Re: I will be out of the office
(sorry for $pollution, but this really begs the question:) Sorry, I'm in the office reading an autoresponder out-of-office message - I can't respond to the meaningful and useful messages in my inbox. Kind regards, Jan On 30/05/07, Thor Spruyt [EMAIL PROTECTED] wrote: Hugh Messenger wrote: I will be out of the office from Wednesday May 30 until Monday June 4. What a coincidence! I'll be out of the office during those dates as well ... hunting down and killing everyone who writes broken autoresponders. Sorry, I know I shouldn't increase list pollution by letting myself respond to this, but I just can't help myself. Sorry, I'm in the office so I can't answer mail to my private mail address now. Kind Regards, Thor ;-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius compatibility questions
One thing to keep in mind is Freeradius is basically just a framework that you chuck plugins into: there are numerous plugins to do most any task included with it to make things easier - and if you don't find what you need, you can make your own (or, if you're lazy, you can build one in a programming language module such as rlm_perl - which, being Perl, you can also do pretty much anything in, including AD, LDAP, custom SQL stuff, or even entirely custom implementations (eg, query an external webserver to authenticate a user - so theoretically, 'ebay integration' is possible!).) It's best not to think of Freeradius as a monolithic product (ie, everything built in, with strict compatibility/functionality limitations, as you'd buy off the shelf), and instead think of it as an unfilled server rack, where you can plug and choose based on your requirements. But yes, as Dennis pointed out, you have quite a bit of reading (and I should also mention testing) to do. It should be trivial to build a very simple test-bed installation of Freeradius once you understand what's going on, then you can figure out what your APs and VPN servers are saying (and wanting in return), from which you can choose and configure modules to suit your needs. Jan On 22/05/07, Dennis Skinner [EMAIL PROTECTED] wrote: Ouahiba MACHANI wrote: Hi, Can anyone give me details about FreeRadius compatibility? My questions are : 1- Dose radius operate easily with Cisco equipments (including firewalls, VPN, … ) and other hardware VPN servers? 2- The same question for software VPN, such as Microsoft Routing and Remote Access Server (RRAS)? 3- the same question for access points? 3- What version or variants of the following standards and methods dose radius support : X802.1X, EAP-X? - Is there available plug-in that allow to interface with ActiveDirectory ? LDAP directories ? Databases (Oracle, MySQL, etc) ? Where can I find the features of the actual version of radius? FreeRADIUS is one of, if not the most widely deployed RADIUS server in the world. I can't speak to the specifics of RRAS, but the answer to most of your questions is yes. I want to develop a plug-in for FreeRadius. This plug-in should be able to handle authentication requests send from a VPN server (either hardware, Cisco or a Software (MS RRAS) implementation) or an AccessPoint. The second requirements, is that this plug-in should be able to interface with the different users Data store including ActiveDirectory, LDAP directories and Databases, to accomplish user authentication. So, you want something to listen for and process requests and then based on that request, do a lookup of some kind to get the user's account information and then do some sort of comparison between them and send an Accept or Reject back. Yep. Sounds exactly like what freeRADIUS does. There are already plugins for LDAP, SQL, Oracle, etc. Time to do some reading I think: http://www.freeradius.org/ http://wiki.freeradius.org/Main_Page http://deployingradius.com/ especially: http://deployingradius.com/documents/protocols/compatibility.html Then grab the tarball and read the files in the doc dir, the man pages, and the comments in the config files. If you still have questions, google+list archive and asking on this list can help. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: usage counter....
Yeah, I found a method to do this. It involves configuring your NAS to
reauthenticate the user every 20 minutes or so (I use OpenVPN with a NAS
plugin, it does key renegotiation every 20 minutes so this is ideal for me),
and using a Perl script with rlm_perl to do your own calculations. Read
below to see how to make it work with a NAS that doesn't periodically
renegotiate, and supports Packet of Disconnection.
My Perl script does a query to find the bytes used for each user (I also
specify date/time requirements, but this isn't shown here):
SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE
username='$username'';
Then you can make it compare it with the user's user-group attribute, eg:
$result = SELECT SUM(inputoctets + outputoctets) FROM radacct WHERE
username='$username'';
$bytesused = $result[0];
if ($check['user-group' == heavyusers)
{
# give the user full speed service if their byte usage is below 100GB
if $bytesused 1
{
return AUTH_OK;
}
else
{
return AUTH_REJECT;
}
}
...and repeat as neccassary. (note, this is off the top of my head with no
reference to the rlm_perl script I use, so some values will likely be fuzzy
or outright wrong)
This way, I didn't have to hack around with complicated, awkward modules in
FreeRADIUS - all I needed to do was move the functionality and
decisionmaking logic to Perl. This saved me -days- of work, and is very
flexible.
It all depends on what methods you have to enforce user disconnection: I was
lucky enough to be able to ask for the creator of the OpenVPN plugin to add
an 'reauthenticate every 20 minutes' option, which if it failed, booted the
user off the NAS. Read your NAS documentation: specifically, look for
if/when it reauthenticates, and if it supports Packet-Of-Disconnection. If
it does support PoD, then you can easily add this functionality to the Perl
script that runs on accounting, and it'll work just fine without periodic
reauthentications.
Hope this helps!
Jan
On 19/05/07, Trio Yulistianto [EMAIL PROTECTED] wrote:
so.. its mean that freeradius not yet supporting about this limit ?
so i have to ask mikrotik ?
2007/5/18, [EMAIL PROTECTED] [EMAIL PROTECTED]:
With a bit of gymnastics it can be done. You can run an outside program
on accounting updates checking Octet total - if it goes over the limit
it can send PoD (if Mikrotik supports this). But is it worth it? How
much over the limit can they go in one session (you are setting a
monthly limit)? Think about limiting sessions with Session-Timeout as
well.
Or simply ask Mikrotik to introduce Mikrotik-Total-Limit VSA. If
enough people request it ...
Ivan Kalik
Kalik Informatika ISP
Dana 18/5/2007, Trio Yulistianto [EMAIL PROTECTED] piše:
yupes you are right... it can't stop user from going over the limit,
but i need to kick while the limit reached as time session...
