Re: DHCP howto

2013-02-19 Thread Igor Smitran

During a debug session (radiusd -X), among other things, I can see this:

DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-NTP-Servers
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-Log-Server
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Renewal-Time
DHCP-Parameter-Request-List = DHCP-Rebinding-Time
DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name

But when I call an exec script (PHP, for example), this array only contains 
the last key:


DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name

It is logical that those values will be overwritten but...

Is there a way to work around this problem?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 06:53, Russell Mike wrote:

Hi Phil & Moby,

I am also interested in this solution since I am experiencing the same
problem.  I liked solution no. 1.

But I have no idea where I can get that script; I can modify it if I
have one.


It's a pretty simple script. Depending on your SQL database, you just do 
a select from radacct where acctstarttime + acctsessiontime < 'now - 2 
hours' or whatever.


It should be a 1-line SQL query.

However - I should emphasise that interim accounting and expiring dead 
SQL sessions is no substitute for a resilient RADIUS service; you should 
really have two servers, and look to use robust accounting *as well* as 
interim acct.



Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an Access-Accept packet, but at the client the following
error occurs.
 No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet

I googled this problem and found a solution: the user's Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept), and this type prevents further processing.


Yes


Now my question is: could I continue EAP-TLS authentication
regardless of Auth-Type being set to Accept?


No. Don't set Auth-Type unless you know what you're doing.


Re: User disconnects but stays online in radius

2013-02-19 Thread Mobin Yazarlou
On Tue, Feb 19, 2013 at 10:23 AM, Russell Mike radius@gmail.com wrote:



 On Monday, February 18, 2013, Mobin Yazarlou wrote:



 On Mon, Feb 18, 2013 at 9:50 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 18/02/13 18:02, Mobin Yazarlou wrote:

 Hi,
   I am using freeradius v2.1.12 with MySQL support and noticed that if a user
 disconnects while the radius server is down, the NAS cannot inform radius about
 the user being disconnected, and radius assumes the user is still online after
 coming up again. This prevents the user from connecting again when you set
 simultaneous-use to 1.
   Is there any solution for this? My NAS is pptpd on Debian 6.


 RADIUS uses UDP, and NASes don't save accounting packets which don't
 get a reply; they usually send 1-5 attempts over a few seconds, then give
 up (or move to the 2nd RADIUS server).

 You need to take this into account.

 Possible solutions include some combination of:

  1. Use interim accounting. Then, use a script to expire any sessions
 which have not seen accounting packets in X*interim-interval; X==3 for
 example

  2. Setup a 2nd RADIUS accounting server and ensure your NAS has both
 servers configured. Use one of several configs to write the accounting data
 to a robust, replicated database. One way to do this is with the robust
 accounting that comes with FreeRADIUS.

  3. Use a script to check your NASes' active sessions and compare to
 accounting data at a certain interval.

 ...and so on.



 Hi,
  Thank you for the quick reply Phil. The solutions you have provided
 brought a new thing to my mind.
  I was thinking about similar scenarios and found out that if the NAS crashes,
 the same thing will happen. Clients will get disconnected due to NAS
 unavailability, and when the NAS is unavailable, radius won't be notified about
 users getting disconnected.
  Taking this into consideration, the most effective solution would be
 the first or the third approach you have listed. And between these two
 solutions, the last one seems to be easier to implement.

  Please correct me if I am wrong.

 Thank you,
 Moby


 Hi Phil & Moby,

 I am also interested in this solution since I am experiencing the same problem.
  I liked solution no. 1.

 But I have no idea where I can get that script; I can modify it if I have
 one.

 Thanks / RM--






Hi Mike,
 I have now been looking for an hour for a built-in solution or a
ready-to-use script. The only thing I found was the
Idle-Timeout (http://freeradius.org/rfc/rfc2865.html#Idle-Timeout)
attribute.
This problem could be solved if RADIUS were responsible for handling this
attribute, but from what I read, it's the NAS's responsibility.

 I hope someone helps us to find the easiest and most effective solution.

Thank you,
Moby

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
Dear Phil,

Thanks for the guidelines again. Maintaining two radius servers seems to be the simple
and right solution, as it also offers high availability within the fix.
Do you think the problem would be solved if I have two radius servers configured in
the coova config?

Thanks / Regards
RM --

Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
On Tue, Feb 19, 2013 at 11:23 AM, Mobin Yazarlou yazarlo...@gmail.comwrote:



 Hi Mike,
  I have now been looking for an hour for a built-in solution or a
 ready-to-use script. The only thing I found was the
 Idle-Timeout (http://freeradius.org/rfc/rfc2865.html#Idle-Timeout) attribute.
 This problem could be solved if RADIUS were responsible for handling this
 attribute, but from what I read, it's the NAS's responsibility.

  I hope someone helps us to find the easiest and most effective solution.

 Thank you,
 Moby



Dear Moby,

That is brilliant. I also read up after your advice, and I feel that nothing
can be easier and more effective than this: once FreeRADIUS knows the ideal
timeout value, the user can be logged out by FreeRADIUS, which is what we were
trying to do. Let's use it and see; I trust that it would do.

Great Thanks !! For Helping Community By Sharing Solutions.

Thanks Moby & Phil


Regards --RM

Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 11:23, Mobin Yazarlou wrote:


Hi Mike,
  I have now been looking for an hour for a built-in solution or a
ready-to-use script. The only thing I found was the Idle-Timeout
(http://freeradius.org/rfc/rfc2865.html#Idle-Timeout) attribute. This
problem could be solved if RADIUS were responsible for handling this
attribute, but from what I read, it's the NAS's responsibility.


I think you're confused.

Idle-Timeout serves a specific purpose; it tells the NAS to disconnect 
the client if the client is idle for a certain amount of time.


It's nothing to do with stale/dead accounting sessions.

I've already spelt out the options there, and they revolve entirely 
around trying to make your accounting robust, and dealing with the edge 
cases where it is not.


To repeat:

1. Have two RADIUS servers, and have each NAS talk to both
2. Set up robust accounting-SQL on both RADIUS servers - see the example 
configs that come with the server for this

3. Use interim accounting
4. Use a script to expire sessions without an update in X*interim-interval

That should get you pretty much all the way there.


Re: User disconnects but stays online in radius

2013-02-19 Thread Mobin Yazarlou
 The more I read about this, the more complicated it gets!
 Dear Phil, the first and third solutions you provided will work great, but
their implementation is not that easy. As you said above, following the
first approach needs packet monitoring as well, which is not easy to
implement unless there is a log file/table in freeradius for these packets.
And the value of acctsessiontime is 0 until the user disconnects and
freeradius sets the correct value for this field and some other fields in
the radacct table.

 I also found that sometimes removing the last accounting record for the
locked user in the radacct table won't work, and you need to set
/var/log/freeradius/radutmp to null to unlock that user.

 I wish there were a table for online users in the NAS, so we could compare
online users in the NAS and online users in RADIUS and decide what to do.

 I am still looking forward to your helpful comments and suggestions on
this topic.

Thank you,
Moby

Re: User disconnects but stays online in radius

2013-02-19 Thread Mobin Yazarlou
 Thanks for your help Phil, your comments helped me a lot on this topic,
But I am not confused :). I am just trying to find the easiest *practical*
approach.

 I agree that Idle-Timeout can not help us with this problem and I said *it
could be* a solution if radius was in charge of handling this attribute.
But since NAS takes care of this attribute, it won't help us.

 Please read my previous message; I wrote some other tips about fixing this
problem, but I haven't come up with the complete solution yet. I would be
thankful if you keep participating until we arrive at a practical solution.

Thank you,
Moby


Hi Mike,
 Thank you for showing your interest in this. I wish this could be fixed
using the Idle-Timeout attribute, but since the NAS is responsible for handling it,
it won't help us much.

 When the NAS handles Idle-Timeout, this attribute won't change anything if
radius is down. But if radius were responsible for checking connections
against the Idle-Timeout value, this problem could be fixed even when the NAS was
down.

Thank you,
Moby

Re: User disconnects but stays online in radius

2013-02-19 Thread Alan DeKok
Mobin Yazarlou wrote:
  The more I read about this, the more complicated it gets!

  It's because UDP packets can be lost, and you can't realistically get
information out of the NAS.  The result is that any solution ends up
being complicated, and patchy.

  I also found that sometimes removing the last accounting record for the
 locked user in the radacct table won't work and you need to set
 /var/log/freeradius/radutmp to null, to unlock that user.

  That depends on how you have the system set up.  If you do
Simultaneous-Use checking in SQL, you don't need to use radutmp.

  I wish there was a table for online users in NAS and we could compare
 online user in NAS and online users in RADIUS and decide what to do.

  There should really be a separate table *only* for online users.  The
Simultaneous-Use checking should use that.  The table should also be
used to determine when a session has been closed, even if the NAS isn't
sending packets.

  It shouldn't be hard.  All it requires is for someone to do the work.

  i.e. the table should be similar to the current one, but with a few
fields deleted, and a few fields added.  It needs to track user, NAS,
NAS port, session start time, last update time, and maybe a few other
things.

  When a session is started, a new row is inserted.  When a session is
stopped, the row is deleted.  The current accounting table can be used
to double-check for lost / delayed packets.

  There should also be a periodic shell script to clean up the table.
If a particular session hasn't seen updates for a long time, the script
should send a fake accounting stop packet to the server.  That lets
the server close the session.

  It's probably more complicated than that, but that's the basic idea.

  Alan DeKok.
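The two proposals in this thread, Phil's one-line "select from radacct where acctstarttime + acctsessiontime < 'now - 2 hours'" expiry and Alan's periodic clean-up script that closes sessions which have not seen an update in X*interim-interval, are the same check; the following is an added example of that check, not code from the thread or from FreeRADIUS. It assumes a constructed in-memory SQLite table loosely modelled on the radacct columns named in the thread (times as UNIX seconds), the Acct-Interim-Interval of 900 seconds from Phil's post-auth snippet, X=3 from his first list, and a constructed marker string in acctterminatecause so an operator can tell an expired row from one the NAS closed itself.

```python
import sqlite3

# Assumed values: the Acct-Interim-Interval the NAS has been told to send
# (900 s, as in the thread) and X, the number of missed updates tolerated.
INTERIM_INTERVAL = 900
MISSED_UPDATES = 3
# Constructed marker written into acctterminatecause; not a standard
# RADIUS Acct-Terminate-Cause value, just something greppable.
EXPIRED_CAUSE = "Expired-By-Script"


def build_sample_radacct(now):
    """Constructed in-memory table, loosely modelled on the radacct columns
    discussed in the thread. Times are UNIX seconds for simplicity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radacct (
               radacctid INTEGER PRIMARY KEY,
               acctsessionid TEXT, username TEXT, nasipaddress TEXT,
               acctstarttime INTEGER, acctstoptime INTEGER,
               acctsessiontime INTEGER, acctterminatecause TEXT)"""
    )
    rows = [
        # alive: interim update 5 minutes ago
        ("s1", "alice", "10.0.0.1", now - 3600, None, 3600 - 300, ""),
        # dead: last update 60 minutes ago, the Accounting-Stop never arrived
        ("s2", "bob", "10.0.0.1", now - 7200, None, 7200 - 3600, ""),
        # properly closed by an Accounting-Stop
        ("s3", "carol", "10.0.0.2", now - 9000, now - 1800, 7200, "User-Request"),
        # dead: started 50 minutes ago and never sent an interim update
        ("s4", "dave", "10.0.0.2", now - 3000, None, 0, ""),
    ]
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
        "acctstarttime, acctstoptime, acctsessiontime, acctterminatecause) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def find_stale_sessions(conn, now, interim_interval=INTERIM_INTERVAL,
                        missed=MISSED_UPDATES):
    """An open session whose last update (acctstarttime + acctsessiontime,
    since every interim update bumps acctsessiontime) is older than
    X * interim-interval is treated as dead. Strictly older: a session
    exactly at the cutoff gets one more interval."""
    cutoff = now - missed * interim_interval
    cur = conn.execute(
        "SELECT acctsessionid, username, nasipaddress "
        "FROM radacct "
        "WHERE acctstoptime IS NULL "
        "  AND acctstarttime + acctsessiontime < ? "
        "ORDER BY acctsessionid",
        (cutoff,),
    )
    return cur.fetchall()


def expire_stale_sessions(conn, now, interim_interval=INTERIM_INTERVAL,
                          missed=MISSED_UPDATES):
    """Close the dead rows in place. The stop time is the last moment the
    NAS was known to be alive rather than 'now', so the recorded session
    length stays honest. Returns the number of rows closed."""
    cutoff = now - missed * interim_interval
    cur = conn.execute(
        "UPDATE radacct "
        "SET acctstoptime = acctstarttime + acctsessiontime, "
        "    acctterminatecause = ? "
        "WHERE acctstoptime IS NULL "
        "  AND acctstarttime + acctsessiontime < ?",
        (EXPIRED_CAUSE, cutoff),
    )
    conn.commit()
    return cur.rowcount


def open_sessions(conn):
    """What a SQL Simultaneous-Use check sees: every row with no stop time."""
    cur = conn.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL ORDER BY username"
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    NOW = 1361275200  # constructed 'current time': 2013-02-19 12:00:00 UTC
    db = build_sample_radacct(NOW)
    print("stale:", find_stale_sessions(db, NOW))
    print("closed:", expire_stale_sessions(db, NOW))
    print("still online:", open_sessions(db))
```

Run from cron at roughly the interim interval. This variant closes rows directly in SQL, which is Phil's approach; Alan's alternative of sending a fake Accounting-Stop to the server instead keeps all accounting writes on one path and lets the server's own accounting policy handle the close, at the cost of needing a RADIUS client in the script. Either way the check only works once the NAS actually sends interim updates; without them acctsessiontime stays 0 and every long session looks dead.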


Re: DHCP howto

2013-02-19 Thread Alan DeKok
Igor Smitran wrote:
...
 But when I call an exec script (PHP, for example), this array only contains
 the last key:
 
 DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name
 
 It is logical that those values will be overwritten but...
 
 Is there a way to work around this problem?

  Use +=, not =

  Alan DeKok.


Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 14:16, Muhammad Nadeem wrote:


[eap] EAP NAK
[eap] NAK asked for bad type 0


You've mis-configured the client. Go back and look at it again.


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 13:28, Mobin Yazarlou wrote:


  The more I read about this, the more complicated it gets!


It's quite simple in principle.


  Dear Phil, the first and third solutions you provided will work great
but their implementation is not that easy. As you said above, following
the first approach needs packet monitoring as well, which is not easy to
implement unless there is a log file/table in freeradius for these


I don't know what this means, I'm afraid.


packets. And the value of acctsessiontime is 0 until the user
disconnects and freeradius sets the correct value for this field and
some other fields in the radacct table.


As I said, you need to enable interim accounting. If you do this, the 
NAS should send accounting packets at frequent intervals that update 
acctsessiontime, amongst other things.


If your NAS doesn't support interim accounting, you're stuck.

If it does, you should just need to set the interim interval, either 
statically on the NAS  or dynamically in the Access-Accept, like so:


post-auth {
  ...
  update reply {
# accounting packets every 15 minutes
Acct-Interim-Interval = 900
  }
  ...
}

You also need to ensure the accounting_update_query{,_alt} are 
configured in your sql.conf; this is the default.




  I also found that sometimes removing the last accounting record for
the locked user in the radacct table won't work and you need to set
/var/log/freeradius/radutmp to null, to unlock that user.


Don't use utmp; disable the module if you are using SQL, it's 
unnecessary and bug prone.




  I wish there was a table for online users in NAS and we could compare
online user in NAS and online users in RADIUS and decide what to do.


Some devices do have this. It's vendor-specific, and often accessible 
via SNMP. Consult the docs for your NAS. Since this isn't a RADIUS 
question, it's best to look elsewhere for this.



  I am still looking forward for your helpful comments and suggestion on
this topic.


As above: enable interim accounting. The effects should be obvious if it 
works, and the next steps clear.



Re: Advice on where to look next...

2013-02-19 Thread Alan DeKok
Johnson, Jeffrey wrote:
 rlm_ldap: performing search in dc=cphc,dc=local, with filter
 (sAMAccountName=jpjohnson)
 rlm_ldap: ldap_search() failed: Operations error

  Read the ldap module configuration.  Look for operations error

  Alan DeKok.


Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis

On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:

On 2/19/13, Phil Mayers p.may...@imperial.ac.uk wrote:

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used the pre-shipped certificates of FreeRADIUS for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my database with
digital certificates. When I authenticate the user, the server side
confirms and sends an Access-Accept packet, but at the client the following
error occurs.
 No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator -
dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet

I googled this problem and found a solution: the user's Auth-Type is
set to Accept (I manually checked the user in the database, and its
Auth-Type was Accept), and this type prevents further processing.


Yes


Now my question is that , could I continue EAP-TLS authentication,
regardless of Auth-Type is set to Accept???


No. Don't set Auth-Type unless you know what you're doing.


Doesn't look like you actually heeded this advice does it? Hint, look at 
your select statement. You're setting the Auth-Type.



Ok thanks,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, it failed :(
The following output is the debug output of the freeradius server. (I
think the EAP NAK is creating problems.)
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID - SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table



Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Passing regexps from SQL to unlang

2013-02-19 Thread Alan DeKok
Maxim S. Denisov wrote:
 Thank you for your reply. There are many NASes in many regions and the 
 translation rules for them are different; I wanted to make the translation 
 configuration using my ERP interface. Using files for this, I will have to 
 manage NAS configuration in two places and have a huge policy.conf.

  Well... the server can't use regexes from SQL.

  What you can do instead is to have a script which reads SQL, and
writes a local policy.conf file.  It's not perfect, but it will work.

  Alan DeKok.


Re: EAP-TLS certificate problem

2013-02-19 Thread Alan DeKok
Muhammad Nadeem wrote:
 I succeeded in authenticating the users from a database.
 But when I set up the same setup on another machine, it failed :(
 The following output is the debug output of the freeradius server. (I
 think the EAP NAK is creating problems.)

  Yes.  Read the debug output.

 [eap] EAP NAK
 [eap] NAK asked for bad type 0
 [eap] Failed in EAP select

  The client is broken.

  Don't blame FreeRADIUS.  Go fix the client.

  Alan DeKok.


Re: DHCP howto

2013-02-19 Thread Igor Smitran

On 02/19/2013 03:41 PM, Alan DeKok wrote:

   Use +=, not =

   Alan DeKok.


Request from client is this:

DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-NTP-Servers

FreeRADIUS puts everything into the ENV. Because the key is the same, only the last 
value is used; the other ones are overwritten.

So, ENV in this example will have only this:

DHCP-Parameter-Request-List = DHCP-NTP-Servers

The PHP script will only be able to read that the client asked for the 
DHCP-NTP-Servers value.

Is this a PHP error or a FreeRADIUS error?
Or am I missing something?

Igor


Re: DHCP howto

2013-02-19 Thread Alan DeKok
Igor Smitran wrote:
 Freeradius puts everything into ENV.

  For running external scripts.

 Because the key is the same, only the last
 value is used; the other ones are overwritten.
 So, the ENV in this example will have only this:

  Yes.  So don't run a script.  Use the policies in the server.  Or the
Perl module.  Or the Python module.  Or the Ruby module.

 DHCP-Parameter-Request-List = DHCP-NTP-Servers
 
 The PHP script will only be able to read that the client asked for the
 DHCP-NTP-Servers value.
 Is this a PHP error or a FreeRADIUS error?
 Or am I missing something?

  There are limitations when running an external script.  That's why the
server has plugin modules.

  Alan DeKok.


Re: User disconnects but stays online in radius

2013-02-19 Thread Phil Mayers

On 19/02/13 16:09, Russell Mike wrote:


*A.) *Enable interim accounting


Yes


*B.)* Enable
post-auth {
   update reply {
 Acct-Interim-Interval = 900
   }
}


Yes



C.) *You Said:* You also need to ensure the
accounting_update_query{,_alt} are configured in your sql.conf; this
is the default.

C1.) This is unclear to me; I have nothing like this in my sql.conf

 $INCLUDE sql/${database}/dialup.conf


See the $INCLUDEd file, in this case raddb/sql/mysql/dialup.conf


*D.) * *You Said:* I also found that sometimes removing the last
accounting record for the locked user in the radacct table won't work
and you need to set /var/log/freeradius/radutmp to null, to unlock
that user.


No, I didn't say that. Someone else did.



*D1.)* I use radutmp for Simultaneous-Use tracking. Do you mean it
should be disabled?


radutmp is inferior to SQL. There is no point in using both, and radutmp 
has problems.



I am clear with A & B. I need more help on *C* (what
exactly should be added in sql.conf) and *D* (how to set null).


The default SQL schema and queries that come with the server support 
interim accounting. If you haven't changed them, you don't need to do 
anything for C. Just tell the NAS to send interim accounting, and then 
check using debug/tcpdump/radsniff/whatever that it's actually doing that.



Re: New Server EAP issue

2013-02-19 Thread Alan DeKok
David Peterson wrote:
 I can’t figure out where I went wrong.  The auth never gets to the
 inner-tunnel.
 
 David
 
 root@hafreeradius1://usr/local/etc/raddb# radiusd -Xxx

  PLEASE use radiusd -X.  The extra information with -Xxx isn't
necessary.

 rad_recv: Access-Request packet from host 172.16.4.10 port 1812, id=108,
 length=240
 Tue Feb 19 12:21:37 2013 : Info: Sending duplicate reply to client Test NAS
 port 1812 - ID: 108
 Sending Access-Challenge of id 108 to 172.16.4.10 port 1812

  The NAS isn't seeing the response.  Go fix that.  It's a network
issue.  I don't think it's a FreeRADIUS problem.

  Alan DeKok.

Re: Config question: substitute another attribute for username

2013-02-19 Thread Alan DeKok
Adam Moffett wrote:
 What I'd like to do is actually ignore the username and password they're
 sending and instead match a vendor specific attribute called
 DAN-CPE-MAC-ADDRESS.

  Sure.  Edit the files configuration, and change the key field to
DAN-CPE-MAC-ADDRESS.

  Then, use the MAC address as the key in the users file:

0a:0b:0c:0d:0e:0f   Foo-Bar = Baz
        Reply-Message = wow

  Alan DeKok.


Re: User disconnects but stays online in radius

2013-02-19 Thread Russell Mike
Dear Phil Mayers,

Thank you very much for your kind assistance and also for being patient with slow
learners. You are such a gentleman indeed; I have no words to thank you for
helping us out step by step. Everything is clear at this point after
reading your message. I wish to thank you once again for attending to us in
your time.

Thanks / REGARDS   --RM
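
A stale-session sweep of the kind discussed in this thread (interim accounting plus a periodic check for sessions the NAS never closed), written as an added example for this page; it is not code from the list or from FreeRADIUS. It assumes the FreeRADIUS 2.x radacct layout, where an interim update refreshes acctsessiontime, so the last moment the NAS was heard from is acctstarttime + acctsessiontime. The table, the rows, the 900-second interval and the "Stale-Session" terminate cause are all constructed for the demo; it runs on an in-memory SQLite copy of the few columns it needs, and the MySQL form of the query is given in a comment.

```python
"""Expire radacct sessions whose NAS stopped sending interim accounting.

Added example, not code from the mailing list or from FreeRADIUS.  Assumes
the FreeRADIUS 2.x radacct schema: an interim update refreshes
acctsessiontime, so "last heard from" is acctstarttime + acctsessiontime.
Runs against an in-memory SQLite table filled with constructed rows.
"""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"           # timestamp format SQLite compares as text
INTERIM_INTERVAL = 900              # seconds, as in Acct-Interim-Interval = 900
MISSED_UPDATES = 2                  # lost interim packets tolerated before expiring
TERMINATE_CAUSE = "Stale-Session"   # assumed marker written to acctterminatecause


def open_db():
    """Create a cut-down radacct table (only the columns this check uses)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE radacct (
            radacctid          INTEGER PRIMARY KEY,
            acctsessionid      TEXT,
            username           TEXT,
            nasipaddress       TEXT,
            acctstarttime      TEXT,
            acctstoptime       TEXT,
            acctsessiontime    INTEGER,
            acctterminatecause TEXT)""")
    return conn


def add_session(conn, sid, user, nas, start, session_time, stop=None):
    """Insert one row the way a Start plus later interim updates would leave it."""
    conn.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, "
        "acctstarttime, acctstoptime, acctsessiontime, acctterminatecause) "
        "VALUES (?, ?, ?, ?, ?, ?, '')",
        (sid, user, nas, start.strftime(FMT),
         stop.strftime(FMT) if stop else None, session_time))


def find_stale(conn, now, interval=INTERIM_INTERVAL, missed=MISSED_UPDATES):
    """Open sessions not heard from for more than (missed + 1) interim intervals.

    MySQL equivalent of the WHERE clause:
      acctstoptime IS NULL
      AND acctstarttime + INTERVAL acctsessiontime SECOND
          < NOW() - INTERVAL <interval * (missed + 1)> SECOND
    """
    cutoff = now - timedelta(seconds=interval * (missed + 1))
    return conn.execute(
        "SELECT radacctid, username, nasipaddress, acctsessionid FROM radacct "
        "WHERE acctstoptime IS NULL "
        "AND datetime(acctstarttime, '+' || COALESCE(acctsessiontime, 0) "
        "|| ' seconds') < ?",
        (cutoff.strftime(FMT),)).fetchall()


def close_stale(conn, now, **kw):
    """Stamp a stop time and a distinctive terminate cause on stale rows.

    Returns the number of rows closed.  Marking the cause rather than
    deleting the row keeps the evidence that the NAS went silent.
    """
    ids = [row[0] for row in find_stale(conn, now, **kw)]
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))
    conn.execute(
        f"UPDATE radacct SET acctstoptime = ?, acctterminatecause = ? "
        f"WHERE radacctid IN ({marks})",
        [now.strftime(FMT), TERMINATE_CAUSE, *ids])
    conn.commit()
    return len(ids)


DEMO_NOW = datetime(2013, 2, 19, 18, 0, 0)


def demo(now=DEMO_NOW):
    """Constructed dataset; returns (stale before, rows closed, stale after)."""
    conn = open_db()
    h = timedelta(hours=1)
    # alice: interim update 10 minutes ago, still live
    add_session(conn, "s1", "alice", "10.0.0.1", now - 3 * h, 3 * 3600 - 600)
    # bob: last interim 2h50m ago, dropped by the NAS without an Accounting-Stop
    add_session(conn, "s2", "bob", "10.0.0.1", now - 3 * h, 600)
    # carol: properly closed hours ago, must not be touched
    add_session(conn, "s3", "carol", "10.0.0.2", now - 5 * h, 3600, stop=now - 4 * h)
    # dave: started 20 minutes ago, first interim not yet due, must not be expired
    add_session(conn, "s4", "dave", "10.0.0.2", now - timedelta(minutes=20), 0)
    before = sorted(r[1] for r in find_stale(conn, now))
    closed = close_stale(conn, now)
    after = sorted(r[1] for r in find_stale(conn, now))
    return before, closed, after


if __name__ == "__main__":
    print(demo())
```

The cutoff is a multiple of the interim interval rather than a fixed "2 hours", so a brand-new session that has not yet sent its first interim packet (dave) survives, while a session that has missed more than two consecutive updates (bob) is closed; sessions that already carry an acctstoptime are never touched. As Phil points out above, this only works if the NAS really is sending interim updates, so confirm that with radsniff or tcpdump before relying on the sweep.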

Re: User disconnects but stays online in radius

2013-02-19 Thread Mobin Yazarlou
Thank you guys. I've learned many useful tips in the last comments.

 Now I know the idea of comparing online users in RADIUS and NAS can be a
good solution, but since I use two different NAS types on my network, and I
am almost sure neither of them has a standard API that allows other apps to
read their online users, it will be a little bit challenging and maybe
time-consuming to implement.

 But whatever it is, I am happy that we could come up with a solution in about
24 hours on this mailing list. :)


Thank you,
Moby

RE: New Server EAP issue

2013-02-19 Thread David Peterson
Ahh sure...  the issue was that the IP address I needed to use was a secondary.

I put the listener on the IP address but got this:

Tue Feb 19 14:54:23 2013 : Info: [ttls] Authenticate
Tue Feb 19 14:54:23 2013 : Info: [ttls] processing EAP-TLS
Tue Feb 19 14:54:23 2013 : Info: [ttls] Received TLS ACK
Tue Feb 19 14:54:23 2013 : Info: [ttls] ACK handshake is finished
Tue Feb 19 14:54:23 2013 : Info: [ttls] eaptls_verify returned 3
Tue Feb 19 14:54:23 2013 : Info: [ttls] eaptls_process returned 3
Tue Feb 19 14:54:23 2013 : Info: [ttls] Using saved attributes from the 
original Access-Accept
Filter-Id := TestProfile
Session-Timeout := 86400
Segmentation fault (core dumped)

What's the best way to bind to a particular IP address?

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Tuesday, February 19, 2013 2:47 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: New Server EAP issue

David Peterson wrote:
 I can’t figure out where I went wrong.  The auth never gets to the 
 inner-tunnel.
 
 David
 
 root@hafreeradius1://usr/local/etc/raddb# radiusd -Xxx

  PLEASE use radiusd -X.  The extra information with -Xxx isn't necessary.

 rad_recv: Access-Request packet from host 172.16.4.10 port 1812, 
 id=108,
 length=240
 Tue Feb 19 12:21:37 2013 : Info: Sending duplicate reply to client 
 Test NAS port 1812 - ID: 108 Sending Access-Challenge of id 108 to 
 172.16.4.10 port 1812

  The NAS isn't seeing the response.  Go fix that.  It's a network issue.  I 
don't think it's a FreeRADIUS problem.

  Alan DeKok.


Config question: substitute another attribute for username

2013-02-19 Thread Adam Moffett
I have a wireless system that can talk to RADIUS to control access for 
the wireless stations.  The AP is a NAS and the stations can be 
programmed with a username and password.  The idea is you reply with 
VSA's that set up QoS policies for the clients.  This is all working 
fine and dandy.


What I'd like to do is actually ignore the username and password they're 
sending and instead match a vendor-specific attribute called 
DAN-CPE-MAC-ADDRESS.


Alternately, they all come with a default username set in them. Will 
there be any harm if I make multiple users with the same name?


cpe1 DAN-CPE-MAC-ADDRESS := 0a:0b:0c:0d:0e:0f

cpe1 DAN-CPE-MAC-ADDRESS := 01:02:03:04:05:06

etc etc.


Re: Config question: substitute another attribute for username

2013-02-19 Thread Adam Moffett

   Sure.  Edit the files configuration, and change the key field to
DAN-CPE-MAC-ADDRESS.

Awesome.




Re: New Server EAP issue

2013-02-19 Thread Alan DeKok
David Peterson wrote:
 Ahh sure...  the issue was that the IP address I needed to use was a 
 secondary.
 
 I put the listener on the IP address but got this:
 
 Tue Feb 19 14:54:23 2013 : Info: [ttls] Authenticate
 Tue Feb 19 14:54:23 2013 : Info: [ttls] processing EAP-TLS
 Tue Feb 19 14:54:23 2013 : Info: [ttls] Received TLS ACK
 Tue Feb 19 14:54:23 2013 : Info: [ttls] ACK handshake is finished
 Tue Feb 19 14:54:23 2013 : Info: [ttls] eaptls_verify returned 3
 Tue Feb 19 14:54:23 2013 : Info: [ttls] eaptls_process returned 3
 Tue Feb 19 14:54:23 2013 : Info: [ttls] Using saved attributes from the 
 original Access-Accept
 Filter-Id := TestProfile
 Session-Timeout := 86400
 Segmentation fault (core dumped)

  See doc/bugs

 What's the best way to bind to a particular IP address?

  Set the IP address in the listen section.

  Alan DeKok.


RE: AVP EAP-KEY name support in FR

2013-02-19 Thread Srinu Bandari
Alan,

We tried with the latest build; now it sends an Access-Challenge and then there 
is a segmentation fault.

Please find the debug log for the latest build below.


Sun Aug 19 02:26:20 2012 : Info: radiusd: FreeRADIUS Version 2.2.1, for host 
x86_64-unknown-linux-gnu, built on Feb 19 2013 at 01:22:31
Sun Aug 19 02:26:20 2012 : Debug: Server was built with:
Sun Aug 19 02:26:20 2012 : Debug:   accounting
Sun Aug 19 02:26:20 2012 : Debug:   authentication
Sun Aug 19 02:26:20 2012 : Debug:  WITH_DHCP
Sun Aug 19 02:26:20 2012 : Debug:  WITH_VMPS
Sun Aug 19 02:26:20 2012 : Debug: Server core libs:
.
.
.
Sun Aug 19 02:26:20 2012 : Debug: Listening on authentication address * port 
1812
Sun Aug 19 02:26:20 2012 : Debug: Listening on accounting address * port 1813
Sun Aug 19 02:26:20 2012 : Debug: Listening on command file 
/usr/local/var/run/radiusd/radiusd.sock
Sun Aug 19 02:26:20 2012 : Debug: Listening on authentication address 127.0.0.1 
port 18120 as server inner-tunnel
Sun Aug 19 02:26:20 2012 : Debug: Listening on proxy address * port 1814
Sun Aug 19 02:26:20 2012 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=1, length=205
User-Name = testuse...@vitesse.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 60-73-5C-7C-76-02
Calling-Station-Id = 00-12-3F-72-D2-94
EAP-Message = 0x02010026016d61637365632d74657374757365722d3240736166656e65742d696e632e636f6d
Message-Authenticator = 0xf195d2e86b5730bed24d8f131671ae54
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = GigabitEthernet1/0/2
NAS-IP-Address = 10.0.1.10
Sun Aug 19 02:26:21 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Sun Aug 19 02:26:21 2012 : Info: +- entering group authorize {...}
Sun Aug 19 02:26:21 2012 : Info: ++[preprocess] returns ok
Sun Aug 19 02:26:21 2012 : Info: ++[chap] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[mschap] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[digest] returns noop
Sun Aug 19 02:26:21 2012 : Info: [suffix] Looking up realm vitesse.com for 
User-Name = testuse...@vitesse.com
Sun Aug 19 02:26:21 2012 : Info: [suffix] No such realm vitesse.com
Sun Aug 19 02:26:21 2012 : Info: ++[suffix] returns noop
Sun Aug 19 02:26:21 2012 : Info: [eap] EAP packet type response id 1 length 38
Sun Aug 19 02:26:21 2012 : Info: [eap] No EAP Start, assuming it's an on-going 
EAP conversation
Sun Aug 19 02:26:21 2012 : Info: ++[eap] returns updated
Sun Aug 19 02:26:21 2012 : Info: ++[files] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[expiration] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[logintime] returns noop
Sun Aug 19 02:26:21 2012 : Info: [pap] WARNING! No known good password found 
for the user.  Authentication may fail because of this.
Sun Aug 19 02:26:21 2012 : Info: ++[pap] returns noop
Sun Aug 19 02:26:21 2012 : Info: Found Auth-Type = EAP
Sun Aug 19 02:26:21 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/default
Sun Aug 19 02:26:21 2012 : Info: +- entering group authenticate {...}
Sun Aug 19 02:26:21 2012 : Info: [eap] EAP Identity
Sun Aug 19 02:26:21 2012 : Info: [eap] processing type tls
Sun Aug 19 02:26:21 2012 : Info: [tls] Requiring client certificate
Sun Aug 19 02:26:21 2012 : Info: [tls] Initiate
Sun Aug 19 02:26:21 2012 : Info: [tls] Start returned 1
Sun Aug 19 02:26:21 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 1 to 10.0.1.10 port 1645
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0xbf5dac08bf5fa1c3463cf7abb2af0b39
Sun Aug 19 02:26:21 2012 : Info: Finished request 0.
Sun Aug 19 02:26:21 2012 : Debug: Going to the next request
Sun Aug 19 02:26:21 2012 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=2, length=249
User-Name = testuse...@vitesse.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 60-73-5C-7C-76-02
Calling-Station-Id = 00-12-3F-72-D2-94
EAP-Message = 0x020200400d001603020035013103025030870d0ec96198dec1b386458ffbe99af21675b8e2b1638343dacb4f9214fa0a00040005000a002f00350100
Message-Authenticator = 0xf23c358b48f85f15e82089afd12eebe8
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = GigabitEthernet1/0/2
State = 0xbf5dac08bf5fa1c3463cf7abb2af0b39
NAS-IP-Address = 10.0.1.10
Sun Aug 19 02:26:21 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Sun Aug 19 02:26:21 2012 : Info: +- entering group authorize {...}
Sun Aug 19 02:26:21 2012 : Info: ++[preprocess] returns ok
Sun Aug 19 02:26:21 2012 : Info: ++[chap] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[mschap] returns noop
Sun Aug 19 02:26:21 2012 : Info: ++[digest] returns noop
Sun Aug 

eap testing

2013-02-19 Thread Muhammad Nadeem
Hi everybody,
I have fallen into serious trouble :(
I have configured a proxy server that is proxying all incoming
requests to two backend servers. In 'proxy.conf' I have configured
'type=client-balance' so that it can work with EAP.
Now I want to do load testing of this configuration with EAP-TLS.
So with this configuration I need to have a lot of NASes with different
IPs, but I only have 2.
Could anyone please help me in this situation? Could you please suggest
a tool or a guideline to achieve my goal?
Thanks in advance