Terminate dsl ppp sessions daily

[Volker Lieder]

Hi list,

we use freeradius for our dsl user authentication.

We want to disconnect some users via radius at fixed times, e.g. 04:00 am.

Which attribute and value should / can i use?

Session-Timeout doesnt do the job.

Regards,
Volker Lieder

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Terminate dsl ppp sessions daily

[Volker Lieder]

Hi,
we tried to calculate it via expr. 

How would you calculate it?

Regards,
Volker

Am 14.10.2013 um 17:03 schrieb Arran Cudbard-Bell:

 
 On 14 Oct 2013, at 15:52, Volker Lieder v.lie...@uvensys.de wrote:
 
 Hi list,
 
 we use freeradius for our dsl user authentication.
 
 We want to disconnect some users via radius at fixed times, e.g. 04:00 am.
 
 Which attribute and value should / can i use?
 
 Session-Timeout doesnt do the job.
 
 Calculate time difference between now at 04:00am and insert it into 
 Session-Timeout?
 
 If your NAS doesn't implement Session-Timeout then you can use CoA/DM or SNMP.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Usage of Session-Timeout

[Volker Lieder]

Hi,

we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian 
Squeeze.

Within the old version, we used a database config for groups with an attribute 
Session-Timeout and the value `%{expr:06:00}`
With new version freeradius send an error while looking in debug mode like:

Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: 06:00 - 06:00
Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: %{expr:06:00} - 

Can you explain why this value isnt working with new version or what we have to 
change to set the Session-Timeout that user get disconnected e.g. at 06:00 am?

Regards,
Volker Lieder



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problem with multiple groups

[Volker Lieder]

Hi there,
we have a setup running for ppp user on a freeradius/mysql base. 
We recognized that not all group values are given to the user while the login 
is running.
After some debugging we found out, that freeradius didn't get all information 
from the database while its inside of the tables.

Attached you find our used versions, database setting and a sql debug log from 
a testing user.  

Tested on debian 6.0.7, 2.1.10+dfsg-2+squeeze1 and
debian 7.1, 2.1.12+dfsg-1.2


mysql select * from radusergroup where username like 
'dsluser%';+-+--+--+
| username| groupname| priority |
+-+--+--+
| dslu...@realm.net | Default  |1 |
| dslu...@realm.net | 5Uhr-Trennung|2 |
| dslu...@realm.net | Default_dsl-mobile.de|1 |
| dslu...@realm.net | PM_DSL_8000  |1 |
+-+--+--+


select * from radgroupreply where groupname='PM_DSL_8000';
++--+--++-+
| id | groupname| attribute| op | value 
  |
++--+--++-+
| 35 | PM_DSL_8000  | Cisco-AVPair | := | 
lcp:interface-config=service-policy output PM_DSL_8000_DSCP46_50PROZENT |
++--+--++-+

mysql select * from radgroupreply where groupname='Default';
++---+-++--+
| id | groupname | attribute   | op | value|
++---+-++--+
|  9 | Default   | Framed-Protocol | =  | PPP  |
| 10 | Default   | Framed-Routing  | =  | None |
| 11 | Default   | Service-Type| =  | Framed-User  |
| 24 | Default   | Cisco-AVPair| += | lcp:interface-config=ip mtu 1492 |
++---+-++--+

mysql select * from radgroupreply where groupname='5Uhr-Trennung';
+++-++-+
| id | groupname  | attribute   | op | value   |
+++-++-+
|  2 | 5Uhr-Trennung  | Session-Timeout | =  | `%{expr:05:00}` |
+++-++-+

mysql select * from radgroupreply where groupname='Default_dsl-mobile.de';
++--+-++--+
| id | groupname| attribute   | op | value  
  |
++--+-++--+
| 44 | Default_dsl-mobile.de| Framed-Protocol | =  | PPP
  |
| 45 | Default_dsl-mobile.de| Framed-Routing  | =  | None   
  |
| 46 | Default_dsl-mobile.de| Service-Type| =  | Framed-User
  |
| 48 | Default_dsl-mobile.de| Cisco-AVPair| += | 
lcp:interface-config=ip mtu 1448 |
++--+-++--+


Output from /usr/sbin/freeradius -d /etc/freeradius -X -f and a new dsl login 
try:

[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'dslu...@realm.net'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'dslu...@realm.net'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'dslu...@realm.net'
   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   
WHERE username = 'dslu...@realm.net'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value, op   
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupreply   WHERE groupname = 'Default'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,  

pix and radius authentication

[Volker Lieder]

Hello list,
i want to set up a pix 525 with Cisco PIX Firewall Version 6.3(4) to 
authenticate vpn-users against a freebsd-radius.
This step already works fine, the users get authenticated.
Now we want to give the user via radius an ip-address, but this doesnt 
work.
At this moment i only can login via vpn-client if i have a local ip 
pool configured on the pix.
The Framed-IP-Address = 10.106.4.5 entry in the radius-users file 
doesnt work.
Has somebody a solution for this problem or isn't it possible?
Also we want to send an access-list to the user via radius...
But in this case i dont have any idea to solve the problem.

Thank you very much
Volker Lieder
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html