any body success with this ? please tell me how
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: One day user account
...or if you're feeling lazy and know Perl, rlm_perl is an exellent tool to make your own policy decisions (as you can configure perl to talk to your mysql database). Hope this helps, Jan On 11/05/07, Marc Miranda (GOWEX) [EMAIL PROTECTED] wrote: Take a look at rlm_counter/rlm_sqlcounter (I don't know if it's exactly what you are looking for) or if you don't want to complicate, just work with a database logic and change the radius auth queries depending on certain timestamps and NOW(), for example, in the case of MySQL, in sql.conf. I'm not a guru, but it can be useful for starting looking for some of the options… -- *De:* [EMAIL PROTECTED]: [EMAIL PROTECTED] *En nombre de *Aren Chua *Enviado el:* viernes, 11 de mayo de 2007 12:35 *Para:* freeradius-users@lists.freeradius.org *Asunto:* One day user account Hi All, I would like to create a user account which only allow user to use for 1 day. Once the user has been authenticated, the time will be start counting and ended after 24 hours. Although the user didn't fully used up their session time, radius still will reject user to login. Can any expert give me some suggestion on how to create this user account? Thanks Regards, Aren Chua -- Download Messenger. Start an i'm conversation. Support a cause. Join Now!http://im.live.com/messenger/im/home/?source=TAGWL_MAY07 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ip pool for dynamic users
You could use the same ip pool across two NAS servers if you were only using one radius server to assign IPs. I recommend you either make one radius server handle only one NAS, so the ip pools don't collide, or used rlm_sqlipool across them both as Peter pointed out. Jan On 12/04/07, Peter Nixon [EMAIL PROTECTED] wrote: On Wed 11 Apr 2007, ann kok wrote: Hi all I am using two radius servers for our DSL clients. but our client has ip conflict issue. it looks like the first radius issues the ip to the A DSL client. but seondary radius doesn't know this ip already allocated and issue this ip to B DSL client. Then two clients have the same ip address and cause the ip conflict. How can we avoid this problem? Any of the following: * Don't use the same pool range on 2 servers (What made you think that this would work?) * Use a share storage backend (sqlippool with shared database) -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius Packet Simulator
like Radtest, you mean? Jan On 02/04/07, khursheed Ahmed [EMAIL PROTECTED] wrote: Hi All I need a RADIUS Packet simulator, which could simulate RADIUS packet for me, If is there any Plz tell me, As I needed it bcz I m developing a Translation Agent which could translate (convert) RADIS packet in to Diameter Packet. Is there any Idea Plz help me Khursheed Ahmed QAU From: [EMAIL PROTECTED] Reply-To: freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 24, Issue 3 Date: Mon, 02 Apr 2007 07:59:28 +0200 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] When replying, please edit your Subject line so it is more specific than Re: Contents of Freeradius-Users digest... Today's Topics: 1. Re: Attributes (Shawn Mitchell) 2. Re: passing Calling-Station-ID (Adil Azmi Bikarbass) 3. Re: Freeradius-Users Digest, Vol 24, Issue 2 (Arran Cudbard-Bell) 4. RE: Attributes [unclas] (Ranner, Frank MR) 5. Re: Attributes [unclas] (Shawn Mitchell) 6. RE: Anyone using dd-wrt for AP? (Aren Chua) 7. EAP-AKA patch for Freeradius 1.1.2 (awaneesh kumar) -- Message: 1 Date: Sun, 01 Apr 2007 16:45:22 -0500 From: Shawn Mitchell [EMAIL PROTECTED] Subject: Re: Attributes To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed Ok, here's what I'm doing: DEFAULT Client-IP-Address == xx.xx.xx.xx Ascend-Data-Filter = ip in forward tcp est, Ascend-Data-Filter = ip in forward dstip xx.xx.xx.0/24, Ascend-Data-Filter = ip in drop tcp dstport = 25, Ascend-Data-Filter = ip in forward, Fall-Through = Yes I turned on logging of reply's, but all I'm seeing it send is: Sun Apr 1 16:31:21 2007 Ascend-Data-Filter = ip in forward tcp est I put this into the 'users' file btw. Alan DeKok wrote: Shawn Mitchell wrote: Where can I say If client is 'x', then also send these attributes to users being authenticated...? In the users file. DEFAULT Client-IP-Address == 1.2.3.4 Reply-Message = You're coming from 1.2.3.4 Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Message: 2 Date: Sun, 01 Apr 2007 22:59:14 + From: Adil Azmi Bikarbass [EMAIL PROTECTED] Subject: Re: passing Calling-Station-ID To: Alan DeKok [EMAIL PROTECTED] Cc: FreeRadius users mailing list freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hello All, Do i need to create a whole DB for only one filed that i will pass from one NAS to another? Knowing that my Freeradius is running on Solaris 10 which DB you suggest to use? Thank you Alan DeKok a ?crit : Adil Azmi Bikarbass wrote: The issue is that we want the second NAS to get the calling-station-ID from the someuser session on Radius To do... what? is there a way we can have this to work and pass this attribute from one session to another? Sure. Store the Calling-Station-Id in a database when you receive it from the first NAS, then pull it out of the DB, and send it to the second NAS. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog -- |-Adil Bikarbass |-IT Manager, MTDS |-tel +212.3.767.4861 |-fax +212.3.767.4863 |-gsm +212.6.139. 4541 |-14, rue 16 novembre |-Rabat, Kingdom of Morocco -- Message: 3 Date: Mon, 02 Apr 2007 00:00:43 +0100 From: Arran Cudbard-Bell [EMAIL PROTECTED] Subject: Re: Freeradius-Users Digest, Vol 24, Issue 2 To: freeradius-users@lists.freeradius.org Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed Does anyone have a draft list of which clients actually support the Reply-Message and by which methods they can recieve them? All clients will accept it. Very few will do anything useful with it. The reason why I ask , it during initial tests (using chap) the built in windows CHAP supplicant would display the reply-messages being sent back from the server. Now we've moved on from CHAP to using EAP and the windows supplicant no longer displays the messages. Yes. Am I right in assuming
Re: Freeradius-Users Digest, Vol 24, Issue 5
Radtest is designed to send RADIUS packets. If you take a look at the manpage you will see that it is based on a small utility that sends raw RADIUS packets, and contains code for retransmission, display of variables, and other things. What do you mean, AVPs? If you're referring to the draft EAP protocol using Diameter, then I have no knowledge of how to send these. You may want to try reading the manpage for radtest, or reading the documentation for radcheck. Jan On 02/04/07, khursheed Ahmed [EMAIL PROTECTED] wrote: Hi Jan like Radtest, But radtest is used for the test of Radius installation Could it will give me AVPs of Radius so that may I convert them for Diameter packets thnx From: [EMAIL PROTECTED] Reply-To: freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 24, Issue 5 Date: Mon, 02 Apr 2007 11:15:13 +0200 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] [snip] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : RE : IP Pool management and Re-authentication
I've been using OpenVPN + Ralf's Radiusplugin for several months and recently moved away from server-side IP assignment. However, while I did use it, I found that in my configuration FreeRADIUS only assigned new IPs when the accounting for that user had stopped (ie, if it recieved a STOP packet). This meant, that once I'd crashed the openvpn server 3 times with users on it :-) there were many IP's who were 'lost' - their sessions had never ended, hence the IP was never returned to the pool. I was doing renegotiation every 20 minutes if I remember correctly, and the freeradius replied with the same IP for the user time and time again. Hence, I'm beginning to wonder if it's configuration-specific, because I didn't have any problems. Hope this helps, Jan On 21/03/07, Thibault Le Meur [EMAIL PROTECTED] wrote: Thibault Le Meur wrote: I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing. Alan DeKok. Do you mean updated (to 1.1.5) or patched ? I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't see any difference so I think the problem I'm seeing is still present in 1.1.5. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Red Hat vs. Slackware
Redhat is probably the Ford of the linux distributions: it'll get you to where you want to be, it just might not do it as quickly or flashily as other distros. For most installs I recommend CentOS - which is basically Redhat Enterpise 4 but free. You pretty much can't go wrong with any modern, mainstream distro though. Jan On 15/02/07, Gaddis, Jeremy L. [EMAIL PROTECTED] wrote: On Thu, 15 Feb 2007, silvia bogos wrote: please i need to decide what to use RED HAT OR SLACKWARE. Um, use whichever one you want? To the rest of us, the distribution you choose to run really doesn't matter. That said, I moved off of Slackware around 1998 and haven't looked back. -- Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED] LinuxWiz Consulting http://linuxwiz.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radiusd servies automaticly die
run radiusd using radiusd -X from the shell, and watch what it does. Does it give an error message? Does this hint at what the problem is? Regards, Jan On 07/02/07, satish patel [EMAIL PROTECTED] wrote: Dear ALL i have some problem of regradig radius service when i start radiusd daemon and after few min its process down or radius service stoped so what is the problem ??? Satish patel -- Here's a new way to find what you're looking for - Yahoo! Answershttp://us.rd.yahoo.com/mail/in/yanswers/*http://in.answers.yahoo.com/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Check against TWO possible password?
if all else fails, try using rlm_perl to do the authentication (or maybe, compare the password against both elements in the database, then 'rewrite' it as the first if it matches, so rlm_sql recognises it properly. This, of course, is a bit of a hack (but if it works every time and is less complex than a failover implementation, is it bad?). Jan On 03/02/07, Federico Giannici [EMAIL PROTECTED] wrote: Alan DeKok wrote: Federico Giannici wrote: Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative User-Password attributes... Sort of. See doc/configurable_failover. I read it, but I'm a little confused... How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed? Thanks. -- ___ __ |- [EMAIL PROTECTED] |ederico Giannici http://www.neomedia.it ___ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Suggestion for prepaid services
I've heard good things about chillispot. Jan On 19/01/07, PD [EMAIL PROTECTED] wrote: Dear all, Is there any solutions for prepaid services such as hotspot ? I look thru the mailing list archieve and only found one unanswered question. TIA PD - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
Hoping to be more helpful here, I know how to implement this functionality
in freeradius, but only when using a mysql database backend (which is a good
idea for most setups using more than about 20 users).
