RE: SPAM-LOW: Band-Width Limitation
Yes you need to change the code to return the correct attribute that your NAS supports to limit bandwidth. Then do the same type of calculation as for the Session-Timeout and return that Attribute to your NAS. Regards Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of amr el-saeed Sent: 14 June 2006 05:01 PM To: freeradius-users@lists.freeradius.org Subject: SPAM-LOW: Band-Width Limitation Dear All, i'm using freeradius 1.1.0 . i want to use the monthly counter function of the sqlcounter module. i want to use it to calculate Band-Width not time. i modified it and it is working fine but it sends the remaining allowed bandwidth in the attribute 'Session Timeout' and the associated code of-course. what i want is to change that code !! how can i do something like that ?? thanks for your help -- regards, Amr el-Saeed - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Multiple Locations and configuring 2 different methods of Access
James, What gateway are you using? Do you want to allow authentication on some sites and other sites to be free? If so you can just set the free sites up do not perform authentication and just allow users access . Regards Jaco van Tonder From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Sent: 19 April 2006 09:43 PM To: FreeRadius users mailing list Subject: Re: Multiple Locations and configuring 2 different methods of Access we are sterring away from the original question here. if there is a way to setup RADIUS to somehow send a message or configuration attribute to the gateway to allow any clients connected to the gateway to access the internet without extra authentication aside from simply connecting to the gateway itself? The short answer is to read the documentation for the gateway software. If it says that the gateway can do this, AND it can be configured through RADIUS, then it SHOULD say which RADIUS attribute, and what value to use. That's exactly the part that I cannot find an answer to Alan, that's why I posted here to see if anyone has anything related to this. That's all the help I will be needing from you , Thank you for your time. now lets keep in mind that there are multiple locations here and therefor are multiple gateways, all I want to know is of there is a way to allow just some of the gateways, not all, to give access without username/password authentication. Now you're disagreeing with yourself again. This confuses the issue, and makes it difficult for anyone to solve the problem, because you keep changing the story about what the problem is. a) people ALWAYS use RADIUS to authenticate before they get on the net. b) people ALWAYS get a pretty web portal before they access the net c) people SOMEHOW get past the web portal to get real net access You want to change (b) so that SOME people get a web portal, sometimes. The paragraph I quoted above says you want to change requirement (a). Which is it? I don't think you're clear on what you're trying to do. Or, you're not describing it in a consistent and clear way. I do admit, I could not make it clear enough for you to understand, but no worries, I gave it a shot anyways. Once again, I do thank you for your time Alan. If there is someone else besides Alan out there who is trying to achieve the same thing, I would love to hear from them. Thank you all and thank you Alan. James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Implimenting Capping with FreeRadius
I have modified the sqlcounter module to not only replying with a Session-Timeout but with another attribute - Recv-Limit in my case as it is supported by my NAS. The counter module then simply does a query on the database during the access request processing and returns the limit allowed for the user based on the maximum - used value set in the radcheck table for the user or radgroupcheck for the user's group. This works better than an external script as it will also limit the user for the current session - and it implies that he will never be able to use more than his allowed maximum Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hamman Sent: 03 April 2006 03:23 PM To: freeradius-users@lists.freeradius.org Subject: Implimenting Capping with FreeRadius Hi, OS: Fedora C4 FR: 1.0.2-2 DB: MySQL 4.1.11-2 I was wondering if anybody has a more elegant solution to implementing capping with FreeRadius than writing a script that totals the bytes in/out in the radacct table every couple of minutes and updates the radcheck table to deny further logins? Shawn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sqlcounter - Data Download limiting
I would like to use sqlcounter to limit the max number of bytes a user can download via a NAS. My NAS supports this, but I need sqlcounter to return a different attribute (eg. RecvLimit) and not Session-Timeout. I have also seen that this is possible with the counter module but not with sqlcounter Has anyone done this before / or have a patch for the sqlcounter module to enable this Jaco van Tonder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: User accounts that expire and timeout
The Expiration module does exactly what you require. It also calculates the correct session timeout and it is fine grained it uses the format Expiration := 01 Sep 2005 12:00:00 in the radcheck table. What version of freeradius are you using? In older versions the granularity of the time was limited but I am using the version 1.4 with the CVS code for the expiration module compiled in and it works exactly as you require Regards Jaco -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Pipitone Sent: 07 January 2006 08:15 AM To: freeradius-users@lists.freeradius.org Subject: User accounts that expire and timeout Hey all, I'm working to set up a wireless hotspot using mikrotik, freeradius, and mysql. Actually the initial setup went pretty smoothly, so a big thank you to everyone that contributed to the documentation and mailing lists. Right now I'm looking to set up user accounts that are only valid for a certain date range (for instance, from today at noon until tomorrow at noon). In essence I want to set some sort of expiry date on the user account. But, as well, I'd like the session time limit for the user to be set so that the user can't stay logged in after the expire date (i.e. log in just before the expiry time and stay logged in for a few more hours.). During the time when the account is valid (i.e. hasn't expired) the user should be able to log in and out as much as the'd like, or stay logged in for the entire time. In other words, the Session-Timeout ought to be exactly the difference in time from when they log in to when the account expires. I've done a bit of reading through the mailing list archives and the documentation. I wasn't able to get the Expiration attribute to work (i can elaborate if need be), but then even if it did it isn't fine-grained enough (only down to the day) and I still wasn't sure how to automatically adjust the Session-Timeout. I was toying with using a sqlcounter somehow, but I thought it best to ask for ideas before I dive in again. Thanks in advance, Regards, jon - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to Disable RADIUS user logins if 'Session-Timeout' falls below 0
Use the couter module it does exactly what you want without triggers etc.
