Simultaneous-Use = 1 not working

2011-02-06 Thread raisedtozero

Hello

I do have a free radius. It uses system authentication (unix users)

Here's my radiusd.conf excerpt:

unix {
    #
    #  Cache /etc/passwd, /etc/shadow, and /etc/group
    #
    #  The default is to NOT cache them.
    #
    #  For FreeBSD and NetBSD, you do NOT want to enable
    #  the cache, as its password lookups are done via a
    #  database, so set this value to 'no'.
    #
    #  Some systems (e.g. RedHat Linux with pam_pwbd) can
    #  take *seconds* to check a password, when the passwd
    #  file contains 1000's of entries.  For those systems,
    #  you should set the cache value to 'yes', and set
    #  the locations of the 'passwd', 'shadow', and 'group'
    #  files, below.
    #
    # allowed values: {no, yes}
    cache = no

    # Reload the cache every 600 seconds (10mins). 0 to disable.
    cache_reload = 600

    #
    #  Define the locations of the normal passwd, shadow, and
    #  group files.
    #
    #  'shadow' is commented out by default, because not all
    #  systems have shadow passwords.
    #
    #  To force the module to use the system password functions,
    #  instead of reading the files, leave the following entries
    #  commented out.
    #
    #  This is required for some systems, like FreeBSD,
    #  and Mac OSX.
    #
    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group

    #
    #  The location of the wtmp file.
    #  This should be moved to its own module soon.
    #
    #  The only use for 'radlast'.  If you don't use
    #  'radlast', then you can comment out this item.
    #
    radwtmp = ${logdir}/radwtmp
}


and my users file is this:

DEFAULT Auth-Type = System
Simultaneous-Use = 1,
Fall-Through = 1

I've configured my clients file and it has the proper NAS type.

The problem is that multiple users can log in. How do I resolve that?

Please help

Thanks
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Simultaneous-Use-1-not-working-tp3373045p3373045.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius authentication support for telnet server.

2011-02-06 Thread vijay s sheelavantar
Hello Friends,

I want to authenticate telnet users using Free Radius server. I have
pam_radius_auth.so and configured it for ssh which is working fine. For
telnet also I have created a file /etc/pam.d/telnet and trying to
authenticate using freeRadius server. But it is not happening.

Kindly let me know how can i authenticate telnet users using freeRadius?

Thanks & Regards,
Vijay S.

free radius implementation for big ISP

2011-02-06 Thread Mohamad A
Hello,

I'm working for a big ISP and we have over 150 NASes all over the
country and over 200,000 Internet subscribers.
Currently we are using one of those proprietary Radius servers
available in the market.
But the problem is that the current software, even with very up-to-date
hardware, cannot support our increasing radius requests from all over the
country, although we have installed 5 separate servers (as our current
software does not support splitting the database over multiple servers)
completely independent from each other, and this is a very weak point of
our network.

As I'm currently using FreeRadius for login into servers and NAS via
telnet, and also another instance for backup (this radius server
accepts every request from known clients), I decided to study the
possibilities of other available radius servers that would be able to
address our needs, and as I think you already know, ended up at
FreeRadius!

So I decided to post this in the mailing list to see if anyone
already has such a big implementation, and also to ask for help in later
stages if we go for FreeRadius.

Our needs are (at least):

1. Handling about 100,000 acc requests and 10,000 auth requests hourly!
2. Accounting
3. Control and limit user traffic.
4. Control and limit user concurrent logins.
5. CoA for changing user speed over different times of day.
6. CoA to disconnect user when the account validation is over (e.g.
Traffic quota exceeded).
7. Calculate traffic usage differently depending on time of day (i.e. our
service at night does not count any traffic, or sometimes counts it as half
for users).
8. Tracking online users and disconnect user if Accounting packet is
not received in prefixed amount of time (currently 10 mins).
9. Splitting database traffic over multiple servers.
10. Designing one interface to manage all users.

Do you really suggest switching to FreeRadius, or sticking to the current
problematic solution?

(sorry for my poor English :)

Regards,
M


Re: Radius Client UDP port selection

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 10:06:01AM -, vijay s sheelavantar wrote:
I am talking about pam_radius_client. I want this pam_radius_auth.so
client to select a particular UDP port to communicate with external
radius server. so that server can send authentication response on the
same port back to client.

Of course, the server will always send the authentication response back to
whatever port the client selected.

Your options are:

1. If pam_radius_client doesn't have the ability to bind to a particular
port, then you can modify the source code to do so. The call you need is
bind() after the socket has been created.

Warning: hacking C code in security-sensitive modules (especially those
running as root) is a risky business.  Get an expert to make this change for
you, or become an expert first.  (Recommended reading: Unix Network
Programming vol 1, and Advanced Programming in the Unix Environment, both by
Richard Stevens)

2. I think you said before you only wanted to make sure that the port was
32768. So you can configure your OS so that *all* outbound connections bind
to ports >= 32768.

Google "linux ephemeral port range" for details.

On my system:

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

So in fact, all connections from my machine would be >=32768 anyway.

Regards,

Brian.


Re: Radius Client UDP port selection

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 11:11:58AM +, Brian Candler wrote:
 1. If pam_radius_client doesn't have the ability to bind to a particular
 port, then you can modify the source code to do so. The call you need is
 bind() after the socket has been created.

Ah, it turns out the code to do this is already there: (pam_radius_auth.c)

  /*
   *  Use our process ID as a local port for RADIUS.
   */
  local_port = (getpid() & 0x7fff) + 1024;
  do {
    local_port++;
    s_in->sin_port = htons(local_port);
  } while ((bind(conf->sockfd, salocal, sizeof (struct sockaddr_in)) < 0) &&
           (local_port < 64000));

  if (local_port >= 64000) {
    close(conf->sockfd);
    _pam_log(LOG_ERR, "No open port we could bind to.");
    return PAM_AUTHINFO_UNAVAIL;
  }

As you can see, the initial local_port is currently chosen in the range 1024
to 33791 (1024+32767), essentially at random, and if that one is in use then
it keeps incrementing until it finds a free one under 64000.

Adjust to use whatever range you like.

 2. I think you said before you only wanted to make sure that the port was
 32768. So you can configure your OS so that *all* outbound connections bind
 to ports >= 32768.

Sorry, that won't work here, because the code is choosing its local port
explicitly.

Regards,

Brian.
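The port-selection behaviour described in Brian's two replies, as an added Python example (it is not pam_radius_auth or FreeRADIUS code): bind_in_range() mirrors the quoted C loop (try successive ports, fail when the range is exhausted), pam_style_start_port() reproduces its PID-derived starting point, and os_chosen_port() shows what happens when a client does not bind explicitly, so the kernel's ip_local_port_range applies. Everything binds to 127.0.0.1; the function and variable names are this example's own.

```python
"""Local UDP source-port selection for a RADIUS client.

Added example, not pam_radius_auth or FreeRADIUS code.  It reproduces the
two points made above: code that binds explicitly picks its own port and
is not affected by the kernel's ephemeral range, while code that does not
bind gets a port from ip_local_port_range."""
import os
import socket


def pam_style_start_port():
    """The start port pam_radius_auth derives from its process ID.  The
    quoted loop increments once before its first bind(), hence the +1."""
    return (os.getpid() & 0x7FFF) + 1024 + 1


def bind_in_range(sock, first, last, host="127.0.0.1"):
    """Bind sock to the first free port in first..last (inclusive) and return
    it.  Raises OSError when every port in the range is taken, which is the
    'No open port we could bind to' case of the quoted code."""
    for port in range(first, last + 1):
        try:
            sock.bind((host, port))
            return port
        except OSError:
            continue  # EADDRINUSE (or not permitted): try the next port
    raise OSError("no free port we could bind to in %d..%d" % (first, last))


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """The kernel's ephemeral range (what 'cat /proc/sys/...' above prints),
    or None on a host without that file."""
    try:
        with open(path) as f:
            lo, hi = f.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return None


def os_chosen_port(sock, host="127.0.0.1"):
    """Let the kernel choose the source port (bind to port 0), which is what
    a client gets when it never binds to a fixed port itself."""
    sock.bind((host, 0))
    return sock.getsockname()[1]


def demo():
    """Bind three sockets and report what each got."""
    a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        explicit = bind_in_range(a, pam_style_start_port(), 64000)
        # A second socket asking for exactly the port 'a' holds must fail:
        # an explicit bind() does not fall back to the ephemeral range.
        try:
            bind_in_range(b, explicit, explicit)
            collided = False
        except OSError:
            collided = True
        kernel = os_chosen_port(c)
        return {"explicit": explicit, "collided": collided,
                "kernel": kernel, "ephemeral": ephemeral_range()}
    finally:
        for s in (a, b, c):
            s.close()


if __name__ == "__main__":
    print(demo())
```

On a Linux host the "kernel" port falls inside the printed ephemeral range while the "explicit" port is wherever the PID-derived start landed, which is exactly why changing ip_local_port_range does not move a client that calls bind() itself.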


Re: free radius implementation for big ISP

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 02:13:40PM +0330, Mohamad A wrote:
 1. Handling about 100,000 acc requests and 10,000 auth requests hourly!

I know a freeradius installation much bigger than that.

You can scale freeradius easily: a multicore machine with lots of RAM will
be able to handle hundreds of requests per second (depending on whether it's
using in-RAM tables or mysql queries or whatever), and you can scale
horizontally by adding more RADIUS servers.

For your 200K users you might want to use mysql or LDAP as your source of
authorization and authentication data. You can scale that using replication.

 2. Accounting

Of course. Using something like rlm_log_sql you can write the 'INSERT'
statements to a log file, then periodically collect them and push them into
your accounting DB.  Using that approach, the accounting DB doesn't become a
real-time bottleneck.

For real-time accounting (i.e. which user is on this IP address right
now?) support for Redis has just been added. It should appear in 2.1.11.

 3. Control and limit user traffic.

That's a function of the NAS. The RADIUS server is not involved, except in
sending attributes to control that activity. FreeRADIUS can send whatever
attributes you like.

 4. Control and limit user concurrent logins.

That's a bit trickier but doable. I believe there are example configs for
doing this using mysql, and you could use the new Redis support for it too.

But (1) it is difficult to scale, because there will have to be a central
real-time database updated when people connect and disconnect; and (2) this
service is designed to prevent people logging in under certain
circumstances, and therefore can become a source of increased user problems
and support calls.

You have to decide whether the abuse of multiple concurrent logins is
outweighed by the risks of accidentally locking out legitimate users (e.g. 
because of lost accounting packets showing that the users' previous session
has ended)

IMO a better solution is just to analyse accounting logs periodically, and
identify people logging in concurrently.  Then you can send them a gentle
warning to mend their ways, and if they persist then you terminate them
under the T&Cs of the service you provide them.

 5. CoA for changing user speed over different times of day.
 6. CoA to disconnect user when the account validation is over (eg.
 Traffic quota exceeds).

radclient can send the CoA packets, but the actual logic of *when* to send
them is entirely outside of FreeRADIUS. You would need your own systems to
do that.

Your NAS might support an attribute to disconnect the user once a certain
amount of traffic has been sent or received (similar to Session-Timeout,
which disconnects them after a certain number of seconds)

 7. Calculate traffic usage differently depending on day-time (ie. our
 service in nights does not calculate any traffic or some times as half
 for users).

FreeRADIUS doesn't calculate traffic usage. You need to build a system to
do that, using accounting records as the raw input.

 8. Tracking online users and disconnect user if Accounting packet is
 not received in prefixed amount of time (currently 10 mins).

That seems a strange requirement. If you have configured your NAS to send
periodic interim updates, and the NAS hasn't sent one for 2 or 3 times the
update interval, then the reason is almost certainly that the user has
disconnected anyway.

Anyway, this falls into the same as CoA above. You can use radclient to send
the disconnect packet (or more standard, use SNMP to do this), but the
systems to work out if and when to do this are your own.

 9. Splitting database traffic over multiple servers.

Yes that's easy. Multiple RADIUS servers can point to different database
backends; a single RADIUS server can also share load between multiple
database backends using a load-balance section. man unlang for more
info.

 10. Designing one interface to manage all users.

Building user management is your problem. This encompasses everything from
CRM (contact info), signup, rating, billing and payment collection,
selfcare, mapping products to RADIUS attributes, product upgrades, service
termination, and so on.

FreeRADIUS doesn't even provide you with a user management API, that's up to
you too.  For example, if you put your user radius data into a mysql
database, you might expose some stored procedures that the higher-level
systems can call to add/delete/modify a user; or you might have a separate
system which takes SOAP or JSON requests and turns them into mysql inserts
and updates.

 Do you really suggest to switch to FreeRadius or stick to the current
 problematic solution ?

FreeRADIUS is a comprehensive, reliable and flexible toolkit for building
RADIUS servers and clients.  It can query databases for generating RADIUS
responses, but the way you enter and manage that data is out of its scope. 
Hence depending on what your existing solution does for you, you may find
you have to build quite a lot more 
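Brian's suggestion of analysing accounting logs periodically rather than blocking logins in real time, as an added Python example (not FreeRADIUS code). The rows are constructed to look like radacct records; a session with no acctstoptime is treated as open only for a bounded time, which is how the example copes with the lost-Stop-packet case he warns about. The function names and the max_open_hours parameter are this example's own.

```python
"""Periodic concurrent-login analysis over accounting records.

Added example, not FreeRADIUS code: it implements the 'analyse accounting
logs periodically' approach suggested above instead of a live
Simultaneous-Use check.  The rows below are constructed, shaped like the
radacct columns FreeRADIUS writes (acctstoptime is NULL while a session is
still open)."""
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M:%S"

SAMPLE_RADACCT = [  # constructed sample data
    {"username": "alice", "acctsessionid": "a1", "nasipaddress": "10.0.0.1",
     "acctstarttime": "2011-02-06 08:00:00", "acctstoptime": "2011-02-06 09:00:00"},
    {"username": "alice", "acctsessionid": "a2", "nasipaddress": "10.0.0.2",
     "acctstarttime": "2011-02-06 08:30:00", "acctstoptime": "2011-02-06 10:00:00"},
    # bob re-dialled the moment his first session ended: not concurrent
    {"username": "bob", "acctsessionid": "b1", "nasipaddress": "10.0.0.1",
     "acctstarttime": "2011-02-06 08:00:00", "acctstoptime": "2011-02-06 08:30:00"},
    {"username": "bob", "acctsessionid": "b2", "nasipaddress": "10.0.0.1",
     "acctstarttime": "2011-02-06 08:30:00", "acctstoptime": None},
    # carol's first Stop packet was lost, so c1 still looks open hours later
    {"username": "carol", "acctsessionid": "c1", "nasipaddress": "10.0.0.3",
     "acctstarttime": "2011-02-06 07:00:00", "acctstoptime": None},
    {"username": "carol", "acctsessionid": "c2", "nasipaddress": "10.0.0.3",
     "acctstarttime": "2011-02-06 11:00:00", "acctstoptime": "2011-02-06 11:30:00"},
]


def session_window(row, now, max_open):
    """(start, end) of one session.  An open session counts as running until
    'now' but never longer than max_open: otherwise a single lost Stop packet
    makes every later login of that user look concurrent (the same lost
    packet that would lock the user out with a live Simultaneous-Use check
    here only produces a false alarm, and the cap removes even that)."""
    start = datetime.strptime(row["acctstarttime"], FMT)
    if row["acctstoptime"] is None:
        return start, min(now, start + max_open)
    return start, datetime.strptime(row["acctstoptime"], FMT)


def find_concurrent(rows, now, max_open_hours=2):
    """Return {username: [(sessionid_a, sessionid_b), ...]} for every user
    with two sessions whose windows overlap.  'now' is a timestamp string in
    FMT; windows that merely touch (bob above) do not count."""
    now_dt = datetime.strptime(now, FMT)
    max_open = timedelta(hours=max_open_hours)
    by_user = {}
    for row in rows:
        by_user.setdefault(row["username"], []).append(row)
    flagged = {}
    for user, sessions in sorted(by_user.items()):
        windows = sorted(
            ((s["acctsessionid"],) + session_window(s, now_dt, max_open)
             for s in sessions),
            key=lambda w: w[1])
        pairs = [(a[0], b[0]) for a, b in combinations(windows, 2)
                 if a[1] < b[2] and b[1] < a[2]]   # start_a < end_b and start_b < end_a
        if pairs:
            flagged[user] = pairs
    return flagged


if __name__ == "__main__":
    for user, pairs in find_concurrent(SAMPLE_RADACCT, "2011-02-06 12:00:00").items():
        print("%s: overlapping sessions %s" % (user, pairs))
```

Run against the sample data only alice is reported; raising max_open_hours far enough that carol's stale open session is still believed to be running also reports carol, which is the false positive the cap is there to avoid.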

Re: radius authentication support for telnet server.

2011-02-06 Thread Fajar A. Nugraha
On Sun, Feb 6, 2011 at 5:10 PM, vijay s sheelavantar 
s_vija...@rediffmail.com wrote:

 Hello Friends,
 I want to authenticate telnet users using Free Radius server.
 I have pam_radius_auth.so and configured it for ssh which is working fine.
 For telnet also I have created a file /etc/pam.d/telnet  and trying to
 authenticate using freeRadius server. But it is not happening.

 Kindly let me know how can i authenticate telnet users using freeRadius?


I didn't test telnet, but most daemons that use pam (like sshd) have a line

@include common-auth

so I simply add

auth sufficient pam_radius_auth.so

on top of /etc/pam.d/common-auth to enable radius auth for everything
(including ssh). Note that:
- you need to edit pam_radius_auth config file first (when using Ubuntu's
package, it's on /etc/pam_radius_auth.conf)
- the user needs to exist already on the server (e.g on /etc/passwd, ldap,
or whatever method you use to store user accounts on the server)

If it still doesn't work, make sure to look at freeradius's debug log (
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21)

-- 
Fajar

Possible typo in share/dictionary.dhcp

2011-02-06 Thread Alexander Shikoff
Hello,

if you take a look at line 358 of share/dictionary.dhcp you may notice a '=':

VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39

Is it a possible typo?

-- 
MINO-RIPE


issue with dialup.conf

2011-02-06 Thread Tyller D
Hi

I am having an issue, which may be the way I changed the dialup.conf or
maybe it's my logic. This is what I have done & am trying to achieve.

freeradius is used to authenticate users at our hotspots; as we are using
different nas devices and we must cater for them all, I did this:

in the dictionary file I added an attribute called databank, then I created a
perl script to check which type of nas the user is coming from and rename
databank to the correct attribute, and that works fine. Then on the stop
request I need to update the value associated to databank to be (databank -
(acctinputoctets+acctoutputoctets)), that way limiting users to only as much
data as we stipulated in the beginning. My problem is that it doesn't
always update the databank value. I can see how much traffic a user used in
his session (i.e. in the radacct table), so the accounting_stop_query &
accounting_stop_query_alt are not failing, it's just not updating the
databank value in radcheck.

here are the two queries

accounting_stop_query = " \
  UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - \
                                  '%{Acct-Input-Octets}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}' \
  WHERE radacct.acctsessionid   = '%{Acct-Session-Id}' \
    AND radcheck.username       = '%{SQL-User-Name}' \
    AND radcheck.attribute      = 'databank' \
    AND radacct.username        = '%{SQL-User-Name}' \
    AND radacct.nasipaddress    = '%{NAS-IP-Address}'"



accounting_stop_query_alt = " \
  UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - \
                                  '%{Acct-Input-Octets}' \
  WHERE radacct.acctsessionid   = '%{Acct-Session-Id}' \
    AND radacct.username        = '%{SQL-User-Name}' \
    AND radacct.nasipaddress    = '%{NAS-IP-Address}' \
    AND radcheck.username       = '%{SQL-User-Name}' \
    AND radcheck.attribute      = 'databank'"


Does anyone know how this can happen? Could it be something to do with
interim-updates (grasping at straws here)?

any help would be great.

Thanks

Re: issue with dialup.conf

2011-02-06 Thread Fajar A. Nugraha
On Sun, Feb 6, 2011 at 9:55 PM, Tyller D tyll...@gmail.com wrote:
 I can see how much traffic a user used in
 his session (i.e. in the radacct table) so the accounting_stop_query &
 accounting_stop_query_alt are not failing, it's just not updating the
 databank value in radcheck.

 here are the two queries

 accounting_stop_query = " \
   UPDATE radacct,radcheck SET \
      radacct.acctstoptime       = '%S', \
      radacct.acctsessiontime    = '%{Acct-Session-Time}', \
      radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                   '%{%{Acct-Input-Octets}:-0}', \
      radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                   '%{%{Acct-Output-Octets}:-0}', \
      radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
      radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - \
                                   '%{Acct-Input-Octets}', \
      radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
      radacct.connectinfo_stop   = '%{Connect-Info}' \
   WHERE radacct.acctsessionid   = '%{Acct-Session-Id}' \
     AND radcheck.username       = '%{SQL-User-Name}' \
     AND radcheck.attribute      = 'databank' \
     AND radacct.username        = '%{SQL-User-Name}' \
     AND radacct.nasipaddress    = '%{NAS-IP-Address}'"


My guess is something in your query is wrong.
What happens when you run the query MANUALLY on your SQL server?
When running with debug mode (or sqltrace enabled), you should be able
to see what queries are executed.

Another option you might want to look at is rlm_sqlcounter, which can
be used to limit a user to a certain usage quota (is this what you're
trying to do?)

-- 
Fajar



Re: Possible typo in share/dictionary.dhcp

2011-02-06 Thread Alan DeKok
Alexander Shikoff wrote:
 if you take a look at line 358 of share/dictionary.dhcp you may notice a '=':
 
 VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
 VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
 
 Is it a possible typo?

  I have no idea what you mean.

  Alan DeKok.


Re: Simultaneous-Use = 1 not working

2011-02-06 Thread Alan DeKok
raisedtozero wrote:
 Hello
 I've configured my clients file and it has the proper NAS type.
 
 The problem is that multiple users can log in. How do I resolve that?

  Read doc/Simultaneous-Use

  Alan DeKok.


Re: Unable to authenticate in case of multilingual characters

2011-02-06 Thread karnik jain
Hello Sir,

 Uh... nonsense.

  You can't write chinese characters in ASCII.  You need to write them
 in another encoding, such as UTF-8.


*Sorry for giving half the information, Sir,*
I do know that I can't write the Chinese characters in ASCII.
You have misunderstood me totally, sir, over here.
But the thing is I just want to know:
if I write 現年快樂 just by copy-pasting into the users file,
then will things work?


 users:
  現年快樂  Auth-Type := Accept
 
  My doubt is How can I write UTF-8 encoded (may be HEX form) in users
 file.

   You keep saying hex form.  I have no idea what that means, and I
 suspect, neither do you.


As far as the HEX form is concerned, I mean to say
how that character is internally stored in memory.
It has to be in binary form, right?
So you can also interpret it as the equivalent HEX.
*Eg:*
*A character *stored in binary as 101001 in memory
and HEX equivalent is = 0x29
Same *B* character stored in binary in memory as 101010
and HEX equivalent is = 0x292A.

What I am asking is:
I have stored the ∞ character in an
unsigned int array like the following in my RADIUS client
for sending it to the FREE RADIUS server.

unsigned int array[0] = '∞';

and I have seen its hex equivalent form
by just using
printf("HEX form: 0x%x\n", array[0]);

I got the print as: *E2 88 9E*
*
*
*That's what I am not able to understand: how automatically*
*the '∞' symbol is stored in memory in its equivalent UTF-8 form: **E2 88 9E*
*Who does the conversion, the editor in linux or the keyboard driver*
*itself converts to UTF-8 form?*

 Because I have did the same in place of Chinese I have
  written the hex equivalent of ∞ infinity symbol which is also
  a multilingual character in place of username and sent the request
  containing
  hex equivalent of UTF-8 of ∞ infinity symbol.

   No.  You write the UTF-8 characters, and it will work.
Your insistence on using some non-existent hex equivalent is why it
 doesn't work.


By saying "write in UTF-8 characters", does that mean
I need to simply write in the users file like the following?

*users: *
 ∞  Auth-Type := Accept

Re: Unable to authenticate in case of multilingual characters

2011-02-06 Thread Alan DeKok
karnik jain wrote:
 I am asking is
 I have stored ∞ character in
 unsigned int array like following in my RADIUS client

  Then this has nothing to do with FreeRADIUS.

  It's not our role to educate you in internationalization issues,
UTF-8, character sets, how RADIUS work, etc.

  You were told what you had to do in order to make FreeRADIUS handle
UTF-8: use a UTF-8 editor when you edit the config files.

  Alan DeKok.

Re: Unable to authenticate in case of multilingual characters

2011-02-06 Thread karnik jain
OK No probs sir,

Thanks a lot to Alan and John for guiding me a lot.



Re: Possible typo in share/dictionary.dhcp

2011-02-06 Thread Bjørn Mork
Alan DeKok al...@deployingradius.com writes:
 Alexander Shikoff wrote:
 if you take a look at line 358 of share/dictionary.dhcp you may notice a '=':
 
 VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
 VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
 
 Is it a possible typo?

   I have no idea what you mean.

DHCP-Keep=Alive-Garbage
         ^
I believe Alexander refers to this '=', which does look a tiny bit
suspicious


Bjørn


Re: issue with dialup.conf

2011-02-06 Thread Tyller D
Hi

I will try running the queries manually and see what happens.

rlm_sqlcounter is cool, but this should work right?


Re: issue with dialup.conf

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 04:55:34PM +0200, Tyller D wrote:
freeradius is used to authenticate users at our hotspots, as we are
using different nas devices and we must cater for them all i did this.
in dictionary file I added an attribute called databank, then I created
a perl script to check which type of nas the user is coming from and
renaming databank to the correct attribute, now that works fine.

Not sure what you mean by "renaming databank to the correct attribute" - are
you actually changing the authentication database? If so that's scary.

If you simply want to send a different attribute based on what type of NAS
they are connecting from, then you can change the response attribute sent,
without modifying the underlying database.

For identifying the NAS: the simplest way is to use the preprocess
module.  It reads the huntgroups file which maps NAS-IP-Address to control
attribute Huntgroup-Name, and then you can use a regular users file to add
an appropriate attribute, or do it in unlang:

sql

if ("%{control:Huntgroup-Name}" == "Foo" && "%{reply:Databank}") {
    update reply {
        OtherAttr = "%{reply:Databank}"
        Databank !* ""
    }
}


Or you can do anything in perl of course.

The point is, I don't think you should be updating the database simply to
change which reply attribute is sent based on which NAS they're connecting
from at this instant.

Then
on the stop request I need to update the value associated to databank
to be (databank - (acctinputoctets+acctoutputoctets)). that way
limiting users to only as much data as we stipulated in the begining.

I'm guessing your databank is some sort of data limit attribute, a bit
like a Session-Timeout but for bytes transferred?

my problem is that it doesn't always update the databank value, I can
see how much traffic a users used in his session (i.e. in the radacct
table) so the accounting_stop_query & accounting_stop_query_alt are
not failing, its just not updating the databank value in radcheck.
...
here are the two queries
accounting_stop_query = " \
  UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
                                  '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - \
                                  '%{Acct-Input-Octets}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}' \
  WHERE radacct.acctsessionid   = '%{Acct-Session-Id}' \
    AND radcheck.username       = '%{SQL-User-Name}' \
    AND radcheck.attribute      = 'databank' \
    AND radacct.username        = '%{SQL-User-Name}' \
    AND radacct.nasipaddress    = '%{NAS-IP-Address}'"

That's a scary update: updating two independent tables with the same query.

What database are you using? Calling a stored procedure would be a much
cleaner way of doing this, if your database supports it. (I use mysql which
does)

accounting_stop_query = "CALL process_stop_packet(...)"

Then you can do two separate updates, which I think is what you really want.

does anyone know how this can happen?

Watch radiusd -X until you see it happen. Look at exactly what SQL updates
are being done.

could it be something to do with
interim-updates (grasping at straws here).

Sounds highly unlikely to me.

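The two-statement alternative Brian describes (one update to radacct, one to radcheck, as a stored procedure would do), as an added Python example against an in-memory SQLite copy of a constructed subset of the two tables. This is not FreeRADIUS code; the packets, the table subset and the names (process_stop, databank, STOP_ALICE, STOP_BOB) are this example's own. It applies the same gigawords << 32 | octets arithmetic to the databank decrement that the posted query already applies to the radacct columns, runs both updates in one transaction, reports each statement's row count on its own, and ignores a retransmitted Stop for a session that is already closed.

```python
"""Accounting-Stop handling as two separate statements.

Added example, not FreeRADIUS code.  The schema is a constructed subset of
the stock radacct/radcheck tables and the packets are constructed.  Each
UPDATE reports its own row count, so a Stop whose Start never reached the
server still decrements databank and the missing radacct row is visible
instead of silently joining to nothing."""
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    acctsessionid TEXT, username TEXT, nasipaddress TEXT,
    acctstarttime TEXT, acctstoptime TEXT, acctsessiontime INTEGER,
    acctinputoctets INTEGER, acctoutputoctets INTEGER, acctterminatecause TEXT);
-- value is a varchar in the stock schema, hence TEXT here
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radacct VALUES ('s1', 'alice', '10.0.0.1', '2011-02-06 08:00:00',
                            NULL, NULL, NULL, NULL, NULL);
INSERT INTO radcheck VALUES ('alice', 'databank', ':=', '5000000000');
-- bob has a quota but no open radacct row: his Start packet never arrived
INSERT INTO radcheck VALUES ('bob', 'databank', ':=', '1000');
"""

# Constructed Accounting-Stop packets, keyed by RADIUS attribute name.
STOP_ALICE = {"Acct-Session-Id": "s1", "User-Name": "alice",
              "NAS-IP-Address": "10.0.0.1", "Acct-Session-Time": 3600,
              "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 500,
              "Acct-Output-Octets": 1500, "Acct-Terminate-Cause": "User-Request"}
STOP_BOB = {"Acct-Session-Id": "s9", "User-Name": "bob",
            "NAS-IP-Address": "10.0.0.1", "Acct-Session-Time": 60,
            "Acct-Input-Octets": 100, "Acct-Output-Octets": 200,
            "Acct-Terminate-Cause": "Lost-Carrier"}


def combine_octets(gigawords, octets):
    """Same arithmetic as the dialup.conf query: the 32-bit octet counter
    wraps, so the true byte count is gigawords << 32 | octets."""
    return (int(gigawords) << 32) | int(octets)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def process_stop(conn, pkt):
    """Close the session row and charge the bytes against databank."""
    user = pkt["User-Name"]
    key = (pkt["Acct-Session-Id"], user, pkt["NAS-IP-Address"])
    used_in = combine_octets(pkt.get("Acct-Input-Gigawords", 0), pkt.get("Acct-Input-Octets", 0))
    used_out = combine_octets(pkt.get("Acct-Output-Gigawords", 0), pkt.get("Acct-Output-Octets", 0))
    used = used_in + used_out
    with conn:  # one transaction: both updates commit together or not at all
        row = conn.execute("SELECT acctstoptime FROM radacct WHERE acctsessionid=? "
                           "AND username=? AND nasipaddress=?", key).fetchone()
        if row is not None and row[0] is not None:
            # The NAS retransmitted a Stop we already processed: charge nothing twice.
            return {"status": "duplicate", "radacct_rows": 0, "radcheck_rows": 0, "octets_used": used}
        acct = conn.execute(
            "UPDATE radacct SET acctstoptime=datetime('now'), acctsessiontime=?, "
            "acctinputoctets=?, acctoutputoctets=?, acctterminatecause=? "
            "WHERE acctsessionid=? AND username=? AND nasipaddress=?",
            (pkt.get("Acct-Session-Time", 0), used_in, used_out,
             pkt.get("Acct-Terminate-Cause", "")) + key)
        # radcheck.value is text: cast before subtracting, store back as text.
        check = conn.execute(
            "UPDATE radcheck SET value = CAST(CAST(value AS INTEGER) - ? AS TEXT) "
            "WHERE username=? AND attribute='databank'", (used, user))
    return {"status": "ok" if acct.rowcount == 1 else "no-start-record",
            "radacct_rows": acct.rowcount, "radcheck_rows": check.rowcount,
            "octets_used": used}


def databank(conn, user):
    """Remaining quota for user, or None if no databank row exists."""
    row = conn.execute("SELECT value FROM radcheck WHERE username=? AND attribute='databank'",
                       (user,)).fetchone()
    return int(row[0]) if row else None


if __name__ == "__main__":
    db = setup_db()
    for pkt in (STOP_ALICE, STOP_ALICE, STOP_BOB):
        print(process_stop(db, pkt), "databank now", databank(db, pkt["User-Name"]))
```

The "no-start-record" status for bob is the situation the single joined UPDATE cannot report: with the two tables joined in one statement, a missing radacct row means the radcheck half of the update matches nothing either, and the query still "succeeds". Watching for that status in radiusd -X output (or a stored procedure's own logging) is the check to add when the databank value only sometimes changes.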


Re: issue with dialup.conf

2011-02-06 Thread Tyller D
Sorry, maybe I didn't explain correctly.

I'm not updating the database. I am using auth-type perl, and when the user
authenticates my perl script looks in the db to see what nas is being used
on that IP, then checks the value of databank for the user, and then
sends the correct attribute with the correct value, like so:

$RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;

(in this example it's a nomadix gateway)

That part works perfectly. The issue I'm having is when the stop request
comes in, it doesn't update the value in the radcheck table, well it does
but only sometimes..

On Sun, Feb 6, 2011 at 8:32 PM, Brian Candler b.cand...@pobox.com wrote:

 On Sun, Feb 06, 2011 at 04:55:34PM +0200, Tyller D wrote:
 freeradius is used to authenticate users at our hotspots, as we are
 using different nas devices and we must cater for them all i did this.
 in dictionary file I added an attribute called databank, then I
 created
 a perl script to check which type of nas the user is coming from and
 renaming databank to the correct attribute, now that works fine.

 Not sure what you mean by renaming databank to the correct attribute -
 are
 you actually changing the authentication database? If so that's scary.

 If you simply want to send a different attribute based on what type of NAS
 they are connecting from, then you can change the response attribute sent,
 without modifying the underlying database.

 For identifying the NAS: the simplest way is to use the preprocess
 module.  It reads the huntgroups file which maps NAS-IP-Address to
 control
 attribute Huntgroup-Name, and then you can use a regular users file to add
 an appropriate attribute, or do it in unlang:

sql

if ( %{control:Huntgroup-Name} == Foo  %{reply:Databank} ) {
update reply {
OtherAttr = %{reply:Databank}
Databank !* 
}
}


 Or you can do anything in perl of course.

 The point is, I don't think you should be updating the database simply to
 change which reply attribute is sent based on which NAS they're connecting
 from at this instant.

 Then
 on the stop request I need to update the value associated to databank
 to be (databank - (acctinputoctets+acctoutputoctets)). that way
 limiting users to only as much data as we stipulated in the
 begining.

 I'm guessing your databank is some sort of data limit attribute, a bit
 like a Session-Timeout but for bytes transferred?

 my problem is that it doesn't always update the databank value, I can
 see how much traffic a users used in his session (i.e. in the radacct
 table) so the  accounting_stop_query   accounting_stop_query_alt are
 not failing, its just not updating the databank value in radcheck.
 ...
 here are the two queries
 accounting_stop_query = "\
   UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - '%{Acct-Input-Octets}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}' \
   WHERE radacct.acctsessionid  = '%{Acct-Session-Id}' \
     AND radcheck.username      = '%{SQL-User-Name}' \
     AND radcheck.attribute     = 'databank' \
     AND radacct.username       = '%{SQL-User-Name}' \
     AND radacct.nasipaddress   = '%{NAS-IP-Address}'"

 That's a scary update: updating two independent tables with the same query.

 What database are you using? Calling a stored procedure would be a much
 cleaner way of doing this, if your database supports it. (I use mysql which
 does)

accounting_stop_query = CALL process_stop_packet(...)

 Then you can do two separate updates, which I think is what you really
 want.

 does anyone know how this can happen?

 Watch radiusd -X until you see it happen. Look at exactly what SQL updates
 are being done.

 could it be something to do with
 interim-updates (grasping at straws here).

 Sounds highly unlikely to me.


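Brian's stored-procedure suggestion carried through for this thread's stop packet, as an added example that is not code from the thread or from FreeRADIUS: it assumes the stock FreeRADIUS 2.x MySQL schema (radacct, radcheck) and the thread's 'databank' check attribute; the procedure name is Brian's, the parameter names and the ROW_COUNT() guard are mine.

```sql
-- Added example: one MySQL stored procedure, two separate UPDATEs in one
-- transaction, instead of a single multi-table UPDATE.  Assumes the stock
-- FreeRADIUS 2.x MySQL schema; parameter names are my own choice.
DELIMITER //

CREATE PROCEDURE process_stop_packet(
    IN p_sessionid   VARCHAR(64),
    IN p_username    VARCHAR(64),
    IN p_nasip       VARCHAR(15),
    IN p_stoptime    DATETIME,
    IN p_sessiontime INT UNSIGNED,
    IN p_in_giga     INT UNSIGNED,
    IN p_in_octets   INT UNSIGNED,
    IN p_out_giga    INT UNSIGNED,
    IN p_out_octets  INT UNSIGNED,
    IN p_cause       VARCHAR(32),
    IN p_delay       INT UNSIGNED,
    IN p_connectinfo VARCHAR(50)
)
BEGIN
    -- Signed on purpose: mixing unsigned operands in MySQL subtraction
    -- raises "out of range" as soon as the quota would go below zero.
    DECLARE v_in  BIGINT;
    DECLARE v_out BIGINT;

    -- Reassemble the 64-bit counters from Gigawords + Octets, as the stock
    -- accounting_stop_query does with "<< 32 |".
    SET v_in  = (p_in_giga  << 32) | p_in_octets;
    SET v_out = (p_out_giga << 32) | p_out_octets;

    START TRANSACTION;

    -- 1. Close this session's accounting row, and only an open one.
    UPDATE radacct
       SET acctstoptime       = p_stoptime,
           acctsessiontime    = p_sessiontime,
           acctinputoctets    = v_in,
           acctoutputoctets   = v_out,
           acctterminatecause = p_cause,
           acctstopdelay      = p_delay,
           connectinfo_stop   = p_connectinfo
     WHERE acctsessionid = p_sessionid
       AND username      = p_username
       AND nasipaddress  = p_nasip
       AND acctstoptime IS NULL;

    -- 2. Debit the quota only if step 1 actually closed a row, so a
    --    retransmitted Stop cannot charge the same session twice.  The
    --    debit itself is the thread's: both directions are subtracted.
    IF ROW_COUNT() = 1 THEN
        UPDATE radcheck
           SET value = CAST(value AS SIGNED) - v_in - v_out
         WHERE username  = p_username
           AND attribute = 'databank';
    END IF;

    COMMIT;
END //

DELIMITER ;

-- Assumed wiring in sql/mysql/dialup.conf (FreeRADIUS 2.x); the *_alt
-- fallback query for sessions with no Start record is left unchanged:
-- accounting_stop_query = "CALL process_stop_packet('%{Acct-Session-Id}', \
--     '%{SQL-User-Name}', '%{NAS-IP-Address}', '%S', \
--     '%{%{Acct-Session-Time}:-0}', \
--     '%{%{Acct-Input-Gigawords}:-0}',  '%{%{Acct-Input-Octets}:-0}', \
--     '%{%{Acct-Output-Gigawords}:-0}', '%{%{Acct-Output-Octets}:-0}', \
--     '%{Acct-Terminate-Cause}', '%{%{Acct-Delay-Time}:-0}', \
--     '%{Connect-Info}')"
```

With the MySQL general query log on (as Brian suggests), a Stop that changes radacct but not radcheck now shows up as a procedure call whose second UPDATE never ran, which narrows the search to the ROW_COUNT() guard or the radcheck row itself.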

Re: issue with dialup.conf

2011-02-06 Thread Brian Candler
On Sun, Feb 06, 2011 at 09:41:36PM +0200, Tyller D wrote:
Sorry, maybe I didn't explain correctly.
I'm not updating the database. I am using auth-type perl and when the
user authenticates my perl script looks in the db to see what nas is
being used on that IP and then checks the value for databank for the
user and then sends the correct attribute with the correct value like so
 
$RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;
(in this example its a nomadix gateway)

Which DB is Perl looking into to find $DATABANK? You mention the radcheck
table.  Does that mean you're using rlm_sql for authorization too?  In which
case, does the perl code look in a different set of SQL tables, or the same
ones?

Normally, reply attributes would go in radreply not radcheck - although
radcheck is a good place to set control attributes.

Or is all of the database access being done from Perl (in which case
radcheck is just a coincidental name?) I don't think so, because you said
you're using rlm_sql to update your accounting tables.

I think it might be sensible for you to post actual code and configs, and
specifics such as what database you're using.  Otherwise we're just playing
a game of twenty questions.

That part works perfectly. The issue I'm having is when the stop request
comes in, it doesn't update the value in the radcheck table; well, it
does, but only sometimes..

If sometimes means 99.9% of the time, then that's the sort of bug which
can be hard to debug.  If it means 50% of the time, then it should be quite
easy for you to replicate it and nail it down.  If your database supports
query logging, turn it on.  Then you can see *exactly* what update is being
sent, and whether it's being rejected for some reason at the database side.

Regards,

Brian.


Re: issue with dialup.conf

2011-02-06 Thread Fajar A. Nugraha
On Mon, Feb 7, 2011 at 1:08 AM, Tyller D tyll...@gmail.com wrote:
 Hi

 I will try run the queries manually and see what happens.

 rlm_sqlcounter is cool, but this should work right?

The idea looks good.

However, since you're trying to reimplement what's already available,
you might have a hard time trying to get everything right. For
example, what happens when a user exceeds their quota? Your setup
would accept the user while sending a negative quota (which might or
might not work).

In my implementation, I use rlm_sqlcounter, but I changed the way it
gets the numbers. I didn't like the way it does a sum() on radacct
every time a user logs in (one of the reasons being that I want to delete
old entries from my radacct table), so I created an additional table
to record total usage, and update it using an sql trigger. So instead of
having to examine thousands of rows when a user logs in, the db now
simply has to examine one row, plus update that row when a user logs
out. This way I can still make use of rlm_sqlcounter without having to
reinvent the whole logic behind it.

-- 
Fajar
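The running-total table Fajar describes, as an added example that is not his code: it assumes the stock FreeRADIUS MySQL radacct schema; the radusage table, the trigger name and the sqlcounter instance are my own choices.

```sql
-- Added example: keep one row per user with total octets, maintained by a
-- trigger on radacct, so rlm_sqlcounter reads one row instead of summing
-- every session.  Assumes the stock FreeRADIUS MySQL schema for radacct.
CREATE TABLE radusage (
    username    VARCHAR(64)     NOT NULL PRIMARY KEY,
    totaloctets BIGINT UNSIGNED NOT NULL DEFAULT 0
) ENGINE=InnoDB;

DELIMITER //

-- A session is counted exactly once: when its Stop closes the row, i.e.
-- acctstoptime goes from NULL to a value.  Interim-Updates leave
-- acctstoptime NULL, and a duplicate Stop finds it already set, so neither
-- inflates the total.
CREATE TRIGGER radacct_stop_to_usage
AFTER UPDATE ON radacct
FOR EACH ROW
BEGIN
    IF OLD.acctstoptime IS NULL AND NEW.acctstoptime IS NOT NULL THEN
        INSERT INTO radusage (username, totaloctets)
        VALUES (NEW.username,
                IFNULL(NEW.acctinputoctets, 0) + IFNULL(NEW.acctoutputoctets, 0))
        ON DUPLICATE KEY UPDATE
            totaloctets = totaloctets + VALUES(totaloctets);
    END IF;
END //

DELIMITER ;

-- Old accounting rows can now be purged without losing the totals:
-- DELETE FROM radacct WHERE acctstoptime < NOW() - INTERVAL 90 DAY;

-- Assumed rlm_sqlcounter instance (FreeRADIUS 2.x syntax) that compares the
-- thread's 'databank' check attribute against the single-row total.  With
-- "reset = never" the quota is lifetime; reply-name must be the attribute
-- the NAS in front of the user understands (one instance per NAS type, as
-- the thread's Perl does by hand):
--   sqlcounter databankcounter {
--       counter-name = Databank-Used
--       check-name   = databank
--       reply-name   = Mikrotik-Xmit-Limit
--       sqlmod-inst  = sql
--       key          = User-Name
--       reset        = never
--       query = "SELECT totaloctets FROM radusage WHERE username = '%{%k}'"
--   }
```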


Re: radius authentication support for telnet server.

2011-02-06 Thread vijay s sheelavantar
Hi Friends,

I am trying to authenticate telnet users using free radius. On my system telnet
is running as follows.

ps -ef | grep xinetd
root   22737     1  0 10:52 ?        00:00:00 /usr/sbin/xinetd -reuse
root   22864 18178  0 10:57 pts/1    00:00:00 grep xinetd
I have tried by creating telnet, xinetd files in /etc/pam.d/ folder. I have 
included auth sufficient pam_radius_auth.so debug in these files. I have 
added this line to /etc/pam.d/other file also. I don't have 
/etc/pam.d/common-auth file i think other file is for the same.
but I am not getting the request from the pam_radius_auth.so client to my radius
server running on a different machine. When I checked the log files at the client
side it shows as below.

Feb 7 10:53:35 (none) xinetd[22737]: START: telnet pid=22769 from=:::10.1.1.101
Feb 7 10:53:44 (none) login(pam_unix)[22770]: account user has password changed in future
Feb 7 10:53:44 (none) login(pam_unix)[22770]: session opened for user user by (uid=0)
Feb 7 10:53:44 (none) login[22770]: ROOT LOGIN on `pts/4' from `10.1.1.101'

Please let me know how I can authenticate telnet users with the radius server.
Thanks & Regards
Vijay S.

Re: radius authentication support for telnet server.

2011-02-06 Thread Fajar A. Nugraha
On Mon, Feb 7, 2011 at 8:54 AM, vijay s sheelavantar 
s_vija...@rediffmail.com wrote:

 I have tried by creating telnet, xinetd files in /etc/pam.d/ folder. I
 have included auth sufficient pam_radius_auth.so debug in these files. I
 have added this line to /etc/pam.d/other file also. I don't have 
 /etc/pam.d/common-auth
 file i think other file is for the same.

 but i am not getting the request form pam_radius_auth.so client to my
 radius server running on different machine. when i checked the log files at
 client side it shows as below.

 Feb 7 10:53:35 (none) xinetd[22737]: START: telnet pid=22769
 from=:::10.1.1.101
 Feb 7 10:53:44 (none) login(pam_unix)[22770]: account user has password
 changed in future
 Feb 7 10:53:44 (none) login(pam_unix)[22770]: session opened for user user
 by (uid=0)
 Feb 7 10:53:44 (none) login[22770]: ROOT LOGIN on `pts/4' from `10.1.1.101'


Try /etc/pam.d/login

-- 
Fajar

Re: issue with dialup.conf

2011-02-06 Thread Tyller D
Hi

The main reason I am doing it this way to send the correct attributes per
location.
Hopefully this explains whats happening.


perl.pl

.
if ( $device =~ /^nomadix/i ) {
    if ($DATABANK != '') {

        if ( $DATABANK le 0 ) {
            $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
            return RLM_MODULE_REJECT;

        } else {

            return RLM_MODULE_REJECT;
            $RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;
        }
.
if ( $device =~ /^mikrotik/i ) {
    if ($DATABANK != '') {
        if ( $DATABANK <= 0 ) {

            $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
            return RLM_MODULE_REJECT;

        } else {

            $RAD_REPLY{'Mikrotik-Xmit-Limit'} = $DATABANK;

        }


extract from radcheck:

+--+--+++--+
| id   | username | attribute  | op | value|
+--+--+++--+
| 3069 | Joe  | databank   | := | 52428800 |
| 3068 | Joe  | Cleartext-Password | := | Joe123   |
| 3070 | Joe  | Auth-Type  | := | Perl |
+--+--+++--+

stop query

accounting_stop_query = "\
  UPDATE radacct,radcheck SET \
    radacct.acctstoptime       = '%S', \
    radacct.acctsessiontime    = '%{Acct-Session-Time}', \
    radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
    radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
    radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
    radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - '%{Acct-Input-Octets}', \
    radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
    radacct.connectinfo_stop   = '%{Connect-Info}' \
  WHERE radacct.acctsessionid  = '%{Acct-Session-Id}' \
    AND radcheck.username      = '%{SQL-User-Name}' \
    AND radcheck.attribute     = 'databank' \
    AND radacct.username       = '%{SQL-User-Name}' \
    AND radacct.nasipaddress   = '%{NAS-IP-Address}'"


accounting_stop_query_alt = "\
  UPDATE radacct,radcheck SET \
    radacct.acctstoptime       = '%S', \
    radacct.acctsessiontime    = '%{Acct-Session-Time}', \
    radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
    radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
    radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
    radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
    radacct.connectinfo_stop   = '%{Connect-Info}', \
    radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - '%{Acct-Input-Octets}' \
  WHERE radacct.acctsessionid  = '%{Acct-Session-Id}' \
    AND radacct.username       = '%{SQL-User-Name}' \
    AND radacct.nasipaddress   = '%{NAS-IP-Address}' \
    AND radcheck.username      = '%{SQL-User-Name}' \
    AND radcheck.attribute     = 'databank'"


So the theory is this: user tries to login, we check the NAS device, check
the databank and get the values and send the reply-attribute that suits the
gateway (else fail). When the user sends the stop query we re-update the
databank value in the radcheck table.

so the value for databank in the radcheck table should always be equal to
databank - sum(acctoutputoctets + acctinputoctets)

but it's not always executing the stop request correctly because

mysql> select sum(acctinputoctets + acctoutputoctets) from radacct where
username='scotty';
+-+
| sum(acctinputoctets + acctoutputoctets) |
+-+
|  1840263628 |
+-+


mysql> select value from radcheck where username='scotty' and
attribute='databank';
++
| value  |
++
| -302340151 |
++


Do you guys see where I have made an error?


On Mon, Feb 7, 2011 at 12:56 AM, Fajar A. Nugraha l...@fajar.net wrote:

 On Mon, Feb 7, 2011 at 1:08 AM, Tyller D tyll...@gmail.com wrote:
  Hi
 
  I will try run the queries manually and see what happens.
 
  rlm_sqlcounter is cool, but this should work right?

 The idea looks good.

 However, since you're trying to reimplement what's already available,
 you might have a hard time trying to get 

Re: free radius implementation for big ISP

2011-02-06 Thread Mohamad A
Brian,

Thanks for quick reply, considering your information, this is going to
be very challenging!
but as soon as I get confirmation about installing of FreeRadius from
my manger I'll come back to this mailing list with lots of questions.
:)

Regards
M

On 6 February 2011 15:09, Brian Candler b.cand...@pobox.com wrote:
 On Sun, Feb 06, 2011 at 02:13:40PM +0330, Mohamad A wrote:
 1. Handling about 100,000 acc requests and 10,000 auth requests hourly!

 I know a freeradius installation much bigger than that.

 You can scale freeradius easily: a multicore machine with lots of RAM will
 be able to handle hundreds of requests per second (depending on whether it's
 using in-RAM tables or mysql queries or whatever), and you can scale
 horizontally by adding more RADIUS servers.

 For your 200K users you might want to use mysql or LDAP as your source of
 authorization and authentication data. You can scale that using replication.

 2. Accounting

 Of course. Using something like rlm_log_sql you can write the 'INSERT'
 statements to a log file, then periodically collect them and push them into
 your accounting DB.  Using that approach, the accounting DB doesn't become a
 real-time bottleneck.

 For real-time accounting (i.e. which user is on this IP address right
 now?) support for Redis has just been added. It should appear in 2.1.11.

 3. Control and limit user traffic.

 That's a function of the NAS. The RADIUS server is not involved, except in
 sending attributes to control that activity. FreeRADIUS can send whatever
 attributes you like.

 4. Control and limit user concurrent logins.

 That's a bit trickier but doable. I believe there are example configs for
 doing this using mysql, and you could use the new Redis support for it too.

 But (1) it is difficult to scale, because there will have to be a central
 real-time database updated when people connect and disconnect; and (2) this
 service is designed to prevent people logging in under certain
 circumstances, and therefore can become a source of increased user problems
 and support calls.

 You have to decide whether the abuse of multiple concurrent logins is
 outweighed by the risks of accidentally locking out legitimate users (e.g.
 because of lost accounting packets showing that the users' previous session
 has ended)

 IMO a better solution is just to analyse accounting logs periodically, and
 identify people logging in concurrently.  Then you can send them a gentle
 warning to mend their ways, and if they persist then you terminate them
 under the TCs of the service you provide them.

 5. CoA for changing user speed over different times of day.
 6. CoA to disconnect user when the account validation is over (eg.
 Traffic quota exceeds).

 radclient can send the CoA packets, but the actual logic of *when* to send
 them is entirely outside of FreeRADIUS. You would need your own systems to
 do that.

 Your NAS might support an attribute to disconnect the user once a certain
 amount of traffic has been sent or received (similar to Session-Timeout,
 which disconnects them after a certain number of seconds)

 7. Calculate traffic usage differently depending on day-time (ie. our
 service in nights does not calculate any traffic or some times as half
 for users).

 FreeRADIUS doesn't calculate traffic usage. You need to build a system to
 do that, using accounting records as the raw input.

 8. Tracking online users and disconnect user if Accounting packet is
 not received in prefixed amount of time (currently 10 mins).

 That seems a strange requirement. If you have configured your NAS to send
 periodic interim updates, and the NAS hasn't sent one for 2 or 3 times the
 update interval, then the reason is almost certainly that the user has
 disconnected anyway.

 Anyway, this falls into the same as CoA above. You can use radclient to send
 the disconnect packet (or more standard, use SNMP to do this), but the
 systems to work out if and when to do this are your own.

 9. Splitting database traffic over multiple servers.

 Yes that's easy. Multiple RADIUS servers can point to different database
 backends; a single RADIUS server can also share load between multiple
 database backends using a load-balance section. man unlang for more
 info.

 10. Designing one interface to manage all users.

 Building user management is your problem. This encompasses everything from
 CRM (contact info), signup, rating, billing and payment collection,
 selfcare, mapping products to RADIUS attributes, product upgrades, service
 termination, and so on.

 FreeRADIUS doesn't even provide you with a user management API, that's up to
 you too.  For example, if you put your user radius data into a mysql
 database, you might expose some stored procedures that the higher-level
 systems can call to add/delete/modify a user; or you might have a separate
 system which takes SOAP or JSON requests and turns them into mysql inserts
 and updates.

 Do you really suggest to switch to FreeRadius or 

Problem ms-chapv2

2011-02-06 Thread Влад Власов

Hello. Please help me. I am trying to set up FreeRadius (FreeBSD 7.2-RELEASE amd64)
as a proxy. Windows clients can't connect with the default settings in a PPPoE
connection (on the security tab all auth protocols are enabled); the server sends
error 691. If I disable all protocols except mschapv1 everything works fine without
errors.
Please tell me what I am doing wrong. All settings in the conf files are default;
I changed only proxy.conf and client.conf.
I tried versions 2.1.10 and 2.1.9.

Auth Fail 
-
rad_recv: Access-Request packet from host 127.0.0.1 port 61233, id=68, 
length=277
NAS-Identifier = PPPoE.mk.loc
NAS-IP-Address = 172.20.192.4
Message-Authenticator = 0x33297e1e26330d6c0df04a4b015b446c
Acct-Session-Id = 7056520-TA233-3766-144
NAS-Port = 144
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 0022687293f7
NAS-Port-Id = vlan3766
Vendor-12341-Attr-12 = 0x5441322d333736362d313434
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Client-Endpoint:0 = 00:22:68:72:93:f7
User-Name = test-user@moco
MS-CHAP-Challenge = 0xbb1e68bfac6b679afbba56b6670fde86
MS-CHAP2-Response = 
0x0100a945a3ba1dad2b9d2e95511c58f8464aaab387818928b6f430030d50fc68517c64c578458737b561
Mon Feb  7 10:28:40 2011 : Info: +- entering group authorize {...}
Mon Feb  7 10:28:40 2011 : Info: ++[preprocess] returns ok
Mon Feb  7 10:28:40 2011 : Info: ++[chap] returns noop
Mon Feb  7 10:28:40 2011 : Info: [mschap] Found MS-CHAP attributes.  Setting 
'Auth-Type  = mschap'
Mon Feb  7 10:28:40 2011 : Info: ++[mschap] returns ok
Mon Feb  7 10:28:40 2011 : Info: ++[digest] returns noop
Mon Feb  7 10:28:40 2011 : Info: [suffix] Looking up realm moco for User-Name 
= test-user@moco
Mon Feb  7 10:28:40 2011 : Info: [suffix] Found realm moco
Mon Feb  7 10:28:40 2011 : Info: [suffix] Adding Stripped-User-Name = 
test-user
Mon Feb  7 10:28:40 2011 : Info: [suffix] Adding Realm = moco
Mon Feb  7 10:28:40 2011 : Info: [suffix] Proxying request from user test-user 
to realm moco
Mon Feb  7 10:28:40 2011 : Info: [suffix] Preparing to proxy authentication 
request to realm moco
Mon Feb  7 10:28:40 2011 : Info: ++[suffix] returns updated
Mon Feb  7 10:28:40 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Feb  7 10:28:40 2011 : Info: ++[eap] returns noop
Mon Feb  7 10:28:40 2011 : Info: [files] users: Matched entry DEFAULT at line 
172
Mon Feb  7 10:28:40 2011 : Info: ++[files] returns ok
Mon Feb  7 10:28:40 2011 : Info: ++[expiration] returns noop
Mon Feb  7 10:28:40 2011 : Info: ++[logintime] returns noop
Mon Feb  7 10:28:40 2011 : Info: ++[pap] returns noop
Mon Feb  7 10:28:40 2011 : Info:   WARNING: Empty pre-proxy section.  Using 
default return values.
Sending Access-Request of id 255 to 172.20.192.19 port 1812
NAS-Identifier = PPPoE.mk.loc
NAS-IP-Address = 172.20.192.4
Message-Authenticator = 0x
Acct-Session-Id = 7056520-TA233-3766-144
NAS-Port = 144
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 0022687293f7
NAS-Port-Id = vlan3766
Vendor-12341-Attr-12 = 0x5441322d333736362d313434
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Client-Endpoint:0 = 00:22:68:72:93:f7
User-Name = test-user
MS-CHAP-Challenge = 0xbb1e68bfac6b679afbba56b6670fde86
MS-CHAP2-Response = 
0x0100a945a3ba1dad2b9d2e95511c58f8464aaab387818928b6f430030d50fc68517c64c578458737b561
Proxy-State = 0x3638
Mon Feb  7 10:28:40 2011 : Info: Proxying request 65 to home server 
172.20.192.19 port 1812
Sending Access-Request of id 255 to 172.20.192.19 port 1812
NAS-Identifier = PPPoE.mk.loc
NAS-IP-Address = 172.20.192.4
Message-Authenticator = 0x
Acct-Session-Id = 7056520-TA233-3766-144
NAS-Port = 144
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 0022687293f7
NAS-Port-Id = vlan3766
Vendor-12341-Attr-12 = 0x5441322d333736362d313434
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Client-Endpoint:0 = 00:22:68:72:93:f7
User-Name = test-user
MS-CHAP-Challenge = 0xbb1e68bfac6b679afbba56b6670fde86
MS-CHAP2-Response = 
0x0100a945a3ba1dad2b9d2e95511c58f8464aaab387818928b6f430030d50fc68517c64c578458737b561
Proxy-State = 0x3638
Mon Feb  7 10:28:40 2011 : Debug: Going to the next request
Mon Feb  7 10:28:40 2011 : Debug: Waking up in 0.4 seconds.
rad_recv: Access-Reject packet from host 172.20.192.19 port 1812, id=255, 
length=43
Reply-Message = Authorization failed.
Mon Feb  7 

Re: issue with dialup.conf

2011-02-06 Thread Tyller D
I think I found the mistake

radcheck.value = radcheck.value - '%{Acct-Output-Octets}' -
'%{Acct-Input-Octets}' \

should be

radcheck.value = 'radcheck.value' - '%{Acct-Output-Octets}'
- '%{Acct-Input-Octets}' \

that query wouldn't run before but does after i quote 'radcheck.value'.

Hopefully that fixes the issue.

Thanks

On Mon, Feb 7, 2011 at 8:48 AM, Tyller D tyll...@gmail.com wrote:

 Hi

 The main reason I am doing it this way to send the correct attributes per
 location.
 Hopefully this explains whats happening.


 perl.pl

 .
 if ( $device =~ /^nomadix/i ) {
     if ($DATABANK != '') {

         if ( $DATABANK le 0 ) {
             $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
             return RLM_MODULE_REJECT;

         } else {

             return RLM_MODULE_REJECT;

             $RAD_REPLY{'Nomadix-MaxBytesDown'} = $DATABANK;
         }
 .
 if ( $device =~ /^mikrotik/i ) {
     if ($DATABANK != '') {
         if ( $DATABANK <= 0 ) {

             $RAD_REPLY{'Reply-Message'} = "You have no more Data Left";
             return RLM_MODULE_REJECT;

         } else {

             $RAD_REPLY{'Mikrotik-Xmit-Limit'} = $DATABANK;

         }


 extract from radcheck:

 +--+--+++--+
 | id   | username | attribute  | op | value|
 +--+--+++--+
 | 3069 | Joe  | databank   | := | 52428800 |
 | 3068 | Joe  | Cleartext-Password | := | Joe123   |
 | 3070 | Joe  | Auth-Type  | := | Perl |
 +--+--+++--+

 stop query

 accounting_stop_query = "\
   UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - '%{Acct-Input-Octets}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}' \
   WHERE radacct.acctsessionid  = '%{Acct-Session-Id}' \
     AND radcheck.username      = '%{SQL-User-Name}' \
     AND radcheck.attribute     = 'databank' \
     AND radacct.username       = '%{SQL-User-Name}' \
     AND radacct.nasipaddress   = '%{NAS-IP-Address}'"


 accounting_stop_query_alt = "\
   UPDATE radacct,radcheck SET \
     radacct.acctstoptime       = '%S', \
     radacct.acctsessiontime    = '%{Acct-Session-Time}', \
     radacct.acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
     radacct.acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
     radacct.acctterminatecause = '%{Acct-Terminate-Cause}', \
     radacct.acctstopdelay      = '%{%{Acct-Delay-Time}:-0}', \
     radacct.connectinfo_stop   = '%{Connect-Info}', \
     radcheck.value             = radcheck.value - '%{Acct-Output-Octets}' - '%{Acct-Input-Octets}' \
   WHERE radacct.acctsessionid  = '%{Acct-Session-Id}' \
     AND radacct.username       = '%{SQL-User-Name}' \
     AND radacct.nasipaddress   = '%{NAS-IP-Address}' \
     AND radcheck.username      = '%{SQL-User-Name}' \
     AND radcheck.attribute     = 'databank'"


 So the theory is this: user tries to login, we check the NAS device, check
 the databank and get the values and send the reply-attribute that suits the
 gateway (else fail). When the user sends the stop query we re-update the
 databank value in the radcheck table.

 so the value for databank in the radcheck table should always be equal to
 databank - sum(acctoutputoctets + acctinputoctets)

 but it's not always executing the stop request correctly because

 mysql> select sum(acctinputoctets + acctoutputoctets) from radacct where
 username='scotty';
 +-+
 | sum(acctinputoctets + acctoutputoctets) |
 +-+
 |  1840263628 |
 +-+


 mysql> select value from radcheck where username='scotty' and
 attribute='databank';
 

Re: issue with dialup.conf

2011-02-06 Thread Fajar A. Nugraha
On Mon, Feb 7, 2011 at 1:48 PM, Tyller D tyll...@gmail.com wrote:
     return RLM_MODULE_REJECT;
     $RAD_REPLY{'Nomadix-MaxBytesDown'} =


 so the value for databank in the radcheck table should always be equal to
 databank - sum(acctoutputoctets + acctinputoctets)

 but it's not always executing the stop request correctly because

 mysql> select sum(acctinputoctets + acctoutputoctets) from radacct where
 username='scotty';
 +-+
 | sum(acctinputoctets + acctoutputoctets) |
 +-+
 |  1840263628 |
 +-+


 mysql> select value from radcheck where username='scotty' and
 attribute='databank';
 ++
 | value  |
 ++
 | -302340151 |
 ++


So what error did you find exactly? Is it that it works but I get
negative number on databank?

If yes, then it's normal, cause you only limit downloads
(Nomadix-MaxBytesDown) while in the update calculation during acct
stop you calculate both upload and download.

-- 
Fajar



Re: Freeradius + Mysql + Enterasys management-access

2011-02-06 Thread Alan Buxey
Hi,


did you just copy the original example (framed-ip etc?) rather
than put your required attributes into the table?  ;-)

the list should be used to give you the helpful pointer...not
do ALL your work for you  :-)

alan