I am assuming you want to control user logins to multiple NASes and this is
what you meant by user 'x' can only login to IP addr 'y' and /or 'z'. If
you need to just filter traffic based on real network devices, for example
where Y and Z are IP addresses on your network, you can safely ignore my
first radgroupcheck entry below that restricts NAS choice.
If you get a standard mysql setup working, all you need to do is add the
user's password to radcheck (for table names username,attribute,op,value
you should have bobengineer,User-Password,==,nortel), and add the user to
a group in radgroup (username, group = bobengineer,engineers). then you can
set group-specific policies by putting entries in radgroupcheck and
radgroupreply, such as...:
radgroupcheck: [groupname,attribute,op,value]
engineers,NAS-IP-Address,==,11.22.33.44(all engineers connecting must do
so from NAS with IP addrss 11.22.33.44)
engineers, Pool-Name,==,engineers_pool (all engineers connecting will be
assigned an IP from the 'engineers' IP pool, which means you can firewall
them off using IPTables (or the Shorewall frontend to iptables, which I
recommend using) or something similar)
Basically this provides you with both tools you will need - the ability to
restrict where users can log into, and the ability to restrict what IP
address users recieve. You'll need to set up rlm_ippool to automatically
assign IPs, and you'll want to make sure your NAS devices send accounting
packets (accounting start/stop are important - also if accounting stop's
aren't sent, you'll run out of IP addresses).
Hope this is a little more helpful than the usually flippent replies on the
mailing list, I was in the same boat before too :-)
thanks,
Jan
On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:
Yep. Its called a firewall...
-Peter
On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for auth-type in my users file. Is there a simple way to
say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
groups of engrs, admins, and operators and need to discriminate who can
access which device
Scott
-Original Message-
From: Ellis, Scott 1 (N-Comptel Inc.)
Sent: Tuesday, January 02, 2007 11:40 AM
To: 'FreeRadius users mailing list'
Cc: Ellis, Scott 1 (N-Comptel Inc.)
Subject: RE: How to restrict users /PAM to specific NAS devices??
I have looked it over, but I am still not clear. I was thinking that I
could use huntgroups to map devices to specific groups, but then I am
not clear on how to restrict users ('users' file) to those groups. I
know this has probably been done most everywhere in one form or another.
Any examples that show the actual entries in the approp. files?
Thanks,
Scott
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 02, 2007 9:43 AM
To: FreeRadius users mailing list
Subject: Re: How to restrict users /PAM to specific NAS devices??
Ellis, Scott 1 (N-Comptel Inc.) wrote:
I am using PAM for Auth-Type.
I want to be able to either 1) restrict the devices the user has
access to (admins,operators, etc) by username and/or 2) preferably
carve into groups my network gear/NAS devices and then assign users to
groups.
See man rlm_passwd. It's documentation describes how to create
groups like this.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't access Internet?
You may wish to use the radius-tools package (correct me if the package name is wrong, List) which is included with freeradius to send test packets from the test application to the Freeradius server, and it'll show you what the attributes you're sending and what the server replies with. You can then do this again to your AIX server and see how the response is different - this will involve adding your test client machine as a NAS in the AIX machine's clients file. Basically you need to eavesdrop on the connection between the radius client and new/old servers, and compare and contrast the replies. This is the best way to work out What has changed? Hope this helps, Jan On 08/01/07, Tim Tyler [EMAIL PROTECTED] wrote: FreeRadius experts, We are trying to run FreeRadius on a RedHat AS 2.1 system. We use an external password file for authentication defined in the unix system (password = filename) section of radius.conf. This seems to work fine. Modem users can authenticate to our old 3com Total Control modem pool, but users can not access the Internet. They can access all local domain servers on campus, but they can't get off campus. This really should not be a firewall issue as the same ip addresses are still associated with the modem pool. Note: if we go back to our old Lucent Technology radius server running on AIX, everybody is fine and can access the Internet again. I am trying to find out what might cause a modem pool to only work locally (access servers on our campus) after switching to FreeRadius particularly since it seems that the authentication part is working? I know that the 3com Total Control modem pool is rather old but I don't know why it would behave differently from one radius server to another as long as authentication works. I read in one of the FreeRadius archives that some users have experienced a similar problem of either very slow or won't work at all for some customers accessing the Internet via Freeradius authentication until they modified the MTU setting. This is curious to me. Is there a place in FreeRadius that I might change the mtu setting given that I am using an external unix password crypt file for all authentication? If so, what mtu setting might be recommended? Is there another possible explanation that might relate to Freeradius? any thoughts are much appreciated? Tim Tyler Network Engineer - Beloit College [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Questions from a totally ignorant n00b
Freeradius can do this, I believe (please correct me if I'm wrong, List). However, you might want to consider firewalling those certain addresses on your radius server so authentication/accounting packets never reach your existing radius server daemon. Look into iptables, it should be fairly easy to do. It'd also save what is probably an unnecassary change of software for your purposes! Hope this helps, Jan On 21/12/06, Gene Mosley [EMAIL PROTECTED] wrote: I am currently running RADIUS under AIX (the AIX version of RADIUS) and having a problem. It appears that the AIX RADIUS cannot be configured to work around this problem. I was wondering if switching to FreeRADIUS would help? The problem is this: Users are authenticating from systems that they should not be authenticating from - we need to block authentication on a per system (IP address) basis, not a per user basis. Users should be allowed to authenticate from any system that they are using _except_ a certain, specific list of IP addresses which would basically be banned/blocked from authenticating. Is this something that FreeRADIUS can do? I just started reading about it - and if nothing else it looks like exec-program-wait might be used to test the IP address and return an authentication failure? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Send atributes to the client
There are plenty of examples embedded in the users file - also, if you read the manpages it describes precisely how to do this. Jan On 20/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: James: Can you send an example. Saludos y Gracias Francisco - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FREERADIUS USING IP POOLS
Read the documentation in radiusd.conf, and experimental.conf. It's all there. You need two rlm_ippool modules instantiated, and placed in the postauth and accounting sections of the config file. You also need to add Pool-Name := pool1name in radgroupcheck under the name of group 1, and the same again for pool 2/group 2. Post what you come up with if you need further help - this configuration is in the documentation. Jan On 15/12/06, Tomas Eduardo Lotina Ramos [EMAIL PROTECTED] wrote: HOW CAN I USE IP POOLS WITH FREERADIUS, MY NAS is a cisco Linksys WRT54G now im working with freeradius 1.1.3 and mysql 5.02 in ubuntu drapper and is working fine, i have my users stored in the radcheck table, but i want to divide the users in two groups and assing a different range of ip pools to each group of users dynamically so i want to know how can i create two ippools and assing dinamically this ips to the users of the radcheck table depending if they belong to a group A or a group B. help please! thanks in advance!!! EDUARDO -- Llamadas grátis de PC a PC Haz clic aquí http://g.msn.com/8HMBESMX/2749??PS=47575 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HELP
