Re: EAP-TLS problem
On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
> Hello Muhammad,
>
> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I have configured eap.conf to use EAP-TLS. But I don't know how to send requests to the freeradius server, so that it can authenticate the user using TLS (with a digital certificate). Can anyone help me, thanks in advance..
>
> You will need a RADIUS Client, e.g.
> - wireless access point
> - lan switch
> which acts as the RADIUS Client (Authenticator in 802.1X terminology). Both have to support 802.1X and RADIUS. Without one you won't be able to test EAP-TLS. I am not aware of a simulator client program.

Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS.

To the OP - download wpa_supplicant sources and build eapol_test.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS problem
Hi,

> Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.

eapol_test is VERY powerful, and there are even little test scripts provided in the FreeRADIUS source. However, if you want a clicky GUI then also look at JRadius Simulator: http://www.coova.org/JRadius/Simulator (but this mailing list isn't a support forum for either of those tools!)

alan
Re: EAP-TLS problem
On 2/18/13, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
>> Hello Muhammad,
>>
>> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I have configured eap.conf to use EAP-TLS. But I don't know how to send requests to the freeradius server, so that it can authenticate the user using TLS (with a digital certificate). Can anyone help me, thanks in advance..
>>
>> You will need a RADIUS Client, e.g.
>> - wireless access point
>> - lan switch
>> which acts as the RADIUS Client (Authenticator in 802.1X terminology). Both have to support 802.1X and RADIUS. Without one you won't be able to test EAP-TLS. I am not aware of a simulator client program.
>
> Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.

thanks Phil, eapol_test is really working. thanks a lot
RE: AVP EAP-KEY name support in FR
Alan,

We have tried with the patch provided. Here is the debug log from old (master 2.2.0) and new (latest 2.x.x branch 18/2/2013).

Old one: Here the tls state machine goes from Access-Request to Access-Challenge and then to Access-Accepted.

And New one: Here the tls state machine goes from Access-Request to Access-Rejected and then ends with segmentation fault.

Note: configuration of Client and Switch remains the same in both cases.

What could have gone wrong??

/// Old one:

rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=3, length=1020
Sat Aug 18 03:04:46 2012 : Info: Found Auth-Type = EAP
Sat Aug 18 03:04:46 2012 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Sat Aug 18 03:04:46 2012 : Info: +- entering group authenticate {...}
Sat Aug 18 03:04:46 2012 : Info: [eap] Request found, released from the list
Sat Aug 18 03:04:46 2012 : Info: [eap] EAP/tls
Sat Aug 18 03:04:46 2012 : Info: [eap] processing type tls
Sat Aug 18 03:04:46 2012 : Info: [tls] Authenticate
Sat Aug 18 03:04:46 2012 : Info: [tls] processing EAP-TLS
Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_verify returned 7
Sat Aug 18 03:04:46 2012 : Info: [tls] Done initial handshake
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 Handshake [length 05f6], Certificate
Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=1,
Sat Aug 18 03:04:46 2012 : Info: [tls] error=0
Sat Aug 18 03:04:46 2012 : Info: [tls] -- User-Name = testuse...@vitesse.com
Sat Aug 18 03:04:46 2012 : Info: [tls] -- BUF-Name = MACsec Test CA
Sat Aug 18 03:04:46 2012 : Info: [tls] -- subject = /C=FI/O=SafeNet, Inc./CN=MACsec Test CA
Sat Aug 18 03:04:46 2012 : Info: [tls] -- issuer = /C=FI/O=SafeNet, Inc./CN=MACsec Test CA
Sat Aug 18 03:04:46 2012 : Info: [tls] -- verify return:1
Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=0,
Sat Aug 18 03:04:46 2012 : Info: [tls] error=0
Sat Aug 18 03:04:46 2012 : Info: [tls] -- User-Name = testuse...@vitesse.com
Sat Aug 18 03:04:46 2012 : Info: [tls] -- BUF-Name = test user 2
Sat Aug 18 03:04:46 2012 : Info: [tls] -- verify return:1
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client certificate A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 Handshake [length 0086], ClientKeyExchange
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client key exchange A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 Handshake [length 0086], CertificateVerify
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read certificate verify A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 ChangeCipherSpec [length 0001]
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 Handshake [length 0010], Finished
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read finished A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 ChangeCipherSpec [length 0001]
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write change cipher spec A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS 1.0 Handshake [length 0010], Finished
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write finished A
Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 flush data
Sat Aug 18 03:04:46 2012 : Info: [tls] (other): SSL negotiation finished successfully
Sat Aug 18 03:04:46 2012 : Debug: SSL Connection Established
Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_process returned 13
Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 3 to 10.0.1.10 port 1645
	EAP-Message = 0x010c00350d80002b1403010001011603010020f2847b79b15d316feb376cd0294bffca228fb31bcdfd4e3ac450b4b3148c0eda
	Message-Authenticator = 0x
	State = 0x1bc2fd5d1fcef0fc7198dd89ed915160
Sat Aug 18 03:04:46 2012 : Info: Finished request 4.
Sat Aug 18 03:04:46 2012 : Debug: Going to the next request
Sat Aug 18 03:04:46 2012 : Debug: Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=4, length=191
Sat Aug 18 03:04:46 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Sat Aug 18 03:04:46 2012 : Info: +- entering group authorize {...}
Sat Aug 18 03:04:46 2012 : Info: ++[preprocess] returns ok
Sat Aug 18 03:04:46 2012 : Info: ++[chap] returns noop
Sat Aug 18 03:04:46 2012 : Info: ++[mschap] returns noop
Sat Aug 18 03:04:46 2012 : Info: ++[digest] returns noop
Sat Aug 18 03:04:46 2012 : Info: [suffix] Looking up realm vitesse.com for User-Name = testuse...@vitesse.com
Sat Aug 18 03:04:46 2012 : Info: [suffix] No such realm vitesse.com
Sat Aug 18 03:04:46 2012 : Info: ++[suffix] returns noop
Sat Aug 18 03:04:46 2012 : Info: [eap] EAP packet type response id 12 length 6
Sat Aug 18 03:04:46 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns updated
Sat Aug
Re: EAP-TLS problem
On 2/18/13, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thankfully, this isn't correct. You can use eapol_test which comes with the wpa_supplicant source to test pretty much every EAP type there is, including EAP-TLS.
>>
>> To the OP - download wpa_supplicant sources and build eapol_test.
>
> eapol_test is VERY powerful, and there are even little test scripts provided in the FreeRADIUS source. However, if you want a clicky GUI then also look at JRadius Simulator: http://www.coova.org/JRadius/Simulator (but this mailing list isn't a support forum for either of those tools!)
>
> alan

thanks A.L.M, but actually I am not aware of what to send in a request for EAP-TLS. I have followed the README in /raddb/certs/ and made the CA, CLIENT and SERVER certificates. Now I send the request to the server with eapol_test, with the following parameters:

network={
	eap=TLS
	eapol_flags=0
	key_mgmt=IEEE8021X
	identity=bob
	ca_cert=/usr/local/etc/raddb/certs/ca.pem
	client_cert=/usr/local/etc/raddb/certs/client.pem
	private_kry=/usr/local/etc/raddb/certs/server.key
	private_key_passwd=whatever
}

but this request gives me a FAILURE response. I have googled a lot to find the appropriate answer (what needs to be sent in the client request etc.).
Re: EAP-TLS problem
Hi,

> (but this mailing list isn't a support forum for either of those tools!)

I guess you don't read what I post... which means I'm not likely to answer you.

alan
Re: EAP-TLS problem
On 18/02/13 10:57, Muhammad Nadeem wrote:
> ca_cert=/usr/local/etc/raddb/certs/ca.pem
> client_cert=/usr/local/etc/raddb/certs/client.pem
> private_kry=/usr/local/etc/raddb/certs/server.key
                                        ^^^ typo - should be client.key

This is basic stuff; please read the docs for wpa_supplicant/eapol_test more carefully, and your own configs, before posting questions, particularly as others have pointed out, this is not the eapol_test support list...
Re: Freeradius-Users Digest, Vol 94, Issue 49
On 15-Feb-13 09:19, freeradius-users-requ...@lists.freeradius.org wrote:
[SNIP/]
>> I hope someone can point me in the right direction here. I am trying to build FR version 2.1.12 with the option --with-experimental-modules on Debian Linux Squeeze 2.6.32-5-amd64 because I need to build support for Wimax stuff. However I get the following compiling error(s):
>>
>> checking openssl/hmac.h usability... no
>> checking openssl/hmac.h presence... no
>> checking for openssl/hmac.h... no
>> configure: WARNING: silently not building rlm_wimax.
>> configure: WARNING: FAILURE: rlm_wimax requires: openssl/hmac.h.
>> configure: creating ./config.status
>> config.status: creating Makefile
>
> you don't have the required headers present to build the code. check you have the openssl devel package installed
>
> libssl-dev IIRC

... and that was it. Thanks a lot again Alan.

Molla.
Re: AVP EAP-KEY name support in FR
Srinu Bandari wrote:
> And New one: Here the tls state machine goes from Access-Request to Access-Rejected and then ends with segmentation fault

The debug log doesn't show a SEGV... But there was an unrelated issue. Please do git pull for the v2.x.x. branch, and try again. I've fixed the bug that caused the early reject.

> What could have gone wrong??

Another bug.

Alan DeKok.
Advice on where to look next...
I've configured my server to successfully authenticate against AD using my ldap module. However, my users are in multiple OUs, and I can only specify one basedn at a time. I know that's probably not good directory structure, but I don't manage our directory. What approach do others use to search multiple basedns?

In case it would help, here are the relevant portions from my ldap module, which is currently working (I've removed most comments to make it concise):

ldap {
	server = xxx
	identity = cn=ldapuser,ou=service accounts,dc=cphc,dc=local
	password = xxx
	basedn = dc=cphc,dc=local
	# ***This doesn't work without a specific OU. My users are in multiple OUs
	#basedn = OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local
	filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
	groupname_attribute = cn
	groupmembership_filter = (member=%{check:Ldap-UserDn})
	groupmembership_attribute = member
	#compare_check_items = yes
	#do_xlat = yes
	access_attr_used_for_allow = yes
}

*One thing that confuses me is that ldapsearch works fine using basedn=dc=cphc,dc=local.

And my error output:

[ldap] performing user authorization for jpjohnson
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=jpjohnson)
[ldap] expand: dc=cphc,dc=local -> dc=cphc,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to tch-nt2.cphc.local:389, authentication 0
rlm_ldap: bind as cn=ldapuser,ou=service accounts,dc=cphc,dc=local/xxx to tch-nt2.cphc.local:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=cphc,dc=local, with filter (sAMAccountName=jpjohnson)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

-Jeff
Need to change response type to Access-Challenge from rlm_perl
Hi,

Looking through the archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.

Here is my server version info:

radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41

Here's my code:

# Construct HTTP request
my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
if ($authresult eq "true") {
	$RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
	$RAD_REPLY{'Reply-Message'} = "authentication successful";
	for (keys %RAD_REPLY) {
		radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
	}
	for (keys %RAD_CHECK) {
		radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
	}
	for (keys %RAD_CONFIG) {
		radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
	}
	return RLM_MODULE_OK;
} else {
	$RAD_REPLY{'Reply-Message'} = "authentication failure";
	return RLM_MODULE_REJECT;
}

Here is the relevant debug output:

Found Auth-Type = perl
# Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group perl {...}
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = 42594190
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
rlm_perl: Result after authamis call - true
rlm_perl: RAD_REPLY: Reply-Message = authentication successful
rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: RAD_CONFIG: Auth-Type = perl
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = 42594190
rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
rlm_perl: Added pair Reply-Message = authentication successful
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl
++[perl] returns ok
# Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 81 to 192.168.65.1 port 53504
	Reply-Message = authentication successful
Finished request 0.
Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?

Thanks,
Walter
Passing regexps from SQL to unlang
Hello,

I need to translate Calling-Station-Id to E.164. A NAS can send these numbers in several formats; for example the number +74951234567 can come as 1234567, 04951234567 or 0074951234567. I am thinking about adding a field in the nas table and specifying several regexps with a delimiter. Can I fetch this field, parse it into several regexps and use them in unlang as regexps?
Re: Passing regexps from SQL to unlang
Maxim S. Denisov wrote:
> I need to translate Calling-Station-Id to E.164. A NAS can send these numbers in several formats; for example the number +74951234567 can come as 1234567, 04951234567 or 0074951234567. I am thinking about adding a field in the nas table and specifying several regexps with a delimiter. Can I fetch this field, parse it into several regexps and use them in unlang as regexps?

Not really. And it's probably not a good idea, either. Databases are for storing bulk data, not policies.

This is the kind of thing you'd do in unlang. Just write 5-6 rules with regexes. They should catch the weird formats, and standardize them. Then, insert the standardized form into the database.

Alan DeKok.
Re: Passing regexps from SQL to unlang
Hello Mr. DeKok,

Thank you for your reply. There are many NASes in many regions and the translation rules for them are different; I wanted to make the translation configurable through my ERP interface. Using files for this I will have to manage NAS configuration in two places and have a huge policy.conf.

Regards,
Maxim Denisov

On 18.02.2013, at 19:53, Alan DeKok al...@deployingradius.com wrote:
> Not really. And it's probably not a good idea, either. Databases are for storing bulk data, not policies.
>
> This is the kind of thing you'd do in unlang. Just write 5-6 rules with regexes. They should catch the weird formats, and standardize them. Then, insert the standardized form into the database.
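The rule set Alan describes, written out as an added example (not code from the thread or from FreeRADIUS) in Python so it can be run against the numbers Maxim quotes; in production the same five patterns would be unlang regex conditions on Calling-Station-Id. Country code and area code are per-NAS parameters so the regional differences Maxim's follow-up raises stay in data rather than in the regexes; the +7/495 defaults, the second constructed region, and the 8-to-15 digit bounds are assumptions taken from the thread's example number.

```python
import re


def normalize_calling_station_id(raw, country_code="7", area_code="495"):
    """Return Calling-Station-Id in E.164 form ("+" followed by digits),
    or None when no rule matches. country_code/area_code are the values the
    NAS's region supplies (assumed defaults +7 495 from the thread's example)."""
    # NASes add separators inconsistently; strip them before matching.
    digits = re.sub(r"[\s\-().]", "", raw)
    cc = re.escape(country_code)
    # Ordered rules: (regex, builder). First match wins, like unlang if/elsif.
    rules = [
        # already E.164: +74951234567
        (r"\+(\d{8,15})",  lambda m: "+" + m.group(1)),
        # 00 international prefix: 0074951234567
        (r"00(\d{8,15})",  lambda m: "+" + m.group(1)),
        # country code without the plus: 74951234567
        (cc + r"(\d{10})", lambda m: "+" + country_code + m.group(1)),
        # national format, trunk prefix 0 then area + subscriber: 04951234567
        (r"0(\d{10})",     lambda m: "+" + country_code + m.group(1)),
        # bare subscriber number, area code taken from the NAS's region: 1234567
        (r"(\d{7})",       lambda m: "+" + country_code + area_code + m.group(1)),
    ]
    for pattern, build in rules:
        m = re.fullmatch(pattern, digits)
        if m:
            return build(m)
    return None  # let the policy decide whether to reject or only log


# Constructed per-NAS table standing in for the column Maxim considered adding
# to the SQL nas table: only data (the codes) lives here, never the regexes.
NAS_REGION = {
    "10.0.0.1": ("7", "495"),   # constructed: a Moscow NAS
    "10.0.0.2": ("7", "812"),   # constructed: a St Petersburg NAS
}


def normalize_for_nas(nas_ip, raw, table=NAS_REGION):
    """Look up the NAS's region codes, then apply the shared rule set."""
    cc, area = table.get(nas_ip, ("7", "495"))
    return normalize_calling_station_id(raw, cc, area)


if __name__ == "__main__":
    for sample in ("1234567", "04951234567", "0074951234567", "+7 495 123-45-67"):
        print(sample, "->", normalize_calling_station_id(sample))
```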
Re: Clients connecting without group
On 18/02/13 16:43, Michell wrote:
> Hello all, what would be the best way to not allow the user connection that does not have a group or has a group that does not exist?

What does "have a group that does not exist" mean? How can you be in a group that doesn't exist?

> Should I create a policy or check attributes? Does anyone have an example?

Since you didn't specify where your groups are stored, it's difficult to help you.

> I have the problem of authenticating customers without being in a group and navigating without bandwidth control, as this is defined by the groups in radius.

Well, you control the group. You could change your data generation procedures to ensure that someone is *always* in a group.

> This issue has already been addressed here, but still not getting success.

It's too vague. Be more specific.

You can easily exclude people not in any group. Presumably, since you will be setting attributes for each group, you just have a final "deny all" policy. Or you create a group that contains everyone, with low precedence, and set a reject on that.
Re: Need to change response type to Access-Challenge from rlm_perl
To answer my own question, I found that using the return code RLM_MODULE_OK triggers the server to respond back with Access-Accept. If I use RLM_MODULE_HANDLED instead, the response packet type is set to what I expected it to be. This makes sense since I expect the client to exchange several messages with me before I finally trigger the Access-Accept message.

On Mon, Feb 18, 2013 at 9:00 AM, Walter Goulet wgou...@gmail.com wrote:
> Hi,
>
> Looking through the archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.
>
> Here is my server version info:
>
> radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41
>
> Here's my code:
>
> # Construct HTTP request
> my $authresult = authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
> radiusd::radlog(L_DBG, "Result after authamis call - $authresult");
> if ($authresult eq "true") {
> 	$RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
> 	$RAD_REPLY{'Reply-Message'} = "authentication successful";
> 	for (keys %RAD_REPLY) {
> 		radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
> 	}
> 	for (keys %RAD_CHECK) {
> 		radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
> 	}
> 	for (keys %RAD_CONFIG) {
> 		radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
> 	}
> 	return RLM_MODULE_OK;
> } else {
> 	$RAD_REPLY{'Reply-Message'} = "authentication failure";
> 	return RLM_MODULE_REJECT;
> }
>
> Here is the relevant debug output:
>
> Found Auth-Type = perl
> # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
> +- entering group perl {...}
> rlm_perl: RAD_REQUEST: User-Name = test
> rlm_perl: RAD_REQUEST: User-Password = 42594190
> rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
> rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
> rlm_perl: Result after authamis call - true
> rlm_perl: RAD_REPLY: Reply-Message = authentication successful
> rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
> rlm_perl: RAD_CHECK: Auth-Type = perl
> rlm_perl: RAD_CONFIG: Auth-Type = perl
> rlm_perl: Added pair User-Name = test
> rlm_perl: Added pair User-Password = 42594190
> rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
> rlm_perl: Added pair Reply-Message = authentication successful
> rlm_perl: Added pair Response-Packet-Type = Access-Challenge
> rlm_perl: Added pair Auth-Type = perl
> ++[perl] returns ok
> # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 81 to 192.168.65.1 port 53504
> 	Reply-Message = authentication successful
> Finished request 0.
> Going to the next request
>
> Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?
>
> Thanks,
> Walter
User disconnects but stays online in radius
Hi,

I am using freeradius v2.1.12 with MySQL support and noticed that if a user disconnects while the radius server is down, the NAS cannot inform radius about the user being disconnected, and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set Simultaneous-Use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.

Thank you,
Moby
Re: User disconnects but stays online in radius
On 18/02/13 18:02, Mobin Yazarlou wrote:
> Hi,
>
> I am using freeradius v2.1.12 with MySQL support and noticed that if a user disconnects while the radius server is down, the NAS cannot inform radius about the user being disconnected, and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set Simultaneous-Use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.

RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account.

Possible solutions include some combination of:

1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example

2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.

3. Use a script to check your NASes' active sessions and compare to accounting data at a certain interval.

...and so on.
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Phil Mayers wrote:
> On 18/02/13 18:02, Mobin Yazarlou wrote:
>> Hi,
>>
>> I am using freeradius v2.1.12 with MySQL support and noticed that if a user disconnects while the radius server is down, the NAS cannot inform radius about the user being disconnected, and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set Simultaneous-Use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>
> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account.
>
> Possible solutions include some combination of:
>
> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>
> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>
> 3. Use a script to check your NASes' active sessions and compare to accounting data at a certain interval.
>
> ...and so on.

Hi,

Very good elaborated response, it also helped me. Quality of information was superB. Thanks Man

RM
Re: User disconnects but stays online in radius
On Monday, February 18, 2013, Mobin Yazarlou wrote:
> On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 18/02/13 18:02, Mobin Yazarlou wrote:
>>> Hi,
>>>
>>> I am using freeradius v2.1.12 with MySQL support and noticed that if a user disconnects while the radius server is down, the NAS cannot inform radius about the user being disconnected, and radius assumes the user is still online after coming up again. This restricts the user from connecting again when you set Simultaneous-Use to 1. Is there any solution for this? My NAS is pptpd on Debian 6.
>>
>> RADIUS uses UDP, and NASes don't save accounting packets which don't get a reply; they usually send 1-5 attempts over a few seconds, then give up (or move to the 2nd RADIUS server). You need to take this into account.
>>
>> Possible solutions include some combination of:
>>
>> 1. Use interim accounting. Then, use a script to expire any sessions which have not seen accounting packets in X*interim-interval; X==3 for example
>>
>> 2. Setup a 2nd RADIUS accounting server and ensure your NAS has both servers configured. Use one of several configs to write the accounting data to a robust, replicated database. One way to do this is with the robust accounting that comes with FreeRADIUS.
>>
>> 3. Use a script to check your NASes' active sessions and compare to accounting data at a certain interval.
>>
>> ...and so on.
>
> Hi,
>
> Thank you for the quick reply Phil. The solutions you have provided brought a new thing into my mind. I was thinking about similar scenarios and found out that if the NAS crashes, the same thing will happen. Clients will get disconnected due to NAS unavailability, and when the NAS is unavailable, radius won't be notified about users getting disconnected. Taking this into consideration, the most effective solution would be the first or the third approach you have listed.
>
> And between these two solutions, the last one seems to be easier to implement. Please correct me if I am wrong.
>
> Thank you,
> Moby

Hi Phil, Moby,

I am also interested in this solution since I'm experiencing the same problem. I liked solution no. 1. But I have no idea where I can get that script, though I can modify it if I have one.

Thanks / RM
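Phil's first option (expire any session that has not sent accounting in X*interim-interval) and the script RM asks for, written as an added example that is not from the thread or from FreeRADIUS: it runs the stale-session query against an in-memory SQLite copy of a reduced radacct table filled with constructed rows, so the logic can be tried offline. Assumptions: epoch-second columns instead of the real schema's DATETIMEs, a 300 s fallback for rows with no Acct-Interim-Interval recorded, and Admin-Reset as the terminate cause; against the production MySQL radacct the same two statements run with NOW() and the table's DATETIME columns.

```python
import sqlite3
import time

# Constructed, reduced subset of the FreeRADIUS radacct table. The real schema
# uses DATETIME columns; epoch seconds are used here to keep the arithmetic plain.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      INTEGER NOT NULL,
    acctupdatetime     INTEGER,   -- last interim update, NULL if none yet
    acctstoptime       INTEGER,   -- NULL while the session is open
    acctinterval       INTEGER,   -- Acct-Interim-Interval reported by the NAS
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
)
"""

# Sessions silent for more than X interim intervals (X == 3, as in Phil's answer).
# A session that never sent an interim is judged from its start time instead.
STALE_SQL = """
SELECT radacctid FROM radacct
WHERE acctstoptime IS NULL
  AND COALESCE(acctupdatetime, acctstarttime)
      < :now - :factor * COALESCE(acctinterval, :default_interval)
ORDER BY radacctid
"""


def open_sample_db(now):
    """In-memory radacct with constructed rows placed relative to 'now'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        # alive: interim 2 min ago, 5 min interval
        (1, "s1", "alice", "10.0.0.1", now - 3600, now - 120, None, 300),
        # stale: last interim 20 min ago, 5 min interval (3 * 300 s = 900 s)
        (2, "s2", "bob",   "10.0.0.1", now - 7200, now - 1200, None, 300),
        # stale: no interim ever, started an hour ago, NAS reported no interval
        (3, "s3", "carol", "10.0.0.2", now - 3600, None, None, None),
        # already closed by a normal Stop: must not be touched
        (4, "s4", "dave",  "10.0.0.2", now - 7200, now - 3700, now - 3600, 300),
    ]
    conn.executemany(
        "INSERT INTO radacct (radacctid, acctsessionid, username, nasipaddress,"
        " acctstarttime, acctupdatetime, acctstoptime, acctinterval)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def stale_session_ids(conn, now, factor=3, default_interval=300):
    params = {"now": now, "factor": factor, "default_interval": default_interval}
    return [row[0] for row in conn.execute(STALE_SQL, params)]


def expire_stale_sessions(conn, now, factor=3, default_interval=300,
                          cause="Admin-Reset"):
    """Close stale rows the way a Stop would, so Simultaneous-Use stops counting them."""
    ids = stale_session_ids(conn, now, factor, default_interval)
    conn.executemany(
        "UPDATE radacct SET acctstoptime = ?, acctsessiontime = ? - acctstarttime,"
        " acctterminatecause = ? WHERE radacctid = ? AND acctstoptime IS NULL",
        [(now, now, cause, rid) for rid in ids])
    conn.commit()
    return ids


def open_sessions(conn, username):
    """The count the sql module's simultaneous-use check is based on."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()[0]


if __name__ == "__main__":
    now = int(time.time())
    db = open_sample_db(now)
    print("expired:", expire_stale_sessions(db, now))
```

Run it from cron at the interim interval; the session-time it writes is approximate (up to the expiry delay too long), so a billing system should treat expired rows differently from rows closed by a real Stop.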