Regards
Jaco van Tonder
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 17 August 2005 11:28 AM
To: freeradius-users@lists.freeradius.org
Subject: How to Disable RADIUS user logins if 'Session-Timeout' falls below
0
Hi All,
I am using FreeRadius with PostgreSQL and everything is running like a charm
besides a small issue.
I am using session-timeout attribute in radreply table to control user
session time.
I have added a trigger on RADACCT table which subtracts amount of time used
by user from RADREPLY each time when he logs in.
It does work but when time is below 0 or negative I need to stop user from
getting into my system and I am failing to do so.
Here are my RADREPLY Table entries
INSERT INTO radreply (id, username, attribute, op, value) VALUES (2,
'sagar', 'Idle-Timeout', ':=', '300');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (3,
'sagar', 'Reply-Message', ':=', 'You Have Logged in Successfully');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (1,
'sagar', 'Acct-Interim-Interval', ':=', '120');
INSERT INTO radreply (id, username, attribute, op, value) VALUES (4,
'sagar', 'Session-Timeout', ':=', '-904');
The easiest way would be altering Authenticate SQL and adding a condition to
check Session-Timeout to see it doesnt fall below 0
I am not very good in POSTGRES so can someone please let me know how to do
it.
The other way would be using a Function /Procedure to carry out this check
but my question is how to use procedures/functions in postgres.conf
authenticate_query = SELECT Value,Attribute FROM ${authcheck_table}
\
WHERE UserName = '%{User-Name}' AND ( Attribute =
'User-Password' OR Attribute = 'Crypt-Password' ) \
ORDER BY Attribute DESC
Sagar Patil
British Telecommunications plc
Registered office: 81 Newgate Street London EC1A 7AJ
Registered in England no. 180.
This electronic message contains information from British Telecommunications
plc which may
be privileged or confidential. The information is intended to be for the use
of the individual(s) or
entity named above. If you are not the intended recipient be aware that any
disclosure,
copying, distribution or use of the contents of this information is
prohibited. If you have
received this electronic message in error, please notify us by telephone or
email (to the
numbers or address above) immediately.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with 1.1.0-pre0 - CVS Snapshot of 30th of June
When will this be fixed. I would like to user the latest released version 1.0.4 - but I need the Expiration module - which is not included with 1.0.4 What do I need to do to add the expiration module to 1.0.4? Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 09 July 2005 07:09 AM To: FreeRadius users mailing list Subject: Re: Problem with 1.1.0-pre0 - CVS Snapshot of 30th of June Jaco van Tonder [EMAIL PROTECTED] wrote: Assertion failed in request_list.c, line 724 This ONLY happens for proxied requests. All local requests gets authenticated ok. What can be the problem The code is being updated. Did you not see my response to the previous report of this problem? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with 1.1.0-pre0 - CVS Snapshot of 30th of June
I have a problem when proxying an auth request to another server. The server crashes with the following error: rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=130, length=69 --- Walking the entire request list --- Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) Threads: total/active/spare threads = 5/1/4 Waking up in 1 seconds... User-Name = [EMAIL PROTECTED] User-Password = jjtest NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module preprocess returns ok for request 0 modcall[authorize]: module chap returns noop for request 0 modcall[authorize]: module mschap returns noop for request 0 rlm_realm: No '/' in User-Name = [EMAIL PROTECTED], looking up realm NULL rlm_realm: No such realm NULL modcall[authorize]: module IPASS returns noop for request 0 rlm_realm: Looking up realm JacoTest for User-Name = [EMAIL PROTECTED] rlm_realm: Found realm JacoTest rlm_realm: Proxying request from user jacotest to realm JacoTest rlm_realm: Adding Realm = JacoTest rlm_realm: Preparing to proxy authentication request to realm JacoTest modcall[authorize]: module suffix returns updated for request 0 modcall[authorize]: module files returns notfound for request 0 radius_xlat: '[EMAIL PROTECTED]' rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = '[EMAIL PROTECTED]' ??ORDER BY id' rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = '[EMAIL PROTECTED]' ??ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='[EMAIL PROTECTED]'' rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='[EMAIL PROTECTED]' rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User [EMAIL PROTECTED] not found modcall[authorize]: module sql returns notfound for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module dailycounter returns noop for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module noresetcounter returns noop for request 0 modcall[authorize]: module expiration returns noop for request 0 modcall[authorize]: module logintime returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 Assertion failed in request_list.c, line 724 This ONLY happens for proxied requests. All local requests gets authenticated ok. What can be the problem Jaco van Tonder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Expiration - my experiences and a partial solution