insert into radgroupcheck table: id,groupname,attribute,op,value [leave blank],group1,Pool-Name,==,pool1 This will mean that any user that is part of group1, will have Pool-Name set to group1 (which will make IP assignment work properly). radcheck will be just fine authenticating users on its own. Hope this helps, Jan On 09/12/06, Tomas Eduardo Lotina Ramos [EMAIL PROTECTED] wrote: HELP PLEASE hello i need help, if somebody can help me please do it =) i got a freeradius server with mysql, both having comunication, i have an access point cisco which one is working with freeradius server excellent, the authentication is throught the radcheck table in radius database , im using PEAP/MS-CHAV2 and for example i have a laptop with wireless and i enter a username and a password that i already have in the radcheck table and the conexion with freeradius is always sucessful, im running dhcp3 and when radius accept the user, dhcp3 send a ip to the client, everything is fine but i have a problem, i need to create two dynamic ip pools, one for users of a group A and one for users of the group B the problem is that i dont have any idea how can i use the radcheck table for auth the users and in the same time use dhcp3 to recognize those users and assing the ip from the ip pool A or B depending if the user belongs to the group A or B how can i work with mysql and dhcp3??? help me please eduardo I.S.C Tomas Eduardo Lotina Ramosthe Love is the base of the world, and its only hope.. -- Ya tienes la ultima versión de Messenger: Windows Live Messenger en Prodigy/MSN (V.8) Haz clic aquí http://g.msn.com/8HMAESMX/2734??PS=47575 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Global address pool
from what I've seen on the lists, sqlippool is full of bugs and holes. If you're planning to put it into a production environment, I'd strongly suggest booking a coder for a couple of days :-) Such is the nature of open-source I guess. There is no other truly feasable way of leasing IPs over multiple servers, other than Rsync'ing the pool files, or manually assigning different RADIUS servers for different pools - the second means that you are basically splitting your system into multiple independent groups - several NASes to one RADIUS server. However, both of these are hacks. I'm using rlm_ippool at the moment on a multi-nas basis, as I have had both two NASes getting IPs assigned to users from a single shared pool, and also one-pool-per-NAS. Both work fine. It's your choice really - you can always just use one-pool-per-NAS and manually assign each NAS to a RADIUS server responsible for maintaining the pool, while you're getting sqlippool up to production standards. Hope this helps, Jan On 07/12/06, Paul Khavkine [EMAIL PROTECTED] wrote: Hi folks. I'm looking into ways to implement a global address pool for multiple NASes and multiple RADIUS servers. I see that there's 2 possible ways of doing it with FreeRADIUS. 1) use rlm_ippool 2) use rlm_sqlippool I'm leaning towards rlm_sqlippool since it can be used to lease an address to a subscriber for a period of time so they get same ip address for the duration of the lease. Is there any other ways to implement NAS independent address pool and be able to lease same address to a subscriber ? Is anyone using sqlippool in production ? Thanx Paul - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Assigning IPs on a per-NAS basis?
Hello, Trying to do a very simple task here - create a new check attribute Pool-Name := servername, depending on what NAS sends the request to the RADIUS server (identifiable by IP address or by name or whatever in the request attributes). What's the best way of doing this? Thanks, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CVS make error
Hello all, After much trouble I've managed to get CVS to download the right version of freeradius (not radiusd-cistron...doh), and now I'm having some problems with making it. From what I can see, there's some problems with EAP (which I happen to not need). Is it possible (or even recommended) to remove EAP from the compilation process? If so, how do I go about doing this? Failing that, if somebody is feeling really nice they could code a fix for CVS :) Regards, Jan /root/installs/radiusd-cvs/radiusd/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c -fPIC -DPIC -o .libs/radeapclient.o radeapclient.c: In function `radlog': radeapclient.c:111: warning: implicit declaration of function `va_start' radeapclient.c:111: warning: nested extern declaration of `va_start' radeapclient.c:113: warning: implicit declaration of function `va_end' radeapclient.c:113: warning: nested extern declaration of `va_end' radeapclient.c: In function `log_debug': radeapclient.c:124: warning: nested extern declaration of `va_start' radeapclient.c:111: warning: redundant redeclaration of 'va_start' radeapclient.c:111: warning: previous implicit declaration of 'va_start' was here radeapclient.c:126: warning: nested extern declaration of `va_end' radeapclient.c:113: warning: redundant redeclaration of 'va_end' radeapclient.c:113: warning: previous implicit declaration of 'va_end' was here radeapclient.c: In function `radlog': radeapclient.c:106: warning: 'ap' might be used uninitialized in this function radeapclient.c: In function `log_debug': radeapclient.c:121: warning: 'ap' might be used uninitialized in this function gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/installs/radiusd-cvs/radiusd/src -Ilibeap -c radeapclient.c -o radeapclient.o /dev/null 21 /root/installs/radiusd-cvs/radiusd/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libeap.la -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypto gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libeap.so -lssl -lcrypto -lnsl -lresolv -lpthread -Wl,--rpath -Wl,/usr/local/lib .libs/radeapclient.o(.text+0x13b): In function `radlog': /root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:111: undefined reference to `va_start' .libs/radeapclient.o(.text+0x15a):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:113: undefined reference to `va_end' .libs/radeapclient.o(.text+0x193): In function `log_debug': /root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:124: undefined reference to `va_start' .libs/radeapclient.o(.text+0x1b2):/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap/radeapclient.c:126: undefined reference to `va_end' collect2: ld returned 1 exit status gmake[6]: *** [radeapclient] Error 1 gmake[6]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules/rlm_eap' gmake[5]: *** [common] Error 2 gmake[5]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules' gmake[4]: *** [all] Error 2 gmake[4]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src/modules' gmake[3]: *** [common] Error 2 gmake[3]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src' gmake[2]: *** [all] Error 2 gmake[2]: Leaving directory `/root/installs/radiusd-cvs/radiusd/src' gmake[1]: *** [common] Error 2 gmake[1]: Leaving directory `/root/installs/radiusd-cvs/radiusd' make: *** [all] Error 2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Difference between radiusd-cistron and freeradius?
Hello, I'm currently trying to get hold of a CVS snapshot of the latest FreeRADIUS build - but I'm having some real trouble. I've tried looking in the cvs-snapshots subfolder, and found: radiusd-cistron-1.6-snapshot-20061019.tar.gz Is this freeradius? I would like the new functionality that allows me to write to the RAD_CHECK hash from rlm_perl, that's the only reason I want to use CVS. When I attempt to connect to CVS, I get the following: [EMAIL PROTECTED] [~/installs/radiusd-cvs]# cvs -d :pserver:[EMAIL PROTECTED]:/source login Logging in to :pserver:[EMAIL PROTECTED]:2401/source CVS password: [EMAIL PROTECTED] [~/installs/radiusd-cvs]# cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd upon which point it sits there doing nothing for about 20 minutes. I presume this is not normal CVS behaviour? Where do I get the correct CVS snapshot for freeradius? I apologise, this is probably very obvious but I've been trying all day to figure out why the snapshot I had downloaded (see top of email) doesn't read from config files, or accept the radiusd -X switch... Regards, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Difference between radiusd-cistron and freeradius?
