close and open sessions on a month change
Hello.

intro: i'm running freeradius-1.0.1 on a freebsd-5.3R box. my clients have no time restrictions, but they are limited by traffic. radiusd is configured to store accounting information in mysql. i've written a php script for my clients so they can see how much of their limit they have used so far. when a client uses up all his traffic to the limit, he can still authorize to the system, but he receives an IP address from a restricted ip pool, so he can still use inner network services, i.e. provided by mail or web server, but has no access to internet.

a couple of days ago one of my clients said to me that he cannot open any internet site but is still able to see his statistics page. as for radiusd, he has no traffic left, but the php script says that he has another 110MB. it's not a bug. when radiusd gets information about user traffic, the point of reality is AcctStopTime, and for the script this point is AcctStartTime. no problem, i've edited the php script so that AcctStopTime is also its point of reality.

this client worked from 30 november till the night of 1 december, so his entry in the accounting table is this one:

+---------------------+---------------------+-----------------+-----------------+------------------+
| AcctStartTime       | AcctStopTime        | AcctSessionTime | AcctInputOctets | AcctOutputOctets |
+---------------------+---------------------+-----------------+-----------------+------------------+
| 2004-11-30 16:25:05 | 2004-12-01 00:12:51 |           28066 |        49882434 |         65886575 |
+---------------------+---------------------+-----------------+-----------------+------------------+

the question is: is there a possibility for radiusd to close a session in the accounting table and right after that open a new one for the new day/month? or can i force radiusd to close all sessions at some moment of time? what can be a solution for this situation?

--
Alexander Lunyov [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: LDAP and Active Directory
Hello Marc,

Sunday, July 4, 2004, 2:32:45 PM, you wrote:

MJ Just a last question :
MJ I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled,
MJ can I remove OpenLDAP or must I keep it running ?

I guess you should keep OpenLDAP installation because of freeradius dependency on libldap etc.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: problem with accounting
Hello Szab,

Friday, June 4, 2004, 1:56:02 PM, you wrote:

SG I have a problem with accounting. If accounting is turned off on AP, then the
SG radius is working. If I turn on the accounting on AP, after authentication
SG few seconds the AP breaks the connection. I don't know why it does this. Maybe I
SG should set some attributes for the users?
SG I'm using the MySQL database for user authorization, and accounting too.

What is in logs?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
rlm_ippool not deallocating ip's
Hello freeradius-users,

I have a problem with rlm_ippool - it's not deallocating ip's from pool, and i think i'm somewhat close to its solution, but i want to do all things right, that's why i'm here again.

FreeBSD 4.8R-p14, freeradius-0.9.3 with cvs version of rlm_ippool
(* Version: $Id: rlm_ippool.c,v 1.20.2.2 2003/10/09 01:05:17 phampson Exp $)

When radiusd receives a request from NAS, like this

    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    MS-CHAP-Challenge = xx
    MS-CHAP2-Response = xx
    NAS-Identifier = zeus.startatom.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 1984

rlm_ippool allocates an ip address and writes this entry in its db under two keys, NAS address and NAS port:

    rlm_ippool: Searching for an entry for nas/port: zeus.startatom.ru/1984
    rlm_ippool: Allocating ip to nas/port: zeus.startatom.ru/1984
    rlm_ippool: num: 1
    rlm_ippool: Allocated ip 192.168.253.207 to client on nas zeus.startatom.ru,port 1984
    modcall[post-auth]: module legal_pool returns ok for request 0

Then, when this client disconnects, rlm_ippool is somehow turning NAS-Identifier to a direct ip address instead of FQDN. This is the Stop request:

    rad_recv: Accounting-Request packet from host 62.33.65.2:2107, id=71, length=162
    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.253.207
    Framed-IP-Netmask = 0.0.0.0
    NAS-Identifier = zeus.startatom.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 1984
    Acct-Status-Type = Stop
    Acct-Session-Id = s-1474470826
    Acct-Multi-Session-Id =
    Acct-Delay-Time = 0
    Acct-Input-Octets = 656
    Acct-Input-Packets = 2
    Acct-Output-Octets = 0
    Acct-Output-Packets = 0
    Acct-Session-Time = 13

See? NAS-Identifier is the same FQDN, but rlm_ippool thinks differently:

    rlm_ippool: Searching for an entry for nas/port: 62.33.65.2/1984
    rlm_ippool: Entry not found
    modcall[accounting]: module legal_pool returns ok for request 2

And as a result when the client disconnects, his address doesn't deallocate from the pool, and after some time radiusd runs out of addresses, and clients cannot connect.

I solved this problem by adding a simple attr_rewrite entry to the post-auth block (before the ippool entry):

    attr_rewrite NAS {
        attribute = NAS-Identifier
        searchin = packet
        searchfor = zeus.startatom.ru
        replacewith = 62.33.65.2
        new_attribute = no
    }

So, it's always the direct ip written to db, and when rlm_ippool checks the entry on Stop request, it successfully deallocates the ip address from the pool.

I think this workaround will work for me, but is there another way to make rlm_ippool work without that?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: Again custom attributes
Hello Maxim,

Tuesday, May 18, 2004, 10:02:56 AM, you wrote:

MK I need to extend Radius functionality by adding custom module which
MK require a custom attribute.
MK e.g.
MK user Password = user, My-Attrib := 999, .

If this is a users file entry, then your module will never have access to My-Attrib - because My-Attrib is a check attribute. My-Attrib should be a reply attribute - then your module will see it. At least you will be able to see it in debug output. Read users(5).

MK So, the question is: how do i access to the custom attribute from my
MK module (accounting part). I don't see it in the logs. Neither i see it
MK when traversing request-packet VP's manually... so, where is the attribute ?
MK thanx in advance.
MK PS. the custom dictionary is created, the users file is updated.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: IP Pools Error?
Hello m0bius,

Friday, November 7, 2003, 4:56:58 PM, you wrote:

m I seem to be having a strange error occurring during the past few days
m that I think has something to do with the IP Pools Management. We use
m two Ascend Lucent MAX 3000 NAS (the one with one PRI while the second
m carries two). The problem occurs while there are more than 50 dialup
m users in which case the users can't connect and get an error type 738:
m Server did not assign an IP address...
m I've enabled ippools in radius.conf with the correct start and stop
m values and added the main_pool in the accounting and post-auth section
m as mentioned. However the weird thing is that I don't seem to have any
m logs via the radius of the unsuccessful attempts (either via the
m detail/reply logs or the dialup admin) and I can't trace the problem by
m debugging mode since the error doesn't happen all the times. It would
m look like the nases are blocking the connections.
m I believe that it has something to do with the NASes but the strange
m thing is that while using the Cistron radius server no such issue had
m been observed.

I have pretty the same problem here. When i'm testing connection - all working fine. But when there's some users connected - rlm_ippool seems to be not working. In debug mode i've seen that processing of such 'bad' requests are finished right after entering 'post-auth' block, and in these cases ippool is not invoked - radiusd says 'Finished request blah-blah' and then it comes to another request.

Maybe, some server tuning should be done? I mean, number of threads, timeouts and such. Tomorrow i will try it.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: IP Pools Error?
Hello Alan,

Thursday, May 13, 2004, 5:36:18 PM, you wrote:

I have pretty the same problem here. When i'm testing connection - all working fine. But when there's some users connected - rlm_ippool seems to be not working. In debug mode i've seen that processing of such 'bad' requests are finished right after entering 'post-auth' block, and in these cases ippool is not invoked - radiusd says 'Finished request blah-blah' and then it comes to another request. Maybe, some server tuning should be done? I mean, number of threads, timeouts and such. Tomorrow i will try it.

AD I would suggest adding more debug statements to the rlm_ippool
AD module, so you can see WHY it isn't assigning an IP. Odds are that
AD the request doesn't contain enough information for it to assign an IP.

Yes, it seems that sometimes NAS-Port-Id is missing. For example:

Request is:

    Service-Type = Framed-User
    User-Name = bpv89
    Framed-Protocol = PPP
    CHAP-Password = xx
    CHAP-Challenge = xx
    NAS-Identifier = zeus.domain.ru
    NAS-Port-Type = Async

And this client is not receiving an address, because rlm_ippool returns NOOP after the NAS port id check.

I'm using exppp on freebsd-4.8R-p13 and multiport cards as a NAS, and i found that such requests come only from some ports/modems (i.e. /dev/cuaa10), and others are doing fine.

Why is NAS-Port-Id so critical for rlm_ippool? Can i do some workaround for this problem, maybe with some hack of rlm_ippool.c? I mean, does rlm_ippool really need NAS-Port-Id?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[3]: how to create check attribute dinamically?
Hello Alexander,

Monday, April 19, 2004, 1:49:22 PM, you wrote:

AL Hello Milver,
AL Monday, April 19, 2004, 1:30:05 PM, you wrote:

I need to create a check attribute depending on how much seconds or octets user have. Ideal, i would like to equate reply attribute to a newly created check attribute or to turn reply to check attribute. I need this to differentiate users by their limits and give them ip addresses from a different networks, so i can manage their connections with firewall. I already posted this question here (subject different pools for user with and without traffic), but have no answers. All i need is that i could write in 'users' file something like this:

    DEFAULT Check-Traffic-Limit = 0, Pool-Name := illegal_pool

MSN you might want to use groupings with your database. so replies
MSN sent depends on the user groups an account belongs to.
MSN if an account belongs to subnet1, you could sent them the group attributes
MSN such as
MSN specific IP for them, traffic limit, framed-mtu, protocol, expiration,
MSN compression and more...

AL Well, it doesn't matter how it will work. Then i need to split
AL users in two groups - one with some traffic left and another
AL with zero or negative traffic value and then give them different
AL addresses from different pools according to the group names. But
AL how can i do it dynamically? I mean, value of traffic is
AL calculating when user login, so if he have no octets left, he
AL must have address from 192.168.222.0/24 network, and if he have
AL some octets left, he must have address from 192.168.111.0/24
AL network. So, the main question is - where and what should i write
AL to make this scheme work?

Nobody knows how to do that? Is it possible at all to assign a value to a check attribute? Maybe rlm_perl (which i never used and have not found any docs)? Please, help me or say it is not possible.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: how to create check attribute dinamically?
Hello Milver,

Monday, April 19, 2004, 1:30:05 PM, you wrote:

I need to create a check attribute depending on how much seconds or octets user have. Ideal, i would like to equate reply attribute to a newly created check attribute or to turn reply to check attribute. I need this to differentiate users by their limits and give them ip addresses from a different networks, so i can manage their connections with firewall. I already posted this question here (subject different pools for user with and without traffic), but have no answers. All i need is that i could write in 'users' file something like this:

    DEFAULT Check-Traffic-Limit = 0, Pool-Name := illegal_pool

MSN you might want to use groupings with your database. so replies
MSN sent depends on the user groups an account belongs to.
MSN if an account belongs to subnet1, you could sent them the group attributes
MSN such as
MSN specific IP for them, traffic limit, framed-mtu, protocol, expiration,
MSN compression and more...

Well, it doesn't matter how it will work. Then i need to split users in two groups - one with some traffic left and another with zero or negative traffic value - and then give them different addresses from different pools according to the group names. But how can i do it dynamically? I mean, the value of traffic is calculated when the user logs in, so if he has no octets left, he must have an address from the 192.168.222.0/24 network, and if he has some octets left, he must have an address from the 192.168.111.0/24 network. So, the main question is - where and what should i write to make this scheme work?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: PAP and CHAP on same system
Hello Bob,

Wednesday, April 14, 2004, 8:56:43 PM, you wrote:

BR Is it possible for the CHAP server to send the request to the PAP server for
BR authentication on the system files?

It is not possible by design of CHAP. CHAP stands for this (simplified) scheme:

1. client sends a request for authentication (often with sending a username) to the server
2. server answers this request with a challenge, which is similar to a random string
3. client hashes the password with this string in a one-way-hashing manner, typically MD5, so no one can decrypt a password from this hash, even having the challenge string, and then sends the result to the server.
4. server hashes the _cleartext_ password with the same challenge string that was passed to the client and then compares both resulting strings, and if they match - client receives Accept, otherwise - Reject.

So, as you can see, if the server does not have a cleartext password - it cannot produce the same result as the client did.

BR This would eliminate the need for passwords in plain text because all would
BR be read in the end from the system files.

You have a choice -

1. PAP - passwords can be sniffed from the network, but on a server they are secure.
2. CHAP - passwords cannot be sniffed or decrypted from the line, but on a server they aren't secure.

I think you have to use CHAP and take some time to secure your server, because in practice there are many sniffers and few hackers. Of course, then you will have to watch out for security bulletins on the software you run on a server and all of that anti-hackers stuff.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
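The exchange described in the reply above, as an added example that is not part of the original post: the CHAP response is computed as in RFC 1994 (MD5 over identifier, secret and challenge), and the server side is run once against a cleartext store and once against a one-way hashed store. The sample password, the salt and the use of PBKDF2 as a stand-in for the one-way hashes kept in system files are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def hash_for_storage(password: bytes, salt: bytes) -> bytes:
    """Assumed stand-in for a one-way system password hash (not crypt(3) itself)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def chap_verify(stored_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP: recompute the response from whatever the server stores."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(stored_hash: bytes, salt: bytes, received_password: bytes) -> bool:
    """Server side of PAP: the password arrives in the request, so it can be
    hashed on arrival and compared with the stored one-way hash."""
    return hmac.compare_digest(hash_for_storage(received_password, salt), stored_hash)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    salt = b"constructed-salt"                  # constructed sample value
    stored_hash = hash_for_storage(password, salt)

    # Steps 1-3 of the scheme: server issues a challenge, client answers it.
    identifier, challenge = 1, os.urandom(16)
    response = chap_response(identifier, password, challenge)

    return {
        # Step 4 with a cleartext store: the server reproduces the client's value.
        "chap_cleartext_store": chap_verify(password, identifier, challenge, response),
        # Step 4 with only a one-way hash: the server has nothing to feed into
        # MD5(id || secret || challenge) that matches what the client used.
        "chap_hashed_store": chap_verify(stored_hash, identifier, challenge, response),
        # PAP works with the hashed store, at the cost of the password being
        # recoverable from the request by anyone who can read it.
        "pap_hashed_store": pap_verify(stored_hash, salt, password),
        # A captured response is useless against a fresh identifier and challenge.
        "chap_replay_new_challenge": chap_verify(password, 2, os.urandom(16), response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'Accept' if ok else 'Reject'}")
```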
different pools for user with and without traffic
Hello freeradius-users,

I want freeradius to assign different IP addresses (from different networks) according to the traffic balance of users. It means that if a user has no traffic left for this month, freeradius will give him an IP address from 192.168.222.0/24, and if the user still has traffic on his account he will receive 192.168.111.0/24.

The algorithm is simple, but i'm stuck with check-reply items. Now i have this in 'users' file:

    DEFAULT Service-Type == Framed-User
            Traffic-Limit := `%{expr: %{reply:Rad-Traffic-limit} - %{sql:SELECT sum(AcctInputOctets)+sum(AcctOutputOctets) FROM radacct WHERE UserName = '%u' AND Month(AcctStopTime) =Month(NOW()) AND Year(AcctStopTime) = Year(NOW())}}`,
            Fall-Through = 1

Reply item Rad-Traffic-Limit is coming from LDAP. And if i understand the documentation right, i need something like this:

    DEFAULT Traffic-Limit 0, Pool-Name := legal_pool
            Fall-Through = 1

    DEFAULT Traffic-Limit = 0, Pool-Name := illegal_pool
            Fall-Through = 1

But, of course, radiusd blames me for this - '' and '=' is not applicable to reply items.

So i think i need to put the value of reply attribute Traffic-Limit to some check attribute and then compare it and assign the pool name, am i right? And if i am, then - how can i do it? I tried many ways, but have no success.

For now those users, who have = 0 of traffic left, are just being rejected and that's all, but i need to pass them with harder restrictions. Main idea: they will work with the different ip addresses, and i will configure my firewall in such a manner that they can only use corporate mail, corporate site, all corporate and no outer internet. So if freeradius can assign addresses from different pools - can it assign them according to traffic limits?

p.s.: always forgetting to say sorry for my bad English.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: if, then, else with ldap attributes
Hello Kostas,

Friday, April 9, 2004, 2:12:37 PM, you wrote:

KK On Thu, 8 Apr 2004, Alexander Lunyov wrote:

Hello freeradius-users, I need to differentiate users with their traffic limits, so i have common traffic limit digit in LDAP in cn=radprofile,dc=domain,dc=com, and for some users i have set their own traffic limits in their own entries (like uid=lan,ou=users,dc=domain,dc=com). So i need first of all look to user entry, and if there is no traffic limit attribute - get value of a common limit attribute in common entry.

KK If you have an overriding operator in the user entry traffic limits then you
KK should be fine. rlm_ldap will first set the traffic limit to the common value
KK and then set it to the per user value if that is available. You only need to
KK make sure that you are using operators in the user limit:
KK dn: uid=username,dc=domain,dc=com
KK ldaptrafficlimitattribute: := value
KK^^^
KK This is the important part

I don't understand, where should this part be? In 'users' file or where?

Maybe i was not very clear about the situation. Let me explain it once again.

When i configured in ldap.attrmap to take the LDAP limit attribute (radiusTraffifcLimit) and assign its value to variable Rad-Traffic-Limit - it seems that the value of the attribute is taken from LDAP, variable Rad-Traffic-Limit seems to have the right value, but when i've tried to use it in a %{expr:...} block - it seems that this variable is empty (though it is not). I've also edited the dictionary to make Rad-Traffic-Limit a registered variable.

But when i use a direct %{ldap:} query in %{expr} - i get the value. Maybe it'll be simpler to do it with Rad-Traffic-Limit, but i don't know how :(

With this DEFAULT entry in 'users' file variable Rad-Traffic-Limit is coming empty:

    DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes,
            Traffic-Limit := `%{expr: %{Rad-Traffic-Limit} - %{sql:SELECT sum(AcctInputOctets)+sum(AcctOutputOctets) FROM radacct WHERE UserName = '%u' AND Month(AcctStopTime)=Month(NOW()) AND Year(AcctStopTime) = Year(NOW())}}`

While in debug output i see this:

    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldap.domain.ru:389, authentication 0
    rlm_ldap: bind as cn=root,dc=domain,dc=ru/password to ldap.domain.ru:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in ou=users,dc=domain,dc=ru, with filter (uid=lan)
    rlm_ldap: checking if remote access for lan is allowed by dialupAccess
    rlm_ldap: performing search in cn=radprofile,dc=domain,dc=ru, with filter (objectclass=radiusprofile)
    rlm_ldap: Adding radiusSimultaneousUse as Simultaneous-Use, value 1 op=21
    rlm_ldap: Adding radiusTrafficLimit as Rad-Traffic-Limit, value 314572800 op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
    rlm_ldap: Added password somepass in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user lan authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 175
    radius_xlat: Running registered xlat function of module expr for string ' %{Rad-Traffic-limit} - %{sql:SELECT sum(AcctInputOctets)+sum(AcctOutputOctets) FROM radacct WHERE UserName = '%u' AND Month(AcctStopTime)=Month(NOW()) AND Year(AcctStopTime) = Year(NOW())}'
    radius_xlat: Running registered xlat function of module sql for string 'SELECT sum(AcctInputOctets)+ sum(AcctOutputOctets) FROM radacct WHERE UserName = '%u' AND Month(AcctStopTime) =Month(NOW()) AND Year(AcctStopTime) = Year(NOW())'
    rlm_sql (sql): - sql_xlat
    radius_xlat: 'lan'
    rlm_sql (sql): sql_set_user escaped user -- 'lan'
    radius_xlat: 'SELECT sum(AcctInputOctets)+sum(AcctOutputOctets) FROM radacct WHERE UserName = 'lan' AND Month(AcctStopTime) =Month(NOW()) AND Year(AcctStopTime) = Year(NOW())'
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): - sql_xlat finished
    rlm_sql (sql): Released sql socket id: 3
    radius_xlat: ' - 192684935'
    radius_xlat: '-192684935'
    ...
    Sending Access-Accept of id 181 to 62.33.65.2:2957
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Traffic-Limit := 0
    Framed-Compression = Van-Jacobson-TCP-IP
    Rad-Traffic-Limit = 314572800
    Framed-Protocol = PPP
    Service-Type = Framed-User
    MS-CHAP2-Success =
    MS-MPPE-Recv-Key =
    MS-MPPE-Send-Key =
    MS-MPPE-Encryption-Policy = 0x0001
    MS-MPPE-Encryption-Types = 0x0006

I don't understand it... Rad
Re[6]: if, then, else with ldap attributes
Hello Michael,

Saturday, April 10, 2004, 1:07:14 AM, you wrote:

MG On Fri, 2004-04-09 at 15:05, Alexander Lunyov wrote:

192684935 is a sql query result. But before minus there must be Rad-Traffic-Limit, am i right? Where is it go to?

MG I think I see the problem... Try changing your %{expr: block per the
MG following: Replace %{Rad-Traffic-Limit} with
MG %{reply:Rad-Traffic-Limit}. The problem here is that you're adding the
MG Rad-Traffic-Limit to the reply pairs (which is normal), but in the expr
MG block, it's looking for it in the request pairs. Adding the reply: in
MG front of the attribute name should fix that.

Yes, that did the trick, thank you!

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: accounting from alive packets doesn't go to sql
Hello Alexander,

Friday, April 2, 2004, 2:10:25 PM, you wrote:

AL Hello freeradius-users,
AL First of all, i'd like to thank all those people, who helped me last
AL time with traffic limiting (thread how can i limit traffic use?),
AL and special thanks to Alexander M. Pravking.
AL Now, i have freebsd 4.8R-p13, freeradius-0.9.3, exppp-0.2 as a NAS and traffic
AL limiting is working with that system. My NAS (exppp) able to send
AL alive packets to radius, and when i enable sending alive-packets to
AL radius, accounting information shows in
AL /var/log/radius/radacct/${nas_ip}/detail but not affecting sql
AL accounting to change. Messages appearing in detail file is something
AL like:

[skip]

AL But it's not affecting sql :( And, while this accounting data is not shows up in
AL sql, traffic is leaking!

While searching the message base of this list i found thread accounting_update_query. Is this query in sql.conf responsible for traffic updates (by Alive packets, i mean)? If it is so, why does the default update_query not include traffic and time update fields? May it be a cause of my problem?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: accounting from alive packets doesn't go to sql
Hello Alexander,

Wednesday, April 7, 2004, 12:10:16 AM, you wrote:

While searching message base of this list i found thread accounting_update_query. Is this query in sql.conf responsible for traffic updates (by Alive packets, i mean)?

AMP Yes.

If it so, why default update_query does not include traffic and time update fields? May it be a cause of my problem?

AMP Looks like your sql config is too old, current configs (mysql/pg/oracle)
AMP do update Acct*Octets.

Current means cvs? I have freeradius-0.9.3 configs.

AMP But that's not the main problem, I think: you
AMP should have seen at least update of AcctSessionTime.

In my case i don't need SessionTime at all, traffic is the main objective.

AMP Could you show the debug output for an Alive packet?

Well, it looks something like this:

    Wed Mar 31 18:14:31 2004
    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.253.31
    Framed-IP-Netmask = 0.0.0.0
    NAS-Identifier = zeus.domain.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 278
    Acct-Status-Type = Alive
    Acct-Session-Id = s-1822761248
    Acct-Multi-Session-Id =
    Acct-Delay-Time = 0
    Acct-Input-Octets = 3738134
    Acct-Input-Packets = 49861
    Acct-Output-Octets = 23941328
    Acct-Output-Packets = 82305
    Acct-Session-Time = 11996
    NAS-IP-Address = z.z.z.z
    Client-IP-Address = z.z.z.z
    Acct-Unique-Session-Id = 9e5cc2b82380453a
    Timestamp = 1080742471

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: accounting from alive packets doesn't go to sql
Hello Alexander,

Wednesday, April 7, 2004, 12:40:59 AM, you wrote:

AMP Could you show the debug output for an Alive packet?

Well, it looks something like this:

AMP Oh, no. Not the detail'ed entry, but the output from radiusd -X

Oops :) Here it is.

    --- Walking the entire request list ---
    Cleaning up request 0 ID 27 with timestamp 40731de8
    Cleaning up request 1 ID 109 with timestamp 40731de8
    Nothing to do. Sleeping until we see a request.
    rad_recv: Accounting-Request packet from host 1.1.1.1:2719, id=251, length=162
    Calling-Station-Id = 0:50:ba:c1:3:38
    Called-Station-Id = pppoe
    Service-Type = Framed-User
    User-Name = lan
    Framed-Protocol = PPP
    Framed-IP-Address = 192.168.253.78
    Framed-IP-Netmask = 0.0.0.0
    NAS-Identifier = zeus.domain.ru
    NAS-Port-Type = Ethernet
    NAS-Port = 926
    Acct-Status-Type = Alive
    Acct-Session-Id = s--493869700
    Acct-Multi-Session-Id =
    Acct-Delay-Time = 0
    Acct-Input-Octets = 30726
    Acct-Input-Packets = 128
    Acct-Output-Octets = 32668
    --- Walking the entire request list ---
    Acct-Session-Time = 61
    rad_lowerpair: User-Name now 'lan'
    modcall: entering group preacct for request 2
    modcall[preacct]: module preprocess returns noop for request 2
    rlm_realm: No '@' in User-Name = lan, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[preacct]: module suffix returns noop for request 2
    modcall[preacct]: module files returns noop for request 2
    modcall: group preacct returns noop for request 2
    modcall: entering group accounting for request 2
    rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: Hashing ',Client-IP-Address = 1.1.1.1,NAS-IP-Address = 1.1.1.1,Acct-Session-Id = s--493869700,User-Name = lan'
    rlm_acct_unique: Acct-Unique-Session-ID = 520327ed9886561d.
    modcall[accounting]: module acct_unique returns ok for request 2
    radius_xlat: '/var/log/radius/radacct/1.1.1.1/detail'
    rlm_detail: %A/%{Client-IP-Address}/detail expands to /var/log/radius/radacct/1.1.1.1/detail
    modcall[accounting]: module detail returns ok for request 2
    modcall[accounting]: module unix returns noop for request 2
    radius_xlat: '/var/log/radius/radutmp'
    radius_xlat: 'lan'
    modcall[accounting]: module radutmp returns ok for request 2
    radius_xlat: 'lan'
    rlm_sql (sql): sql_set_user escaped user -- 'lan'
    radius_xlat: 'UPDATE radacct SET FramedIPAddress = '192.168.253.78' WHERE AcctSessionId = 's--493869700' AND UserName = 'lan' AND NASIPAddress= '1.1.1.1' AND AcctStopTime = 0'
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    modcall[accounting]: module sql returns ok for request 2
    modcall: group accounting returns ok for request 2
    Sending Accounting-Response of id 251 to 1.1.1.1:2719
    Finished request 2
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 2 ID 251 with timestamp 40731e25
    Nothing to do. Sleeping until we see a request.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re[2]: accounting from alive packets doesn't go to sql
Hello Jérôme,

Friday, April 2, 2004, 7:15:03 PM, you wrote:

JW On Fri 02/04/2004 at 12:10, Alexander Lunyov wrote:

Hello freeradius-users, First of all, i'd like to thank all those people, who helped me last time with traffic limiting (thread how can i limit traffic use?), and special thanks to Alexander M. Pravking. Now, i have freebsd 4.8R-p13, freeradius-0.9.3, exppp-0.2 as a NAS and traffic limiting is working with that system. My NAS (exppp) able to send alive packets to radius, and when i enable sending alive-packets to radius, accounting information shows in /var/log/radius/radacct/${nas_ip}/detail but not affecting sql accounting to change. Messages appearing in detail file is something like:

[skip]

But it's not affecting sql :( And, while this accounting data is not shows up in sql, traffic is leaking! Accounting block in radiusd.conf:

    accounting {
        acct_unique
        detail
        unix
        radutmp
        sql
    }

Or it's not possible? Please, help.

JW We are having the exact same problem, see my mail with subject
JW FreeRADIUS and PostgreSQL from Wed, 31 Mar 2004 21:44:59 +0200.

No, in my case the problem occurs only with Alive packets, and when radius receives a Stop packet - it's ok, it puts accounting data in sql normally. So i think it's not the same problem.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
how can i limit traffic use?
Hello freeradius-users,

I'm running FreeRadius 0.9.3 on FreeBSD 4.8R-p13, and now i'm planning to start using radius for authenticating and accounting my Ethernet users via PPPoE. Can you tell me where to read about 'how to setup traffic limits with freeradius'? Because it seems that attributes such as Monthly-Octets-Limit and Daily-Octets-Limit can be used only with IC-Radius, and i didn't find anything about freeradius.

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]