The rlm_expiration module in the latest CVS DOES include code to set the session-timeout and it actually works. Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 20 June 2005 06:55 PM To: FreeRadius users mailing list Subject: Re: Expiration - my experiences and a partial solution Tomas 'tt' krag [EMAIL PROTECTED] wrote: Unfortunately as Joachim Bloche pointed out in a mail Session-Timeout not set with pending Expiration on this list, it seems that Freeradius does NOT set the Session-Timeout based on an Expiration date in the future. That's not good. I've fixed the CVS head, and will take a look into doing this in 1.0.x Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Expiration Module
Thanks for the info. Setting it back to 5 did not help. But when I set it to 0 the reject is sent. Thus any value above 0 does not work. Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 15 June 2005 06:53 PM To: FreeRadius users mailing list Subject: Re: Expiration Module Jaco van Tonder [EMAIL PROTECTED] wrote: It is never sent. I use radtest and get no replyradtest simply sends the request again and again... OK. It works for me with the default reject_delay = 5. You've set it to 1, which is something I haven't tested. Try setting it BACK to the default value, and it should work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Expiration Module
I have downloaded the latest CVS snapshot (the 12th of June) and am running it on Redhat 9 with Postgresql. I have configured the expiration module and added an entry in the radgroupcheck table. If I send a radius request to my server for a valid user and the expiration date is set to later than now() - the server issues an access-accept but if the expiration date/time has been reached - the server traps this - but NO reply message is sent. Is there something I am missing? Attached the part of the debug log showing what happens: rlm_expiration: Checking Expiration time: '13 Jun 2005' rlm_expiration: Account has expired radius_xlat: 'Your account has expired, jacotest ' modcall[authorize]: module expiration returns userlock for request 1 modcall: leaving group authorize (returns userlock) for request 1 Invalid user (Account has expired [Expiration 13 Jun 2005]): [jacotest/jjtest] (from client localhost port 0) Delaying request 1 for 1 seconds Finished request 1 Going to the next request Any help will be appreciated Jaco van Tonder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Expiration Module
It is never sent. I use radtest and get no replyradtest simply sends the request again and again... Regards Jaco van Tonder -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 14 June 2005 07:07 PM To: FreeRadius users mailing list Subject: Re: Expiration Module Jaco van Tonder [EMAIL PROTECTED] wrote: if the expiration date/time has been reached - the server traps this - but NO reply message is sent. ... Delaying request 1 for 1 seconds So... is it delayed for 1 second, or is it *never* sent? My tests show it's only delayed for reject_delay time. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
User Account Expiration
I am using freeradius 0.9.3 running with a Posgres sql db. If I add an Expiration attribute to the radcheck table - it only works for the date and not the time. For example it makes no difference is I enter 19 April 2005 or 19 April 2005 21:00:00 as the expiration value. The server still allows access for the whole day on the 19th. What can be wrong? I have run the server in debug mode but nothing obvious gets logged Jaco van Tonder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authenticate local - if not found proxy
I would like to know if it is possible to set up freeradius to first authenticate against the local database and if not found proxy the request off to another radius server. I am running freeradius 0.9.3 on a postgres database Jaco van Tonder - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Add Acct-Interim-Interval to all Access Accept responses
I am running freeradius 0.93 using postgres as the db. I would like toadd the Acct-Interim-Interval attribute to all Access Accept responsesfrom my radius server. How would I go about doing this? Jaco
Re: Add Acct-Interim-Interval to all Access Accept responses
I can add the attribute to the radgroupreply or radreply table but then only for a specific user or group. The attribute is then send through as required - but I would like to be able to send it for all requests to my radius Jaco van Tonder - Original Message - From: Michael Markstaller [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Sent: Thursday, March 17, 2005 9:22 PM Subject: RE: Add Acct-Interim-Interval to all Access Accept responses I am running freeradius 0.93 using postgres as the db. I would like to add the Acct-Interim-Interval attribute to all Access Accept responses from my radius server. How would I go about doing this? you should be a bit more specific.. now, adding a row to the rad(group)reply table with Attribute := YourValue should do it. or some lines in users -file: DEFAULT Acct-Interim-Interval := 300, Fall-Through = Yes Michael - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