That explains a lot - thank you. I was certain I was trying to install the wrong thing :) Thanks, Jan On 20/10/06, Alan DeKok [EMAIL PROTECTED] wrote: Jan Mulders [EMAIL PROTECTED] wrote: I've tried looking in the cvs-snapshots subfolder, and found: radiusd-cistron-1.6-snapshot-20061019.tar.gz Is this freeradius? No. upon which point it sits there doing nothing for about 20 minutes. The machine appears to be overloaded, with a disk that's nearly full. I'll see if there's anything I can do. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius error: invalid keyword ATTRIB_NMC
Hi list. I'm having some problems getting the nightly CVS snapshot to work. It compiles fine, I've set relevant log directories, and gotten rid of the old dictionary files, instead using the ones in the CVS. I now get this error when attempting to start radiusd: Wed Oct 18 15:18:43 2006 : Error: Errors reading dictionary: dict_init: /usr/local/share/freeradius/dictionary.usr[56] invalid keyword ATTRIB_NMC The offending file contains the following: # # USR Extensions: USR Vendor-Specific stuff. # # For now in NMC format (whatever that stands for), though the # normal vendor-specific format would work just as well. # # ATTRIB_NMC USR-Last-Number-Dialed-Out 0x0066 string ATTRIB_NMC USR-Last-Number-Dialed-In-DNIS 0x00E8 string ATTRIB_NMC USR-Last-Callers-Number-ANI 0x00E9 string ATTRIB_NMC USR-Channel 0xBF38 integer ATTRIB_NMC USR-Event-Id0xBFBE integer ATTRIB_NMC USR-Event-Date-Time 0xBF2F date ATTRIB_NMC USR-Call-Start-Date-Time0xBFF7 date ATTRIB_NMC USR-Call-End-Date-Time 0xBFF6 date ATTRIB_NMC USR-Default-DTE-Data-Rate 0x005E integer ...and on and on. Is there something I need to do in order to get this to work? Have I made a silly mistake? Thanks all, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
CVS: radtest strangeness
Okay, I knew the CVS was weird, but this really takes the cake: [EMAIL PROTECTED] [~]# radtest testuser1 testing localhost 5 SuperSecretPassword Unknown attribute Password radclient: cannot parse Password = testing What on earth? Usage: radtest user passwd radius-server nas-port-id secret [ppphint] [nasname] Have I really missed something obvious? Hopefully someone can clear this up real quick for me. Thanks, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More CVS madness: Radiusd not actually doing anything
Hello, More CVS madness for you all. I'm trying to run radiusd on my server, replacing an existing, working configuration. When I run radiusd (specifying paths or using defaults, it doesn't matter), I get the following: [EMAIL PROTECTED] [/etc/raddb]# radiusd -xx Starting - reading configuration files ... Ready to process requests. [ then I press ctrl-c, as the server isn't doing anything ] CHILD: exit on signal (2) MASTER: accounting process died - exit. [EMAIL PROTECTED] [/etc/raddb]# It does this regardless of the presence of a radiusd.conf file in the /etc/raddb folder. What the hell is going on? Thanks, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CVS: radtest strangeness
Thank you for the fix. I copied across the new dictionaries, it seems
to have solved the problem.
However radiusd seems to be ignoring the config files placed before it:
[EMAIL PROTECTED] [/etc/raddb.backup]# radiusd -xx
Starting - reading configuration files ...
Ready to process requests.
radrecv: Packet from host 127.0.0.1 code=1, id=222, length=56
User-Name = test
User-Password = \346\242\361\271_s\37\276\225K\\\003Z~\200
NAS-IP-Address = 208.53.158.28
NAS-Port = 4
packet from unknown client/host: localhost
[EMAIL PROTECTED] [/etc/raddb]# radtest test test localhost 4 SecretPassword
Sending request to server localhost, port 1812.
[EMAIL PROTECTED] [/etc/raddb]#
[EMAIL PROTECTED] [/etc/raddb]# ls
./ ippool.512k_low
../ldap.attrmap
0 mssql.conf
1 naslist
2 naspasswd
3 old.users
4 oraclesql.conf
5 otp.conf
6 otppasswd.sample
7 postgresql.conf
8 preproxy_users
9 proxy.conf
acct_users radiusd.conf
attrs radiusd.conf.leet
certs/ radiusd.conf.save
clientsrealms
clients.conf snmp.conf
dictionary speedchooser-final*
eap.conf speedchooser-mysql2.pl*
experimental.conf speedchooser-mysql.pl*
huntgroups speedchooser-nomysql.pl*
ipindex.10m_high speedchooser.pl*
ipindex.10m_lowsql.conf
ipindex.512k_high sqlippool.conf
ipindex.512k_low startup.log
ippool.10m_hightest.pl
ippool.10m_low testuser1.request
ippool.512k_high users
[EMAIL PROTECTED] [/etc/raddb]#
I'm expecting to see loads of SQL debug statements here, when really I
get nothing. It also hasn't read clients.conf (which contains
'localhost' as a client).
Any help getting radiusd to look in the right files would be greatly
appreciated. It is configured with the standard paths (excerpt from
Makefile:)
Here's some excerpts from conf.h and Make.inc from the new and old
installs respectively:
New Install conf.h
/* Default Database File Names */
#define RADIUS_DIR /etc/raddb
#define RADLOG_DIR /var/log
#define RADACCT_DIR (RADLOG_DIR /radacct)
#define RADIUS_DICTIONARY dictionary
#define RADIUS_CLIENTS clients
#define RADIUS_NASLIST naslist
#define RADIUS_USERSusers
#define RADIUS_HOLD holdusers
#define RADIUS_LOG radius.log
#define RADIUS_HINTShints
#define RADIUS_HUNTGROUPS huntgroups
#define RADIUS_REALMS realms
#define RADUTMP (RADLOG_DIR /radutmp)
#define RADWTMP (RADLOG_DIR /radwtmp)
#define RADIUS_PID /var/run/radiusd.pid
#define RADRELAY_PID/var/run/radrelay.pid
Old Install -- conf.h
/* Default Database File Names */
#define RADIUS_DIR RADDBDIR
#define RADACCT_DIR RADIR
#define RADLOG_DIR LOGDIR
#define RADIUS_DICTIONARY dictionary
#define RADIUS_CLIENTS clients
#define RADIUS_NASLIST naslist
#define RADIUS_REALMS realms
#define RADUTMP LOGDIR /radutmp
#define SRADUTMPLOGDIR /sradutmp
#define RADWTMP LOGDIR /radwtmp
#define SRADWTMPLOGDIR /sradwtmp
# Location of files.
Old Install -- Make.inc
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
libdir = ${exec_prefix}/lib
bindir = ${exec_prefix}/bin
sbindir = ${exec_prefix}/sbin
docdir = ${datadir}/doc/freeradius
mandir = ${prefix}/man
datadir = ${prefix}/share
dictdir = $(datadir)/freeradius
logdir = ${localstatedir}/log/radius
raddbdir= /etc/raddb
radacctdir = ${logdir}/radacct
top_builddir= /root/installs/freeradius-1.1.3
top_srcdir = /root/installs/freeradius-1.1.3
I hope this helps - I'm stumped for why it's looking at the wrong
files. Any bright ideas?
Many thanks,
Jan Mulders
On 18/10/06, Alan DeKok [EMAIL PROTECTED] wrote:
Jan Mulders [EMAIL PROTECTED] wrote:
Okay, I knew the CVS was weird, but this really takes the cake:
You are not using the correct dictionaries. Fix your installation.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: block users on-the-fly
I've been through exactly the same hell authenticating a bunch of VPN users. The fundamental problem is that FreeRADIUS is event-driven: ie, it can only do anything when someone sends a RADIUS request to it. This means, for our purposes, that freeradius needs to be *asked* if a user can continue to be connected. I did this by making VPN users be re-authenticated every 30 minutes by the VPN NAS - if the nas recieves an Access-Accept packet, then all is well, it continues to provide service (I also bundle on some max-upload and max-download attributes, so the user's speed can be changed on their gigabyte total, but this is an aside) - however, if it recieves and access-deny, the user is booted from the nas. What you need to do is get your NAS box to re-authenticate the users every n minutes (or hours or whatever you prefer). Depending on how you're authenticating in the first place, this could be done in any number of ways... However, unless your current solution is either software-based or has the functions in it already, it's probably going to be expensive to implement. If your NAS has a 'status list' function and a 'kick user' function (eg, telnet administration interface), you could write a script that connects to the status list, compares the usernames with the MySQL database, and then connects via telnet to the admin interface to issue a 'kill $user' command. I've seen this done before, and in some cases it can be less resource-intensive than the increased amount of RADIUS auth packets. However it's only really any good for 1 or 2 NAS'es - if you want your system to scale to 30-40 nases then you'll probably want to keep it simple to manage and debug, and get radius to handle periodic reauthentication. Hope this helps, Jan On 16/10/06, Guilherme Franco [EMAIL PROTECTED] wrote: Hi, Does anyone already have a program to block freeradius on-the-fly? ie: user has PAID = YES in radcheck table. Whenever I set PAID = NO, the user would no longer authenticate the next time he/ she logs in. OK, this works, but, if the user is already loged in, even if I set PAID = NO, the user would not be rejected (for obvious reasons). This is important because the grand number of Router mode ADSL users, that never logs out. I'm building a program to verify every x minutes the database and if PAID = NO, return a flag to freeradius and then reject the user. Is there any other means to do that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sqlippool + MySQL
Someone needs to do some serious work on sqlippool. I'd do so, but
currently I have no need for SQL-assigned IPs, as I only have one
RADIUS server - and if it fails over, the least thing I have to worry
about is current IP assignments.
