10
session-db= ${raddbdir}/db.vpnusers2-session
ip-index= ${raddbdir}/db.vpnusers2-index
override= yes
}

In the user file...
(i don`t know how to configure this file to several Ippool I think 
that here's the problem)


DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type 
:=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type 
:=LDAPVPN2, Pool-Name :=vpnusers2

# y.y.y.y= address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please, help me with this config.

Thank you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Marinko Tarlac

1.1.7 also requires ltdl

(CentOS 5.x)

Alan DeKok wrote:

Greg Woods wrote:
  

I am running on CentOS 5.2 on an x86_64 architecture. I note a previous
report for a similar system here on the list, but this is not the same
error. That one was an error compiling radmin, this is an error
compiling the server:


...
  

/local/src/freeradius-server-2.1.0/src/freeradius-devel/modpriv.h:9:18:
error: ltdl.h: No such file or directory



  Yeah, I caught that on another system, too.  It should be fixed in
git.freeradius.org.

  Part of the issue is that the latest version in source control isn't
widely tested until it becomes an official release... at which point
lots of people run into issues.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread Nataniel Klug

Thanks Ivan.

Another question: is there any way to have one database for each virtual 
server?


[EMAIL PROTECTED] wrote:

Can't I change the way it's look into MySQL table? Even this coming
with User-Name I can't look for the value in another field? This is a
MySQL query, not the way it came... i hope... :)




You have three options:

- fill your database with (useless) data and try to change rlm_sql code
and queries in order to match up requests and data. Don't expect much
help there - if you want to customize the database you should know what
you are doing. It is quite likely that this will render that sql
instance (and possibly whole sql module) useless for any other request
apart from mac auth.

You will need to:

rewrite value of User-Name into Calling-Station-Id

pull new User-Name from the database (WHERE
Attribute='Calling-Station-Id' and Value='%{User-Name}')

fix code in rlm_sql where this breaks it

or:

- authenticate with a special script (perl or such). Adjust queries for
this type of authentication as much as you like without affecting other
authentication types. You can use multiple queries to match up data and
request. Easier and more sensible than above.

or:

- fill your database with correct data - what you expect to come in
User-Name field should be used as UserName etc. No adjustments needed.
mac auth works together with other authentication types.

Take your pick.

Ivan Kalik
Kalik Informatika ISP


--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]

READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

... even the wise have a tangible heart and may, at times, use science
as a means of showing sentimental impressions to which many do not think
them susceptible.
Visconde de Taunay

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 16:53 +0100, [EMAIL PROTECTED] wrote:

 yep, you havent got all the required development packages installed.
 
 libtool-ltdl-devel
 libtool-ltdl

Thanks, that was it. However, I discovered what I think is a bug in yum
in the process. I tried yum list *ltdl* and this failed to show these
packages; otherwise I might have found this myself. Even yum list
libtool* doesn't show them, I had to actually list libtool-ltdl-devel*
to see the devel package. 

After this I ran into the previously-noted issue compiling radmin. In
Makefile.inc, define LIBREADLINE as -lreadline -lncurses.

Another thing I discovered is that I have to remove the i386 versions of
several -devel packages, or I get errors about symbols in wrong format
when linking. 

But I now have 2.1.0 compiled so I can work on setting up dynamic
clients, which is a feature we really need here since many of our
clients are DHCP-configured workstations.

Thanks for the help!

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Alan DeKok
Marinko Tarlac wrote:
 1.1.7 also requires ltdl

  The only changes made to 1.1.x from now on will be security related.

  i.e. no new features. no build fixes, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Alan DeKok
Greg Woods wrote:
 After this I ran into the previously-noted issue compiling radmin. In
 Makefile.inc, define LIBREADLINE as -lreadline -lncurses.

  Which is also fixed in git.freeradius.org.

 But I now have 2.1.0 compiled so I can work on setting up dynamic
 clients, which is a feature we really need here since many of our
 clients are DHCP-configured workstations.

  The dynamic clients code has a bug.  This is fixed in git.freeradius.org.

  Please checkout and build git.freeradius.org.  Unless there are major
panics, it will be issued as version 2.1.1 this week.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,
 Marinko Tarlac wrote:
  1.1.7 also requires ltdl
 
   The only changes made to 1.1.x from now on will be security related.
 
   i.e. no new features. no build fixes, etc.

I dont think it was a build fix request - more a comment
that 1.1.7 needs ltdl on some platforms due to the way
that chosen distro operates.  - its a helpful note to others
who get caught out by this error.

generally, its blindingly obvious when you see something like

Error - libfoo.h missing

you think, hmmm, i dont have an include. what package provides
that include?  

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 19:50 +0200, Alan DeKok wrote:

   Please checkout and build git.freeradius.org.  

If I get time to do this before 2.1.1 comes out, I'll give it a shot,
but there are no git packages for CentOS and I've never used it before,
so I'll have to install git on my Fedora 9 workstation (where git
packages do exist), learn to use it, check out the code, copy it to the
CentOS box, etc. All doable if I can find the time.

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 18:54 +0100, [EMAIL PROTECTED] wrote:

 generally, its blindingly obvious when you see something like
 
 Error - libfoo.h missing
 
 you think, hmmm, i dont have an include.

But if libfoo.h actually exists in the source tree (as in the case of
ltdl.h), then it's not so blindingly obvious that the problem is a
missing -devel package rather than a configuration/compilation issue.

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Marinko Tarlac

Yes I know... (

Last few weeks I'm trying to build test system for 2.x.x version. I want 
to test DHCP functions.


All systems we have are already in use and I don't have enough space 
to do some testings :)




Alan DeKok wrote:

Marinko Tarlac wrote:
  

1.1.7 also requires ltdl



  The only changes made to 1.1.x from now on will be security related.

  i.e. no new features. no build fixes, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 19:50 +0200, Alan DeKok wrote:

   Please checkout and build git.freeradius.org.  

OK, I got this done. It configures and makes on my system (CentOS
release 5.2 (Final) -- x86_64) with no problems. Now on to some fun with
dynamic clients.

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounters for traffic

2008-09-09 Thread Alexandre Chapellon
Good it's sent in the reply to the nas! Thx
But the sqlcounter i setup was supposed to reset every hour, but
apparently doesn't...
Where can i take a look to find out why?
Is it supposed to update the database to reset counters (which seems a
bad solution to me) or does freeradius maintain separate counters
elsewhere, using accounting database to feed them?

Alan DeKok wrote:
 Alexandre Chapellon wrote:
   
 Here is the full debug  outputed during the auth query/reply
 
 ...
   
 rlm_sqlcounter: Sent Reply-Item for user scott,
 Type=Session-Traffic-Limit, value=12694
 
 ...
   
 Sending Access-Accept of id 201 to 127.0.0.1 port 37792
 Session-Traffic-Limit = 
 

   That's the problem.  Looking at dictionary.redback,
 Session-Traffic-Limit is a string.  It's not an integer counter.

   If you do really want to use Session-Traffic-Limit, you will have to
 change sqlcounter to use a *different* attribute in the reply, such as
 Tmp-Integer-0, which is a server-side attribute.  Then use unlang in
 post-auth to copy it to Session-Traffic-Limit:

   update reply {
   Session-Traffic-Limit = %{reply:Tmp-Integer-0}
   }

   That should work.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: another 2.1.0 compile error

2008-09-09 Thread John Horne
On Tue, 2008-09-09 at 11:24 -0600, Greg Woods wrote:
 On Tue, 2008-09-09 at 16:53 +0100, [EMAIL PROTECTED] wrote:
 
  yep, you havent got all the required development packages installed.
  
  libtool-ltdl-devel
  libtool-ltdl
 
 Thanks, that was it. However, I discovered what I think is a bug in yum
 in the process. I tried yum list *ltdl* and this failed to show these
 packages; otherwise I might have found this myself. Even yum list
 libtool* doesn't show them, I had to actually list libtool-ltdl-devel*
 to see the devel package. 
 
Does something a bit more generic like 'yum list *td*' show you a list
of installed and available packages? It works for me on CentOS 5.2,
64-bit. The 'list *ltdl*' worked for me on CentOS 5.2, 32-bit.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 19:43 +0100, John Horne wrote:

 Does something a bit more generic like 'yum list *td*' show you a list
 of installed and available packages? It works for me on CentOS 5.2,


AAAUGH! I got it figured out. I was in the freeradius-server directory
when I tried this, so it turns out that libtool* and *tdl* actually
match directory names, so bash wasn't passing the wildcard to yum. Maybe
csh wasn't so wrong to always assume an unquoted wildcard meant you were
file globbing. Cost me a couple hours of wasted time (not to mention
looking like a moron on the list :-)

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: minor prefix problem with 2.1.1 git

2008-09-09 Thread Alan DeKok
Greg Woods wrote:
 I tried to use a non-default prefix, and it craps out on make install
 because one of the sql-related files refuses to install in a directory
 name that didn't end with /usr/local/lib .

  That's libtool insanity.  It drives me crazy.

  I was able to work around
 this by using a --prefix like /local/freeradius-git/usr/local instead
 of just /local/freeradius-git. A minor annoyance but I thought others
 might want to hear about it. At least the error message was clear enough
 that coming up with the workaround was easy.

  Ugh.  If *I* say install in /local/foo, or /local/i/hate/libtool, then
it should damned well install the libraries there.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Alan DeKok
John Dennis wrote:
 I know the freeradius source tree and source tarball contains rpm spec
 files and some suse and redhat specific info but I wonder if that is the
 right place for that information, the distribution in question will have
 up to date spec files specific to their distributions, I'm not sure
 upstream is the place to go looking for it. The last time I looked at
 the redhat directory it was way out of date.

  I've taken occasional looks at the upstream spec files, and pulled
changes in.  But the integration should be a little stronger.

 This is one reason I'm
 dubious upstream is the place to maintain spec files (IMHO it's kinda
 backwards ;-)

  Some people want custom installations.  Having an almost OK' spec
file distributed with the source is often easier than pulling the spec
file from elsewhere.

 Now having said that, I realize there isn't a 2.1.0 rpm spec file in
 Fedora yet, so you would be right to say how can I consult it?, but
 I'm willing to bet the current 2.0.5 spec file would be pretty close to
 what 2.1.0 needs.

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread tnt
Yes. Create multiple sql instances. List the name of the instance you
want to use in place of sql in appropriate sections (authorize,
accounting, post-auth, etc.).

Ivan Kalik
Kalik Informatika ISP


On 9/9/2008, Nataniel Klug [EMAIL PROTECTED] wrote:

Thanks Ivan.

Another question: is there any way to have one database for each virtual
server?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,

 But if libfoo.h actually exists in the source tree (as in the case of
 ltdl.h), then it's not so blindingly obvious that the problem is a
 missing -devel package rather than a configuration/compilation issue.

but you chose to use the system stuff in the configure stage
rather than the supplied version, yes?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,

 OK, I got this done. It configures and makes on my system (CentOS

congrats! - GIT is far nicer than some of the older methods of
source retrieval. 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,

 Nah! We've all done things like this more times than we care to admit.  
 Welcome to the club, your turn to bring refreshments next time :-)

hey! you cant skip *your* turn! ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

2008-09-09 Thread Osvaldo Campos M. - Administrador Red STI

Hi...

Thanks for your answer Leonardo but, if I define the groups in the Cisco 
VPN Server, it will be enough with knowing the password of other defined 
group's to obtain an address from a group to which I don't really 
belong. I.e., if Sale's user know password of Development group, will 
can receive an Development address. 
   
For this reason it is that I should assign the address according to the 
value of the attribute LDAP, because this value identifies user's type 
and, therefore, the address that should have.


Other ideas for this, please??

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile



Leonardo Reginin wrote:

If I understood what you need ...

Using Cisco VPN Client, you can define Groups in the Cisco 
Concentrator ...


Configuration - User Management - Groups

... and assign an Address Pool to each group. According the Group 
used in the Cisco VPN Client, the user will receive an IP addresses 
from a different Address Pool.


Create the Group and upon that create the Address Pool

Configuration - User Management - Groups - Address Pools

Best Regards,

Leonardo

Osvaldo Campos M. - Administrador Red STI wrote:

Hi people:
First of all, sorry but my english is not good.

I'm newbie in FreeRadius and I am in a hurry with Cisco VPN Server 
3000, FreeRadius and LDAP, to permit vpn user's access.
When vpn users connect (with Cisco VPN Client), Radius consult to 
LDAP if user exist. If exist, then user can connect to vpn. If not, 
can't connect. This works well.
Now, also I should assign IP addresses according to an LDAP 
attribute. For example, if attribute==1 assign 10.0.0.10/24, if 
attribute==2 assign 10.0.0.20/24.
I try to assign IP addresses with ippool module and filters in the 
ldap module in FreeRadius, but it doesn't work.
How can I work with many ippool's according to a value of LDAP 
attribute? Where should I ask for the attribute value in order to 
assign the corresponding ippool?.  Please, help me with that.



My config is something like that:
In the radius.conf file...
ldap vpnldap1 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=1))
   authtype = ldap
   set_asuth_type = yes
}
ldap vpnldap2 {
   server = x.x.x.x
   identity = cn=Directory Manager
   password = **
   basedn = ou=People, dc:blah, dc=cl
   filter = ((uid=%u)(attribute=2))
   authtype = ldap
   set_asuth_type = yes
}

authorize {
   files
   Autz-Type LDAPVPN1 {
   vpnldap1
   }
   Autz-Type LDAPVPN2 {
   vpnldap2
   }
}

authentication {
   Auth-Type LDAPVPN1 {
   vpnldap1
   }
   Auth-Type LDAPVPN2 {
   vpnldap2
   }
}

ippool vpnusers1 {
   range-start= 10.0.0.10
   range-stop= 10.0.0.19
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers1-session
   ip-index= ${raddbdir}/db.vpnusers1-index
   override= yes
}

ippool vpnusers2 {
   range-start= 10.0.0.20
   range-stop= 10.0.0.29
   netmask= 255.255.255.0
   cache-size= 10
   session-db= ${raddbdir}/db.vpnusers2-session
   ip-index= ${raddbdir}/db.vpnusers2-index
   override= yes
}

In the user file...
(i don`t know how to configure this file to several Ippool I 
think that here's the problem)


DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN1, AUTZ-Type 
:=LDAPVPN1, Pool-Name :=vpnusers1
DEFAULT NAS-IP-Address = y.y.y.y, Auth-Type :=LDAPVPN2, AUTZ-Type 
:=LDAPVPN2, Pool-Name :=vpnusers2

# y.y.y.y= address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please, help me with this config.

Thank you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 15:24 -0400, John Dennis wrote:

 Wildcards passed to commands must always be quoted or escaped

Well, no, not always any more. If I did something like cd /root first,
then the yum commands work just fine. It's a bash feature that if the
wildcard doesn't actually match anything, then it is passed as an
argument verbatim (as opposed to csh, which would have complained no
match and not done anything). 

However, you are correct in the sense that quoting it is the only way to
guarantee that it will do what I expect every time. I've just gotten
lazy since not quoting it works 99% of the time. 

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
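
Added example (not part of any poster's message): a self-contained reproduction of the wildcard behaviour discussed in this thread. `show_args` stands in for `yum list`, and the directory tree is constructed for the demo; all function and directory names are assumptions.

```shell
#!/bin/sh
# show_args stands in for `yum list`: it prints each argument it receives,
# one per line, so we can see what the shell actually handed to the command.
show_args() { printf '%s\n' "$@"; }

# Build a constructed directory tree. "src" mimics a source tree that
# contains libltdl and libtool directories; "empty" contains nothing a
# pattern could match.
make_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/src/libltdl" "$demo_root/src/libtool" "$demo_root/empty"
    printf '%s\n' "$demo_root"
}

# Unquoted pattern: the shell performs pathname expansion against the
# current directory before the command ever runs.
# usage: unquoted_in <dir> <pattern>
unquoted_in() (
    cd "$1" || exit 1
    show_args $2
)

# Quoted pattern: the command receives the pattern verbatim, whatever the
# current directory contains.
# usage: quoted_in <dir> <pattern>
quoted_in() (
    cd "$1" || exit 1
    show_args "$2"
)

run_demo() {
    root=$(make_demo_tree) || return 1
    echo "unquoted, inside source tree : $(unquoted_in "$root/src" '*ltdl*')"
    echo "unquoted, nothing matches    : $(unquoted_in "$root/empty" '*ltdl*')"
    echo "quoted, inside source tree   : $(quoted_in "$root/src" '*ltdl*')"
    rm -rf "$root"
}

run_demo
```

Only the quoted form gives the same result in every directory, which is why a package query typed inside a source tree can silently search for a directory name instead of the pattern.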


Re: sqlcounters for traffic

2008-09-09 Thread tnt
Good it's sent in the reply to the nas! Thx
But the sqlcounter i setup was supposed to reset every hour, but
apparently doesn't...
Where can i take a look to find out why?

Check the sql query definition and value of reset in counter.conf.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 15:17 -0400, John Dennis wrote:

 
 I'm inclined to think for those people who wish to build from upstream
 they are better off using the autotools configure script included in
 the freeradius source distribution and not use rpm mechanisms 

Yes, but there are still packages that are part of the system that are
needed to build freeradius (or any other application). In this case,
since the freeradius packages that come with CentOS (and RHEL) are for a
very old version, and I'm doing this because I really want a feature
that is available only in the latest version (even Fedora 9 doesn't have
it yet), I build from freeradius source. But that doesn't mean I want
(or need) to build all the libraries that freeradius uses from source,
since the ones that come with the system are perfectly adequate for
that. It's just that as soon as you want to build something from source,
now you need the -devel packages that might not have been installed at
system install time. That's fine, I'm used to installing -devel packages
the first time I want to compile something from source. I just ran into
two issues: the first one was the thing with the wildcards happening to
match directory names in the freeradius source tree, so that yum
didn't find the packages. So my usual technique of running yum list
libtool* didn't list the devel packages because the wildcard matched
the libtool directory. So I couldn't figure out which -devel package I
needed. Quoting the wildcard or executing the command in a different
directory solves that. The second problem is that there are packages for
both i386 and x86_64 that are both available when running on an x86_64,
and the freeradius build craps out if it tries to link against the i386
version (invalid symbol format), so I actually had to remove the
-devel.i386 packages before the build could happen.

While this was on CentOS, I expect the same things could bite somebody
using RHEL (or any x86_64 system with yum).

--Greg


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 21:56 +0100, [EMAIL PROTECTED] wrote:

 but you chose to use the system stuff in the configure stage
 rather than the supplied version, yes?

Much of the time, by the time I get around to wanting to build
freeradius, it's been months since the server was installed, so I don't
really know what's installed on it unless I check. I do know that when
include files are not found, it might mean a -devel package needs to be
installed. I just ran into a couple of unusual problems doing that this
time.

--Greg



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,

 CentOS box for configure and make. Just a bit more of a pain than
 downloading a release tar file.

but thats the point...the stuff you want isnt in a release tar
just yet - a nightly tarball, i guess, would be what you would
prefer for this sort of action?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: another 2.1.0 compile error

2008-09-09 Thread A . L . M . Buxey
Hi,

 Much of the time, by the time I get around to wanting to build
 freeradius, it's been months since the server was installed, so I don't
 really know what's installed on it unless I check. I do know that when
 include files are not found, it might mean a -devel package needs to be
 installed. I just ran into a couple of unusual problems doing that this
 time.

- ah, what i meant was  ./configure --help   (you'll see a couple
of 'use our version rather than system version) things.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounters for traffic

2008-09-09 Thread tnt
here is the counter definition:
sqlcounter bytesQuota {
counter-name = traffic_quota
check-name = Max-Traffic
reply-name = Tmp-Integer-0
sqlmod-inst = mysqldb
key = User-Name
reset = hourly
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
radacct WHERE UserName='%{%k}'
}

sounds good to me... what could be the reason for noreset?


query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
radacct WHERE UserName='%{%k}'

You need to add to WHERE one of the statements using %b.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounters for traffic

2008-09-09 Thread Alexandre Chapellon


[EMAIL PROTECTED] wrote:
 here is the counter definition:
 sqlcounter bytesQuota {
counter-name = traffic_quota
check-name = Max-Traffic
reply-name = Tmp-Integer-0
sqlmod-inst = mysqldb
key = User-Name
reset = hourly
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 }

 sounds good to me... what could be the reason for noreset?

 

   
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 

 You need to add to WHERE one of the statements using %b.
   

Ouch, I didn't see that in the example queries... spank my ...!
 Ivan Kalik
 Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: sqlcounters for traffic

2008-09-09 Thread Alexandre Chapellon
so what's the use of the reset parameter if the sql query is managing it
all by its own?

Alexandre Chapellon wrote:


 [EMAIL PROTECTED] wrote:
 here is the counter definition:
 sqlcounter bytesQuota {
counter-name = traffic_quota
check-name = Max-Traffic
reply-name = Tmp-Integer-0
sqlmod-inst = mysqldb
key = User-Name
reset = hourly
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 }

 sounds good to me... what could be the reason for noreset?

 

   
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 

 You need to add to WHERE one of the statements using %b.
   

 Ouch, I didn't see that in the example queries... spank my ...!
 Ivan Kalik
 Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: another 2.1.0 compile error

2008-09-09 Thread Greg Woods
On Tue, 2008-09-09 at 22:48 +0100, [EMAIL PROTECTED] wrote:
  a nightly tarball, i guess, would be what you would
 prefer for this sort of action?

What I generally prefer is to wait for a stable release. For my own
needs, I could well have done that this time too. But in this case, Alan
asked me if I would try building the current pre-release. Since some of
the things supposedly fixed were compile problems on systems similar to
mine, I went ahead and went through the extra effort. Hopefully the
feedback provided from that was useful.

--Greg



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounters for traffic

2008-09-09 Thread tnt
reset parameter controls value of %b.

Ivan Kalik
Kalik Informatika ISP


On 9/9/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:

So what's the use of the reset parameter if the SQL query is managing it
all on its own?

Alexandre Chapellon wrote:


 [EMAIL PROTECTED] wrote:
 here is the counter definition:
 sqlcounter bytesQuota {
counter-name = traffic_quota
check-name = Max-Traffic
reply-name = Tmp-Integer-0
sqlmod-inst = mysqldb
key = User-Name
reset = hourly
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 }

 sounds good to me... what could be the reason for no reset?




query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'


 You need to add to WHERE one of the statements using %b.


 Ouch, I didn't see that in the example queries... spank my ...!
 Ivan Kalik
 Kalik Informatika ISP




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
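An added illustration of the point in the reply above (not written by any poster in this thread and not FreeRADIUS code): `reset` only sets the value substituted for `%b`, so a query with no `%b` condition keeps summing all accounting history. It assumes `%b` is the epoch start of the current reset period, uses SQLite with bound parameters in place of `%{%k}` and `%b`, aligns periods to UTC, and runs on constructed rows; `period_start`, `counter_value`, `open_radacct` and the epoch-valued `acctstarttime` column are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed accounting rows: (username, session start in UTC, in octets, out octets)
SAMPLE_SESSIONS = [
    ("alice", "2008-09-09 08:15:00", 400_000, 100_000),
    ("alice", "2008-09-09 09:40:00", 250_000, 50_000),
    ("alice", "2008-09-09 10:05:00", 30_000, 20_000),
    ("bob",   "2008-09-09 10:10:00", 7_000, 3_000),
]

def to_epoch(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return Unix time."""
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())

def period_start(now, reset):
    """Stand-in for %b (assumption): epoch start of the current reset period, UTC-aligned."""
    step = {"hourly": 3600, "daily": 86400}[reset]
    return now - (now % step)

def open_radacct():
    """Build an in-memory radacct table holding the constructed sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER,"
                 " acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)",
                     [(u, to_epoch(t), i, o) for u, t, i, o in SAMPLE_SESSIONS])
    return conn

def counter_value(conn, user, now, reset, bounded):
    """Octets counted for `user`; `bounded` adds the period condition that %b supplies."""
    sql = ("SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0)"
           " FROM radacct WHERE username = ?")
    args = [user]
    if bounded:
        # Only sessions started inside the current reset period are counted.
        sql += " AND acctstarttime > ?"
        args.append(period_start(now, reset))
    return conn.execute(sql, args).fetchone()[0]
```

A plain start-time condition like this one leaves out sessions that began before the period boundary, including their traffic after it.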


Re: another 2.1.0 compile error

2008-09-09 Thread Alan DeKok
Greg Woods wrote:
 Hopefully the feedback provided from that was useful.

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounters for traffic

2008-09-09 Thread Alexandre Chapellon
Looking at the source of rlm_sqlcounter I saw that when a user tries to
connect at a time close to the next reset time, the value of the
check-item for the next cycle is added to the reply item.
I'd like to avoid this behaviour for **some** of my users. Indeed I want
to use counters to count traffic and **not** time, while rlm_sqlcounter
decides it's close to reset time when check-item - counter (in my case:
bytes) is less than the number of seconds until reset time.

Can I disable this behaviour? How?


[EMAIL PROTECTED] wrote:
 reset parameter controls value of %b.

 Ivan Kalik
 Kalik Informatika ISP


 On 9/9/2008, Alexandre Chapellon [EMAIL PROTECTED] wrote:

 So what's the use of the reset parameter if the SQL query is managing it
 all on its own?

 Alexandre Chapellon wrote:

 [EMAIL PROTECTED] wrote:
   
 here is the counter definition:
 sqlcounter bytesQuota {
counter-name = traffic_quota
check-name = Max-Traffic
reply-name = Tmp-Integer-0
sqlmod-inst = mysqldb
key = User-Name
reset = hourly
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'
 }

 sounds good to me... what could be the reason for no reset?


   
 
query = SELECT SUM(acctinputoctets + acctoutputoctets) FROM
 radacct WHERE UserName='%{%k}'

   
 You need to add to WHERE one of the statements using %b.

 
 Ouch, I didn't see that in the example queries... spank my ...!
   
 Ivan Kalik
 Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
