Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 02/18/2013 06:31 AM, Tobias Hachmer wrote:

Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:

Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
have configured eap.conf to use EAP-TLS. But I don't know how to
send requests to the freeradius server, so that it can authenticate the
user using TLS (with a digital certificate).
Can anyone help me, thanks in advance.


You will need a RADIUS client, e.g.
   - wireless access point
   - LAN switch

which acts as the RADIUS client (Authenticator in 802.1X terminology).
Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a simulator
client program.


Thankfully, this isn't correct. You can use eapol_test which comes 
with the wpa_supplicant source to test pretty much every EAP type 
there is, including EAP-TLS.


To the OP - download wpa_supplicant sources and build eapol_test.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

 Thankfully, this isn't correct. You can use eapol_test which comes
 with the wpa_supplicant source to test pretty much every EAP type
 there is, including EAP-TLS.
 
 To the OP - download wpa_supplicant sources and build eapol_test.

eapol_test is VERY powerful, and there are even little test scripts provided
in the FreeRADIUS source.

however, if you want a clicky GUI then also look at JRadius Simulator:

http://www.coova.org/JRadius/Simulator

(but this mailing list isn't a support forum for either of those tools!)

alan


Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, Phil Mayers p.may...@imperial.ac.uk wrote:


thanks Phil, eapol_test is really working. thanks a lot


RE: AVP EAP-KEY name support in FR

2013-02-18 Thread Srinu Bandari
Alan,

We have tried with the patch provided.

Here is the debug log from the old (master 2.2.0) and the new (latest 2.x.x branch,
18/2/2013) builds.

Old one: here the TLS state machine goes from Access-Request to
Access-Challenge and then to Access-Accepted.

New one: here the TLS state machine goes from Access-Request to
Access-Rejected and then ends with a segmentation fault.

Note: configuration of client and switch remains the same in both cases.

What could have gone wrong??

///

Old one:

rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=3, length=1020

Sat Aug 18 03:04:46 2012 : Info: Found Auth-Type = EAP

Sat Aug 18 03:04:46 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/default

Sat Aug 18 03:04:46 2012 : Info: +- entering group authenticate {...}

Sat Aug 18 03:04:46 2012 : Info: [eap] Request found, released from the list

Sat Aug 18 03:04:46 2012 : Info: [eap] EAP/tls

Sat Aug 18 03:04:46 2012 : Info: [eap] processing type tls

Sat Aug 18 03:04:46 2012 : Info: [tls] Authenticate

Sat Aug 18 03:04:46 2012 : Info: [tls] processing EAP-TLS

Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_verify returned 7

Sat Aug 18 03:04:46 2012 : Info: [tls] Done initial handshake

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 Handshake [length 05f6], 
Certificate

Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=1,

Sat Aug 18 03:04:46 2012 : Info: [tls] error=0

Sat Aug 18 03:04:46 2012 : Info: [tls] -- User-Name = testuse...@vitesse.com

Sat Aug 18 03:04:46 2012 : Info: [tls] -- BUF-Name = MACsec Test CA

Sat Aug 18 03:04:46 2012 : Info: [tls] -- subject = /C=FI/O=SafeNet, 
Inc./CN=MACsec Test CA

Sat Aug 18 03:04:46 2012 : Info: [tls] -- issuer  = /C=FI/O=SafeNet, 
Inc./CN=MACsec Test CA

Sat Aug 18 03:04:46 2012 : Info: [tls] -- verify return:1

Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=0,

Sat Aug 18 03:04:46 2012 : Info: [tls] error=0

Sat Aug 18 03:04:46 2012 : Info: [tls] -- User-Name = testuse...@vitesse.com

Sat Aug 18 03:04:46 2012 : Info: [tls] -- BUF-Name = test user 2

Sat Aug 18 03:04:46 2012 : Info: [tls] -- verify return:1

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client 
certificate A

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 Handshake [length 0086], 
ClientKeyExchange

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client key 
exchange A

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 Handshake [length 0086], 
CertificateVerify

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read certificate 
verify A

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 ChangeCipherSpec [length 
0001]

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 Handshake [length 0010], 
Finished

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read finished A

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 ChangeCipherSpec [length 
0001]

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write change 
cipher spec A

Sat Aug 18 03:04:46 2012 : Info: [tls]  TLS 1.0 Handshake [length 0010], 
Finished

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write finished A

Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 flush data

Sat Aug 18 03:04:46 2012 : Info: [tls] (other): SSL negotiation finished 
successfully

Sat Aug 18 03:04:46 2012 : Debug: SSL Connection Established

Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_process returned 13

Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns handled

Sending Access-Challenge of id 3 to 10.0.1.10 port 1645

  EAP-Message = 
0x010c00350d80002b1403010001011603010020f2847b79b15d316feb376cd0294bffca228fb31bcdfd4e3ac450b4b3148c0eda

  Message-Authenticator = 0x

  State = 0x1bc2fd5d1fcef0fc7198dd89ed915160

Sat Aug 18 03:04:46 2012 : Info: Finished request 4.

Sat Aug 18 03:04:46 2012 : Debug: Going to the next request

Sat Aug 18 03:04:46 2012 : Debug: Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=4, length=191

Sat Aug 18 03:04:46 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default

Sat Aug 18 03:04:46 2012 : Info: +- entering group authorize {...}

Sat Aug 18 03:04:46 2012 : Info: ++[preprocess] returns ok

Sat Aug 18 03:04:46 2012 : Info: ++[chap] returns noop

Sat Aug 18 03:04:46 2012 : Info: ++[mschap] returns noop

Sat Aug 18 03:04:46 2012 : Info: ++[digest] returns noop

Sat Aug 18 03:04:46 2012 : Info: [suffix] Looking up realm vitesse.com for 
User-Name = testuse...@vitesse.com

Sat Aug 18 03:04:46 2012 : Info: [suffix] No such realm vitesse.com

Sat Aug 18 03:04:46 2012 : Info: ++[suffix] returns noop

Sat Aug 18 03:04:46 2012 : Info: [eap] EAP packet type response id 12 length 6

Sat Aug 18 03:04:46 2012 : Info: [eap] No EAP Start, assuming it's an on-going 
EAP conversation

Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns updated

Sat Aug 

Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:

thanks A.L.M., but actually I am not aware of what to send in a request
for EAP-TLS.
I have followed the README in /raddb/certs/ and made the CA, client
and server certificates.
Now I send a request to the server with eapol_test, with the following parameters:
netwrok={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity=bob
ca_cert=/usr/local/etc/raddb/certs/ca.pem
client_cert=/usr/local/etc/raddb/certs/client.pem
private_kry=/usr/local/etc/raddb/certs/server.key
private_key_passwd=whatever
}

but this request gives me a FAILURE response.
I have googled a lot to find the appropriate answer (what needs to be
sent in the client request etc.).


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

  (but this mailing list isnt a support forum for either of those tools!)


I guess you don't read what I post, which means I'm not likely to answer you.

alan



Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 18/02/13 10:57, Muhammad Nadeem wrote:


ca_cert=/usr/local/etc/raddb/certs/ca.pem
client_cert=/usr/local/etc/raddb/certs/client.pem
private_kry=/usr/local/etc/raddb/certs/server.key


^^^ typo - should be client.key

This is basic stuff; please read the docs for wpa_supplicant/eapol_test 
more carefully, and your own configs, before posting questions, 
particularly as others have pointed out, this is not the eapol_test 
support list...

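The two mistakes in the posted eapol_test block (a misspelled option name and a key file that belongs to a different certificate) can both be caught before the first Access-Request is sent. The following pre-flight script is an added example, not code from the thread or from wpa_supplicant; it assumes an RSA client key (the modulus comparison is RSA-only) and an openssl binary on PATH.

```perl
#!/usr/bin/perl
# Pre-flight check for an eapol_test EAP-TLS "network" block: flag option
# names wpa_supplicant does not know (netwrok=, private_kry=), then ask
# openssl whether private_key really belongs to client_cert and whether
# client_cert chains to ca_cert. Added example; RSA keys and openssl on PATH
# are assumptions.
use strict;
use warnings;

# Subset of wpa_supplicant network options relevant to EAP-TLS.
my %KNOWN = map { $_ => 1 } qw(ssid eap eapol_flags key_mgmt identity
    anonymous_identity password ca_cert client_cert private_key
    private_key_passwd phase1 phase2);

my $file = shift @ARGV or die "usage: $0 eapol_test.conf\n";
open my $fh, '<', $file or die "$file: $!\n";

my (%opt, $errors);
while (my $line = <$fh>) {
    $line =~ s/#.*//;                     # drop comments
    $line =~ s/^\s+|\s+$//g;              # trim whitespace
    next if $line eq '' || $line =~ /^network\s*=\s*\{$/ || $line eq '}';
    my ($k, $v) = $line =~ /^(\w+)\s*=\s*"?([^"]*)"?$/
        or do { warn "cannot parse: $line\n"; $errors++; next };
    unless ($KNOWN{$k}) { warn "unknown option '$k' (typo?)\n"; $errors++ }
    $opt{$k} = $v;
}
close $fh;

for my $k (qw(ca_cert client_cert private_key)) {
    next if defined $opt{$k} && -r $opt{$k};
    warn "$k: not set or file not readable\n"; $errors++;
}
die "fix the errors above before running eapol_test\n" if $errors;

# Run openssl with a list (no shell involved) and return (success, stdout).
sub openssl {
    open my $p, '-|', 'openssl', @_ or die "openssl: $!\n";
    my $out = do { local $/; <$p> } // '';
    close $p;
    return ($? == 0, $out);
}

# Hand the key password over via the environment, not argv, so it does
# not show up in the process list.
local $ENV{EAPOL_KEY_PW} = $opt{private_key_passwd} // '';
my @passin = $opt{private_key_passwd} ? ('-passin', 'env:EAPOL_KEY_PW') : ();

my ($ok_c, $cert_mod) = openssl('x509', '-noout', '-modulus', '-in', $opt{client_cert});
my ($ok_k, $key_mod)  = openssl('rsa',  '-noout', '-modulus', '-in', $opt{private_key}, @passin);
die "could not read client_cert or private_key (wrong password?)\n" unless $ok_c && $ok_k;

# Pairing server.key with client.pem fails exactly here.
die "private_key $opt{private_key} does not belong to client_cert $opt{client_cert}\n"
    unless $cert_mod eq $key_mod;

my ($ok_v, $verify) = openssl('verify', '-CAfile', $opt{ca_cert}, $opt{client_cert});
die "client_cert does not verify against ca_cert:\n$verify"
    unless $ok_v && $verify =~ /: OK\s*$/;

print "config looks consistent; try: eapol_test -c $file -a <radius-ip> -s <shared-secret>\n";
```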


Re: Freeradius-Users Digest, Vol 94, Issue 49

2013-02-18 Thread Mollatt Ntini


On 15-Feb-13 09:19, freeradius-users-requ...@lists.freeradius.org wrote:

[SNIP/]

I hope someone can point me in the right direction here. I am trying to
build FR version 2.1.12 with the option --with-experimental-modules on
Debian Linux Squeeze  2.6.32-5-amd64 because I need to build support for
Wimax stuff. However I get the following compiling error(s):

checking openssl/hmac.h usability... no
checking openssl/hmac.h presence... no
checking for openssl/hmac.h... no
configure: WARNING: silently not building rlm_wimax.
configure: WARNING: FAILURE: rlm_wimax requires:  openssl/hmac.h.
configure: creating ./config.status
config.status: creating Makefile

you don't have the required headers present to build the code. Check you have
the openssl devel package installed, libssl-dev IIRC

... and that was it. Thanks a lot again Alan.



Molla.


Re: AVP EAP-KEY name support in FR

2013-02-18 Thread Alan DeKok
Srinu Bandari wrote:
 And New one: Here the tls state machine goes from Access-Request to
 Access-Rejected and then ends with segmentation fault

  The debug log doesn't show a SEGV...

  But there was an unrelated issue.  Please do git pull for the
v2.x.x branch, and try again.  I've fixed the bug that caused the early
reject.

 What could have gone wrong??

  Another bug.

  Alan DeKok.


Advice on where to look next...

2013-02-18 Thread Johnson, Jeffrey
I've configured my server to successfully authenticate against AD using my ldap
module.

However, my users are in multiple OUs, and I can only specify one basedn at a
time.  I know that's probably not good directory structure, but I don't manage
our directory.  What approach do others use to search multiple basedns?

In case it would help, here are the relevant portions from my ldap module, which
is currently working (I've removed most comments to make it concise):

ldap {
server = xxx
identity = cn=ldapuser,ou=service accounts,dc=cphc,dc=local
password = xxx
basedn = dc=cphc,dc=local  ***This doesn't work without a specific 
OU. My users are in multiple OUs
#basedn = OU=CHA-Staff (No Folder Redir),DC=cphc,DC=local
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

tls {
start_tls = no
}

dictionary_mapping = ${confdir}/ldap.attrmap

edir_account_policy_check = no

groupname_attribute = cn
groupmembership_filter = (member=%{check:Ldap-UserDn})
groupmembership_attribute = member

#compare_check_items = yes
#do_xlat = yes
 access_attr_used_for_allow = yes
}

*One thing that confuses me is that ldapsearch works fine using
basedn=dc=cphc,dc=local.

And my error output:

[ldap] performing user authorization for jpjohnson
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for 
details
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) - 
(sAMAccountName=jpjohnson)
[ldap]  expand: dc=cphc,dc=local - dc=cphc,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to tch-nt2.cphc.local:389, authentication 0
rlm_ldap: bind as cn=ldapuser,ou=service accounts,dc=cphc,dc=local/xxx to 
tch-nt2.cphc.local:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=cphc,dc=local, with filter 
(sAMAccountName=jpjohnson)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

-Jeff


Need to change response type to Access-Challenge from rlm_perl

2013-02-18 Thread Walter Goulet
Hi,

Looking through archives for this exact question, I see a post from 2008 (
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html)
where this exact question was previously asked.

Here is my server version info:
radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built
on Feb 17 2013 at 03:34:41

Here's my code:

  # Construct HTTP request

my $authresult =
    authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
radiusd::radlog(L_DBG, "Result after authamis call - $authresult");

if ($authresult eq "true") {
    $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
    $RAD_REPLY{'Reply-Message'} = "authentication successful";
    for (keys %RAD_REPLY) {
        radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
    }
    for (keys %RAD_CHECK) {
        radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
    }
    for (keys %RAD_CONFIG) {
        radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
    }
    return RLM_MODULE_OK;
}
else {
    $RAD_REPLY{'Reply-Message'} = "authentication failure";
    return RLM_MODULE_REJECT;
}

Here is the relevant debug output:

Found Auth-Type = perl
# Executing group from file
/opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group perl {...}
rlm_perl: RAD_REQUEST: User-Name = test
rlm_perl: RAD_REQUEST: User-Password = 42594190
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
rlm_perl: AMIS request:
http://amis.jdt.com:8080/auth/authenticate/test/42594190
rlm_perl: Result after authamis call - true
rlm_perl: RAD_REPLY: Reply-Message = authentication successful
rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: RAD_CONFIG: Auth-Type = perl
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = 42594190
rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
rlm_perl: Added pair Reply-Message = authentication successful
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl
++[perl] returns ok
# Executing section post-auth from file
/opt/app/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 81 to 192.168.65.1 port 53504
Reply-Message = authentication successful
Finished request 0.
Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is
there another attribute that must be set to configure the response type?

Thanks,
Walter

Passing regexps from SQL to unlang

2013-02-18 Thread Maxim S. Denisov
Hello,

I need to translate Calling-Station-Id to E.164. The NAS can send these numbers in
several formats; for example the number +74951234567 can come as 1234567,
04951234567 or 0074951234567. I am thinking about adding a field to the nas table and
specifying several regexps with a delimiter. Can I fetch this field, parse it into
several regexps and use them in unlang as regexps?



Re: Passing regexps from SQL to unlang

2013-02-18 Thread Alan DeKok
Maxim S. Denisov wrote:
 I need to translate calling-station-id to E.164. NAS can send these numbers 
 in several formats, for example number +74951234567 can come as 1234567, 
 04951234567 or 0074951234567. I think about adding a field in nas table and 
 specify several regexps with delimiter. Can I fetch this field, parse it to 
 several regexps and use them in unlang as regexps?

  Not really.  And it's probably not a good idea, either.  Databases are
 for storing bulk data, not policies.

  This is the kind of thing you'd do in unlang.  Just write 5-6 rules
with regexes.  They should catch the weird formats, and standardize
them.  Then, insert the standardized form into the database.

  Alan DeKok.


Re: Passing regexps from SQL to unlang

2013-02-18 Thread Maxim S. Denisov
Hello Mr. DeKok,

Thank you for your reply. There are many NASes in many regions and the translation
rules for them are different; I wanted to make the translation configuration using my
ERP interface. Using files for this I will have to manage NAS configuration in
two places and have a huge policy.conf.

Regards,
Maxim Denisov

18.02.2013, at 19:53, Alan DeKok al...@deployingradius.com wrote:

  Not really.  And it's probably not a good idea, either.  Databases are
 for storing bulk data, not policies.
 
  This is the kind of thing you'd do in unlang.  Just write 5-6 rules
 with regexes.  They should catch the weird formats, and standardize
 them.  Then, insert the standardized form into the database.


Re: Clients connecting without group

2013-02-18 Thread Phil Mayers

On 18/02/13 16:43, Michell wrote:

Hello all,

what would be the best way to not allow the user connection that does
not have a group or have a group that does not exist?


What does "have a group that does not exist" mean? How can you be in a 
group that doesn't exist?




Should I create a policy or a check attributes. Does anyone have an example?


Since you didn't specify where your groups are stored, it's difficult to 
help you.




I have the problem of authenticating customers without being group and
navigating without bandwidth control, as this is defined by the groups
in radius.


Well, you control the group. You could change your data generation 
procedures to ensure that someone is *always* in a group.




This issue has already been addressed here, but still not getting success.


It's too vague. Be more specific.

You can easily exclude people not in any group. Presumably, since you 
will be setting attributes for each group, you just have a final deny 
all policy.


Or you create a group that contains everyone, with low precedence, and 
set a reject on that.



Re: Need to change response type to Access-Challenge from rlm_perl

2013-02-18 Thread Walter Goulet
To answer my own question, I found that using the return code RLM_MODULE_OK
triggers the server to respond back with Access-Accept. If I used
RLM_MODULE_HANDLED instead, the response packet type was set to what I
expected it to be. This makes sense since I expect the client to exchange
several messages with me before I finally trigger the Access-Accept message.


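Walter's finding (RLM_MODULE_HANDLED keeps the Access-Challenge, RLM_MODULE_OK turns it into an Access-Accept) is easiest to see in a complete two-round authenticate sub. The following is an added example for FreeRADIUS 2.x rlm_perl, not Walter's code: the HTTP backend from his post is replaced by a constructed user table, the module manages its own State attribute, and the in-memory challenge table assumes a single rlm_perl instance.

```perl
# rlm_perl challenge/response state machine for FreeRADIUS 2.x.
# Added illustration, not the original poster's module: the backend
# lookups are constructed stand-ins for the HTTP call in his code.
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes and log level as defined in rlm_perl's example.pl.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
};
use constant L_DBG => 1;

# Constructed stand-in for the backend: user => [password, one-time code].
my %USERS = ( test => [ '42594190', '735911' ] );

# Outstanding challenges: State value => { user, expires }. Assumption:
# one rlm_perl instance; with several server processes this would have
# to live in a shared store rather than a Perl hash.
my %PENDING;
my $CHALLENGE_TTL = 60;

# rlm_perl hands octets attributes to Perl as lowercase "0x..." hex, so
# issue the State in that form and it compares equal when it comes back.
sub new_state {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $raw, 16 or die "urandom: short read";
    close $fh;
    return '0x' . unpack 'H32', $raw;
}

sub authenticate {
    my $user  = $RAD_REQUEST{'User-Name'}     // '';
    my $pass  = $RAD_REQUEST{'User-Password'} // '';
    my $state = $RAD_REQUEST{'State'};
    my $now   = time;

    # Drop challenges nobody answered in time.
    delete @PENDING{ grep { $PENDING{$_}{expires} < $now } keys %PENDING };

    # Round 2: the NAS echoed our State; User-Password now carries the OTP.
    if (defined $state) {
        my $pending = delete $PENDING{$state};
        if (!$pending || $pending->{user} ne $user) {
            radiusd::radlog(L_DBG, "unknown or expired State for $user");
            $RAD_REPLY{'Reply-Message'} = 'challenge expired';
            return RLM_MODULE_REJECT;
        }
        if ($USERS{$user} && $pass eq $USERS{$user}[1]) {
            $RAD_REPLY{'Reply-Message'} = 'authentication successful';
            return RLM_MODULE_OK;          # server sends Access-Accept
        }
        $RAD_REPLY{'Reply-Message'} = 'bad one-time code';
        return RLM_MODULE_REJECT;
    }

    # Round 1: check the primary credential, then ask for the second factor.
    unless ($USERS{$user} && $pass eq $USERS{$user}[0]) {
        $RAD_REPLY{'Reply-Message'} = 'authentication failure';
        return RLM_MODULE_REJECT;
    }
    my $id = new_state();
    $PENDING{$id} = { user => $user, expires => $now + $CHALLENGE_TTL };

    $RAD_REPLY{'State'}                = $id;   # NAS must echo this back
    $RAD_REPLY{'Reply-Message'}        = 'Enter your one-time code';
    $RAD_CHECK{'Response-Packet-Type'} = 'Access-Challenge';

    # HANDLED tells the server the module built the reply itself; OK
    # would override Response-Packet-Type with an Access-Accept.
    return RLM_MODULE_HANDLED;
}
```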

User disconnects but stays online in radius

2013-02-18 Thread Mobin Yazarlou
Hi,
 I am using freeradius v2.1.12 with MySQL support and noticed that if a user
disconnects when the radius server is down, the NAS cannot inform radius about the user
being disconnected, and radius assumes the user is still online after coming up
again. This restricts the user from connecting again when you set
simultaneous-use to 1.
 Is there any solution for this? My NAS is pptpd on Debian 6.

Thank you,
Moby

Re: User disconnects but stays online in radius

2013-02-18 Thread Phil Mayers

On 18/02/13 18:02, Mobin Yazarlou wrote:

Hi,
  I am using freeradius v2.1.12 with MySQL support and noticed if a user
disconnect when radius server is down, NAS can not inform radius about
user being disconnected and radius assume user is still online after
coming up again. This restricts user from connecting again when you set
simultaneous-use to 1.
  Is there any solution for this? My NAS is pptpd on Debian 6.


RADIUS uses UDP, and NASes don't save accounting packets which don't 
get a reply; they usually send 1-5 attempts over a few seconds, then 
give up (or move to the 2nd RADIUS server).

You need to take this into account.

Possible solutions include some combination of:

 1. Use interim accounting. Then, use a script to expire any sessions 
which have not seen accounting packets in X*interim-interval; X==3 for 
example

 2. Set up a 2nd RADIUS accounting server and ensure your NAS has both 
servers configured. Use one of several configs to write the accounting 
data to a robust, replicated database. One way to do this is with the 
robust accounting that comes with FreeRADIUS.

 3. Use a script to check your NASes' active sessions and compare to 
accounting data at a certain interval.

...and so on.
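Option 1 above, as an added example (not Phil's script): a cron job that closes radacct rows the NAS has stopped refreshing. It assumes the FreeRADIUS 2.x MySQL schema, in which an Interim-Update only advances acctsessiontime, so the last time the NAS was heard from is acctstarttime + acctsessiontime; the interim interval of 600 seconds, X=3 and the database credentials are placeholders.

```perl
#!/usr/bin/perl
# Expire radacct sessions that have missed X interim updates. Added
# example; assumes the FreeRADIUS 2.x MySQL schema, where the NAS's last
# sign of life is acctstarttime + acctsessiontime. Credentials, interim
# interval and X are placeholders to adjust.
use strict;
use warnings;
use DBI;

my $INTERIM = 600;    # Acct-Interim-Interval the NAS was given
my $X       = 3;      # missed updates before a session counts as stale
my $dry_run = grep { $_ eq '--dry-run' } @ARGV;

my $dbh = DBI->connect('DBI:mysql:database=radius;host=localhost',
                       'radius', 'CHANGEME', { RaiseError => 1, AutoCommit => 1 });

my $grace = $INTERIM * $X;
my $stale = 'acctstoptime IS NULL AND '
          . 'DATE_ADD(acctstarttime, INTERVAL acctsessiontime SECOND) '
          . '< DATE_SUB(NOW(), INTERVAL ? SECOND)';

# These are the rows that keep tripping Simultaneous-Use.
my $rows = $dbh->selectall_arrayref(
    'SELECT radacctid, username, nasipaddress, acctsessionid, '
  . 'DATE_ADD(acctstarttime, INTERVAL acctsessiontime SECOND) AS last_seen '
  . "FROM radacct WHERE $stale", { Slice => {} }, $grace);

for my $r (@$rows) {
    printf "stale: id=%d user=%s nas=%s session=%s last_seen=%s\n",
        @{$r}{qw(radacctid username nasipaddress acctsessionid last_seen)};
}
exit 0 if $dry_run || !@$rows;

# Close at the last time the NAS was heard from, not NOW(), so the
# recorded session length does not grow by the grace period.
my $closed = $dbh->do(
    'UPDATE radacct SET '
  . 'acctstoptime = DATE_ADD(acctstarttime, INTERVAL acctsessiontime SECOND), '
  . "acctterminatecause = 'Admin-Reset' WHERE $stale", undef, $grace);
print "closed $closed stale session(s)\n";
```

This only works if the NAS actually sends interim updates; without an Acct-Interim-Interval every live session would look stale after X intervals.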


Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike

Hi,

Very good, elaborated response, it also helped me. Quality of information
was superb. Thanks Man
RM --

Re: User disconnects but stays online in radius

2013-02-18 Thread Russell Mike
On Monday, February 18, 2013, Mobin Yazarlou wrote:



 On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers 
 p.may...@imperial.ac.ukjavascript:_e({}, 'cvml', 
 'p.may...@imperial.ac.uk');
  wrote:

 On 18/02/13 18:02, Mobin Yazarlou wrote:

 Hi,
   I am using freeradius v2.1.12 with MySQL support and noticed if a user
 disconnect when radius server is down, NAS can not inform radius about
 user being disconnected and radius assume user is still online after
 coming up again. This restricts user from connecting again when you set
 simultaneous-use to 1.
   Is there any solution for this? My NAS is pptpd on Debian 6.


 RADIUS uses UDP, and NASes don't save accounting packets which don't
 get a reply; they usually send 1-5 attempts over a few seconds, then give
 up (or move to the 2nd RADIUS server).

 You need to take this into account.

 Possible solutions include some combination of:

  1. Use interim accounting. Then, use a script to expire any sessions
 which have not seen accounting packets in X*interim-interval; X==3 for
 example

  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
 servers configured. Use one of several configs to write the accounting data
 to a robust, replicated database. One way to do this is with the robust
 accounting that comes with FreeRADIUS.

  3. Use a script to check your NASes active sessions and compare to
 accounting data at a certain interval.

 ...and so on.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/**
 list/users.html http://www.freeradius.org/list/users.html



 Hi,
  Thank you for the quick reply Phil. The solutions you have provided
 brought new things into my mind.
  I was thinking about similar scenarios and found out that if the NAS crashes,
 the same thing will happen. Clients will get disconnected due to NAS
 unavailability, and when the NAS is unavailable, radius won't be notified about
 users getting disconnected.
  Taking this into consideration, the most effective solution would be
 the first or the third approach you have listed. And between these two
 solutions, the last one seems to be easier to implement.

  Please correct me if I am wrong.

 Thank you,
 Moby


Hi Phil, Moby,

I am also interested in this solution since I am experiencing the same problem.
I liked solution no. 1.

But I have no idea where I can get that script; I can modify it if I have
one.

Thanks / RM--