Re: 802.1X wireless, FR, and accounting...

2009-01-14 Thread Stefan Winter
Hi,

can you send a sample of one such Start and Stop ticket? I suspect the
Stop may be more like an update. There's some Cisco feature to send a
new Accounting ticket as soon as the client's IP address has been
determined...

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1X wireless, FR, and accounting...

2009-01-14 Thread A . L . M . Buxey
hi,

fwiw, we see many session times of 00:00 sent from our cisco kit.
it's a pain because a value of 0 isn't valid with the default
SQL code and statements (obviously).  we can certainly liaise
with this issue - some of it, i believe, is due to the way
the LWAPP protocol ships clients into mobility states - or
if you use VLAN override the client gets bumped to the correct
network but its session is classed as new/changed.

alan


Re: 802.1X wireless, FR, and accounting...

2009-01-14 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
> fwiw, we see many session times of 00:00 sent from our cisco kit.
> it's a pain because a value of 0 isn't valid with the default
> SQL code and statements (obviously).

...
if (Acct-Session-Time != 0) {
    sql
}
else {
    ok
}
...

  Alan DeKok.


Radius syntax

2009-01-14 Thread Andrea Scarso
Hi all,
I'm trying to monitor my radius servers using The Dude by Mikrotik.
Here, there's not a prebuild check, but there's a radius test, made in UDP
on port 1812, where I have to manually set the sent string and the
received string.

How is a radius request made, or where can I find some docs about it?

When I send a request with the default string, on the radius I receive:

Wed Jan 14 08:55:45 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
Wed Jan 14 08:55:55 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
Wed Jan 14 08:56:30 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet

Thanks,
Andrea

Re: Radius syntax

2009-01-14 Thread Alan DeKok
Andrea Scarso wrote:
> Hi all,
> I'm trying to monitor my radius servers using The Dude by Mikrotik.
> Here, there's not a prebuild check, but there's a radius test, made in
> UDP on port 1812, where I have to manually set the sent string and the
> received string.

  I have no idea what that means.

> How is a radius request made, or where can I find some docs about it?
>
> When I send a request with the default string, on the radius I receive:
>
> Wed Jan 14 08:55:45 2009 : Error: WARNING: Malformed RADIUS packet from
> host xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet

  The NAS is completely broken.  Tell the manufacturer that you want a
firmware fix so that it will implement RADIUS correctly, *or* return it
for a refund, and buy a real NAS.

  Alan DeKok.


Re: Radius syntax

2009-01-14 Thread Andrea Scarso
2009/1/14 Alan DeKok al...@deployingradius.com

>> How is a radius request made, or where can I find some docs about it?
>>
>> When I send a request with the default string, on the radius I receive:
>>
>> Wed Jan 14 08:55:45 2009 : Error: WARNING: Malformed RADIUS packet from
>> host xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
>
>   The NAS is completely broken.  Tell the manufacturer that you want a
> firmware fix so that it will implement RADIUS correctly, *or* return it
> for a refund, and buy a real NAS.
>
>   Alan DeKok.



Thanks, but this is not a NAS.
This is a monitor application for various servers (http, ping, smtp, pop3,
...).
http://www.mikrotik.com/img/thedude.jpg

The problem is that for the radius test, there's not a prebuild test as for
other protocols, but I need to specify the string to send to freeradius, to
simulate the RADIUS protocol. Do you know if there's some docs about the
RADIUS protocol or radius packet syntax?

Otherwise, do you know other software to monitor some radius servers?
In other words i need a software to simulate a NAS, and if the radius
doesn't respond can send a warning mail to me.

Thanks,
Andrea

Re: Radius syntax

2009-01-14 Thread Alan DeKok
Andrea Scarso wrote:
> Thanks, but this is not a NAS.

  Then it's not doing RADIUS, and telling it to send packets to a RADIUS
server is wrong.

> This is a monitor application for various servers (http, ping, smtp,
> pop3, ...).
> http://www.mikrotik.com/img/thedude.jpg
>
> The problem is that for the radius test, there's not a prebuild test as
> for other protocols,

  As I said, I have no idea what that means.

  You are coming into a RADIUS mailing list, and using terminology that
is specific to a particular product from a particular vendor.  I've
never used that product from that vendor.  Using that terminology here
is confusing and unnecessary.

> but I need to specify the string to send to
> freeradius, to simulate the RADIUS protocol.

  If you think you can create a static string to simulate RADIUS... it
doesn't work that way.

> Do you know if there's some
> docs about the RADIUS protocol or radius packet syntax?

  The web site is full of documentation.  It contains copies of the
RADIUS specifications, which explain the protocol in detail.

> Otherwise, do you know other software to monitor some radius servers?
> In other words i need a software to simulate a NAS, and if the radius
> doesn't respond can send a warning mail to me.

  Perhaps you read the documentation that comes with the server, and the
FAQ.  It contains examples of using test programs.

  Alan DeKok.
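
Why a fixed string cannot stand in for a RADIUS request, as an added example that is not part of the thread or of FreeRADIUS: the sketch follows RFC 2865 framing, User-Password hiding and the Response Authenticator. The function names, user name, password and shared secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

def check_framing(data: bytes) -> str:
    """RFC 2865 framing checks, applied before any attribute is interpreted."""
    if len(data) < 20:
        return "shorter than the 20-byte header"
    length = struct.unpack("!H", data[2:4])[0]
    if not 20 <= length <= 4096 or length > len(data):
        return "bad Length field"
    pos = 20
    while pos < length:
        # Attribute = Type(1) Length(1) Value; Length covers all three fields.
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            return "attributes do not exactly fill the packet"
        pos += data[pos + 1]
    return "ok"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int):
    """Return (packet, request_authenticator); the authenticator is random per call."""
    auth = os.urandom(16)
    hidden = hide_password(password, secret, auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs, auth

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if check_framing(reply) != "ok":
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    want = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

if __name__ == "__main__":
    # Constructed sample: made-up user, password and shared secret.
    pkt, _ = build_access_request(b"probe", b"probe-pass", b"testing123", 1)
    print(check_framing(pkt), check_framing(b"static test string"))
```

A monitoring probe therefore has to compute each request and check each reply against the authenticator it just sent; a reply that does not verify should count as a failed check, not as "server is up".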


Re: Radius syntax

2009-01-14 Thread tnt
> Thanks, but this is not a NAS.
> This is a monitor application for various servers (http, ping, smtp, pop3,
> ...).

So use SNMP to monitor radius server.

Ivan Kalik
Kalik Informatika ISP



Re: Is possible create coding?

2009-01-14 Thread tnt
> I need a script by recognizing the class of a particular danger to my
> network, so in this way create a basis for any number of classes that
> would not and thus deny access.

Yes. That's what TNC does. But it's a bit more than a script.

> What is rlm_eap_tnc?

Find out first what TNC is. Things will be clearer then.

Ivan Kalik
Kalik Informatika ISP



Re: Is possible create coding?

2009-01-14 Thread Bil Dert

I need a script by recognizing the class of a particular danger to my
network, so in this way create a basis for any number of classes that
would not and thus deny access. 


 What is rlm_eap_tnc?

Limit access of a SSID to a certain LDAP group

2009-01-14 Thread qrt

Hello,

Maybe I'm just too stupid to figure this one out, but I have been  
googling around for several days trying to find a solution...


I am running freeradius on Mac OS X Server.
I have a Cisco WLC running several APs with multiple SSIDs.

Everything is working fine, except:

I have not found a way to limit access of a certain SSID to a certain  
LDAP group.


I need to have different WLANs for different Users who are in LDAP  
groups.
The user of group A should be able to use WLAN A but not WLAN B and so  
on.


How on earth do I configure this?

Does anybody have any experience with this?

Thanks

Qurt


Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
> I need to have different WLANs for different Users who are in LDAP
> groups.
> The user of group A should be able to use WLAN A but not WLAN B and so
> on.
>
> How on earth do I configure this?

Where is SSID in the request? Called-Station-Id? NAS-Identifier?

DEFAULT   Ldap-Group == whatever, regex check on the attribute which
holds SSID

DEFAULT   Ldap-Group == another, same for second SSID

etc.

DEFAULT   Auth-Type := Reject (force reject on those that don't match)

You can also return group/SSID combination specific attributes there.

Ivan Kalik
Kalik Informatika ISP



Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread qrt

Thanks.

I really appreciate your help.

Even though I understand what you are saying, I have no idea where to  
start looking for the SSID.


As far as I can tell, the SSID is not in the request and neither in  
the NAS-Identifier.


A typical log entry looks like this:

Wed Jan 14 13:03:20 2009 : Auth: Login OK: [the_user/no User-Password  
attribute] (from client Cisco 4402 port 29 cli 00-22-69-0A-46-62)


Could you clarify that or give me an example?


Thanks

Qurt


On 14.01.2009, at 14:16, t...@kalik.net t...@kalik.net wrote:


>> I need to have different WLANs for different Users who are in LDAP
>> groups.
>> The user of group A should be able to use WLAN A but not WLAN B and so
>> on.
>>
>> How on earth do I configure this?
>
> Where is SSID in the request? Called-Station-Id? NAS-Identifier?
>
> DEFAULT   Ldap-Group == whatever, regex check on the attribute which
> holds SSID
>
> DEFAULT   Ldap-Group == another, same for second SSID
>
> etc.
>
> DEFAULT   Auth-Type := Reject (force reject on those that don't match)
>
> You can also return group/SSID combination specific attributes there.
>
> Ivan Kalik
> Kalik Informatika ISP


Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
> Even though I understand what you are saying, I have no idea where to
> start looking for the SSID.

Access-Request packet. Do radiusd -X debug and request attributes will be
displayed.

> As far as I can tell, the SSID is not in the request and neither in
> the NAS-Identifier.


If it's not in the request - you can't filter by it. Read AP
documentation to see how can you get SSID into a radius attribute.

Ivan Kalik
Kalik Informatika ISP



Different back end authentication.

2009-01-14 Thread vincent erik
Hello All,

I would like to know if it's possible to have more than one authentication
backend with Freeradius.

Let's say I have  User1 on OpenLDAP and User2 On Microsoft Windows Active
Directory.

I configure my device to send Authentication request (Radius)  to Freeradius.
User1 and User2 should be able to authenticate.

I was able to make it work separately but not both at the same time

Thanks for your reply.



  


Re: Bandwidth limit

2009-01-14 Thread Alexandre Chapellon
Do you mean you want to apply QoS on the sessions or do you mean you
want to limit the amount of data a user can xfer during a specified time?

On 13.01.2009 17:48, Gunza wrote:
> Dear All,
>
>  I have installed Mikrotik Router OS server for PPPoE and I have
> installed Ubuntu Server 8.10 with Freeradius+My Sql server. I want to
> create user with bandwidth limit in mysql database. Anybody please help me.






 


Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread Damjan
>> I need to have different WLANs for different Users who are in LDAP
>> groups.
>> The user of group A should be able to use WLAN A but not WLAN B and so
>> on.
>>
>> How on earth do I configure this?
>
> Where is SSID in the request? Called-Station-Id? NAS-Identifier?
>
> DEFAULT   Ldap-Group == whatever, regex check on the attribute which
> holds SSID
>
> DEFAULT   Ldap-Group == another, same for second SSID
>
> etc.
>
> DEFAULT   Auth-Type := Reject (force reject on those that don't match)

Interesting, 
I have a similar situation except that I want to authorize users from 
one SSID with ActiveDirectory, and from the other SSID with a local
mysql.

How would I do that?




-- 
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk 
 -- not my mail address, it's a Jabber ID --^ :)

Re: Different back end authentication.

2009-01-14 Thread tnt
> I would like to know if it's possible to have more than one authentication
> backend with Freeradius.

Yes.

> Let's say I have  User1 on OpenLDAP and User2 On Microsoft Windows Active
> Directory.

No problem.

> I configure my device to send Authentication request (Radius)  to Freeradius
> User1 and User2 should be able to authenticate.
>
> I was able to make it work separately but not both at the same time


If you were using ldap as authentication oracle, your problems have
nothing to do with where you stored data but with authentication
protocol. Ldap won't work with mschap requests (that's clearly stated
in ldap module configuration file) while AD integration (ntlm_auth) is
configured in mschap module and won't work with pap requests.

If you use ldap only as storage (don't set auth type) it will work with
mschap requests. If you don't remove ntlm_auth from authenticate
section (AD integration documentation suggests that you should) pap will
work with AD.

Ivan Kalik
Kalik Informatika ISP



Re: regading h323-ivr-in setting in sippy B2bua

2009-01-14 Thread tnt
> and i want to call control using b2bua_radius.py (sippy
> http://b2bua.org/wiki/B2BUADocumentation) i.e i want call will
> disconnect after 30 second and radius will generate Start/Stop

Direct your questions to the people who made that script.

Ivan Kalik
Kalik Informatika ISP



Re: Limit access of a SSID to a certain LDAP group

2009-01-14 Thread tnt
> Interesting,
> I have a similar situation except that I want to authorize users from
> one SSID with ActiveDirectory, and from the other SSID with a local
> mysql.
>
> How would I do that?


Freeradius doesn't care where is data coming from. You have to use
groups. AD groups will also be in Ldap-Group while sql groups will be in
SQL-Group.

Ivan Kalik
Kalik Informatika ISP



Handing out duplicate IP addresses

2009-01-14 Thread Dave
I thought I had this problem licked, but I still suffer from it.  Anyone
know why FR 2.1.3 with sqlippool (mysql) might decide to hand out the
same IP more than once while it's processing more than one request at a time?


Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx,211 from 
IP-Pool   (did jarvis cli 00:18:D2:00:3E:63 port 449756 user pcollyer)
Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx.211 from 
IP-Pool   (did jarvis cli 00:18:D2:00:5B:0D port 449755 user jhogeterp)
Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx.211 from 
IP-Pool   (did jarvis cli 00:18:D2:00:2E:C1 port 449752 user mellerpoultry)


The requests all came in at the same time, to the second (among others),
it's like FR took 3 requests and looked at the database at the exact same
time, saw it was an available IP and all those 3 requests assigned it.
My NAS rejects two of the 3 because the IP is assigned, and Freeradius
clears the IP from the ip-pool to be later distributed (even though it's
still in use)


I'm open to any suggestions.  It's hard to debug!