I recommend finding someone who is adept at *SQL and buy them a pizza.
Then ask them to 'translate' those queries for you.
Jan
On 16/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Does somebody knows how to configure sqlippool with MySQL ?
The sqlippool.conf example is for pgsql. And for MySQL ?
Here is my sqlippool.conf, corrected for MySQL:
sqlippool sqlippool {
#
# SQL connection information
#
sql-instance-name = sql
# lease_duration. fix for lost acc-stop packets
lease-duration = 3600
# Attribute which should be considered unique per NAS
pool-key = %{Acct-Session-Id}
pool-name = mypool
# pool-key = %{Calling-Station-Id}
#
# This series of queries allocates an IP address
#
allocate-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE pool_key = '${pool-key}'
# note the ORDER BY clause of next query, it'll try to allocate IPs
# like Cisco internal pools do - it _trys_ to allocate the same IP-address
# which user had last session...
allocate-find = SELECT FramedIPAddress FROM radippool \
WHERE pool_name = '%{reply:Pool-Name}' AND expiry_time NOW() \
ORDER BY pool_name, (UserName '%{User-Name}'), (CallingStationId
'%{Calling-Station-Id}'), expiry_time \
LIMIT 1 \
FOR UPDATE
allocate-update = UPDATE radippool \
SET NASIPAddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
CallingStationId = '%{Calling-Station-Id}', UserName = '%{User-Name}', \
expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE FramedIPAddress = '%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# START record arrives
#
start-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL %J SECOND \
WHERE NASIPAddress = '%n' AND pool_key = '${pool-key}' AND pool_name =
'%P'
#
# This series of queries frees an IP number when an accounting
# STOP record arrives
#
stop-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees an IP number when an accounting
# ALIVE record arrives
#
alive-update = UPDATE radippool \
SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
WHERE NASIPAddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}'
AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting ON record arrives
#
on-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
#
# This series of queries frees the IP numbers allocate to a
# NAS when an accounting OFF record arrives
#
off-clear = UPDATE radippool \
SET NASIPAddress = '', pool_key = 0, CallingStationId = '', \
expiry_time = NOW() - INTERVAL 1 SECOND \
WHERE NASIPAddress = '%{NAS-IP-Address}' AND UserName = '%{User-Name}' \
AND CallingStationId = '%{Calling-Station-Id}' AND FramedIPAddress =
'%{Framed-IP-Address}'
}
Here is the radiusd -X:
...
Mon Oct 16 17:50:50 2006 : Debug: Processing the post-auth section of
radiusd.conf
Mon Oct 16 17:50:50 2006 : Debug: modcall: entering group post-auth for
request 0
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: calling
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: rlm_sqlippool: Framed-IP-Address
already exists
Mon Oct 16 17:50:50 2006 : Debug: modsingle[post-auth]: returned from
sqlippool (rlm_sqlippool) for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall[post-auth]: module
sqlippool returns noop for request 0
Mon Oct 16 17:50:50 2006 : Debug: modcall: leaving group post-auth
(returns noop) for request 0
...
...
Mon Oct 16 17:50:50 2006 : Debug: modsingle[accounting]: calling
sqlippool (rlm_sqlippool) for request 1
Mon Oct 16 17:50:50 2006 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'BEGIN'
Mon Oct 16 17:50:50 2006 : Debug: radius_xlat: 'UPDATE radippool SET
expiry_time = NOW() + INTERVAL 3600 SECOND WHERE NASIPAddress =
'xx.xx.xx.xx' AND pool_key = '4533F0AA608100' AND pool_name =
Inserting attributes into the check table from Perl?
Hello all, I've just finished writing a perl program to give a user a different speed of service based on their accounting total for the last month in MySQL, and I'd like to also assign these users an IP based on this usage too. I wanted to do this by setting the Pool-Name check value from my script, after it's figured out what group the user being authenticated falls under. However, apparently the $RAD_CHECK hash is read-only. How do I write to the Check table from perl? Is it possible? Is there a way of invoking ip_pools from perl? thanks, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Decisionmaking in FreeRADIUS Check/Reply Items
Hello list,
I am trying to use the 'files' module of Freeradius to do
decisionmaking, based on information pulled in from the sql module,
and the sqlcounter thing.
First off, is this the right way of doing this? I want to assign users
a different Pool-Name for each assigned speed, and send
Max-Download-Speed and Max-Upload-Speed vendor-specific variables to
the client on each request.
My actual problem relates to the following errors, pulled from radiusd -X:
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
[/etc/raddb/users]:214 WARNING! Check item Pool-Name ?found in reply
item list for user DEFAULT. ?This attribute MUST go on the first
line with the other check items
[/etc/raddb/users]:214 WARNING! Check item Max-Download-Rate ?found
in reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:214 WARNING! Check item Max-Upload-Rate ?found in
reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Pool-Name ?found in reply
item list for user DEFAULT. ?This attribute MUST go on the first
line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Max-Download-Rate ?found
in reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:220 WARNING! Check item Max-Upload-Rate ?found in
reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Pool-Name ?found in reply
item list for user DEFAULT. ?This attribute MUST go on the first
line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Max-Download-Rate ?found
in reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:226 WARNING! Check item Max-Upload-Rate ?found in
reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Pool-Name ?found in reply
item list for user DEFAULT. ?This attribute MUST go on the first
line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Max-Download-Rate ?found
in reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
[/etc/raddb/users]:232 WARNING! Check item Max-Upload-Rate ?found in
reply item list for user DEFAULT. ?This attribute MUST go on the
first line with the other check items
Module: Instantiated files (files)
radiusd.conf: files modules aren't allowed in 'post-auth' sections
-- they have no such method.
radiusd.conf[327] Failed to parse post-auth section.
[EMAIL PROTECTED] [/etc/raddb]#
The offending rules are in users:
DEFAULT User-Bytes-Used 21474836480 , Group == 512k
# user gets high speed service if under 20gb
Pool-Name := 512k_high,
Max-Download-Rate := 524288,
Max-Upload-Rate := 262144
DEFAULT User-Bytes-Used 21474836480 , Group == 512k
# user gets low speed service if under 20gb
Pool-Name := 512k_low,
Max-Download-Rate := 262144,
Max-Upload-Rate := 131072
DEFAULT User-Bytes-Used 53687091200 , Group == 10m
# user gets high speed service if under 50gb
Pool-Name := 10m_high,
Max-Download-Rate := 10485760,
Max-Upload-Rate := 10485760
DEFAULT User-Bytes-Used 53687091200 , Group == 10m
# user gets low speed service if over 50gb
Pool-Name := 10m_low,
Max-Download-Rate := 1048576,
Max-Upload-Rate := 1048576
But... but... the bottom 3 attributes *aren't* check attributes! I
want to *set* them! Or am I getting entirely the wrong end of the
stick here?
