Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread Alexandre Chapellon
I don't think your problem has anything to do with simultaneous-use checking... 
Indeed, when enabled, Sim-Use would REJECT NEW users trying to connect if the 
login used has reached the limit. What you say is that a new user (same login) 
disconnects the existing session... This sounds more like something with netscreen 
to me... e.g. it could be an IP allocation problem if managed by netscreen or 
something like this...
Maybe providing debug of query processing would be more useful than just the 
startup.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


free RADIUS client + CHAP + PAM

2008-11-20 Thread Vinay
Hi there

There are a lot of places on the net which talk about how PAM cannot
 work with CHAP on the RADIUS server.

Will an implementation of freeRADIUS client with CHAP and
PAM(pam_radius_auth) module work?
Please point me to the appropriate link.

Thanks
-Vinay


Problem in setting up radius database in sql

2008-11-20 Thread Saeed Akhtar
Hi all,

   I want to set up a radius database in mysql. I browsed through the wiki and
found an article, SQL How to http://wiki.freeradius.org/SQL_HOWTO . I
went through it step by step, and when at the last I tried to run radiusd ... I
ended up with the following error:

 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
  driver = rlm_sql_mysql
  server = localhost
  port = 
  login = root
  password = 123
  radius_db = radius
  read_groups = yes
  sqltrace = yes
  sqltracefile = /usr/local/var/log/radius/sqltrace.sql
  readclients = no
  deletestalesessions = yes
  num_sql_socks = 5
  sql_user_name = %{User-Name}
  default_user_profile = 
  nas_query = SELECT id,nasname,shortname,type,secret FROM nas
  authorize_check_query = SELECT id, UserName, Attribute, Value, op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
  authorize_reply_query = SELECT id, UserName, Attribute, Value, op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id
  authorize_group_check_query = SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
  authorize_group_reply_query = SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
  accounting_onoff_query = UPDATE radacct SET AcctStopTime='%S',
AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime = '%S'
  accounting_update_query = UPDATE radacct SET FramedIPAddress =
'%{Framed-IP-Address}', AcctSessionTime = '%{Acct-Session-Time}',
AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets =
'%{Acct-Output-Octets}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND
UserName = '%{SQL-User-Name}' AND NASIPAddress= '%{NAS-IP-Address}'
  accounting_update_query_alt = INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
%{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0')
  accounting_start_query = INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}',
'', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
'%{Acct-Delay-Time}', '0')
  accounting_start_query_alt = UPDATE radacct SET AcctStartTime = '%S',
AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}'
WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}'
  accounting_stop_query = UPDATE radacct SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
NASIPAddress = '%{NAS-IP-Address}'
  accounting_stop_query_alt = INSERT into radacct (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',

Re: Problem in setting up radius database in sql

2008-11-20 Thread Alexandre Chapellon
your freeradius seems to be compiled/installed without the mysql extensions 
rlm_sql_mysql


Fwd: Re:Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread Alexandre Chapellon
It seems like your NAS sends accounting Stop for the previous session (nas-port 
is different) after receiving the response of the accounting Start (for the 
new session)... this would show your NAS asks the radius to notice a 
disconnection it has decided...
I don't know how netscreen works, but neither Access-Accept nor Accounting 
request have any Framed-IP-Address or anything ppp related... looks strange to 
me. This can mean that whereas established, the vpn connection doesn't work (you 
can easily test this) or netscreen is managing ip allocation on its own, and so 
you should take a look at its config to see if it's able to offer different IP 
addresses for one login at the same time (If it tries to give everybody the 
same address, no doubt it won't work unless it disconnects the previous 
session)... Or you can ask freeradius to handle ip allocation, depending on 
your config


Re: PEAP-EAP-MD5 failure with freeradius-2.1.1

2008-11-20 Thread Prasad Parab
Hi Alan,

Thanks for the pointer to eapol_test.
I was able to test radius for PEAP.
It worked.

Regards
Prasad

On Tue, Nov 18, 2008 at 6:17 PM, Alan DeKok [EMAIL PROTECTED] wrote:

 Prasad Parab wrote:
  Hi Alan,
 
  Thanks for your reply.
  Basically I have a wireless adapter which has a utility supporting
  peap-eapmd5 on Windows XP service pack 2. Is there any way to know
  whether the supplicant is the problem in case of peap-eap-md5, as with
  the utility peap-eap-mschapv2 works. Setup as follows:

  Yes, we understand how wireless setups work.  Please stop posting the
 setup diagram in every message.  They don't help.

  Try another supplicant, such as eapol_test.  See my web site for
 instructions.  If eapol_test works and Windows doesn't, I'd say that
 Windows is broken.

  Alan DeKok.


Re: Problem in setting up radius database in sql

2008-11-20 Thread Saeed Akhtar
I'm sorry but how to compile/install it using mysql extensions
rlm_sql_mysql... can u plz guide me.. i cant find any help on internet.
Regards,

Saeed Akhtar



On Thu, Nov 20, 2008 at 1:43 PM, Alexandre Chapellon 
[EMAIL PROTECTED] wrote:

 your freeradius seems to be compiled/installed without the mysql extensions
 rlm_sql_mysql

Re: Problem in setting up radius database in sql

2008-11-20 Thread tnt
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F

Ivan Kalik
Kalik Informatika ISP


On 20/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote:

I'm sorry but how to compile/install it using mysql extensions
rlm_sql_mysql... can u plz guide me.. i cant find any help on internet.
Regards,

Saeed Akhtar



On Thu, Nov 20, 2008 at 1:43 PM, Alexandre Chapellon 
[EMAIL PROTECTED] wrote:

 your freeradius seems to be compiled/installed without the mysql extensions
 rlm_sql_mysql


Re:Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread tnt
Sending Access-Accept of id 148 to 10.249.59.188 port 2155
..
rad_recv: Accounting-Request packet from host 10.249.59.188 port 2155, id=149, 
length=78
Acct-Status-Type = Start
Acct-Session-Id = NS-004a
NAS-IP-Address = 10.249.59.188
NAS-Port = 74
NAS-Port-Type = Virtual
User-Name = qid0001
Acct-Delay-Time = 0
Acct-Authentic = RADIUS
..
rad_recv: Accounting-Request packet from host 10.249.59.188 port 2155, id=150, 
length=78
Acct-Status-Type = Stop
Acct-Session-Id = NS-0046
NAS-IP-Address = 10.249.59.188
NAS-Port = 70
NAS-Port-Type = Virtual
User-Name = qid0001
Acct-Delay-Time = 0
Acct-Authentic = RADIUS

Your implementation is quite questionable.

1. There is no Service-Type in access request or accept packets. Or any
VSA reply attribute in accept packet. Shouldn't there be some kind of
authorization there?

2. There is no IP address in the Start packet. Not that unusual when
radius doesn't provide it, but there is no update packet with the IP
address shortly after. Even if you hardcode the IP address on the client, NAS
should send an accounting update when the PPP connection is established.

3. There is no Acct-Session-Time or Acct-Termination-Cause in accounting
Stop packet, so it is impossible to say how long the session lasted and
why it was disconnected.

You should look up your NAS documentation to see if this is set up
properly. Then debug the NAS to see what is going on.

Ivan Kalik
Kalik Informatika ISP



RE: Problem in setting up radius database in sql

2008-11-20 Thread Saif Aadil

try 'yum install freeradius-mysql'

Date: Thu, 20 Nov 2008 13:15:42 +0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Problem in setting up radius database in sql

Hi all,
   I want to set up a radius database in mysql. I browsed through the wiki and
found an article, SQL How to http://wiki.freeradius.org/SQL_HOWTO . I
went through it step by step, and when at the last I tried to run radiusd ... I
ended up with the following error:

Re: Problem in setting up radius database in sql

2008-11-20 Thread Saeed Akhtar
I am using ubuntu 7.04 ... btw link sent by Ivan really worked . thanks
to all.
Regards,

Saeed Akhtar



On Thu, Nov 20, 2008 at 5:58 PM, Saif Aadil [EMAIL PROTECTED] wrote:

  try 'yum install freeradius-mysql'

 --
 Date: Thu, 20 Nov 2008 13:15:42 +0500
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Problem in setting up radius database in sql

 Hi all,
 I want to set up a radius database in mysql. I browsed through the wiki and
 found an article, SQL How to http://wiki.freeradius.org/SQL_HOWTO . I
 went through it step by step, and when at the last I tried to run radiusd ... I
 ended up with the following error:


Problems in TLS

2008-11-20 Thread Martin Silvero
Good day.

After testing several options, I got this error:

Does anyone have any suggestions?

thank you very much.





rad_recv: Access-Request packet from host 10.0.31.40 port 1645, id=1,
length=136
User-Name = user
Framed-MTU = 1400
Called-Station-Id = 0019.2fdb.9e00
Calling-Station-Id = 001f.3c22.44c5
Service-Type = Login-User
Message-Authenticator = 0xd3be97c3a6d121a5d734f193b7bf3870
EAP-Message = 0x020100090163657274
NAS-Port-Type = Wireless-802.11
NAS-Port = 257
NAS-IP-Address = 10.8.31.40
NAS-Identifier = ap-p
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry cert at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.0.31.40 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x6fe46b926fe66623314da1f26c728696
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +152067
Ready to process requests.

EAP-SIM

2008-11-20 Thread Fernando

Hi all,

I'm trying to configure a basic scenario for EAP-SIM using 
wpa_supplicant as client, hostapd as access point and freeradius 
as AAA server.


So, I don't know how to configure EAP-SIM in freeradius as the default EAP 
method.


Could somebody provide me with a configuration for freeradius?

Thanks,
Fernando.


Re:Re: Problem in setting up radius database in sql

2008-11-20 Thread dgluoyun
I install the freeradius and mysql with the rpm packages, in the default way. 
nothing special to mention. 
 

On 2008-11-20, Saeed Akhtar [EMAIL PROTECTED] wrote:
I'm sorry but how to compile/install it using mysql extensions rlm_sql_mysql... 
can u plz guide me.. i cant find any help on internet.
Regards,

Saeed Akhtar




On Thu, Nov 20, 2008 at 1:43 PM, Alexandre Chapellon [EMAIL PROTECTED] wrote:
your freeradius seems to be compiled/installed without the mysql extensions 
rlm_sql_mysql

Re: Problems in TLS

2008-11-20 Thread Alan DeKok
Martin Silvero wrote:
 Good day.
 
 After testing several options, I got this error:
 
 Does anyone have any suggestions?

  The NAS or the supplicant is ignoring the response from the RADIUS
server.  Go fix them.

  Alan DeKok.


Re: Setting VLAN based on Certificate Issuer

2008-11-20 Thread Alan DeKok
Edgar Fuß wrote:
 I thought this was a FAQ but apparently it isn't.
 
 I have an 1.1.7 FreeRADIUS server up and running with EAP/TLS.
 Now, I would like to put clients into different VLANs based on who signed
 their certificate.
 Is there a way to set the Tunnel-Private-Group-Id attribute based on the
 certificate issuer? Is the Rlm_eap module able to export any information
 on the certificate chain?
 
 Switching to 2.1.1 wouldn't be a problem for me I suppose.

  This isn't supported right now.  There is no way to access the
certificate chain.

  There were some patches to enable some of this, but they haven't been
integrated into the server.

  Alan DeKok.


Re: How possible is this???

2008-11-20 Thread Alan DeKok
Martin MacLeod-Brown wrote:
 My current thinking for our wired network is to add the MAC-addresses of
 all our desktop machines (2500 PC/laptops) into LDAP with the
 MAC-address being both the user name and password. 
 We would then try FreeRadius and MAC-Authentication - how feasible is
 this and are there any gotcha's?

  It's simple.  I would suggest the following.  Turn on MAC
authentication on the switches, BUT configure FreeRADIUS to allow any
MAC.  Then, also make it log the MACs.

  After a week or so, add all of the MACs to the LDAP database, and
enable real MAC authentication.

 Import the Mac addresses into LDAP
 List the IP of all our edge switches in clients.conf
 Configure the shared secret
 Configure radiusd.conf to talk to the LDAP server - partially done
 Set up switches to query the radius server
 
 Are there any good how-to's on radius and mac-auth?

  Nope.  Just configure the username & password as the MAC address (if
that's what you see in the packet).

 We are looking to keep things as simple as possible so we can get used
 to using radius, before thinking about deploying 802.1x and I am
 desperate to avoid having to use IAS

  IAS has a lot fewer features than FreeRADIUS.

  Alan DeKok.


/etc/shadow

2008-11-20 Thread Norman Zhang
My current radius installation permits radius daemon read-only access to 
/etc/shadow. But this introduces security risks.


-rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow

I have been told to consider a MySQL back-end. Is there a way to pull the 
existing local users/passwords into MySQL? Or do I have to recreate every user 
plus password in MySQL?


Norman



Re: /etc/shadow

2008-11-20 Thread Alan DeKok
Norman Zhang wrote:
 My current radius installation permits radius daemon read-only access to
 /etc/shadow. But this introduces security risks.

  Such as?

 -rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow
 
 I have been told to consider MySQL back-end. Is there a way to pull the
 existing local users/passwords in MySQL? Or I have recreate every user
 plus password in MySQL?

  You can manually write a program that runs as root to pull
user/password information from /etc/shadow, and copy it to an SQL database.

  But you will be providing the RADIUS server with... access to the
username & password.  Which is what happens when you let it read
/etc/shadow.

  i.e. If you're worried about letting your RADIUS server read
/etc/shadow, you shouldn't be giving it *any* information about users or
passwords.

  Alan DeKok.
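
Added example (not from the original thread): a sketch in Python of the root-run migration program described in the reply above. It parses shadow-format lines and loads the usable hashes into a radcheck table shaped like the one in the queries earlier on this page; the Crypt-Password attribute with op `:=`, the skipped `root` account, the sample entries and the in-memory SQLite database standing in for MySQL are assumptions of this example.

```python
import sqlite3

# Constructed sample in /etc/shadow format (name:hash:lastchg:min:max:warn:...).
# The hash strings are made-up placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$CONSTRUCT$placeholderhash0000000:14200:0:99999:7:::
alice:$1$CONSTRUCT$placeholderhash0000001:14203:0:99999:7:::
bob:!$1$CONSTRUCT$placeholderhash0000002:14203:0:99999:7:::
daemon:*:14200:0:99999:7:::
carol::14203:0:99999:7:::
line-without-any-colon
"""

# Same columns the page's authorize_check_query selects from radcheck.
RADCHECK_DDL = """
CREATE TABLE IF NOT EXISTS radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    Value     TEXT NOT NULL,
    op        TEXT NOT NULL
)"""


def parse_shadow(text, skip_users=("root",)):
    """Return [(username, crypt_hash)] for accounts that have a usable hash."""
    usable = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue                      # blank or malformed line
        name, pw = fields[0], fields[1]
        if name in skip_users:
            continue                      # assumption: system accounts stay local
        if not pw or pw[0] in "!*":
            continue                      # empty, locked or login-disabled account
        usable.append((name, pw))
    return usable


def load_radcheck(conn, entries):
    """Insert one Crypt-Password row per user, replacing any earlier one."""
    conn.execute(RADCHECK_DDL)
    for user, pw_hash in entries:
        # Bound parameters keep odd characters in names or hashes out of the SQL.
        conn.execute(
            "DELETE FROM radcheck WHERE UserName = ? AND Attribute = 'Crypt-Password'",
            (user,),
        )
        conn.execute(
            "INSERT INTO radcheck (UserName, Attribute, Value, op) "
            "VALUES (?, 'Crypt-Password', ?, ':=')",
            (user, pw_hash),
        )
    conn.commit()
    return conn.execute(
        "SELECT UserName, Attribute, op, Value FROM radcheck ORDER BY id"
    ).fetchall()


def run_demo():
    """Load the sample twice to show that a re-run does not duplicate rows."""
    conn = sqlite3.connect(":memory:")    # stand-in for the MySQL radius database
    entries = parse_shadow(SAMPLE_SHADOW)
    load_radcheck(conn, entries)
    return load_radcheck(conn, entries)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

As the reply above points out, the radcheck table then holds the same hashes as /etc/shadow, so access to the database needs the same care as the file.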


New entry for Interim packet

2008-11-20 Thread Tony Spencer
Hello

Our setup is as follows:

Centos 5.2
FreeRADIUS Version 2.0.2
MySQL Version: 4.1.20

We are using FreeRadius for our ADSL users and it's working fine.
Except when it comes to working out the usage stats for each user at the end
of each month.
It's easy to do with all sessions that started in the previous month and have
a Stop status.
But it's difficult when a session rolled over to the next month because the
status is Alive.

We're trying to find a way to make FreeRadius:

Enter a new entry into the Radacct table for a session for an Interim update
Mark the previous session with a stop Status and update the OctetsIn and
OctetsOut for that session with the current value.
Set the new session OctetsIn and OctetsOut at zero until the next update and
then it starts from the beginning again.

However we can't find a way of making FreeRadius:

Run 2 sql statements in the same update.
Set the new session counter to zero and not roll over the next updates
Octets.

We have found the following site:
http://www.netexpertise.eu/en/freeradius/daily-accounting.html with a way of
doing this within MySQL with procedures, but apparently this only works with
MySQL 5.

Having installed MySQL 5 on a test server and importing our Radius database
we tried running the first procedure but get an error:

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DECLARE COUNTER_LIMIT BIGINT(12)' at line 1

mysql   SET COUNTER_LIMIT = POW(2,32);

ERROR 1193 (HY000): Unknown system variable 'COUNTER_LIMIT

Has anyone any ideas on how to do what we require or has anyone had any luck
with the instructions on the URL?

Thanks in advance.

 

Tony
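
Added example (not part of the original post, and not the procedure from the linked site): one way to get per-month totals without splitting radacct rows is to add up the difference between consecutive counter readings and book each difference to the month the update arrived in. The session id, user name and readings are constructed; COUNTER_LIMIT mirrors the POW(2,32) in the post, and the code assumes a counter wraps at most once between two updates.

```python
from collections import defaultdict
from datetime import datetime

COUNTER_LIMIT = 2 ** 32   # 32-bit octet counters, the POW(2,32) from the post

# Constructed interim/stop readings for one long-running session:
# (session id, user, time the update arrived, input octets, output octets)
SAMPLE_UPDATES = [
    ("sess-0001", "adsl-user", datetime(2008, 10, 30, 12, 0), 1_000_000_000, 200_000_000),
    ("sess-0001", "adsl-user", datetime(2008, 10, 31, 23, 50), 4_000_000_000, 500_000_000),
    # Input counter is lower than the previous reading: it wrapped past 2**32.
    ("sess-0001", "adsl-user", datetime(2008, 11, 1, 0, 50), 100_000_000, 600_000_000),
    ("sess-0001", "adsl-user", datetime(2008, 11, 2, 9, 0), 300_000_000, 700_000_000),
]


def counter_delta(prev, cur):
    """Octets transferred between two readings of a wrapping 32-bit counter."""
    if cur >= prev:
        return cur - prev
    return cur + COUNTER_LIMIT - prev     # single wrap assumed


def monthly_usage(updates):
    """Sum per-update deltas into {(user, 'YYYY-MM'): (in_octets, out_octets)}.

    Updates must be in arrival order. A delta is booked to the month in which
    the update arrived, so the split at a month boundary is only as precise as
    the interim interval.
    """
    last_seen = {}                        # session id -> last (in, out) reading
    totals = defaultdict(lambda: [0, 0])
    for session_id, user, arrived, octets_in, octets_out in updates:
        prev_in, prev_out = last_seen.get(session_id, (0, 0))
        month = arrived.strftime("%Y-%m")
        totals[(user, month)][0] += counter_delta(prev_in, octets_in)
        totals[(user, month)][1] += counter_delta(prev_out, octets_out)
        last_seen[session_id] = (octets_in, octets_out)
    return {key: tuple(value) for key, value in totals.items()}


if __name__ == "__main__":
    for (user, month), (o_in, o_out) in sorted(monthly_usage(SAMPLE_UPDATES).items()):
        print(user, month, "in:", o_in, "out:", o_out)
```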

 

 


Make error

2008-11-20 Thread Olavo
Hello all,
 
 I am trying again with this issue hoping that someone can take a look at
it. I am trying to compile on a RedHat ES5, 64 bits.
 
Any help will be very much appreciated.
 
thanks
 
Olavo
 
Hi again,

It didn't make . It has returned errors. 

 

.libs/radmin.o: In function `main':
/usr/src/freeradius-server-2.1.1/src/main/radmin.c:489: undefined reference to `readline'
/usr/src/freeradius-server-2.1.1/src/main/radmin.c:411: undefined reference to `using_history'
/usr/src/freeradius-server-2.1.1/src/main/radmin.c:412: undefined reference to `rl_insert'
/usr/src/freeradius-server-2.1.1/src/main/radmin.c:412: undefined reference to `rl_bind_key'
/usr/src/freeradius-server-2.1.1/src/main/radmin.c:498: undefined reference to `add_history'
collect2: ld returned 1 exit status
gmake[4]: *** [radmin] Error 1
gmake[4]: Leaving directory `/usr/src/freeradius-server-2.1.1/src/main'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/usr/src/freeradius-server-2.1.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/src/freeradius-server-2.1.1/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/usr/src/freeradius-server-2.1.1'
make: *** [all] Error 2

 

 

Olavo

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
 Sent: Wednesday, November 19, 2008 1:14 PM
 To: FreeRadius users mailing list
 Subject: Re: configure error

 Olavo wrote:
  I downloaded version 2.1 from http://freeradius.org/download.html .
  When configuring ( ./configure) I got several errors on config.log.

 The only reason to look at that file is to debug the
 configure scripts. The log is SUPPOSED to be full of
 errors, because it's testing for platforms other than the one
 you're using.

 Don't look at it.

 Perhaps you could explain if there are *other* errors.
 Like maybe you're trying to do something... ? Right now, all
 it looks like is you're trying to understand the contents of
 config.log, which is a complete waste of time.

 Alan DeKok.


Re: /etc/shadow

2008-11-20 Thread Norman Zhang

Alan DeKok wrote:

Norman Zhang wrote:

My current radius installation permits radius daemon read-only access to
/etc/shadow. But this introduces security risks.


  Such as?


-rw-r--r--  1 root root 6514 Nov 18 16:52 /etc/shadow

I have been told to consider MySQL back-end. Is there a way to pull the
existing local users/passwords in MySQL? Or I have recreate every user
plus password in MySQL?


  You can manually write a program that runs as root to pull
user/password information from /etc/shadow, and copy it to an SQL database.

  But you will be providing the RADIUS server with... access to the
username & password.  Which is what happens when you let it read
/etc/shadow.

  i.e. If you're worried about letting your RADIUS server read
/etc/shadow, you shouldn't be giving it *any* information about users or
passwords.


Good point. I guess the security risk is to do with granting others +r 
access to /etc/shadow. Maybe I can


chgrp shadow /etc/shadow

and changing radius.conf to

user = radius
group = shadow

would do the trick.

Norman



Re: /etc/shadow

2008-11-20 Thread Alan DeKok
Norman Zhang wrote:
 Good point. I guess the security risk is to do with granting others +r
 access to /etc/shadow. Maybe I can
 
 chgrp shadow /etc/shadow
 
 and changing radius.conf to
 
 user = radius
 group = shadow
 
 would do the trick.

  Which is recommended in the comments in radiusd.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
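The permission question in this thread, as an added example (not code from the list or from FreeRADIUS): given the mode and ownership of /etc/shadow and the user/group lines from radiusd.conf, it reports whether the file is readable by everyone and whether the daemon identity can read it at all. The function names and finding codes are made up for the illustration, and the daemon's supplementary groups are ignored.

```python
import re
import stat

# Constructed sample: the two settings quoted in the thread, in radiusd.conf syntax.
SAMPLE_CONF = """\
# identity the daemon switches to after start-up
user = radius
group = shadow
"""


def daemon_identity(conf_text):
    """Return (user, group) from top-level 'user = x' / 'group = x' lines."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]              # drop comments
        m = re.match(r"\s*(user|group)\s*=\s*(\S+)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found.get("user"), found.get("group")


def audit_shadow(mode, owner, group, daemon_user, daemon_group):
    """Return finding codes for a shadow file with the given permission
    bits and owner/group names, read by daemon_user:daemon_group."""
    findings = []
    if mode & stat.S_IROTH:
        # Every local account, not only the daemon, can read the hashes.
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-non-owner")
    if daemon_user == "root":
        findings.append("daemon-runs-as-root")
        return findings                           # root bypasses the mode bits
    # Unix applies exactly one permission class: owner, else group, else other.
    if daemon_user == owner:
        readable = mode & stat.S_IRUSR
    elif daemon_group == group:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    if not readable:
        findings.append("daemon-cannot-read")
    return findings


def audit_path(path, conf_text):
    """Audit a real file (Unix only; the caller must be able to stat it)."""
    import grp
    import os
    import pwd
    st = os.stat(path)
    user, group = daemon_identity(conf_text)
    return audit_shadow(stat.S_IMODE(st.st_mode),
                        pwd.getpwuid(st.st_uid).pw_name,
                        grp.getgrgid(st.st_gid).gr_name,
                        user, group)


if __name__ == "__main__":
    user, group = daemon_identity(SAMPLE_CONF)
    # The listing posted in the thread: -rw-r--r-- root root
    print(audit_shadow(0o644, "root", "root", user, group))
    # After chgrp shadow and chmod 640
    print(audit_shadow(0o640, "root", "shadow", user, group))
```
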


Re: New entry for Interim packet

2008-11-20 Thread tnt
Except when it comes to working out the usage stats for each user at the end
of each month.

It's easy to do with all sessions that started in the previous month and have
a Stop status.

But it's difficult when a session rolled over to the next month because the
status is Alive.

We're trying to find a way to make FreeRadius:



Enter a new entry into the Radacct table for a session for an Interim update

Mark the previous session with a stop Status and update the OctetsIn and
OctetsOut for that session with the current value.


You can't do that on the radius server. Accounting is done by the NAS
and it decides when session starts and ends - radius just receives that
information. You can do that but it will get undone when next accounting
packet with same accounting id arrives.

If you are such a nasty provider that won't allow users to roll over
unused allowance into the next period even during the existing session -
simply disconnect them at the time the counter resets (use Login-Time on
users connecting on the last day for instance). Be nasty to the end!

If you are prepared to be sensible you should try maths rather than
discontinuing sessions. Estimate the usage (if it doesn't *have* to be
exact) for the time the session ran into the new period and deduct that
from the counter limit for each such user.

Or be kind to your users and - ignore it.

Ivan Kalik
Kalik Informatika ISP



Re: Make error

2008-11-20 Thread Alan DeKok
Olavo wrote:
  I am trying again with this issue hoping that someone can take a look
 at it. I am trying to compile on a RedHat ES5, 64 bits.

  Ah.  You probably have 32-bit versions of -lreadline, but not 64-bit
versions.

  Alan DeKok.


Re: EAP-SIM

2008-11-20 Thread tnt
So, I don't know how to configure EAP-SIM in freeradius as default EAP
method.


Don't bother. Whatever is the default method, it will get changed to sim
during the negotiation. AFAIK EAP-SIM is supported by default. Add:

sim {
}

to eap.conf supported eap types (like entries for md5 and leap).

Ivan Kalik
Kalik Informatika ISP



Re: New entry for Interim packet

2008-11-20 Thread Marinko Tarlac
Create CRON script which starts 5-10 min after midnight (first day in 
the month) and disconnect all active users. Then you will have 
AcctStopTime information in your database and you can sum traffic from 
previous month...




RE: Make error

2008-11-20 Thread Olavo
Hi,

Actually after I get the errors I have tried to rpm -e
readline-devel-5.1-1.1 --allmatches like another user did and it worked.

Then checking my system I can see both libraries 32 and 64

/usr/include/readline
/usr/include/mysql/readline.h
/usr/lib/libreadline.a
/usr/lib/libreadline.so
/usr/lib/libreadline.so.5
/usr/lib/libreadline.so.5.1
/usr/lib/perl5/site_perl/5.8.8/POE/Test/Loops/wheel_readline.pm
/usr/lib64/libreadline.a
/usr/lib64/libreadline.so
/usr/lib64/libreadline.so.5
/usr/lib64/libreadline.so.5.1

Is there a way to change the MakeFile and direct it to find the correct
libraries ?


Thanks

Olavo




RE: New entry for Interim packet

2008-11-20 Thread Tony Spencer


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: 20 November 2008 18:30
 To: FreeRadius users mailing list
 Subject: Re: New entry for Interim packet

 Except when it comes to working out the usage stats for each user at the
 end of each month.

 It's easy to do with all sessions that started in the previous month and
 have a Stop status.

 But it's difficult when a session rolled over to the next month because
 the status is Alive.

 We're trying to find a way to make FreeRadius:

 Enter a new entry into the Radacct table for a session for an Interim
 update

 Mark the previous session with a stop Status and update the OctetsIn and
 OctetsOut for that session with the current value.
 
 
 You can't do that on the radius server. Accounting is done by the NAS
 and it decides when session starts and ends - radius just receives that
 information. You can do that but it will get undone when next accounting
 packet with same accounting id arrives.
 
 If you are such a nasty provider that won't allow users to roll over
 unused allowance into the next period even during the existing session -
 simply disconnect them at the time the counter resets (use Login-Time on
 users connecting on the last day for instance). Be nasty to the end!
 

It's not about being a nasty provider.
It's about ensuring users pay for what they use and between them pushing out
bandwidth costs higher than what users pay us each month.


 If you are prepared to be sensible you should try maths rather than
 discontinuing sessions. Estimate the usage (if it doesn't *have* to be
 exact) for the time the session ran into the new period and deduct that
 from the counter limit for each such user.
 

I don't think disconnecting about 4,000 users is an ideal solution.

 Or be kind to your users and - ignore it.
 
 Ivan Kalik
 Kalik Informatika ISP
 


RE: New entry for Interim packet

2008-11-20 Thread Tony Spencer
I'd rather not disconnect 4,000 users in one go.



Re: Make error

2008-11-20 Thread Alan DeKok
Olavo wrote:
 Is there a way to change the MakeFile and direct it to find the correct
 libraries ?

  No.  The issue is that the configure script asks the linker on your
system to do something... and the linker's behavior is different for
configure and for make.

  Alan DeKok.


RE: Make error

2008-11-20 Thread Olavo
Any suggestions ?

Olavo

 

 
 
 




oracle stored procédure

2008-11-20 Thread Alexandre Chapellon
I'm still trying to set up freeradius authentication with an oracle stored
procedure.
I have a procedure that returns data as I expected it to be returned in
an sqlplus client:


SQL> SELECT hss_radcheck_func('[EMAIL PROTECTED]','bas3_SE') FROM DUAL;

HSS_RADCHECK_FUNC('K

CURSOR STATEMENT : 1

CURSOR STATEMENT : 1

ID USERNAME          ATTRIBUTES         VALUE    OP
-- ----------------- ------------------ -------- --
 1 [EMAIL PROTECTED] Cleartest-Password mudafuka ==
 2 [EMAIL PROTECTED] Simultaneous_Use   1        :=


Unfortunately, when freeradius calls the procedure, it gives me an error
saying:

rlm_sql_oracle: fetch failed in sql_fetch_row: ORA-00932: inconsistent
datatypes: expected CHAR got DTYCWD

What is weird is that we force the procedure to return data as CHAR
(except for ID which is a NUMBER):
here is the end of the procedure...

OPEN resultSet FOR
SELECT to_number('1') as ID,
   to_char(name) as username,
   to_char('Cleartest-Password') as attributes,
   to_char(password) as value,
   to_char('==') as operator
FROM dual
union
SELECT to_number('2') as ID,
   to_char(name) as username,
   to_char('Simultaneous_Use') as attributes,
   to_char(loginlimit) as value,
   to_char(':=') as operator
FROM dual

return resultSet;

I know this is very Oracle related but I am totally stuck now with this
problem, and so trying to find help where I can...
Someone who has already set up oracle auth may help

thx


FreeRADIUS + Cisco Aironet WAP

2008-11-20 Thread Tim Gustafson
Hey,

I know this is a bit off-topic, but I was wondering if anyone on the list might 
be able to help with configuring a Cisco Aironet WAP to authenticate wireless 
users against a FreeRADIUS server?

Thanks in advance!

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



RE: Make error

2008-11-20 Thread Olavo
Does anybody know about any Linux distro 64 bits that Freeradius will work
for sure ?

Thanks

Olavo
 
 
 




Re: New entry for Interim packet

2008-11-20 Thread Leigh Martell
Hello Tony,
  If you set your interim update to 5 or 10min you could then run a script at
midnight to send accounting packets to finalize it in the MySQL DB with the
Acct-Terminate-Cause = Admin-Reset; so next interim packet radius will
automatically start a new one. Now here is where it can get tricky, radius
will not reset the counter in this case but you could write a script to fire
at accounting stop or monthly to subtract the previous month's last
accounting packet with Termination cause Admin-Reset from the first
accounting packet of the current month...sorry if I am rambling but this will
work without a huge discrepancy; please be careful and write your script
conditions properly (ie: don't subtract from an accounting packet that came
on the first past 12:30am).

Here is an example of a nightly close-session script I run to clean up stale
sessions.

#!/usr/bin/perl
# Nightly job: find radacct rows that never received a Stop and send an
# Accounting-Request (Stop, Admin-Reset) for each one to the local server.
use Authen::Radius;
use DBI;
use DateTime;
use DateTime::Format::Strptime;
getopen();

sub connect_db {
    local($radius_name,$radius_user,$radius_passwd) = @_;
    $connect_name = "connect to db";
    $dbh_radius = DBI->connect("DBI:mysql:$radius_name:localhost",
        $radius_user, $radius_passwd);
    if(!$dbh_radius) {
        # The handle is undefined on failure, so report $DBI::errstr
        print "Error $connect_name: Cannot connect to $radius_name - $DBI::errstr\n";
        exit 2;
    }
}

sub disconnect_db {
    $dbh_radius->disconnect();
    return 1;
}

sub getopen {
    $radius_name = "radiusdb";
    $radius_user = "username";
    $radius_passwd = "password";
    my $dtn = DateTime->now();
    $date = $dtn->ymd . "%";
    connect_db($radius_name,$radius_user,$radius_passwd);
    # Sessions with no stop time that did not start today
    $qAccount = qq{SELECT * FROM radacct WHERE AcctStopTime =
        \'0000-00-00 00:00:00\' AND AcctStartTime NOT LIKE \'$date\'};
    $sth = $dbh_radius->prepare($qAccount);
    $sth->execute() or warn "ERROR IN EXECUTE";
    if (! defined($sth->rows()) || $sth->rows() == 0 ) {
        print "NO OPEN SESSIONS\n";
        exit 2;
    }
    $i = 0;
    while ($i < $sth->rows) {
        $test = $sth->fetchrow_hashref();
        $nasport=$test->{NASPortId};
        $username=$test->{UserName};
        $nasporttype=$test->{NASPortType};
        # Never report a zero-length session
        if ($test->{AcctSessionTime} eq 0) {
            $acctime=1;
        } else {
            $acctime=$test->{AcctSessionTime};
        }
        $uniqueid=$test->{AcctUniqueId};
        $inoctets=$test->{AcctInputOctets};
        $outoctets=$test->{AcctOutputOctets};
        $nasip=$test->{NASIPAddress};
        $nasid=$test->{NasIdentifier};
        $callid=$test->{CallingStationId};
        $calledid=$test->{CalledStationId};
        $sessid=$test->{AcctSessionId};
        $authtype=$test->{AcctAuthentic};
        $framedip=$test->{FramedIPAddress};
        $realm=$test->{Realm};
        $acctstart=$test->{AcctStartTime};
        my $parser =
            DateTime::Format::Strptime->new( pattern => '%Y-%m-%d %H:%M:%S' );

        my $dt = $parser->parse_datetime($acctstart);
        my $dtn = DateTime->now();
        # Time since the last recorded activity of the session
        $delay = ($dtn->epoch() - $dt->epoch()) -
            $test->{AcctSessionTime};
        print "=\n";
        print "RadAcctId: $test->{RadAcctId}\n";
        print "UserName: $test->{UserName}\n";
        print "AcctStart: " . $dt->ymd . ' ' . $dt->hms . "\n";
        print "AcctStop: " . $dtn->ymd . ' ' . $dtn->hms . "\n";
        print "AcctSessionTime: $acctime \n";
        print "AcctStopDelay: $delay\n";
        radsend();
        sleep 1;
        $i++;
    }
    $sth->finish();
    disconnect_db();
}


sub radsend {
    my $r = new Authen::Radius(Host => 'localhost:1813', Service =>
        'radacct', Secret => 'SHARESECRET');
    Authen::Radius->load_dictionary('/usr/share/freeradius/dictionary');
    $r->clear_attributes;
    $r->add_attributes (
        { Name => 'User-Name', Value => $username},
        { Name => 'NAS-Port', Value => $nasport},
        { Name => 'NAS-Port-Type', Value => $nasporttype},
        { Name => 'Acct-Session-Time', Value => $acctime},
        { Name => 'Acct-Unique-Session-Id', Value => $uniqueid},
        { Name => 'Acct-Input-Octets', Value => $inoctets},
        { Name => 'Acct-Output-Octets', Value => $outoctets},
        { Name => 'Acct-Terminate-Cause', Value => 'Admin-Reset'},
        { Name => 'Acct-Status-Type', Value => 'Stop' },
        { Name => 'NAS-IP-Address', Value => $nasip},
        { Name => 'NAS-Identifier', Value => $nasid },
        { Name => 'Calling-Station-Id', Value => $callid },
        { Name => 'Called-Station-Id', Value => $calledid },
        { Name => 'Acct-Delay-Time', Value => $delay },
    );
    # The archived post is cut off after the attribute above. Closing the
    # list and sending the request is a minimal completion, not the
    # poster's original lines.
    $r->send_packet(ACCOUNTING_REQUEST);
}
  

Re[2]: Make error

2008-11-20 Thread NiTr0
Hello, Olavo.

You wrote on 20 November 2008, 22:38:10:

 Does anybody know about any Linux distro 64 bits that Freeradius will work
 for sure ?

In spring I compiled 2.0.1 on Fedora core 8 - all was OK. Or just use
gentoo - it has 2.0.5 in portage tree marked as stable and 2.1.1
marked as untested.



RE: Make error

2008-11-20 Thread Greg Woods
On Thu, 2008-11-20 at 12:38 -0800, Olavo wrote:
 Does anybody know about any Linux distro 64 bits that Freeradius will work
 for sure ?

I am using it on CentOS 5.2 x86_64. The freeradius package that comes
with CentOS 5 is old though, I compiled freeradius from source.

--Greg




Re: New entry for Interim packet

2008-11-20 Thread Marinko Tarlac

Then create script for virtual disconnection :)

Tony Spencer wrote:

I'd rather not disconnect 4,000 users in one go.

  



Re: FreeRADIUS + Cisco Aironet WAP

2008-11-20 Thread Leigh Martell
I can try, I need a little more detail; Model?(1100,1200) and what method of
authentication were you thinking?

--
Leigh

On Thu, Nov 20, 2008 at 3:02 PM, Tim Gustafson [EMAIL PROTECTED] wrote:

 Hey,

 I know this is a bit off-topic, but I was wondering if anyone on the list
 might be able to help with configuring a Cisco Aironet WAP to authenticate
 wireless users against a FreeRADIUS server?

 Thanks in advance!

 Tim Gustafson
 SOE Webmaster
 UC Santa Cruz
 [EMAIL PROTECTED]
 831-459-5354


RE: New entry for Interim packet

2008-11-20 Thread tnt
 If you are such a nasty provider that won't allow users to roll over
 unused allowance into the next period even during the existing session -
 simply disconnect them at the time the counter resets (use Login-Time on
 users connecting on the last day for instance). Be nasty to the end!


It's not about being a nasty provider.
It's about ensuring users pay for what they use and between them pushing out
bandwidth costs higher than what users pay us each month.


It is being nasty, my friend. Let's say you have sold them 5GB for the
month. They used 4GB. And you won't let them use the portion of 1GB
that was left over even if they are on line when counter resets. They
could easily see that as a rip off.

 If you are prepared to be sensible you should try maths rather than
 discontinuing sessions. Estimate the usage (if it doesn't *have* to be
 exact) for the time the session ran into the new period and deduct that
 from the counter limit for each such user.


I don't think disconnecting about 4,000 users is an ideal solution.


Well, tough. You can't break sessions without disconnecting users. Maths
it is then.

You can run a perl script on Stop packets that will adjust counter check
attribute value if the counter was reset during the session. This should
work with default counter value in radgroupcheck and individual in
radcheck (group attribute takes precedence but this can be fixed with a
little bit of unlang gymnastics). You will need to wipe those in
radcheck when counter resets next month.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
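The "maths" approach from this message and the counter subtraction Leigh Martell describes, as an added example (not code from the list or from FreeRADIUS): it splits one session's cumulative octet readings by calendar month and allows for one 32-bit wrap between readings, the POW(2,32) COUNTER_LIMIT in Tony's message. Dividing the reading that straddles midnight in proportion to elapsed time is an assumption made here; the sample readings and function names are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Acct-Input-Octets / Acct-Output-Octets are 32-bit counters, which is why
# the procedure quoted in the thread sets COUNTER_LIMIT = POW(2,32).
COUNTER_LIMIT = 2 ** 32


def counter_delta(prev, cur, limit=COUNTER_LIMIT):
    """Octets moved between two cumulative readings, allowing ONE wrap.
    More than one wrap between readings cannot be detected this way."""
    if not (0 <= prev < limit and 0 <= cur < limit):
        raise ValueError("reading outside counter range")
    return cur - prev if cur >= prev else cur + limit - prev


def next_month_start(ts):
    """First instant of the month after ts."""
    return datetime(ts.year + (ts.month == 12), ts.month % 12 + 1, 1)


def usage_by_month(samples):
    """samples: (datetime, cumulative_octets) readings for ONE session,
    i.e. its Start (0 octets), Interim-Update and Stop records.
    Returns {"YYYY-MM": octets}; no session is closed or restarted."""
    usage = defaultdict(int)
    ordered = sorted(samples, key=lambda s: s[0])
    for (t0, c0), (t1, c1) in zip(ordered, ordered[1:]):
        delta = counter_delta(c0, c1)
        span = int((t1 - t0).total_seconds())
        start, remaining = t0, delta
        while True:
            boundary = next_month_start(start)
            if boundary >= t1 or span == 0:
                # Interval ends inside this month: it gets what is left.
                usage[start.strftime("%Y-%m")] += remaining
                break
            # Interval crosses a month boundary: estimate the split by time.
            share = delta * int((boundary - start).total_seconds()) // span
            usage[start.strftime("%Y-%m")] += share
            remaining -= share
            start = boundary
    return dict(usage)


# Constructed readings: 2-hour interim updates across the Nov/Dec boundary,
# with the counter wrapping between the second and third reading.
SAMPLES = [
    (datetime(2008, 11, 30, 21, 0), 0),
    (datetime(2008, 11, 30, 23, 0), 4_294_000_000),
    (datetime(2008, 12, 1, 1, 0), 1_032_704),
    (datetime(2008, 12, 1, 3, 0), 5_032_704),
]

if __name__ == "__main__":
    for month, octets in sorted(usage_by_month(SAMPLES).items()):
        print(month, octets)
```

A user's monthly total is the sum of these per-session figures over all of that user's sessions.
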


Re: oracle stored procédure

2008-11-20 Thread tnt
Try fixing obvious errors:

   to_char('Cleartest-Password') as attributes,

Cleartext-Password

   to_char(password) as value,
   to_char('==') as operator

should be :=

FROM dual
union
SELECT to_number('2') as ID,
   to_char(name) as username,
   to_char('Simultaneous_Use') as attributes,

Simultaneous-Use

   to_char(loginlimit) as value,
   to_char(':=') as operator
FROM dual

return resultSet;

Not sure if it will help, but will make it work properly later.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + Cisco Aironet WAP

2008-11-20 Thread tnt
See:

http://wiki.freeradius.org/index.php/Cisco#IOS_12.x

It's for wired but shouldn't be far off.

Ivan Kalik
Kalik Informatika ISP

On 20/11/2008, Tim Gustafson [EMAIL PROTECTED] wrote:

Hey,

I know this is a bit off-topic, but I was wondering if anyone on the list 
might be able to help with configuring a Cisco Aironet WAP to authenticate 
wireless users against a FreeRADIUS server?

Thanks in advance!

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



Re: New entry for Interim packet

2008-11-20 Thread Evgeniy Kozhuhovskiy

Tony Spencer wrote:

I'd rather not disconnect 4,000 users in one go.

In fact, this thing should be done with BRAS functionality.
For example, some BRAS'es has support of restarting of accounting at 
least, also there is a prepaid feature, that could be helpful for you.


Also you can use CoA functions of your BRAS.

--
With best regards, Evgeniy Kozhuhovskiy
Leader of Services group, MGTS, RUE Beltelecom


RE: New entry for Interim packet

2008-11-20 Thread Tony Spencer
Hi Leigh

 

Your script is most useful.

We have interim updates every 2 hours and hadn't implemented anything to
close stale sessions.

So now I've modified your script and will run it every night to look for
sessions where the AcctStatus = Alive and where the updated column, that we
have added to see when the last interim update was, isn't today's date.

 

I've taken onboard your suggestion of setting Alive sessions to Stop and
then working out the Octet difference from the new session and the
Admin-Reset session and I've tested it on a test account we have. However
after setting the session to Stop with an Admin-Reset AcctStatus the new
update indeed did put a new entry in radacct, but there is no way to tie the
forced Stop session with the new session. The AcctSessionId and AcctUniqueId
are different across the 2 sessions.

 

Any ideas?

 

Tony 

 


Re: Re: Problem in setting up radius database in sql

2008-11-20 Thread Saeed Akhtar
I agree, but in my case it was because a package mysql-dev was missing...
when I installed it, everything went good.
Regards,

Saeed Akhtar



2008/11/20 dgluoyun [EMAIL PROTECTED]

 I install the freeradius and mysql with the rpm packages, in the
 default way. nothing special to mention.


 On 2008-11-20, Saeed Akhtar [EMAIL PROTECTED] wrote:

 I'm sorry, but how to compile/install it using mysql extensions
 rlm_sql_mysql... can you please guide me.. I can't find any help on internet.
 Regards,

 Saeed Akhtar



 On Thu, Nov 20, 2008 at 1:43 PM, Alexandre Chapellon 
 [EMAIL PROTECTED] wrote:

 your freeradius seems to be compiled/installed without the mysql
 extensions rlm_sql_mysql

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html