Can somebody point out how these rules are meant to be arranged, and
perhaps how I could do this in sql? It's all quite confusing.
# radiusd.conf - important bits ##
sqlcounter monthlybytecounter {
counter-name = User-Bytes-Used
check-name = Max-User-Bytes
sqlmod-inst = sql
key = User-Name
reset = monthly
# this query is awesome in every way.
# it selects the traffic used by the user since they
last paid for their subscription
# and adds up the input and output bytes together to
get a composite usage figure.
query = SELECT SUM(AcctInputOcte..
}
instantiate {
monthlybytecounter
}
authorize {
preprocess
sql
}
authenticate {
pap
}
preacct {
preprocess
# acct_unique
}
accounting {
#acct_unique
#detail
radutmp # ?
512k_high
512k_low
Re: Reversibly encrypted passwords in SQL
I'd also like to do this - although non-reversable encryption (like
MD5) would suit us - eg, password is encrypted in the table, and is
encrypted and compared when a user's password is checked.
How is encryption meant to be done in the MySQL module at all?
Jan
On 09/10/06, Stefan Winter [EMAIL PROTECTED] wrote:
Hello,
is there any way of using reversibly encrypted passwords together with a mySQL
backend? Currently, our passwords are stored as User-Password in clear text.
I'd like to move on to using something like
Crypt-Password := {algo-prefix}blablabla
with an algorithm that encrypts reversibly. I failed to see a list of
supported algorithms in the docs, a pointer would be nice...
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
checking attributes in MySQL 'radgroupcheck'?
Hello, I'm trying to assign users a different speed of service based on how much data they've used on the service. I found the following in the experimental.conf information on sqlcounter: # # DEFAULT Max-Daily-Session 3600, Auth-Type = Reject # Reply-Message = You've used up more than one hour today # How do I do a similar thing in MySQL? There aren't enough fields to do this. Am I overlooking something, or is this not actually possible? Regards, Jan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: two or more ippool
You're using the wrong syntax for including the pools in each section.
Here's an example from my own config...
modules {
ippool 512k_high {
# range-start,range-stop: The start and end ip
# addresses for the ip pool
range-start =x.x.x.6
range-stop =x.x.x.66
# netmask: The network mask used for the ip's
netmask = 255.255.255.0
# cache-size: The gdbm cache size for the db
# files. Should be equal to the number of ip's
# available in the ip pool
cache-size = 60
# session-db: The main db file used to allocate ip's to clients
session-db = ${raddbdir}/ippool.512k_high
# ip-index: Helper db index file used in multilink
ip-index = ${raddbdir}/ipindex.512k_high
# override: Will this ippool override a
Framed-IP-Address already set
override = no
# maximum-timeout: If not zero specifies the maximum
time in seconds an
# entry may be active. Default: 0
maximum-timeout = 0
}
ippool 512k_low {
...
instantiate {
}
authorize {
preprocess
sql
}
authenticate {
pap
}
preacct {
preprocess
}
accounting {l
radutmp
512k_high
512k_low
10m_high
10m_low
sql
}
session {
radutmp
sql
}
post-auth {
sql
512k_high
512k_low
10m_high
10m_low
}
Also, I notice that 'mygroup' has IP assignments from 2 pools. This
can't work, because RADIUS will just select the first one it gets from
MySQL. May I suggest either subdividing your users into two groups, or
merging the two groups?
Hope this helps,
Jan
On 06/10/06, Roberto Gonzalez Azevedo [EMAIL PROTECTED] wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm having some trouble with ippool.
I have some ip pools who need to be distributed
for my clients.
There is a example, my radiusd.conf:
...
ippool p0 {
range-start = xx.xx.xx.1
range-stop = xx.xx.xx.20
netmask = 255.255.255.0
cache-size = 32
session-db = ${raddbdir}/ippool/db.ippool.p0
ip-index = ${raddbdir}/ippool/db.ipindex.p0
override = yes
maximum-timeout = 0
}
ippool p1 {
range-start = xx.xx.xx.21
range-stop = xx.xx.xx.40
netmask = 255.255.255.0
cache-size = 32
session-db = ${raddbdir}/ippool/db.ippool.p1
ip-index = ${raddbdir}/ippool/db.ipindex.p1
override = yes
maximum-timeout = 0
}
...
In accounting:
accounting {
...
group mypools {
p0
p1
}
...
}
In post-auth:
post-auth {
...
group mypools {
p0
p1
}
...
}
In (mysql) radgroupcheck :
+-+---+--++-+--+
| id | GroupName | Attribute| op | Value | prio |
+-+---+--++-+--+
| 30 | mygroup | Pool-Name| := | p0 |1 |
| 31 | mygroup | Pool-Name| := | p1 |1 |
...
It's working, but my clients only catch IP from the first pool (p0).
They never catch from others pools (p1, p2 ...).
Somebody already had a problem like this?
Thanks !!!
- --
-
Roberto Gonzalez Azevedo
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFJmaWF+EMwkXLsEwRAt+jAJ45YW7n1JkYxje54bNCtsRs5rmwXgCfUnf/
NFDvR7t4usmdljxm/xB26XQ=
=xMzx
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS user Survey
404 On 05/10/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Don't know why it shows me - Sorry but this survey is no longer available. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Alan DeKok Sent: Thursday, October 05, 2006 11:39 AM To: FreeRadius users mailing list Subject: FreeRADIUS user Survey In order to better understand the needs of people using FreeRADIUS, I've set up a survey with 12 questions. The goal is to understand who's using FreeRADIUS, how they're using it, and what the users needs are. The page is: http://gs-survey.com/s.asp?s=1651 Please take a few minutes to fill out the survey, and I'll be posting a summary of the responses here. I expect to have a few more surveys after this one, to be able to target future development. Thanks for your efforts in supporting FreeRADIUS. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Design question
Perhaps a simpler method of doing 'smartcards' like you're referring to is to make single-use username/passwords printed on small cards (which can be done within chillispot I believe), which the consultants just pick up from reception, enter in the details, and get a prepaid hour or whatever. This would also save the expense if a consultant happens to wander off with a smartcard... All of this can certainly be done with freeradius, but you might need to look around for a billing solution that'll work in collaboration with chillispot, and making single-use vouchers etc... if at all possible, I'd encourage the use of physical login cards, that can be exchanged for cash... it all gets a bit messy (and expensive) when you throw billing in there too. Especially post-pay. Sorry I can't offer any exact advice on how to do this - I got to the point of putting together a rough proposal, but no further. Hope this helps, Regards, Jan Mulders On 03/10/06, Torkel Mathisen [EMAIL PROTECTED] wrote: Hi We have a very simple freeradius setup today. We use freeradius 1.0.5 with PEAP/MS-CHAPv2 and users file. My boss has asked be about making this configuration a bit more flexible and easier to admin. He also wants some new features. The keywords are hotspot, web-frontend and possibly billing and smartcards. Basically what he wants is for external consultant to be able to bring their laptops and just connect to a hotspot webserver and from there on authorize on to the WiFi. He also wants the possibility of billing. I want to know what kind of design you guys would recommend here. I'm thinking freeradius (1.1.3 now) with a mysql db and some web-frontend for adding users (what?). Then Chillipot on a new server for hotspot access. How does that sound? Will Chillipot be able to authorize users based on PEAP/MS-CHAPv2 ? How would you be able to do billing with this setup? And lastly is the situation with smartcards. My boss was thinking about some cards or something that the consultant can pick up in the reception that will give them access to the WiFi for a certain amount of time. At the end of the day they have to deliver it again. There is also a possibility of doing billing from that. Will this kind of configuration require some commercial software or is freeradius able to do that? The last thing is not THAT important, but I want to know if anyone has a setup like this. I hope someone got some recommentations. Regards, Torkel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ippool problem: Failed to open file - Permission denied
Hello, It's been far too long a day, and I think I'm overlooking something ridiculously simple. I get this error when starting freeradius: rlm_ippool: Failed to open file /etc/raddb/ippool.512k_high: Permission denied radiusd.conf[142]: 512k_high: Module instantiation failed. I've tried making a file called ippool.512k_high, same error. Tried chmod 777'ing it, different error: rlm_ippool: Failed to open file /etc/raddb/ippool.512k_high: Success radiusd.conf[142]: 512k_high: Module instantiation failed. Also tried chmod radiusd ippool.512k_high and chgrp. If someone could give me a helpful tip as to how to get this thing working again, I'd appreciate it a lot. Thanks all, Jan Mulders - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql radacct table no query
you should be putting it in radcheck, so it's checked when you log in. radacct is used to store accounting information (like session times etc :)) Hope this helps, Jan Mulders On 29/09/06, Collen Blijenberg [EMAIL PROTECTED] wrote: Hmm, i was testing the mysql backend with freeradius 1.1.3. looks good at first glance, but i bumped into something essential (for us that is). We like to link MAC addresses with the user account's. what did i do: I added a user in table radcheck. worked! next step, added same user in table: radacct. username:gebruiker CalledStationId: 00166f980e79 did not work! I change the MAC address to a wrong one, and i still get in.?? also in debug (radiusd -X) no radacct query is done?, so no attribute checkings are done !!?? So my question is, how can i make the attributes work with the mysql backend.. are we missing some mysql queries in the sql.conf ?? (btw, this all did worked with the 'users' file from freeradius) Cheers Collen - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS + MySQL + decisionmaking?
Thanks for your help. I ended up pulling the accounting counter part
out completely and did it via a cronjob that changed the user's group
- and have implemented the detail log as suggested.
Thank you,
Jan
On 27/09/06, Guy Fraser [EMAIL PROTECTED] wrote:
On Wed, 2006-09-27 at 02:47 +0100, Jan Mulders wrote:
Hello,
I am trying to set up some decision-making logic into FreeRADIUS, to
assign users a different speed of service depending on how much
bandwidth they've used since their billing started.
I want to issue 512k speed to users in group A, who have used less
than 20GB of bandwidth (monthlybytecounter is working fine at the
moment and totals this up nicely). However, if they've used more than
20GB, I want to issue 256k speed to users.
For group B, I want users to get 10Mbps as long as they've used less
than 50GB of bandwidth, and 1Mbps if they're over.
I want to assign the values for speed to some vendor-specific
variable, let's say Max-User-Speed.
Hi
I am replying because I haven't seen any other replies.
The Attribute you use will depend on the NAS equipment
you are using. Check the documentation and dictionaries
for your radius client.
I am using MySQL for this. Here is a snippet from my database:
radcheck table:
username, attribute, op, value
testuser1, Password, ==, testing
usergroup table:
username, groupname
testuser1, groupa
Here is a snippet from my radiusd.conf file:
instantiate {
monthlybytecounter
}
authorize {
preprocess
sql
}
authenticate {
pap
}
preacct {
preprocess
}
accounting {
#acct_unique
#detail
sql
radutmp # ?
}
session {
radutmp # ?
sql
}
My question is... how do I implement this? Can anyone write down a few
examples of how I'd go about making these rules?
Would I perhaps be better off making a cronjob or something that
changes the user's group to one of the following? groupA_belowcap,
groupA_overcap, groupB_belowcap, groupB_overcap?
I do not usually work with MySQL but you are on the right track
using a counter but you didn't say if it was an sql_counter, which
is what I would use. I would also drop the radutmp bits, and do
everything from SQL. One other note, I usually keep the detail
bits, for archival purposes in case of a dispute.
As for examples, this is as close as I can give you with the bits
you want :
--- snip ---
modules {
detail acct_log {
detailfile = ${radacctdir}/%Y/%m/detail-%Y%m%d
detailperm = 0640
dirperm = 0750
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
sqlmod-inst = sql
key = User-Name
reset = daily
query = SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '%b'
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
sqlmod-inst = sql
key = User-Name
reset = monthly
query = SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime '%b'
}
}
instantiate {
dailycounter
monthlycounter
}
authorize {
sql
dailycounter
monthlycounter
}
accounting {
acct_log
sql
}
session {
sql
}
--- snip ---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RADIUS + MySQL + decisionmaking?
Hello,
I am trying to set up some decision-making logic into FreeRADIUS, to
assign users a different speed of service depending on how much
bandwidth they've used since their billing started.
I want to issue 512k speed to users in group A, who have used less
than 20GB of bandwidth (monthlybytecounter is working fine at the
moment and totals this up nicely). However, if they've used more than
20GB, I want to issue 256k speed to users.
For group B, I want users to get 10Mbps as long as they've used less
than 50GB of bandwidth, and 1Mbps if they're over.
I want to assign the values for speed to some vendor-specific
variable, let's say Max-User-Speed.
I am using MySQL for this. Here is a snippet from my database:
radcheck table:
username, attribute, op, value
testuser1, Password, ==, testing
usergroup table:
username, groupname
testuser1, groupa
Here is a snippet from my radiusd.conf file:
instantiate {
monthlybytecounter
}
authorize {
preprocess
sql
}
authenticate {
pap
}
preacct {
preprocess
}
accounting {
#acct_unique
#detail
sql
radutmp # ?
}
session {
radutmp # ?
sql
}
My question is... how do I implement this? Can anyone write down a few
examples of how I'd go about making these rules?
Would I perhaps be better off making a cronjob or something that
changes the user's group to one of the following? groupA_belowcap,
groupA_overcap, groupB_belowcap, groupB_overcap?
Regards,
Jan Mulders
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRADIUS + MySQL + md5 passwords?
Hello all.I'm trying to get FreeRADIUS to authenticate against MD5 passwords. Here's the relevant part of my config...modules { pap { encryption_scheme = md5
}..instantiate { #mysqlcounter}authorize { preprocess sql}authenticate { pap
}preacct { preprocess}accounting { #acct_unique #detail sql radutmp # ?}session { radutmp # ?
sql}[end of file]I have the passwords in my database as MD5 (I have included a testuser2 with a plaintext password for troubleshooting):id UserName Attribute op Value
1 testuser1 Password == ae2b1fca515949e5d54fb22b8ed955752 testuser2 Password == testingWhat do I need to do to make FreeRADIUS authenticate passwords sent as plaintext to it from a client NAS, to MD5 stored in the database?
Is this possible?(please see attempt logs below)Regards,Jan Mulders### client request ###www~# radtest testuser1 testing localhost:1812 3 testing123Sending Access-Request of id 111 to
127.0.0.1 port 1812 User-Name = testuser1 User-Password = testing NAS-IP-Address = 255.255.255.255
NAS-Port = 3Re-sending Access-Request of id 111 to 127.0.0.1 port 1812 User-Name = testuser1 User-Password = testing NAS-IP-Address =
255.255.255.255 NAS-Port = 3rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=111, length=200www~ radiusd log ###
Listening on authentication *:1812Listening on accounting *:1813Ready to process requests.rad_recv: Access-Request packet from host 127.0.0.1:49086, id=111, length=61
User-Name = testuser1 User-Password = testing NAS-IP-Address = 255.255.255.255 NAS-Port = 3rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4rlm_sql (sql): No matching entry in the database for request from user [testuser1]Login incorrect: [testuser1/testing] (from client localhost port 3)rad_recv: Access-Request packet from host
127.0.0.1:49086, id=111, length=61Sending Access-Reject of id 111 to 127.0.0.1 port 49086
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
