Re: Compilation errors in checkrad
On 29 Oct 2012, at 17:14, Edinilson - ATINET wrote:

> Hi,
>
> After upgrading perl to version 5.16, checkrad was returning the following error:
>
> Can't modify constant item in scalar assignment at
> /usr/local/sbin/checkrad line 477, near ");"
> Execution of /usr/local/sbin/checkrad aborted due to compilation errors.
>
> I don't know exactly how to solve this problem.

Stick a $ at the front of the line at 477 :)

https://github.com/FreeRADIUS/freeradius-server/commit/87ae675f866fff4d54419bdaf74612fa406718a5

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Compilation errors in checkrad
Hi,

After upgrading perl to version 5.16, checkrad was returning the following error:

Can't modify constant item in scalar assignment at /usr/local/sbin/checkrad line 477, near ");"
Execution of /usr/local/sbin/checkrad aborted due to compilation errors.

I don't know exactly how to solve this problem.

Some information about my system:

Freeradius: radiusd: FreeRADIUS Version 2.2.0, for host amd64-portbld-freebsd9.0, built on Oct 29 2012 at 10:49:31
Perl: This is perl 5, version 16, subversion 0 (v5.16.0) built for amd64-freebsd
Freebsd: FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE #0:

Any help will be appreciated.

Regards
Edinilson
--
ATINET
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br
Re: checkrad not working
Hi,

I have set the Interim-Update interval to 5 min, so an accounting packet is received every 5 min.
The basic purpose for which I want to run the checkrad script is to check "Simultaneous-Use" in a multiple-server environment.
I will paste the Accounting Packet output here as soon as I get home.

--
Kind Regards
Mudasir Mirza
Re: checkrad not working
Mudasir Mirza wrote:
> Hi,
> Thanks for your reply. Can you tell me what information from my side
> will help in finding the root cause.
>
> I have also read the doc for "Simultaneous-Use" and as far as I can see
> I have done all the necessary things.

Well, you didn't show the output when the server receives packets. So no, you didn't do all of the necessary things.

Is the server receiving accounting packets? What does "radiusd -X" say?

Alan DeKok.
Re: checkrad not working
Hi,

Thanks for your reply. Can you tell me what information from my side will help in finding the root cause.

I have also read the doc for "Simultaneous-Use" and as far as I can see I have done all the necessary things.

On Mon, Sep 3, 2012 at 12:33 AM, Mudasir Mirza wrote:
> Hi,
>
> I have just configured FreeRadius for my Test lab, and I am unable to get
> the checkrad script to work.
> I have written a custom checkrad script to work for the server that I am
> using.
>
> Attached is the file of output "radiusd -X"
>
> I have also set "Simultaneous-Use := 1" in radgroupcheck.
>
> I am unable to figure out the issue as to why checkrad script is not being
> called on in this case.
>
> --
> Kind Regards
> Mudasir Mirza

--
Kind Regards
Mudasir Mirza
Re: checkrad not working
Mudasir Mirza wrote:
> I have just configured FreeRadius for my Test lab, and I am unable to
> get the checkrad script to work.
> I have written a custom checkrad script to work for the server that I am
> using.
>
> Attached is the file of output "radiusd -X"

Which is completely useless. The point of debug mode is to see how it processes packets. The debug log you posted shows no packets.

> I have also set "Simultaneous-Use := 1" in radgroupcheck.

That isn't enough. See doc/Simultaneous-Use. Does the server receive accounting packets?

> I am unable to figure out the issue as to why checkrad script is not
> being called on in this case.

Neither can I. You didn't provide enough information.

Alan DeKok.
checkrad not working
Hi,

I have just configured FreeRadius for my Test lab, and I am unable to get the checkrad script to work.
I have written a custom checkrad script to work for the server that I am using.

Attached is the file of output "radiusd -X"

I have also set "Simultaneous-Use := 1" in radgroupcheck.

I am unable to figure out the issue as to why checkrad script is not being called on in this case.

--
Kind Regards
Mudasir Mirza

main {
    user = "radiusd"
    group = "radiusd"
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr"
    localstatedir = "/var"
    sbindir = "/usr/sbin"
    logdir = "/var/log/radius"
    run_dir = "/var/run/radiusd"
    libdir = "/usr/lib64/freeradius"
    radacctdir = "/var/log/radius/radacct"
    hostname_lookups = off
    max_request_time = 60
    cleanup_delay = 8
    max_requests = 1024
    pidfile = "/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/local/sbin/checkrad.sh"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 2
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Loading Clients
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
client 10.6.24.1 {
    require_message_authenticator = no
    secret = "12345"
    shortname = "Mikrotik"
    nastype = "mikrotik"
}
radiusd: Instantiating modules
instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating module "exec" from file /etc/raddb/modules/exec
    exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
    }
    Module: Linked to module rlm_expr
    Module: Instantiating module "expr" from file /etc/raddb/modules/expr
    Module: Linked to module rlm_expiration
    Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
    expiration {
        reply-message = "Password Has Expired "
    }
    Module: Linked to module rlm_logintime
    Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
    logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
    }
}
radiusd: Loading Virtual Servers
server { # from file /etc/raddb/radiusd.conf
    modules {
        Module: Creating Auth-Type = digest
        Module: Creating Post-Auth-Type = REJECT
        Module: Checking authenticate {...} for more modules to load
        Module: Linked to module rlm_pap
        Module: Instantiating module "pap" from file /etc/raddb/modules/pap
        pap {
            encryption_scheme = "auto"
            auto_header = no
        }
        Module: Linked to module rlm_chap
        Module: Instantiating module "chap" from file /etc/raddb/modules/chap
        Module: Linked to module rlm_mschap
        Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
        mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
            with_ntdomain_hack = no
            allow_retry = yes
        }
        Module: Linked to module rlm_digest
        Module: Instantiating module "digest" from file /etc/raddb/modules/digest
        Module: Linked to module rlm_unix
        Module: Instantiating module "unix" from file /etc/raddb/modules/unix
        unix {
            radwtmp = "/var/log/radius/radwtmp"
        }
        Module: Linked to module rlm_eap
        Module: Instantiating module "eap" from file /etc/raddb/eap.conf
        eap {
            default_eap_type = "md5"
            timer_expi
Checkrad and Cisco WLC 4400 NAS
Hi,

I've got a problem with simultaneous-use and a Cisco WLC4400.

If I choose nastype=other in clients.conf, the radacct table gets queried and if there is a running session for that user (acctstoptime IS NULL) the user gets rejected (defined for the user's group in radgroupcheck: simultaneous-use := 1).

So far so good, but if I choose nastype=cisco, the user can log in as often as wanted. Checkrad gets executed and logs the following:

/var/log/radius/checkrad.log
--snip---
Fri Jun 1 15:18:27 2012 checkrad cisco 141.72.65.21 1 macha...@staff.dhbw-mannheim.de 4fc8c577/a0:0b:ba:dd:25:8a/44
snmpget: /usr/bin/snmpget -r 1 -t 5 -v2c -c 'xx' 141.72.65.21 .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.1
user at port S1: No
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'xx' 141.72.65.21 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
Returning 0 (login ok)
snap

If I execute the snmpget command by hand, I get the following:

SNMPv2-SMI::enterprises.9.2.9.2.1.18.1 = No Such Object available on this agent at this OID

The MIB on this device seems to be different than on other Cisco devices :-(

Does anyone have an updated checkrad version which can get active user sessions from a Cisco WLC, or a hint how checkrad needs to be edited to do so?

Using nastype=other is no option, because the NAS only sends session timeouts every 10 minutes and I always have a time lag between radacct sessions and NAS sessions.

Help would be really great!

Yours
Patrick Machauer
Rechenzentrum
Duale Hochschule Baden-Württemberg Mannheim
Baden-Wuerttemberg Cooperative State University Mannheim
Rechenzentrum
Coblitzallee 1-9
68163 Mannheim
Tel.: +49 (0)621 4105 - 1278
Fax: +49 (0)621 4105 - 1278
E-Mail: macha...@dhbw-mannheim.de
Web: http://www.rz.dhbw-mannheim.de
Re: Juniper ERX and checkrad
cat /usr/share/freeradius/dictionary.juniper

Best regards,
Fred MAISON

2011/7/15, Igor Smitran :
> This is my first time setting up a Juniper ERX-1440 with freeradius. All my
> other NASes are Cisco.
> I was trying to set up checkrad to check for simultaneous connections and
> realized that juniper is not listed in the NAS type list.
> Can someone help me with getting checkrad to work with Juniper ERX?
>
> Thank you
Juniper ERX and checkrad
This is my first time setting up a Juniper ERX-1440 with freeradius. All my other NASes are Cisco.
I was trying to set up checkrad to check for simultaneous connections and realized that juniper is not listed in the NAS type list.
Can someone help me with getting checkrad to work with Juniper ERX?

Thank you
simultaneous-use with checkrad
Hi,

I know it's not the best way to do it, but I would really like to use the simultaneous-use attribute without using the checkrad script, meaning the radius server does the check in the radacct table and, if the check is true, denies authentication. Is this possible?

I am using sql, and in the radgroupcheck table I have simultaneous-use := 1, and in sites-enabled/defaults under session I have sql selected, and the query is present in sql/mysql/dialup.conf.

Is it possible for the freeRADIUS server to do this?

Thanks in advance

--
View this message in context: http://freeradius.1045715.n5.nabble.com/simultaneous-use-with-checkrad-tp4521260p4521260.html
Re: Can't get checkrad to be called
George,

Thanks for the reply. I will doublecheck my configuration. The one thing I noticed, even though checkrad is working, I can't find any clue in any log or debug output. I set it to log to checkrad.log, but that only works when I manually run /usr/sbin/checkrad. Is there another place that I'm not aware of?

Thanks!

-dan

On 6/6/2011 1:14 AM, George Chelidze wrote:
> On 06/04/2011 06:28 AM, Dan Brisson wrote:
> > Just finished setting up the latest Freeradius - 2.1.10. Checkrad is
> > working. I've replicated the settings from 2.1.7 so I have to think
> > something has changed from 2.1.7 to 2.1.10.
>
> hm.. I would compare both setups to eliminate any typos in 2.1.7
> configuration. As far as it works with 2.1.10 you can build it on CentOS
> from source. Glad to hear you figured it out.
>
> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 06/04/2011 06:28 AM, Dan Brisson wrote:
> Just finished setting up the latest Freeradius - 2.1.10. Checkrad is
> working. I've replicated the settings from 2.1.7 so I have to think
> something has changed from 2.1.7 to 2.1.10.

hm.. I would compare both setups to eliminate any typos in 2.1.7 configuration. As far as it works with 2.1.10 you can build it on CentOS from source. Glad to hear you figured it out.

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
Just finished setting up the latest Freeradius - 2.1.10. Checkrad is working. I've replicated the settings from 2.1.7 so I have to think something has changed from 2.1.7 to 2.1.10.

I'm running on CentOS with 2.1.7 installed from Yum. My 2.1.10 was built from source on RHEL5. I ultimately need to be on CentOS. Once I get 2.1.10 installed and tested, I'll reply to the list.

Thanks to those who chimed in.

-dan

On 6/3/11 9:21 AM, George Chelidze wrote:
> On 06/03/2011 02:35 PM, Dan Brisson wrote:
> > It really seems like this line in the radutmp "modules" file is not
> > being executed:
> >
> > check_with_nas = yes
> >
> > But from radiusd -X, it does seem to be:
>
> It's a configuration option not a command to be executed
>
> > check_with_nas = yes
>
> So, it's there
>
> Can you post authorize/accounting sections from your configuration?
>
> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 6/3/2011 9:21 AM, George Chelidze wrote:
> On 06/03/2011 02:35 PM, Dan Brisson wrote:
> > It really seems like this line in the radutmp "modules" file is not
> > being executed:
> >
> > check_with_nas = yes
> >
> > But from radiusd -X, it does seem to be:
>
> It's a configuration option not a command to be executed

Sorry, poorly worded on my part.

> > check_with_nas = yes
>
> So, it's there
>
> Can you post authorize/accounting sections from your configuration?

authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    sql
    checkval
    nascheck
    expiration
    logintime
    pap
}

accounting {
    detail
    unix
    radutmp
    sql
    attr_filter.accounting_response
}

> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 02:35 PM, Dan Brisson wrote:
> It really seems like this line in the radutmp "modules" file is not
> being executed:
>
> check_with_nas = yes
>
> But from radiusd -X, it does seem to be:

It's a configuration option not a command to be executed

> check_with_nas = yes

So, it's there

Can you post authorize/accounting sections from your configuration?

Best Regards,
George Chelidze
Re: Can't get checkrad to be called
No different with only using sql in session { }.

It really seems like this line in the radutmp "modules" file is not being executed:

check_with_nas = yes

But from radiusd -X, it does seem to be:

Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
    filename = "/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes

Stumped still

-dan

On 6/3/11 5:49 AM, Dan Brisson wrote:
> George,
>
> Sorry, I had commented out the simul_verify_query as a troubleshooting
> step but actually do have it uncommented at this point, but it still
> won't work.
>
> I checked radiusd.conf and found this:
>
> # The program to execute to do concurrency checks.
> checkrad = ${sbindir}/checkrad
>
> Re: radutmp vs. sql, good question. I will try with only sql active.
>
> Thanks,
> -dan
>
> On 6/3/11 3:58 AM, George Chelidze wrote:
> > On 06/03/2011 03:59 AM, Dan Brisson wrote:
> > > # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
> > > # nasipaddress, nasportid, framedipaddress, \
> > > # callingstationid, framedprotocol \
> > > # FROM ${acct_table1} \
> > > # WHERE username = '%{SQL-User-Name}' \
> > > # AND acctstoptime IS NULL"
> >
> > as your verify_query is commented out, it will never check it with nas,
> > just compare result of count_query with configured max value (1 in your
> > case), so uncomment it.
> >
> > > sites-enabled/default:
> > > # Session database, used for checking Simultaneous-Use. Either the radutmp
> > > # or rlm_sql module can handle this.
> > > # The rlm_sql module is *much* faster
> > > session {
> > >     radutmp
> > >     #
> > >     # See "Simultaneous Use Checking Queries" in sql.conf
> > >     sql
> > > }
> >
> > Do you really need both?
> >
> > > modules/perl:
> > > func_checksimul = checksimul
> >
> > I would enable checkrad statement in radiusd.conf as it seems to be used
> > with radutmp/sql modules for simult checks.
> >
> > Best Regards,
> > George Chelidze
Re: Can't get checkrad to be called
George,

Sorry, I had commented out the simul_verify_query as a troubleshooting step but actually do have it uncommented at this point, but it still won't work.

I checked radiusd.conf and found this:

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

Re: radutmp vs. sql, good question. I will try with only sql active.

Thanks,
-dan

On 6/3/11 3:58 AM, George Chelidze wrote:
> On 06/03/2011 03:59 AM, Dan Brisson wrote:
> > # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
> > # nasipaddress, nasportid, framedipaddress, \
> > # callingstationid, framedprotocol \
> > # FROM ${acct_table1} \
> > # WHERE username = '%{SQL-User-Name}' \
> > # AND acctstoptime IS NULL"
>
> as your verify_query is commented out, it will never check it with nas,
> just compare result of count_query with configured max value (1 in your
> case), so uncomment it.
>
> > sites-enabled/default:
> > # Session database, used for checking Simultaneous-Use. Either the radutmp
> > # or rlm_sql module can handle this.
> > # The rlm_sql module is *much* faster
> > session {
> >     radutmp
> >     #
> >     # See "Simultaneous Use Checking Queries" in sql.conf
> >     sql
> > }
>
> Do you really need both?
>
> > modules/perl:
> > func_checksimul = checksimul
>
> I would enable checkrad statement in radiusd.conf as it seems to be used
> with radutmp/sql modules for simult checks.
>
> Best Regards,
> George Chelidze
Re: Can't get checkrad to be called
On 06/03/2011 03:59 AM, Dan Brisson wrote:
> # simul_verify_query = "SELECT radacctid, acctsessionid, username, \
> # nasipaddress, nasportid, framedipaddress, \
> # callingstationid, framedprotocol \
> # FROM ${acct_table1} \
> # WHERE username = '%{SQL-User-Name}' \
> # AND acctstoptime IS NULL"

as your verify_query is commented out, it will never check it with nas, just compare result of count_query with configured max value (1 in your case), so uncomment it.

> sites-enabled/default:
> # Session database, used for checking Simultaneous-Use. Either the radutmp
> # or rlm_sql module can handle this.
> # The rlm_sql module is *much* faster
> session {
>     radutmp
>     #
>     # See "Simultaneous Use Checking Queries" in sql.conf
>     sql
> }

Do you really need both?

> modules/perl:
> func_checksimul = checksimul

I would enable checkrad statement in radiusd.conf as it seems to be used with radutmp/sql modules for simult checks.

Best Regards,
George Chelidze
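
The decision described in the message above, together with the Cisco WLC log earlier on this page where an SNMP "No Such Object" reply ended as "Returning 0 (login ok)", as an added Python model; it is not FreeRADIUS or checkrad code and not part of the thread. The function names, the UNKNOWN value, the token parsing in naive_check, the constructed replies and the fail-closed handling of UNKNOWN are assumptions of this example.

```python
import re

# 0 and 1 are the values checkrad.log prints on this page ("login ok",
# "double detected"); UNKNOWN is this example's own marker for "could not tell".
LOGIN_OK, DOUBLE, UNKNOWN = 0, 1, 2

# Net-SNMP prints these texts in place of a value when the agent has no data.
SNMP_EXCEPTIONS = (
    "No Such Object available on this agent at this OID",
    "No Such Instance currently exists at this OID",
)
TYPE_PREFIX = re.compile(r"^(?:STRING|Hex-STRING|INTEGER|Gauge32|OID):\s*")


def naive_check(reply, user):
    """Assumed parsing: the first token after '=' is taken as the login name."""
    m = re.search(r'=\s*(?:[\w-]+:\s*)?"?([^\s"]+)', reply)
    login = m.group(1) if m else ""
    return DOUBLE if login == user else LOGIN_OK


def snmp_value(reply):
    """Return the value in one snmpget output line, or None if there is none."""
    _, sep, rhs = reply.partition("=")
    rhs = rhs.strip()
    if not sep or any(rhs.startswith(text) for text in SNMP_EXCEPTIONS):
        return None
    return TYPE_PREFIX.sub("", rhs).strip('"')


def strict_check(reply, user):
    """Like naive_check, but an SNMP exception is reported as UNKNOWN."""
    value = snmp_value(reply)
    if value is None:
        return UNKNOWN
    return DOUBLE if value == user else LOGIN_OK


def allow_login(open_sessions, limit, nas_check=None):
    """Decide whether one more login is allowed.

    open_sessions: rows with acctstoptime IS NULL for the user (what
                   simul_count_query counts).
    nas_check:     callable(row) -> LOGIN_OK / DOUBLE / UNKNOWN, standing in for
                   simul_verify_query plus checkrad; None models the verify
                   query being commented out.
    """
    if len(open_sessions) < limit:
        return True
    if nas_check is None:
        return False  # the count alone decides
    # A session the NAS no longer knows (LOGIN_OK) is stale and not counted.
    # UNKNOWN is counted as live: a fail-closed choice made by this example.
    live = sum(1 for row in open_sessions if nas_check(row) != LOGIN_OK)
    return live < limit


OID = "SNMPv2-SMI::enterprises.9.2.9.2.1.18.1"
# Reply text quoted in the Cisco WLC post on this page.
WLC_REPLY = OID + " = No Such Object available on this agent at this OID"
# Constructed replies for a NAS that does answer at this OID.
LIVE_REPLY = OID + ' = STRING: "testuser"'
STALE_REPLY = OID + ' = STRING: "otheruser"'


def session(reply):
    """Constructed accounting row: the user plus the SNMP reply for its port."""
    return {"username": "testuser", "reply": reply}


def naive(row):
    return naive_check(row["reply"], row["username"])


def strict(row):
    return strict_check(row["reply"], row["username"])


if __name__ == "__main__":
    for name, reply in (("wlc", WLC_REPLY), ("live", LIVE_REPLY), ("stale", STALE_REPLY)):
        rows = [session(reply)]
        print(name, "count-only:", allow_login(rows, 1),
              "naive:", allow_login(rows, 1, naive),
              "strict:", allow_login(rows, 1, strict))
```

With the WLC reply, the naive check reads "No" as the login name, so every open session looks stale and the limit never applies; the strict check reports the reply as unknown instead.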
Re: Can't get checkrad to be called
I do have this feeling that I'm missing something, but I'm not sure what it is. Here's what I have configured:

clients.conf:

client 10.1.10.20 {
    secret = password
    nastype = pr3000
}

sql/mysql/dialup.conf:

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
    FROM ${acct_table1} \
    WHERE username = '%{SQL-User-Name}' \
    AND acctstoptime IS NULL"
# simul_verify_query = "SELECT radacctid, acctsessionid, username, \
# nasipaddress, nasportid, framedipaddress, \
# callingstationid, framedprotocol \
# FROM ${acct_table1} \
# WHERE username = '%{SQL-User-Name}' \
# AND acctstoptime IS NULL"

sites-enabled/default:

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
    radutmp
    #
    # See "Simultaneous Use Checking Queries" in sql.conf
    sql
}

modules/perl:

func_checksimul = checksimul

And in my MySQL radcheck table I have:

testuser Simultaneous-Use := 1

Thanks in advance for any insight,

-dan

On 6/2/11 5:54 AM, Alan DeKok wrote:
> Dan Brisson wrote:
> > I was wondering if someone could help me determine why checkrad isn't
> > being called. I've followed the directions in the doc/Simultaneous-Use
> > but still cannot get checkrad to fire off when I login. It will check
> > radutmp, but never reaches out to my NAS with checkrad, as evidenced
> > here from radiusd -X:
> >
> > +- entering group session {...}
> > [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> > [radutmp] expand: %{User-Name} -> testuser
> > ++[radutmp] returns ok
> > Using Post-Auth-Type Reject
>
> If you've configured Simultaneous-Use, then there should be *something*
> about checkrad in the output.
>
> > Can I provide any other data? I'm using SQL for authorization and
> > accounting. I'm on version 2.1.7-7.el5 of FreeRadius.
>
> Where did you configure Simultaneous-Use? How?
>
> Alan DeKok.
Re: Can't get checkrad to be called
Dan Brisson wrote:
> I was wondering if someone could help me determine why checkrad isn't
> being called. I've followed the directions in the doc/Simultaneous-Use
> but still cannot get checkrad to fire off when I login. It will check
> radutmp, but never reaches out to my NAS with checkrad, as evidenced
> here from radiusd -X:
>
> +- entering group session {...}
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> testuser
> ++[radutmp] returns ok
> Using Post-Auth-Type Reject

If you've configured Simultaneous-Use, then there should be *something* about checkrad in the output.

> Can I provide any other data? I'm using SQL for authorization and
> accounting. I'm on version 2.1.7-7.el5 of FreeRadius.

Where did you configure Simultaneous-Use? How?

Alan DeKok.
Can't get checkrad to be called
I was wondering if someone could help me determine why checkrad isn't being called. I've followed the directions in the doc/Simultaneous-Use but still cannot get checkrad to fire off when I login. It will check radutmp, but never reaches out to my NAS with checkrad, as evidenced here from radiusd -X:

+- entering group session {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> testuser
++[radutmp] returns ok
Using Post-Auth-Type Reject

In this case, testuser was already logged in as verified by radwho, but why didn't it go out and check my NAS?

I'm using a Nomadix HSG for a NAS, which doesn't have a definition in clients.conf, but I've been able to get /usr/sbin/checkrad to return the following by modifying the "pr3000" definition:

[root@hologram radius]# more checkrad.log
Wed Jun 1 22:11:34 2011 checkrad pr3000 10.1.10.20 1 testuser 1
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 10.1.10.20 .1.3.6.1.4.1.3309.1.2.2.18.1.1.5
Returning 1 (double detected)

So it would seem if I could get FR to perform checkrad, I'd be in good shape.

Can I provide any other data? I'm using SQL for authorization and accounting. I'm on version 2.1.7-7.el5 of FreeRadius.

TIA,

-dan
Re: Simultaneous-Use + SQL + Checkrad
Galatóczki István wrote:
> I use Freeradius 2.0.4 (deb pack) with Mysql 5.0.51.

You should really upgrade to 2.1.8.

> The online users check does not work in the NAS with the checkrad script in my network.
>
> I read the list and forums but have not found a solution.
> I have read and followed the steps of the comment below:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html
>
> my config:
> radcheck table: Simultaneous-Use: =1
> -sites-enabled/default-
> accounting (
> sql sqlippool

The IPPool module does not do simultaneous-use tracking.

> )
> session (
> sql
> )
> uncomment: simul_count_query... in dialup.conf
>
> include: sql.conf etc.. in the radiusd.conf
>
> Question: does the checkrad script work without radutmp?

No.

Alan DeKok.
Simultaneous-Use + SQL + Checkrad
Hi All!

I use Freeradius 2.0.4 (deb pack) with Mysql 5.0.51.
The online users check does not work in the NAS with the checkrad script in my network.

I read the list and forums but have not found a solution.
I have read and followed the steps of the comment below:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg58506.html

my config:
radcheck table: Simultaneous-Use: =1
-sites-enabled/default-
accounting (
sql sqlippool
)
session (
sql
)
uncomment: simul_count_query... in dialup.conf

include: sql.conf etc.. in the radiusd.conf

Question: does the checkrad script work without radutmp?

Steve
Simultaneous-Use + SQL + Checkrad
Hi All!

I use Freeradius 2.0.4 (deb pack) with Mysql 5.0.51.
The online users check does not work in the NAS with the checkrad script in my network.

I read the list and forums but have not found a solution.

Question: does the checkrad script work without radutmp?

my config:
radcheck- Simultaneous-Use: =1
accounting (
sql sqlippool
)
session (
sql
)
uncomment: simul_count_query... in dialup.conf
include: sql.conf etc.. in the radiusd.conf

Best Regards
Steve

ps: sorry for my English
Re: Cisco VPN 3000 and Simultaneous Use via checkrad
> In order to implement simultaneous use checking in my environment I
> added a subroutine to checkrad that handles snmp checks to the Cisco
> 3000 series VPN concentrators. I am happy to share my work/experience
> with anyone that may have a similar environment.

While we are on the subject of Cisco and checkrad.pl, I have found that sometimes trouble can be found here:

    if ($port < 2) {
        #
        # The AS5350 doesn't support polling the session ID,
        # so we do it based on nas-port-id. This only works
        # for analog sessions where port < 2.
        # Yes, this means that simultaneous-use on the as5350
        # doesn't work for ISDN users.
        #
        $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
        print LOG " user at port S$port: $login\n" if ($debug);
    } else {
        $login = snmpget($ARGV[1], $pass, "$csm.9.150.1.1.3.1.2.$sess_id");
        print LOG " user with session id $ARGV[4] ($sess_id): " .
            "$login\n" if ($debug);
    }

There are devices that don't support that first OID. Solution is to comment out if section:

    # if ($port < 2) {
        #
        # The AS5350 doesn't support polling the session ID,
        # so we do it based on nas-port-id. This only works
        # for analog sessions where port < 2.
        # Yes, this means that simultaneous-use on the as5350
        # doesn't work for ISDN users.
        #
    #   $login = snmpget($ARGV[1], $pass, "$csm.2.9.2.1.18.$port");
    #   print LOG " user at port S$port: $login\n" if ($debug);
    # } else {
        $login = snmpget($ARGV[1], $pass, "$csm.9.150.1.1.3.1.2.$sess_id");
        print LOG " user with session id $ARGV[4] ($sess_id): " .
            "$login\n" if ($debug);
    # }

This alteration will get the script working properly for 7xxx routers that fail default check (ie. they don't support OID that checks who is on the port - instead they peek into local accounting to see if there is an active session for that accounting id).

Ivan Kalik
Kalik Informatika ISP
Cisco VPN 3000 and Simultaneous Use via checkrad
Greetings,

In order to implement simultaneous use checking in my environment I added a subroutine to checkrad that handles snmp checks to the Cisco 3000 series VPN concentrators. I am happy to share my work/experience with anyone that may have a similar environment.

Sincerely,
Bill McCormick
Re: Checkrad / Simultaneous-Use clarification please
> From: "Alan DeKok"
>>"If you want to check the stripped user name... then use it."
>
> How can I control this? I am assuming you are referring to proxy.conf
> realm configuration?
>
> "Why you ask?"
>
> The 'powers that be' have declared that the same userid may log in via
> multiple realms (access technologies) up to a certain connection limit.
> So u...@realm1 and u...@realm2 count as 2 connections for user. In their
> original form, radius would view them as two distinct userids.
>
> I need the form 'u...@realm' for authentication right after the
> simultaneous-use check.

Strip username and pass User-Name + Realm to authentication script.

Ivan Kalik
Kalik Informatika ISP
Re: Checkrad / Simultaneous-Use clarification please
From: "Alan DeKok" "If you want to check the stripped user name... then use it." How can I control this? I am assuming you are referring to proxy.con realm configuration? "Why you ask?" The 'powers that be' have declared that the same userid may log in via multiple realms (access technologies) up to a certain connection limit. So u...@realm1 and u...@realm2 count as 2 connections for user. In their original form, radius would view them as two distinct userids. I need the form 'u...@realm' for authentication right after the simultaneous-use check. How, specifically, can I get the Simultaneous-Use function to use the Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the remainder of the processing? (I have seen references to variable in some cases having a form of %{prefix:User-Name} but am unclear of how/where that can/should be used. I have searched the internet, the docs available, and some of the source code in attempting to understand freeradius, only posting questions when I am truly puzzled. Indications of "how" to do (or NOT do) something are most appreciated. This is a significant upgrade effort, and I'm ok with re-designing how things are achieved, if I can determine WHAT the 'best way' should be. I have NO control over the rules that apply to users and accounts in the real world. (I especially love when they CONTRADICT! - Marketing...) Thanks, -craig - Original Message - From: "Alan DeKok" To: "FreeRadius users mailing list" Sent: Thursday, September 10, 2009 4:16 AM Subject: Re: Checkrad / Simultaneous-Use clarification please Craig Campbell wrote: We currently have users that log in both with and without realms. Well... then you have to manage that. In radutmp we log the stripped username (i.e. no realm component). Why? Since the radutmp data has no realm part for the username, how do I get the Simultaneous-Use code to check the username without the realm component? 
Currently the realm portion is carried through until the accounting processing (for radutmp). I don't understand. You give radutmp a stripped user name, but you don't give the session checking a stripped user name? If you want to check the stripped user name... then use it. If I understand correctly, f...@comfort will pass Sinultaneous-Use because radutmp is logging these as just "fred". Yes. Because you told it to treat them as different users. If you want the simultaneous checking to check the stripped user name, then strip the user name... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Checkrad / Simultaneous-Use clarification please
Craig Campbell wrote:
> We currently have users that log in both with and without realms.

Well... then you have to manage that.

> In radutmp we log the stripped username (i.e. no realm component).

Why?

> Since the radutmp data has no realm part for the username, how do I get
> the Simultaneous-Use code to check the username without the realm
> component? Currently the realm portion is carried through until the
> accounting processing (for radutmp).

I don't understand. You give radutmp a stripped user name, but you don't give the session checking a stripped user name? If you want to check the stripped user name... then use it.

> If I understand correctly, f...@comfort will pass Simultaneous-Use
> because radutmp is logging these as just "fred".

Yes. Because you told it to treat them as different users. If you want the simultaneous checking to check the stripped user name, then strip the user name...

Alan DeKok.
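The mismatch discussed in this thread, as an added example (it is not FreeRADIUS code and not from either poster): radutmp holds the stripped name, so a session count keyed on the full User-Name never finds the open sessions. The login `fred@realm1`, the function names and the assumption that the first comma-separated field of `radwho -r` output is the login are constructed for illustration.

```python
from collections import Counter

# The three raw radwho lines posted in the thread; radutmp stores "fred"
# with no realm component.
RADWHO_RAW = """\
fred,fred,PPP,S315138101,Wed 11:28,192.168.1.101,201.229.41.119
fred,fred,PPP,S315305457,Wed 20:53,192.168.1.101,66.247.201.44
fred,fred,PPP,S317335857,Wed 10:40,192.168.1.101,201.229.26.67
"""


def strip_realm(user_name, delimiter="@"):
    """Return the part before the last delimiter, or the name unchanged."""
    name, sep, _realm = user_name.rpartition(delimiter)
    return name if sep and name else user_name


def open_sessions(radwho_raw):
    """Count open sessions per login (assumed: first field of each row)."""
    counts = Counter()
    for line in radwho_raw.splitlines():
        fields = line.split(",")
        if len(fields) < 7 or not fields[0]:
            continue  # skip blank or malformed rows
        counts[fields[0]] += 1
    return counts


def check_login(user_name, limit, radwho_raw, strip=False):
    """Decide a new login the way a session check keyed on `key` would."""
    key = strip_realm(user_name) if strip else user_name
    active = open_sessions(radwho_raw)[key]
    return {"key": key, "active": active, "allowed": active < limit}


def keying_disagreements(logins, limit, radwho_raw):
    """List logins whose outcome changes depending on realm stripping."""
    changed = []
    for login in logins:
        raw = check_login(login, limit, radwho_raw, strip=False)
        stripped = check_login(login, limit, radwho_raw, strip=True)
        if raw["allowed"] != stripped["allowed"]:
            changed.append(login)
    return changed


if __name__ == "__main__":
    for strip in (False, True):
        print(strip, check_login("fred@realm1", 1, RADWHO_RAW, strip=strip))
    print(keying_disagreements(["fred@realm1", "fred"], 1, RADWHO_RAW))
```

Any login that `keying_disagreements` returns is one where the limit is only enforced once the session check and the accounting record use the same form of the name.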
Checkrad / Simultaneous-Use clarification please
I am investigating using the Simultaneous-Use feature with freeradius 2.1.6.

We currently have users that log in both with and without realms. In radutmp we log the stripped username (i.e. no realm component).

Since the radutmp data has no realm part for the username, how do I get the Simultaneous-Use code to check the username without the realm component? Currently the realm portion is carried through until the accounting processing (for radutmp).

For example,

    # radwho -r | grep pebenopi
    fred,fred,PPP,S315138101,Wed 11:28,192.168.1.101,201.229.41.119
    fred,fred,PPP,S315305457,Wed 20:53,192.168.1.101,66.247.201.44
    fred,fred,PPP,S317335857,Wed 10:40,192.168.1.101,201.229.26.67

From users

    f...@comfort Auth-Type := Accept, Simultaneous-Use := 1
        Exec-Program-Wait = "/custome_auth_binary",
        Fall-Through = no

If I understand correctly, f...@comfort will pass Simultaneous-Use because radutmp is logging these as just "fred".

Thanks,
-craig
Re: about /usr/local/sbin/checkrad
Thanks for excellent help. On Fri, Apr 24, 2009 at 5:47 PM, wrote: > > Do I understand right or not about checkrad? Please drive me right > > direction. > > > > radius# checkrad > > Usage: checkrad nas_type nas_ip nas_port login session_id > > > > Checkrad checks if the accounting session open in the database is still > open on the NAS as well. You can find nas_ip, nas_port, login (ie. > username) and session_id in your radacct table. You can also find the > query that lists open sessions in dialup.conf. > > Ivan Kalik > Kalik Informatika ISP > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about /usr/local/sbin/checkrad
> Do I understand right or not about checkrad? Please drive me right > direction. > > radius# checkrad > Usage: checkrad nas_type nas_ip nas_port login session_id > Checkrad checks if the accounting session open in the database is still open on the NAS as well. You can find nas_ip, nas_port, login (ie. username) and session_id in your radacct table. You can also find the query that lists open sessions in dialup.conf. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about /usr/local/sbin/checkrad
Tseveendorj wrote: > What is nas_port ? is it mean 1645, 1646 ? No. It's not a UDP port. It means "port on the NAS". See http://freeradius.org/rfc/attributes.html. Click on "NAS-Port" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
about /usr/local/sbin/checkrad
Hello,

Do I understand right or not about checkrad? Please drive me right direction.

    radius# checkrad
    Usage: checkrad nas_type nas_ip nas_port login session_id

What is nas_port? Does it mean 1645, 1646?

I found the session_id from cisco router with following command

    hostname#sh pppoe session all
    Total PPPoE sessions 3

    *session id: 184*
    local MAC address: 001d.46c7.2630, remote MAC address: 00e0.a666.51eb
    virtual access interface: Vi2.2, outgoing interface: Gi0/0.1
    206389 packets sent, 185625 received
    246455857 bytes sent, 20392801 received

is it ?

Best regards,
Tseveen.
Re: checkrad not called after upgrade to 2.x
On Wed, 02 Jul 2008 18:02:18 +0200 Alan DeKok <[EMAIL PROTECTED]> wrote: > i.e. "when the server starts properly", checkrad works. When the > server doesn't start properly, it doesn't. > > > So it is not a severe bug of checkrad in 2.0.5, it just behaves strange, > > when some clients in clients.conf are no correctly defined. > > I've fixed it. The server now refuses to start if the client > definitions are wrong. > > Alan DeKok. Thank you, Alan! oz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkrad not called after upgrade to 2.x
oz wrote:
> I guess, I tracked it down. I started radiusd -X of version 2.0.3 in my
> 2.0.5 environment, and compared the console messages between the two
> versions.
>
> I noticed, that 2.0.5 didn't read in all my NAS clients. It stopped,
> where one client definition had no secret set, with this message:
> [...]
> client as5200 {
>     ipaddr = 192.168.101.2
>     require_message_authenticator = no
>     shortname = "as5200"
> }
> /usr/local/etc/raddb/clients.conf[310]: secret must be at least 1 character long

Ok... so that client definition was wrong. Version 2.0.5 *should* fail to start at that point. Hmm... I've tracked down the issue and committed a fix to CVS.

> Version 2.0.5 then rejects all users from *all the other* clients, when
> checkrad is invoked and when radiusd wasn't able to read in the
> clients.conf before completely:

Well... yes. If it can't read the clients, it doesn't know about them.

So the underlying issue is that the client configuration was wrong, and the server was too liberal in allowing an invalid configuration. The checkrad code still works.

> When the clients.conf contains only valid clients, checkrad is invoked
> as it should:

i.e. "when the server starts properly", checkrad works. When the server doesn't start properly, it doesn't.

> So it is not a severe bug of checkrad in 2.0.5, it just behaves strange,
> when some clients in clients.conf are not correctly defined.

I've fixed it. The server now refuses to start if the client definitions are wrong.

Alan DeKok.
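A pre-start check for the failure described in this thread, as an added example (not FreeRADIUS code, and not from the posters): it parses `client NAME { ... }` blocks, reports any block with no `secret`, and lists the clients defined after the first bad block, which are the ones the thread reports as ending up "Unknown NAS". The sample configuration, its 192.0.2.x addresses and the function names are constructed.

```python
import re

# Constructed sample in the clients.conf syntax quoted in the thread.
# The middle block reproduces the reported mistake: no "secret" line.
SAMPLE_CLIENTS_CONF = """
client nas1 {
    ipaddr = 192.0.2.10
    secret = "s3cret#1"   # a '#' inside quotes is not a comment
    nastype = cisco
}
client as5200 {
    ipaddr = 192.168.101.2
    require_message_authenticator = no
    shortname = "as5200"
}
client testerx {
    ipaddr = 192.0.2.20
    secret = xxx
    nastype = erx
}
"""

CLIENT_OPEN = re.compile(r"^client\s+(\S+)\s*\{$")
KEY_VALUE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def parse_clients(text):
    """Return one dict per client block: name, starting line, settings."""
    clients, current, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if current is None:
            m = CLIENT_OPEN.match(line)
            if m:
                current = {"name": m.group(1), "line": lineno, "settings": {}}
                depth = 1
            continue
        if line.endswith("{"):
            depth += 1              # nested section: skip its contents
        elif line == "}":
            depth -= 1
            if depth == 0:
                clients.append(current)
                current = None
        elif depth == 1:
            kv = KEY_VALUE.match(line)
            if kv:
                value = kv.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                current["settings"][kv.group(1)] = value
    return clients


def audit_clients(text):
    """Report clients without a secret and the clients defined after the first one."""
    clients = parse_clients(text)
    missing = [c for c in clients if not c["settings"].get("secret")]
    report = {
        "missing_secret": [(c["name"], c["line"]) for c in missing],
        "defined_after_first_error": [],
    }
    if missing:
        first = clients.index(missing[0])
        report["defined_after_first_error"] = [c["name"] for c in clients[first + 1:]]
    return report


if __name__ == "__main__":
    result = audit_clients(SAMPLE_CLIENTS_CONF)
    for name, line in result["missing_secret"]:
        print(f"client {name} (line {line}): no secret set")
    for name in result["defined_after_first_error"]:
        print(f"client {name}: defined after the first invalid block")
```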
Re: checkrad not called after upgrade to 2.x
Alan DeKok wrote:
> oz wrote:
>> M. S. wrote:
>>> Can I put this in bugzilla? Seems like simultaneous use is completely
>>> broken in 2.x which is a fairly significant feature.
>
> I would agree. I'm not sure why it's broken...
>
>> To me checkrad seems to be broken too. I'm using 2.0.5 without virtual
>> servers.
> ...
>> checkrad: Unknown NAS 212.x.x.x, not checking
>
> Arg. I don't know why that doesn't work.
>
>> It is possible, that in 2.0.3 checkrad was ok, because I noticed no
>> problems with Simultaneous-Use there ... but maybe accidentally.
>
> If it works in 2.0.3 that would be good to know. It would help track
> down where the problem is.
>
>> Is it really a bug in freeradius-2.0.5?
>
> Yes.
>
> Alan DeKok.

Hello,

I guess, I tracked it down. I started radiusd -X of version 2.0.3 in my 2.0.5 environment, and compared the console messages between the two versions.

I noticed, that 2.0.5 didn't read in all my NAS clients. It stopped, where one client definition had no secret set, with this message:

    [...]
    client as5200 {
        ipaddr = 192.168.101.2
        require_message_authenticator = no
        shortname = "as5200"
    }
    /usr/local/etc/raddb/clients.conf[310]: secret must be at least 1 character long

Version 2.0.5 then rejects all users from *all the other* clients, when checkrad is invoked and when radiusd wasn't able to read in the clients.conf before completely:

    auth: user supplied User-Password matches local User-Password
    +- entering group session
    expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
    expand: %{User-Name} -> smith
    checkrad: Unknown NAS 212.x.x.x, not checking
    ++[radutmp] returns ok
    Multiple logins (max 1) [MPP attempt]: [smith] (from client testerx port 1610612780 cli #erx705#E60#44)
    Found Post-Auth-Type Reject
    WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
    Sending Access-Reject of id 9 to 212.x.x.x port 5
    Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
    Finished request 2.
    Going to the next request

When the clients.conf contains only valid clients, checkrad is invoked as it should:

    auth: user supplied User-Password matches local User-Password
    +- entering group session
    expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
    expand: %{User-Name} -> smith
    checkrad: unknown NAS type erx
    rlm_radutmp: Failed to check the terminal server for user 'smith'.
    ++[radutmp] returns fail
    Login OK: [smith] (from client testerx port 1610612780 cli #erx705#E60#44)

(... *this* checkrad message is ok, because the original checkrad-script isn't aware of my custom NAS type erx).

So it is not a severe bug of checkrad in 2.0.5, it just behaves strange, when some clients in clients.conf are not correctly defined.

Kind regards,
oz
Re: checkrad not called after upgrade to 2.x
oz wrote:
> M. S. wrote:
>> Can I put this in bugzilla? Seems like simultaneous use is completely
>> broken in 2.x which is a fairly significant feature.

I would agree. I'm not sure why it's broken...

> To me checkrad seems to be broken too. I'm using 2.0.5 without virtual
> servers.
...
> checkrad: Unknown NAS 212.x.x.x, not checking

Arg. I don't know why that doesn't work.

> It is possible, that in 2.0.3 checkrad was ok, because I noticed no
> problems with Simultaneous-Use there ... but maybe accidentally.

If it works in 2.0.3 that would be good to know. It would help track down where the problem is.

> Is it really a bug in freeradius-2.0.5?

Yes.

Alan DeKok.
checkrad not called after upgrade to 2.x
P.S. Sorry, I posted to the developers-list, but I meant the users-list, so here it should be discussed:

M. S. wrote:
> Can I put this in bugzilla? Seems like simultaneous use is completely broken in 2.x which is a fairly significant feature.

To me checkrad seems to be broken too. I'm using 2.0.5 without virtual servers. Checkrad says, my NAS is Unknown when it is invoked, although I have it in my clients.conf:

    client testerx {
        ipaddr = 212.x.x.x
        secret = xxx
        nastype = erx
    }

radiusd -X

    [...]
    auth: user supplied User-Password matches local User-Password
    +- entering group session
    expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
    expand: %{User-Name} -> smith
    checkrad: Unknown NAS 212.x.x.x, not checking
    ++[radutmp] returns ok
    Multiple logins (max 1) [MPP attempt]: [smith] (from client testerx port 1610612780 cli #erx705#E60#44)
    Found Post-Auth-Type Reject
    WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
    Sending Access-Reject of id 88 to 212.x.x.x port 5
    Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
    Finished request 2.
    [...]

For our customers I have Simultaneous-Use := 1 in my users-file and checkrad is invoked, when a stale session in radutmp is found:

    # radwho -ir
    smith,04279558,PPP,S1610612780,Wed 12:2,212.x.x.x,x.x.x.x

It is possible, that in 2.0.3 checkrad was ok, because I noticed no problems with Simultaneous-Use there ... but maybe accidentally.

Is it really a bug in freeradius-2.0.5?

oz
checkrad + NoCat
Hi all, I was wondering whether nocat (http://nocat.net/) could be queried for simultaneous use somehow. I've found only some outdated patch on http://lists.nocat.net/pipermail/nocat/2003-October/003795.html I've inspired from the idea and attached is a patch to checkrad.pl.in. You need additional perl module HTTP::Lite(downloadable from CPAN). I've tested and it's working well. In order to deploy checkrad you need to set your nas type to "nocat" and enable simultaneous-use checking for your user(Simultaneous-Use:=1 in users file|radcheck|radgroupcheck) and your freeradius server has to be allowed in NAS firewall to access http://$nas_ip:$nas_port/status NAS> iptables -A INPUT -p tcp --dport <$nas_port> -s <$radius_server> -j ACCEPT I hope this can help someone... Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- Index: src/main/checkrad.pl.in === RCS file: /source/radiusd/src/main/checkrad.pl.in,v retrieving revision 1.33 diff -u -r1.33 checkrad.pl.in --- src/main/checkrad.pl.in 1 May 2004 09:32:14 - 1.33 +++ src/main/checkrad.pl.in 30 Apr 2007 13:21:32 - @@ -32,6 +32,7 @@ # mikrotik_telnet 1.1Author: Evren Yurtesen <[EMAIL PROTECTED]> # mikrotik_snmp1.0Author: Evren Yurtesen <[EMAIL PROTECTED]> # redback_telnet Author: Eduardo Roldan +# nocat_http Author: Milan Holub # # Config: $debug is the file you want to put debug messages in # $snmpget is the location of your ``snmpget'' program @@ -43,6 +44,9 @@ # $naspass is the location of your NAS admin password file # +# for nocat gateway +use HTTP::Lite; + $prefix= "@prefix@"; $localstatedir = "@localstatedir@"; $logdir= "@logdir@"; 
@@ -1344,6 +1348,20 @@ return 0; } +sub nocat_http { +my ($nas_ip, $nas_port, $login, $session_id) = ($ARGV[1], $ARGV[2], $ARGV[3], $ARGV[4]); +my $http = new HTTP::Lite; +my $req = $http->request("http://$nas_ip:$nas_port/status";) or die "Unable to get document: $!"; +die "Request failed ($req): ".$http->status_message() if $req ne "200"; +my $body = $http->body(); +#print $body; +if ($body =~ /^$login<\/td>.*$session_id<\/td>.*<\/tr>$/m) { +print LOG "User is logged in!" if ($debug); +return 1; +} +return 0; +} + ### # Poor man's getopt (for -d) @@ -1418,6 +1436,8 @@ $ret = &mikrotik_snmp; } elsif ($ARGV[0] eq 'redback'){ $ret = &redback_telnet; +} elsif ($ARGV[0] eq 'nocat'){ +$ret = &nocat_http; } elsif ($ARGV[0] eq 'other') { $ret = 1; } else { - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
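Review bot: the unconditional "use HTTP::Lite;" added near the top of checkrad.pl.in (hunk at -43,6 +44,9) makes the whole script fail to compile on any server that does not have the CPAN module installed, including sites that never set the nas type to nocat. Load the module only where it is used, for example with "require HTTP::Lite;" as the first statement of nocat_http, so the other NAS types keep working without the new dependency, and mention the dependency next to the new "nocat_http" line in the header comment.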
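Review bot: in nocat_http (hunk at -1344,6 +1348,20) $login and $session_id are interpolated straight into the pattern matched against the status page, so a login containing regex metacharacters changes what is matched or stops the pattern from compiling; wrap both as \Q$login\E and \Q$session_id\E. The two die calls abort the script when the gateway is unreachable or answers with a status other than 200, instead of returning 0 or 1 like the rest of the sub, so choose the value the session check should report in that case and return it explicitly. The page is fetched over plain http:// with nothing that authenticates the gateway, so the answer is only as trustworthy as the path between the RADIUS server and the NAS, which deserves a line in the comments. The LOG message is printed without a trailing newline, and as shown the request line has a stray ";" before the closing parenthesis.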
Re: Freeradius Checkrad Redback
Hello, I need help! I have a freeradius server 1.1.3 with mysql 4.1.11 backend and we manage ip address pools with the NAS (Redback SMS), it works fine. Now we need to have subscribers groups with particular ip address pools for each group. I don't how to configure it with the NAS so i want to manage this with freeradius but i don't exactly know how to configure it with users file because i think that i can't use at the same time mysql database and users file. thanks for your help! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Checkrad Redback
Thanks Kevin for your help! I'll try to ask lucent support.

Kevin Bonner wrote:
> On Monday 02 April 2007 08:11:10 ahissi jean-françois wrote:
>
>> Hello,
>>
>> I'am facing a Simultaneous-Use problem.
>>
>> We are ISP and we have adsl subscribers.
>> The aaa is a freeradius 1.1.3 server
>> and the NAS is a REDBACK SMS.
>>
>> The Simultaneous-Use don't work!
>>
>> We want plan to use checkrad but
>> there is no snmp script for redback!
>> The telnet options is not good i think because we have 18000
>> subscribers.
>>
>> Please help me with a snmp script for redback or with an other
>> solution for Simultaneous-Use.
>>
>> Thinks!
>>
>
> I agree that verifying a session via telnet is not a scaleable solution.
> Lucent probably has SNMP MIBS for the Redback, which should have a way to
> confirm active sessions.
>
> Kevin Bonner
Re: Freeradius Checkrad Redback
On Monday 02 April 2007 08:11:10 ahissi jean-françois wrote:
> Hello,
>
> I'am facing a Simultaneous-Use problem.
>
> We are ISP and we have adsl subscribers.
> The aaa is a freeradius 1.1.3 server
> and the NAS is a REDBACK SMS.
>
> The Simultaneous-Use don't work!
>
> We want plan to use checkrad but
> there is no snmp script for redback!
> The telnet options is not good i think because we have 18000
> subscribers.
>
> Please help me with a snmp script for redback or with an other
> solution for Simultaneous-Use.
>
> Thinks!

I agree that verifying a session via telnet is not a scaleable solution. Lucent probably has SNMP MIBS for the Redback, which should have a way to confirm active sessions.

Kevin Bonner
Freeradius Checkrad Redback
Hello, I'am facing a Simultaneous-Use problem. We are ISP and we have adsl subscribers. The aaa is a freeradius 1.1.3 server and the NAS is a REDBACK SMS. The Simultaneous-Use don't work! We want plan to use checkrad but there is no snmp script for redback! The telnet options is not good i think because we have 18000 subscribers. Please help me with a snmp script for redback or with an other solution for Simultaneous-Use. Thinks! Jan Mulders a écrit : > > Radtest is designed to send RADIUS packets. If you take a look at the > manpage you will see that it is based on a small utility that sends > raw RADIUS packets, and contains code for retransmission, display of > variables, and other things. > > What do you mean, "AVPs"? If you're referring to the draft EAP > protocol using Diameter, then I have no knowledge of how to send > these. You may want to try reading the manpage for radtest, or reading > the documentation for radcheck. > > Jan > On 02/04/07, *khursheed Ahmed* <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > > Hi Jan > > like Radtest, But radtest is used for the test of Radius installation > Could it will give me AVPs of > Radius so that may I convert them for Diameter packets > > thnx > > >From: [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> > >Reply-To: freeradius-users@lists.freeradius.org > <mailto:freeradius-users@lists.freeradius.org> > >To: freeradius-users@lists.freeradius.org > <mailto:freeradius-users@lists.freeradius.org> > >Subject: Freeradius-Users Digest, Vol 24, Issue 5 > >Date: Mon, 02 Apr 2007 11:15:13 +0200 > > > >Send Freeradius-Users mailing list submissions to > > freeradius-users@lists.freeradius.org > <mailto:freeradius-users@lists.freeradius.org> > > > >To subscribe or unsubscribe via the World Wide Web, visit > > http://lists.freeradius.org/mailman/listinfo/freeradius-users > >or, via email, send a message with subject or body 'help' to > > [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> > > > >You can reach the person 
managing the list at > > [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> > > > [snip] > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
checkrad problem solved & get solution
Dear guys,

I have solved the problem of checkrad for simultaneous login. I faced many problems the first time, but finally I got a solution and I have modified my script for my NAS. I have freeradius-1.1.0 with MSSQL2000 and a cisco 3700 NAS. I want to share my solution with all freeradius guys who are facing this problem.

I am using checkrad with SNMP and I have changed some things in my script. The checkrad script takes input from radius when a user tries to log in, like:

    suse:/ # checkrad
    Usage: checkrad nas_type nas_ip nas_port login session_id
    suse:/ #

checkrad gets the nas_type and nas_ip input from client.conf; the user name and port are taken at login time, when the user tries to log in ... but I don't use port and session id because my cisco NAS MIB does not support port and session. That's why I am using only the login name.

First check manually through this method:

    #checkrad -d cisco 71.5.250.199 43 satish 0004F09
    return 0 ( Login OK )

This script just runs the snmpwalk command, fetches all user names and greps the specific name which is stored in the login name variable in the perl script (checkrad), and compares it against the snmpwalk output; if the user matches then it gives you error code 1 (double 1 login). This is the login of script.

* Just change this line of the perl script and test your login.

Note: I am using the cisco nas type so perl executes the cisco_snmp subroutine, so please find this code in the cisco_snmp subroutine. This is for testing purposes; after testing replace $login = satish; with this line:

    my $login = $ARGV[3];

My change in checkrad.pl:

    # Testing only: hard-coded login, to be replaced as described above.
    $login = 'satish';
    if ($login eq $ARGV[3]) {
        return 1;
    } else {
        # Walk the NAS table of online users and look for the quoted login.
        $out = snmpwalk($ARGV[1], $pass, "1.3.6.1.4.1.9.10.24.1.3.2.1.2.3.45");
        # \Q...\E stops regex metacharacters in the login from being interpreted.
        if ($out =~ /\"\Q$ARGV[3]\E\"/) {
            return 1;
        } else {
            return 0;
        }
    }

You can see the login here: $login stores the satish variable, then this script checks the $ARGV[3] variable. This variable we get at login time, when satish will try to log in; then snmpwalk runs this command with the MIB. Now the point is you have to find the MIB for online users. You can find the MIB through the software or something else; I have also found the MIB and put it there with the snmpwalk command. Then the second if, if($out=~/\"\Q$ARGV[3]\E\"/){, will check the user: if it is found in the snmpwalk output then you get a double login error; if it does not match then you get a single login, meaning no one is logged in this time with user name satish ..

And put the Simultaneous-Use := 1 attribute in the users file. My entry is:

    satish Auth-Type := Local, User-Password == "testing", Simultaneous-Use := 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = Yes

Contact me if you have any problem regarding the simultaneous login problem.

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
checkrad or sql base simultaneous-use
Note: forwarded message attached. $ cat ~/satish/url.txt System administrator ( Data Center ) please visit this site http://linux.tulipit.com - Heres a new way to find what you're looking for - Yahoo! Answers --- Begin Message --- Tanks dear But dear my problem is i am useing simultaneous-use with sql and it is working fine but my problem is users connect with NAS ( cisco vpdn ) but some user stuck in mssql database radacct tables means user connection error or any other error users got disconnect and then they try for login i got some log user already login because in radacct table use AcctStopTime = 1/1/1900 thats why those user not able to login how can i automaticaly close this session is there any attribute which is automaticaly clear idle session one more thing i have set idle-timeout attributes but it's also not work ??? what is the problem of users stuck in database thats why i want to change my simultaneouse-use with checkrad script is it solve by checkrad script.??? [EMAIL PROTECTED] wrote: radwho lists online users according to radutmp checkrad doesn't use radwho. It "asks" NAS if user so and so is on port so and so with session ID so and so. In session you choose if looking for online users will be done in database or radutmp. checkrad will be called when online user is detecded if you put "cisco" as nastype. If you put "other" it won't. 
Ivan Kalik Kalik Informatika ISP Dana 12/3/2007, "satish patel" pi¹e: >anyone help me please > >I have many problem for simultaneous login user problem i have >freeradius-1.1.0 with MSSQL with cisco VPDN configuration i dont know why >simultaneous not working with checkrad script > >can u explain me i have confusen in radwho and checkrad command so checkrad >command use radwho output and what is sql base simultenoues detection if >i enable sql in /etc/radb/radius.conf in session part > >like :- > >Session { > # radtump > sql >} > >what is the radutmp and sql if i use radutmp then checkrad call by radius or >not i have confuseion in checkrad andsql base simultenous use can u >explain me > > > > >$ cat ~/satish/url.txt > >System administrator ( Data Center ) > >please visit this site > >http://linux.tulipit.com > >- > Heres a new way to find what you're looking for - Yahoo! Answers > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html $ cat ~/satish/url.txt System administrator ( Data Center ) please visit this site http://linux.tulipit.com - Heres a new way to find what you're looking for - Yahoo! Answers - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html--- End Message --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkrad or sql base simultaneous-use
You can close all open sessions by altering AcctStopTime:

    UPDATE radacct SET AcctStopTime='whatever' WHERE AcctStopTime='1900-01-01 00:00:00'

Or you can just delete them all (probably better if you are charging customers monthly and not by time online):

    DELETE FROM radacct WHERE AcctStopTime='1900-01-01 00:00:00'

Freeradius might grumble a bit if you delete open sessions for current users too, but it will go on. If you want to keep current open sessions you should add something like

    AND AcctStartTime<'2007-03-13 00:00:00'

at the end of SQL statements.

Ivan Kalik
Kalik Informatika ISP

On 13/3/2007, "satish patel" <[EMAIL PROTECTED]> wrote:
>Tanks dear > > > But dear my problem is i am useing simultaneous-use with sql and it > is working fine but my problem is users connect with NAS ( cisco vpdn ) but > some user stuck in mssql database radacct tables means user connection error > or any other error users got disconnect and then they try for login i got > some log > >user already login because in radacct table use AcctStopTime = 1/1/1900 >thats why those user not able to login how can i automaticaly close this >session is there any attribute which is automaticaly clear idle session one >more thing i have set idle-timeout attributes but it's also not work ??? what >is the problem of users stuck in database thats why i want to change my >simultaneouse-use with checkrad script is it solve by checkrad >script.??? > > > >[EMAIL PROTECTED] wrote: radwho lists online users according to radutmp >checkrad doesn't use radwho. It "asks" NAS if user so and so is on >port so and so with session ID so and so. >In session you choose if looking for online users will be done in >database or radutmp. checkrad will be called when online user is >detecded if you put "cisco" as nastype. If you put "other" it won't. 
> >Ivan Kalik >Kalik Informatika ISP > > >Dana 12/3/2007, "satish patel" > piše: > >>anyone help me please >> >>I have many problem for simultaneous login user problem i have >>freeradius-11.0 with MSSQL with cisco VPDN configuration i dont know why >>simultaneous not working with checkrad script >> >>can u explain me i have confusen in radwho and checkrad command so checkrad >>command use radwho output and what is sql base simultenoues detection >>if i enable sql in /etc/radb/radius.conf in session part >> >>like :- >> >>Session { >> # radtump >> sql >>} >> >>what is the radutmp and sql if i use radutmp then checkrad call by radius >>or not i have confuseion in checkrad andsql base simultenous use >>can u explain me >> >> >> >> >>$ cat ~/satish/url.txt >> >>System administrator ( Data Center ) >> >>please visit this site >> >>http://linux.tulipit.com >> >>- >> Heres a new way to find what you're looking for - Yahoo! Answers >> > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > >$ cat ~/satish/url.txt > >System administrator ( Data Center ) > >please visit this site > >http://linux.tulipit.com > >- > Heres a new way to find what you're looking for - Yahoo! Answers > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkrad or sql base simultaneous-use
Tanks dear But dear my problem is i am useing simultaneous-use with sql and it is working fine but my problem is users connect with NAS ( cisco vpdn ) but some user stuck in mssql database radacct tables means user connection error or any other error users got disconnect and then they try for login i got some log user already login because in radacct table use AcctStopTime = 1/1/1900 thats why those user not able to login how can i automaticaly close this session is there any attribute which is automaticaly clear idle session one more thing i have set idle-timeout attributes but it's also not work ??? what is the problem of users stuck in database thats why i want to change my simultaneouse-use with checkrad script is it solve by checkrad script.??? [EMAIL PROTECTED] wrote: radwho lists online users according to radutmp checkrad doesn't use radwho. It "asks" NAS if user so and so is on port so and so with session ID so and so. In session you choose if looking for online users will be done in database or radutmp. checkrad will be called when online user is detecded if you put "cisco" as nastype. If you put "other" it won't. 
Ivan Kalik Kalik Informatika ISP Dana 12/3/2007, "satish patel" pi¹e: >anyone help me please > >I have many problem for simultaneous login user problem i have >freeradius-1.1.0 with MSSQL with cisco VPDN configuration i dont know why >simultaneous not working with checkrad script > >can u explain me i have confusen in radwho and checkrad command so checkrad >command use radwho output and what is sql base simultenoues detection if >i enable sql in /etc/radb/radius.conf in session part > >like :- > >Session { > # radtump > sql >} > >what is the radutmp and sql if i use radutmp then checkrad call by radius or >not i have confuseion in checkrad andsql base simultenous use can u >explain me > > > > >$ cat ~/satish/url.txt > >System administrator ( Data Center ) > >please visit this site > >http://linux.tulipit.com > >- > Heres a new way to find what you're looking for - Yahoo! Answers > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html $ cat ~/satish/url.txt System administrator ( Data Center ) please visit this site http://linux.tulipit.com - Heres a new way to find what you're looking for - Yahoo! Answers - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: checkrad or sql base simultaneous-use
radwho lists online users according to radutmp checkrad doesn't use radwho. It "asks" NAS if user so and so is on port so and so with session ID so and so. In session you choose if looking for online users will be done in database or radutmp. checkrad will be called when online user is detecded if you put "cisco" as nastype. If you put "other" it won't. Ivan Kalik Kalik Informatika ISP Dana 12/3/2007, "satish patel" <[EMAIL PROTECTED]> piše: >anyone help me please > >I have many problem for simultaneous login user problem i have >freeradius-1.1.0 with MSSQL with cisco VPDN configuration i dont know why >simultaneous not working with checkrad script > >can u explain me i have confusen in radwho and checkrad command so checkrad >command use radwho output and what is sql base simultenoues detection if >i enable sql in /etc/radb/radius.conf in session part > >like :- > >Session { > # radtump > sql >} > >what is the radutmp and sql if i use radutmp then checkrad call by radius or >not i have confuseion in checkrad andsql base simultenous use can u >explain me > > > > >$ cat ~/satish/url.txt > >System administrator ( Data Center ) > >please visit this site > >http://linux.tulipit.com > >- > Heres a new way to find what you're looking for - Yahoo! Answers > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
checkrad replace by other script
can i replace checkrad with another script

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site
http://linux.tulipit.com
checkrad snmp + cisco VPDN problem
Dear all

I have problem last 2 month nobody give me solution of this error

when i run checkrad manually i got this error

[EMAIL PROTECTED] satishp]# checkrad cisco 192.168.1.1 1034 mlpm542 999
SNMP Error:
Received SNMP response with error code
 error status: noSuchName
 index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.1034)
SNMPv1_Session (remote host: "192.168.1.1" [192.168.1.1].161)
 community: "public"
 request ID: 2076414691
 PDU bufsize: 8000 bytes
 timeout: 2s
 retries: 5
 backoff: 1)
 at /usr/local/sbin/checkrad line 221
checkrad: No SNMP answer from cisco.

what is this ??? Is this related to OID or something else and how do i check whether checkrad call by radius everytime and is there necessary to put passwd in naspass i have only define nastype = cisco and empty naspassord file and some entry in naslist

nasspasswd

#203.172.90.118 !root TufFseCrET
#203.172.42.152 !root ToTaLCnTl
#192.168.1.1 SNMP public

naslist

# NAS Name              Short Name      Type
# --
#portmaster1.isp.com    pm1.NY          livingston
#portmaster2.isp.com    pm1.LA          livingston
#localhost              local           portslave
192.168.1.1             vpdn            cisco

this is my configuration i want to use checkrad then how do i check my checkrad working or not

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site
http://linux.tulipit.com
checkrad or sql base simultaneous-use
anyone help me please

I have many problem for simultaneous login user problem i have freeradius-1.1.0 with MSSQL with cisco VPDN configuration i dont know why simultaneous not working with checkrad script

can u explain me i have confusion in radwho and checkrad command so checkrad command use radwho output and what is sql base simultaneous detection if i enable sql in /etc/radb/radius.conf in session part

like :-

Session {
 # radtump
 sql
}

what is the radutmp and sql if i use radutmp then checkrad call by radius or not i have confusion in checkrad and sql base simultaneous use can u explain me

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site
http://linux.tulipit.com
Re: checkrad not work with cisco VPDN
This is how it should work:

setting Simultaneous-Use will produce a check in the database if the user is online;
if the user is online according to database (end of story if nastype is set to "other") checkrad is called to see if the NAS agrees;
if user is not online according to NAS connection will be allowed, otherwise rejected.

You are getting SNMP error "noSuchName" which suggests that OID 1.3.6.1.4.1.9.2.9.2.1.18 is not correct for your router. This one comes from OLD-CISCO-TS-MIB which might not be supported by your router. You can probably contact Cisco and ask what OID should you use for your router.

Ivan Kalik
Kalik Informatika ISP

On 12/3/2007, "satish patel" <[EMAIL PROTECTED]> wrote:
>Dear sir
>
> i have using freeradius + cisco vpdn router but i have this
> problem when i run checkrad manually
>
>[EMAIL PROTECTED] ~]# checkrad cisco 192.168.1.1 800 mlpm034 C555
>
>SNMP Error:
>Received SNMP response with error code
> error status: noSuchName
> index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.800)
>SNMPv1_Session (remote host: "192.168.1.1" [192.168.1.1].161)
> community: "public"
> request ID: -91963655
>PDU bufsize: 8000 bytes
> timeout: 2s
> retries: 5
>backoff: 1)
> at /usr/local/sbin/checkrad line 221
>checkrad: No SNMP answer from cisco.
>
>
>what is this and when i check checkrad.log file i shown..
>
>snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1
>.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
> Returning 0 (login ok)
>Mon Mar 12 12:35:12 2007 checkrad cisco 192.168.1.1 800 mlpm034 C555
>No SNMP answer from cisco.
> user at port S800:
>snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1
>.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
> Returning 0 (login ok)
>Mon Mar 12 12:35:33 2007 checkrad cisco 192.168.1.1 800 mlpm034 C555
>No SNMP answer from cisco.
> user at port S800:
>snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1
>.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
> Returning 0 (login ok)
>
>
>what is this ??? why this thing happening is there any problem in my
>configuration
>
>
>One more thing i want to say
>
>i dont know last time when i add simultaneous-use attributes in sql database
>not in /etc/raddb/users file so is it any issue
>
>is checkrad only read /etc/raddb/users file only or sql database
>
>i am bit confusing in two thing SQL and users file what read by checkrad script
>
>$ cat ~/satish/url.txt
>
>System administrator ( Data Center )
>
>please visit this site
>
>http://linux.tulipit.com
checkrad not work with cisco VPDN
Dear sir

i have using freeradius + cisco vpdn router but i have this problem when i run checkrad manually

[EMAIL PROTECTED] ~]# checkrad cisco 192.168.1.1 800 mlpm034 C555

SNMP Error:
Received SNMP response with error code
 error status: noSuchName
 index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.800)
SNMPv1_Session (remote host: "192.168.1.1" [192.168.1.1].161)
 community: "public"
 request ID: -91963655
PDU bufsize: 8000 bytes
 timeout: 2s
 retries: 5
backoff: 1)
 at /usr/local/sbin/checkrad line 221
checkrad: No SNMP answer from cisco.

what is this and when i check checkrad.log file i shown..

snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
 Returning 0 (login ok)
Mon Mar 12 12:35:12 2007 checkrad cisco 192.168.1.1 800 mlpm034 C555
No SNMP answer from cisco.
 user at port S800:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
 Returning 0 (login ok)
Mon Mar 12 12:35:33 2007 checkrad cisco 192.168.1.1 800 mlpm034 C555
No SNMP answer from cisco.
 user at port S800:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
 Returning 0 (login ok)

what is this ??? why this thing happening is there any problem in my configuration

One more thing i want to say

i dont know last time when i add simultaneous-use attributes in sql database not in /etc/raddb/users file so is it any issue

is checkrad only read /etc/raddb/users file only or sql database

i am bit confusing in two thing SQL and users file what read by checkrad script

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site
http://linux.tulipit.com
Re: checkrad snmp error
Is OID correct? Do snmpwalk for your router and see if that OID (without 766 at the end) is listed.

Ivan Kalik
Kalik Informatika ISP

On 11/3/2007, "satish patel" <[EMAIL PROTECTED]> wrote:
>I have getting this error when i run manually checkrad
>
>[EMAIL PROTECTED] mibs]# checkrad cisco 192.168.1.1 766 mlpm264 BC3F
>SNMP Error:
>Received SNMP response with error code
> error status: noSuchName
> index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.766)
>SNMPv1_Session (remote host: "192.168.1.1" [192.168.1.1].161)
> community: "public"
> request ID: -422345818
>PDU bufsize: 8000 bytes
>timeout: 2s
> retries: 5
> backoff: 1)
> at /usr/local/sbin/checkrad line 221
>checkrad: No SNMP answer from cisco.
>[EMAIL PROTECTED] mibs]#
>
>
>
>and i got this error when i check log
>
>No SNMP answer from cisco.
> user at port S766:
>snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1
>.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
> Returning 0 (login ok)
>Sun Mar 11 15:35:15 2007 checkrad cisco 192.168.1.1 766 mlpm264 BC3F
>No SNMP answer from cisco.
> user at port S766:
>snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1
>.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
> Returning 0 (login ok)
>[EMAIL PROTECTED] mibs]#
>
>
>
>what is this how can i checkrad use with snmp i have enable SNMP on cisco
>router
>
>$ cat ~/satish/url.txt
>
>System administrator ( Data Center )
>
>please visit this site
>
>http://linux.tulipit.com
checkrad snmp error
I have getting this error when i run manually checkrad

[EMAIL PROTECTED] mibs]# checkrad cisco 192.168.1.1 766 mlpm264 BC3F
SNMP Error:
Received SNMP response with error code
 error status: noSuchName
 index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.766)
SNMPv1_Session (remote host: "192.168.1.1" [192.168.1.1].161)
 community: "public"
 request ID: -422345818
PDU bufsize: 8000 bytes
timeout: 2s
 retries: 5
 backoff: 1)
 at /usr/local/sbin/checkrad line 221
checkrad: No SNMP answer from cisco.
[EMAIL PROTECTED] mibs]#

and i got this error when i check log

No SNMP answer from cisco.
 user at port S766:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
 Returning 0 (login ok)
Sun Mar 11 15:35:15 2007 checkrad cisco 192.168.1.1 766 mlpm264 BC3F
No SNMP answer from cisco.
 user at port S766:
snpwalk: /usr/bin/snmpwalk -r 1 -t 5 -v2c -c 'public' 192.168.1.1 .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3
 Returning 0 (login ok)
[EMAIL PROTECTED] mibs]#

what is this how can i checkrad use with snmp i have enable SNMP on cisco router

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site
http://linux.tulipit.com
Simultaneous-Use and checkrad with Cisco Router
Dear Sir,

I want to know the setup for the simultaneous logins and checkrad script with Cisco Router SNMP enabled. The settings are configured but checkrad is not returning any results from cisco snmp. Also, how can I know whether radius will block MPP attempts? I am looking for configuration and any additional documents that can help me understand it more.

Best Regards,
M. Faisal Butt
problem with checkrad
Hi,

I am facing problem with checkrad in icradius. I am sorry for mailing this question on this mailing list because i could not find solution anywhere. We have recently added ascend MAX TNT in list of NAS, before that simultaneous use was working fine, now with Max simultaneous use is not working, in checkrad logs i have found that session id is 8 digits long but in NAS session id is 9 digits long so it get the user login. If anybody has solution for this please help.

Thanks,
fam
Re: simultaneous use, checkrad, and MPP attempts
On Wednesday 09 November 2005 00:35, Christopher Carver wrote:
> The proxy'ing radius servers and NAS's of the other company from whom we
> lease equipment are unavailable to checkrad. By default shouldn't it be
> allowing these people on? I looked at the code and it seemed as though
> it should. I set the nastype to other in clients.conf for these entries
> and I still see MPP attempts. Finally, I looked at the source of
> checkrad. I modified the line for "other" nastypes to always return 0,
> which should be interpreted as no multiple login. The numbers you see
> to the left are line numbers

Chris,

Look at the code again. In session.c, the rad_check_ts function is what calls checkrad. If the nastype is empty or "other", checkrad is _never_ called, and the function returns 1 (meaning the user is logged in).

We did this simult use bypass by using a nastype called visp, which returns 0 in checkrad. See freeradius bug#166 for a checkrad patch we've been using here which cleans up the code a bit and makes it easier to add new types. Any comments/problems can be posted to the bug.

-Kevin
Re: simultaneous use, checkrad, and MPP attempts
Christopher Carver <[EMAIL PROTECTED]> wrote:
> The proxy'ing radius servers and NAS's of the other company from whom we
> lease equipment are unavailable to checkrad. By default shouldn't it be
> allowing these people on?

It depends what you want. The current behavior is to disallow logins, as you found out. It should really be configurable.

> Any idea why this isn't behaving how I expect? Is there a more
> appropriate way I can ensure that users connecting via NAS's and
> proxy'ing radius servers we lease will never be rejected because of
> multiple logins?

No, just edit the code.

Alan DeKok.
simultaneous use, checkrad, and MPP attempts
Hello,

Thanks everyone for the great product that I've relying on for the past several years. I am now seeing a problem I hope someone can help with.

I'm using Freeradius-0.9.3 on FreeBSD 5.2.1-RELEASE. We have Freeradius doing strictly dialup authentication. Some of the NAS's querying the radius server are our equipment. Some of the NAS's are equipment we lease from another company and have no access to. We have been successfully using simultaneous checking while using all of our own equipment. However, since leasing equipment we have been getting the following entries in radius.log:

Tue Nov 8 23:26:09 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user1] (from client pa-230-radius0 port 2287 cli async)
Tue Nov 8 23:27:17 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user2] (from client pa-230-radius0 port 2703 cli async)
Tue Nov 8 23:32:38 2005 : Auth: Multiple logins (max 1) [MPP attempt]: [user3] (from client pa-230-radius0 port 3699 cli async)

The proxy'ing radius servers and NAS's of the other company from whom we lease equipment are unavailable to checkrad. By default shouldn't it be allowing these people on? I looked at the code and it seemed as though it should. I set the nastype to other in clients.conf for these entries and I still see MPP attempts. Finally, I looked at the source of checkrad. I modified the line for "other" nastypes to always return 0, which should be interpreted as no multiple login. The numbers you see to the left are line numbers:

1351 } elsif ($ARGV[0] eq 'other') {
1352     $ret = 0;
1353 } else {

Any idea why this isn't behaving how I expect? Is there a more appropriate way I can ensure that users connecting via NAS's and proxy'ing radius servers we lease will never be rejected because of multiple logins? And what is the difference between MPP attempt and regular multiple login?

Thank you very much for your time.

Chris Carver
Re: Cisco and No NAS-Port seen (checkrad)
Dusty Doris wrote:

> radius-server attribute nas-port format X
>
> with X being dependant on the type of connections
>
> I don't know if this will force it, but perhaps the default type is
> something that doesn't apply to your type of connection. For PPPoA we use
> format d, which gives you the slot/mod/port vpi/vci. But there are a few
> other options, just give it a ?

thanks Dusty, i tried all formats (a,b,c,d) and i always receive NAS-Post = 0

My interface is ISDN, and i see this on the accounting:

Cisco-NAS-Port = "ISDN 7/4:D:19"

Is there a way to use this attribute instead of NAS-Port?

thanks
Re: Cisco and No NAS-Port seen (checkrad)
On Tue, 25 Oct 2005, Miguel wrote:

> Hi, im having problems implementing simultaneous-use on a cisco AS5400,
> is the same problem addresses in this thread
> http://lists.cistron.nl/pipermail/freeradius-users/2005-March/041894.html
>
> Ok, i know what the problem is, but how can i instruct the cisco that it
> must send the NAS-Port attribute?, is this even posible?
>
> thanks

I think in conf t you can define the radius attribute with something like

radius-server attribute nas-port format X

with X being dependant on the type of connections

I don't know if this will force it, but perhaps the default type is something that doesn't apply to your type of connection. For PPPoA we use format d, which gives you the slot/mod/port vpi/vci. But there are a few other options, just give it a ?
Re: Cisco and No NAS-Port seen (checkrad)
Jonathan De Graeve wrote:

> Depends on the nas. Which nas?

Cisco AS5400
RE: Cisco and No NAS-Port seen (checkrad)
>Ok, i know what the problem is, but how can i instruct the cisco that it
>must send the NAS-Port attribute?, is this even posible?

Depends on the nas. Which nas?

J.
Re: Cisco and No NAS-Port seen (checkrad)
Miguel <[EMAIL PROTECTED]> wrote:
> Ok, i know what the problem is, but how can i instruct the cisco that it
> must send the NAS-Port attribute?, is this even posible?

No.

Alan DeKok.
Cisco and No NAS-Port seen (checkrad)
Hi, im having problems implementing simultaneous-use on a cisco AS5400, is the same problem addresses in this thread
http://lists.cistron.nl/pipermail/freeradius-users/2005-March/041894.html

Ok, i know what the problem is, but how can i instruct the cisco that it must send the NAS-Port attribute?, is this even possible?

thanks
Re: About nastype and Checkrad
Felix Chang <[EMAIL PROTECTED]> wrote:
> Sorry.. just something very confuse. I am using a
> FreeBsd computer as my NAS, may I know what is the
> nastype for this NAS? Is it "other"?

Yes.

> I know when the nastype is "other", the radius server won't call
> for the checkrad. Therefore, if I want to use the checkrad to check
> for the simultaneous-use, what should I do?

You resign yourself to the fact that you can't call checkrad.

> Any reference on how to modify the script in the checkrad?

It's a Perl script, and not a very complicated one.

Alan DeKok.
About nastype and Checkrad
Sorry.. just something very confuse. I am using a FreeBsd computer as my NAS, may I know what is the nastype for this NAS? Is it "other"?

I know when the nastype is "other", the radius server won't call for the checkrad. Therefore, if I want to use the checkrad to check for the simultaneous-use, what should I do? Do I really need to modify the script in the checkrad??

Any reference on how to modify the script in the checkrad? I am seeking it for a long time already through the internet but nothing was found. It is not much information about the checkrad.

Please kindly reply. Thanks!

Regards
Felix
Re: Regarding checkrad
"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> mmm.. can I just check double login, perhaps by query database only without
> snmpwalk to ap.

If you don't run checkrad, the server assumes that its database is correct. Set the nas type to "other", and checkrad won't run.

Alan DeKok.
RE: Regarding checkrad
mmm.. can I just check double login, perhaps by query database only without snmpwalk to ap.

$sql = "SELECT COUNT(*) FROM radcheck WHERE Username='ultrabalad' AND AccTime=0";

Once the result is equal to 1, freeradius will kick second login.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, August 04, 2005 11:00 AM
To: FreeRadius users mailing list
Subject: Re: Regarding checkrad

"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> Any suggestion for solution, perhaps my server configuration. I'm stupid
> about snmp.

It's not the server. It's the NAS.

Alan DeKok.
Re: Regarding checkrad
"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> Any suggestion for solution, perhaps my server configuration. I'm stupid
> about snmp.

It's not the server. It's the NAS.

Alan DeKok.
RE: Regarding checkrad
Hi Alan,

Any suggestion for solution, perhaps my server configuration. I'm stupid about snmp.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nurul Faizal M.Shukeri
Sent: Thursday, August 04, 2005 8:57 AM
To: 'FreeRadius users mailing list'
Subject: RE: Regarding checkrad

Thank Alan, perhaps my AP problem, coz I already enable the feature.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, August 04, 2005 12:28 AM
To: FreeRadius users mailing list
Subject: Re: Regarding checkrad

"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> My ap is cisco 340 and I already enable snmp feature. I don't know what the
> problem is. Plz help me.

Checkrad isn't able to talk to the AP. The AP isn't listening on SNMP.

Alan DeKok.
RE: Regarding checkrad
Thank Alan, perhaps my AP problem, coz I already enable the feature.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, August 04, 2005 12:28 AM
To: FreeRadius users mailing list
Subject: Re: Regarding checkrad

"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> My ap is cisco 340 and I already enable snmp feature. I don't know what the
> problem is. Plz help me.

Checkrad isn't able to talk to the AP. The AP isn't listening on SNMP.

Alan DeKok.
Re: Regarding checkrad
"Nurul Faizal M.Shukeri" <[EMAIL PROTECTED]> wrote:
> My ap is cisco 340 and I already enable snmp feature. I don't know what the
> problem is. Plz help me.

Checkrad isn't able to talk to the AP. The AP isn't listening on SNMP.

Alan DeKok.
Regarding checkrad
Hi all...

I'm trying to use checkrad to check for double login. I have read doc/Simultaneous-Use. The problem is when I'm trying to use checkrad, this is the output :-

sony# checkrad cisco 10.201.1.3 37 ultrabalad 3706
Timeout: No Response from 10.201.1.3.
Timeout: No Response from 10.201.1.3

My ap is cisco 340 and I already enable snmp feature. I don't know what the problem is. Plz help me.
Re: dialup_admin CVS produces checkrad defunct
On Fri, 29 Jul 2005, Muenz, Michael wrote:

> Hi,
>
> yesterday I've updated dialup_admin to CVS version. Most things works
> great, but my radiusd produce many defunct processes now. Any ideas?
>
> radius01:/usr/local/dialup_admin/bin# pstree
> init-+-atd
> [..]
>      |-mysqld_safe---mysqld---mysqld---22*[mysqld]
>      |-radiusd---radiusd-+-2*[radiusd---6*[checkrad]]
>      |                   |-radiusd---5*[checkrad]
>      |                   |-radiusd---10*[checkrad]
>      |                   `-radiusd---9*[checkrad]
>
> radius01:/usr/local/dialup_admin/bin# ps ax
> [...]
> 21874 ?  Z  0:00 [checkrad ]
> 22080 ?  Z  0:00 [checkrad ]
> 22335 ?  Z  0:00 [checkrad ]
> 22501 ?  Z  0:00 [checkrad ]
> [...]
>
> I have a second radius machine with an old CVS version (1.75) and there
> are no defunct's. FreeRadius is running 1.0.4 on both machines, and use
> mysql for usermanagement.

dialupadmin will not use checkrad.

> Michael

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
dialup_admin CVS produces checkrad defunct
Hi,

yesterday I've updated dialup_admin to CVS version. Most things works great, but my radiusd produce many defunct processes now. Any ideas?

radius01:/usr/local/dialup_admin/bin# pstree
init-+-atd
[..]
     |-mysqld_safe---mysqld---mysqld---22*[mysqld]
     |-radiusd---radiusd-+-2*[radiusd---6*[checkrad]]
     |                   |-radiusd---5*[checkrad]
     |                   |-radiusd---10*[checkrad]
     |                   `-radiusd---9*[checkrad]

radius01:/usr/local/dialup_admin/bin# ps ax
[...]
21874 ?  Z  0:00 [checkrad ]
22080 ?  Z  0:00 [checkrad ]
22335 ?  Z  0:00 [checkrad ]
22501 ?  Z  0:00 [checkrad ]
[...]

I have a second radius machine with an old CVS version (1.75) and there are no defunct's. FreeRadius is running 1.0.4 on both machines, and use mysql for usermanagement.

Michael
Re: Problem checkrad cisco ap1200
Sorry, i think it is two different list and i try to have the more information that i can get. That's why I put this message on the two list.

However i don't yet solve my problem. I browse the mib of my ap but the username seem to be not accessible. But i also use a cisco WLSE to manage all my AP and the WLSE get all the user on the wireless lan by snmp so it is possible. When i could i'll try to ask cisco to they give me the good OID.

ph

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: Problem checkrad cisco ap1200
Date: Thu, 16 Jun 2005 13:20:32 -0400

"ph b." <[EMAIL PROTECTED]> wrote:
> Furthermore, when i use the tool snmpge for the oid
> 1.3.6.1.4.1.9.2.9.2.1.18.XXX, it return me the same result : noSuchName.

The MIBs used by that AP are unknown to checkrad. You were told this yesterday on the cistron list. Did you think the answer would somehow be different for FreeRADIUS?

> And when i connect on the ap and do "show aaa user all", i can see the users
> name and other data. So the logins are stored on the ap but can i get them by
> SNMP or not ? how can i find the good OID ?

Do what you were told on the Cistron list.

Alan DeKok.
Re: Problem checkrad cisco ap1200
"ph b." <[EMAIL PROTECTED]> wrote:
> Furthermore, when i use the tool snmpge for the oid
> 1.3.6.1.4.1.9.2.9.2.1.18.XXX, it return me the same result : noSuchName.

The MIBs used by that AP are unknown to checkrad. You were told this yesterday on the cistron list. Did you think the answer would somehow be different for FreeRADIUS?

> And when i connect on the ap and do "show aaa user all", i can see the users
> name and other data. So the logins are stored on the ap but can i get them by
> SNMP or not ? how can i find the good OID ?

Do what you were told on the Cistron list.

Alan DeKok.
Problem checkrad cisco ap1200
Hello,

The script "checkrad" not run with my ap1200, when i test it i have :

SNMP Error:
Received SNMP response with error code
 error status: noSuchName
 index 1 (OID: 1.3.6.1.4.1.9.2.9.2.1.18.XXX)
SNMPv1_Session (remote host: "192.XXX.XXX.XXX" [192.XXX.XXX.XXX].161)
 community: "public"
 request ID: -662891836
 PDU bufsize: 8000 bytes
 timeout: 2s
 retries : 5
 backoff: 1)
 at /usr/sbin/checkrad line 221
checkrad: No SNMP answer from cisco
checkrad: not found!

I think it is a problem with the ap but i don't see what it is. The conf for the snmp on the ap is :

access-list 111 permit tcp any any neq telnet
snmp-server view dot11view ieee802dot11 included
snmp-server community public view dot11view RO

If i erase the view, i have the same problem.

Furthermore, when i use the tool snmpge for the oid 1.3.6.1.4.1.9.2.9.2.1.18.XXX, it return me the same result : noSuchName.

The ap use the IOS 12.3(2)

And when i connect on the ap and do "show aaa user all", i can see the users name and other data. So the logins are stored on the ap but can i get them by SNMP or not ? how can i find the good OID ?

Could you help me ?

thanks
ph
Re: checkrad/waitpid problem
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> I just compiled HEAD but somehow the proxy radius server does not
> recognize the replies from the home radius server:

Fixed.

Alan DeKok.
Re: checkrad/waitpid problem
On Wednesday, 27.04.2005, 05:39 -0400, Alan DeKok wrote:
> > Ignoring request from unknown home server 127.0.0.1 port 1815
>
> Is that the correct IP?

Yes, that's the right one.

> Oh well, at least this narrows the scope where the bug can be.

That sounds good ;)

Regards
Stephan Jaeger
Re: checkrad/waitpid problem
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> I just compiled HEAD but somehow the proxy radius server does not
> recognize the replies from the home radius server:

I'm not *too* surprised. I've been working on IPv6 support, which means lots of little changes throughout the server core. If proxying is currently broken, that's just one thing to fix. But I don't think it's that hard.

> The (imho) interesting parts in the debug output of the proxy server:
> Waking up in 3 seconds...
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1815, id=0,
> length=60
> Ignoring request from unknown home server 127.0.0.1 port 1815

Is that the correct IP?

> Re-sending Access-Request of id 0 to 0.0.0.0 port 1815

And that's obviously wrong.

Oh well, at least this narrows the scope where the bug can be.

Alan DeKok.
Re: checkrad/waitpid problem
On Tuesday, 26.04.2005, 09:51 -0400, Alan DeKok wrote:
> Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> > For testing purposes i replaced the call to rad_waitpid with waitpid.
> > As soon as the checkradius script is exiting the call returns with -1
> > and errno set to "No child processes".
>
> It's a bug in 1.0.x. The CVS head has fixes.

I just compiled HEAD but somehow the proxy radius server does not recognize the replies from the home radius server:

Wed Apr 27 10:22:39 2005 : Error: Ignoring request from unknown home server 127.0.0.1 port 1815
Wed Apr 27 10:22:41 2005 : Proxy: marking authentication server localhost:1815 for realm test dead

The (imho) interesting parts in the debug output of the proxy server:

Waking up in 3 seconds...
rad_recv: Access-Accept packet from host 127.0.0.1 port 1815, id=0, length=60
Ignoring request from unknown home server 127.0.0.1 port 1815
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Re-sending Access-Request of id 0 to 0.0.0.0 port 1815

At least in the output the home server ip is 0.0.0.0, while it still reaches the home server he seems to have problems matching the reply later on.

In my 20050103 snapshot it looks better:

Sending Access-Request of id 0 to 127.0.0.1:1815

Regards
Stephan Jaeger
Re: checkrad/waitpid problem
Stephan Jaeger <[EMAIL PROTECTED]> wrote:
> For testing purposes i replaced the call to rad_waitpid with waitpid.
> As soon as the checkradius script is exiting the call returns with -1
> and errno set to "No child processes".

It's a bug in 1.0.x. The CVS head has fixes.

Alan DeKok.
checkrad/waitpid problem
Hi,

I have a problem with freeradius executing the checkrad script. I get "Check-TS: unknown error in waitpid()"

    child_pid = -1;
    for (n = 0; n < 10; n++) {
        sleep(1);
        radlog(L_ERR, "pid: %d", pid);
        child_pid = waitpid(pid, &status, WNOHANG);
        radlog(L_ERR, "child_pid: %d, %s", child_pid, strerror(errno));
        /*if ((child_pid < 0) || (child_pid == pid)) {
            found = 1;
            break;
        }*/
    }

For testing purposes I replaced the call to rad_waitpid with waitpid. As soon as the checkradius script is exiting the call returns with -1 and errno set to "No child processes".

Here is the output from the above loop (checkrad has a sleep(5) in it):

pid: 3831
child_pid: 0, Success
pid: 3831
child_pid: 0, Success
pid: 3831
child_pid: 0, Success
pid: 3831
child_pid: 0, Success
pid: 3831
child_pid: 0, Success
pid: 3831
child_pid: -1, No child processes
pid: 3831
child_pid: -1, No child processes
pid: 3831
child_pid: -1, No child processes
pid: 3831
child_pid: -1, No child processes
pid: 3831
child_pid: -1, No child processes

System is Linux 2.6.9.

Regards
Stephan Jaeger
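The return sequence in the message above (0 while the child runs, then -1 with "No child processes") is what POSIX waitpid() gives when SIGCHLD is set to SIG_IGN, or when the child has already been reaped elsewhere in the process. The following is an added example, not FreeRADIUS code and not a diagnosis of the 1.0.x bug, which the thread does not describe; poll_child and run_with_sigchld are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum poll_result { CHILD_REAPED, CHILD_TIMEOUT, CHILD_LOST, CHILD_ERROR };

/* Poll one child with WNOHANG, as the loop in the message does, but read
 * errno only when waitpid() actually failed and stop on a final answer. */
static enum poll_result poll_child(pid_t pid, int max_polls, int *status)
{
    const struct timespec pause = { 0, 20 * 1000 * 1000 };  /* 20 ms */
    for (int n = 0; n < max_polls; n++) {
        pid_t r = waitpid(pid, status, WNOHANG);
        if (r == pid) return CHILD_REAPED;                /* status is ours */
        if (r < 0 && errno == ECHILD) return CHILD_LOST;  /* nothing to reap */
        if (r < 0 && errno != EINTR) return CHILD_ERROR;
        nanosleep(&pause, NULL);                          /* r == 0: running */
    }
    return CHILD_TIMEOUT;
}

/* Fork a short-lived child (exit code 3) under the given SIGCHLD disposition. */
static enum poll_result run_with_sigchld(void (*disposition)(int), int *status)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = disposition;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, &old) != 0) return CHILD_ERROR;

    enum poll_result res = CHILD_ERROR;
    pid_t pid = fork();
    if (pid == 0) {
        const struct timespec work = { 0, 50 * 1000 * 1000 };  /* 50 ms */
        nanosleep(&work, NULL);
        _exit(3);
    }
    if (pid > 0) res = poll_child(pid, 100, status);
    sigaction(SIGCHLD, &old, NULL);   /* restore the caller's disposition */
    return res;
}

int main(void)
{
    int st = 0;
    printf("SIG_DFL: %d\n", run_with_sigchld(SIG_DFL, &st));
    printf("SIG_IGN: %d\n", run_with_sigchld(SIG_IGN, &st));
    return 0;
}
```

CHILD_LOST means the exit status is unavailable, so a caller has to treat the check's result as unknown rather than as success.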
Re: session id used in checkrad
Accounting is working fine, and also I have uncommented that line in sql.conf to check Simultaneous-Use using sql module. I see that checkrad is still called after simul_count_query. The documentation says that checkrad is called once a previous session is detected in the database session (radutmp or sql).

Is there any way to use Simultaneous-Use without calling checkrad? I know that it would rely on accounting info only, but it does not need to do snmp queries every session is required.

Thanks in advance.

Richard Cotrina

On Wed, 6 Apr 2005, Shane wrote:
> Doesn't it just look for "AcctStopTime = 0" and know the user is still
> logged in? (or no account stop packets have been received)
>
> In sql.conf
> # Uncomment simul_count_query to enable simultaneous use checking
> simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE
> UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>
Re: session id used in checkrad
Richard Cotrina wrote:
> When using Simultaneous-Use, after the session database (either radutmp or sql) is checked, what is the "session id" value used by checkrad ? Is it the value from Acct-Session-Id ?
>
> I'm using sql to check Simultaneous-Use, and the radacct table only has a column called "AcctSessionId" which refers to Acct-Session-Id attribute. The trouble I'm having is that my NAS session id is different from Acct-Session-Id logged by accounting, and that cause checkrad to not work correctly.
>
> I'm using a Cisco NAS, with "Login-User" sessions, which "Session IDs" can be seen using "show aaa sessions" command. They have not the same values stored in freeradius accounting in the attr Acct-Session-Id.
>
> Any ideas on what could be wrong ?
>
> Richard Cotrina

Doesn't it just look for "AcctStopTime = 0" and know the user is still logged in? (or no account stop packets have been received)

In sql.conf

    # Uncomment simul_count_query to enable simultaneous use checking
    simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
session id used in checkrad
When using Simultaneous-Use, after the session database (either radutmp or sql) is checked, what is the "session id" value used by checkrad? Is it the value from Acct-Session-Id?

I'm using sql to check Simultaneous-Use, and the radacct table only has a column called "AcctSessionId" which refers to Acct-Session-Id attribute. The trouble I'm having is that my NAS session id is different from Acct-Session-Id logged by accounting, and that causes checkrad to not work correctly.

I'm using a Cisco NAS, with "Login-User" sessions, whose "Session IDs" can be seen using "show aaa sessions" command. They have not the same values stored in freeradius accounting in the attr Acct-Session-Id.

Any ideas on what could be wrong?

Richard Cotrina
Re: Checkrad Mikrotik NAS problem.
I am having the following problem with checkrad and Mikrotik NAS: some users are able to beat simultaneous-Use:=1 check attribute if they have auto-redial set to on their PPPoE client. After a few Rejects checkrad gives in and allows log in (checkrad.log included). Below is an example:

Mon Apr 4 18:34:56 2005 checkrad mikrotik_snmp 10.10.66.20 160 stardust2 81a00019
snpwalk: /usr/bin/snmpwalk -r 0 -t 5 -v1 -c 'space-snmp' 10.10.66.20 ifDescr
Mon Apr 4 18:34:57 2005 checkrad mikrotik_snmp 10.10.66.20 160 stardust2 81a00019
snpwalk: /usr/bin/snmpwalk -r 0 -t 5 -v1 -c 'space-snmp' 10.10.66.20 ifDescr
Returning 1 (double detected)
Mon Apr 4 18:34:58 2005 checkrad mikrotik_snmp 10.10.66.20 160 stardust2 81a00019
snpwalk: /usr/bin/snmpwalk -r 0 -t 5 -v1 -c 'space-snmp' 10.10.66.20 ifDescr
Returning 1 (double detected)
Returning 0 (login ok)

Can you pls help
Re: checkrad, check_with_nas, and sql
On Tue, 29 Mar 2005 14:36:42 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> I believe it is. See src/modules/rlm_sql/rlm_sql.c, which calls
> rad_check_ts().

Yup, I definitely see that.. And now that I'm digging deeper, I'm seeing the problem.. *sigh*

So here's what I'm guessing is going on... We changed IP addresses a while back. The old IPs no longer exist, but there are apparently a number of radacct records that were never "stopped" correctly. So when the checkrad process runs, it sees these old records, can't identify the NAS, and reports that it's skipping them. Even if there are no records for a recognized NAS, the presence of "old" records there causes a reject.

I tried looking through the source and I can see where this message is sent. It sends a return value of 1 if this happens, and it appears that a return of 1 indicates an MPP attempt... Is that about right?

So I guess my best course of action right now is to clear out those old records. :)

> Alan DeKok.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: checkrad, check_with_nas, and sql
>> If a utmp is in place, in the above occurance, checkrad would be called
>> which will verify that the user is NOT logged into the NAS, and thus will
>> allow the auth. You will however still sit with the stale accounting
>> records in SQL
>
> No. See src/main/session.c. If the user is no longer logged in, then the
> server "zaps" the login records by sending a fake accounting stop packet
> to itself.

You learn something new every day

Again, I'll have to verify because on our systems using MySQL Accounting + radutmp + checkrad, we sit with quite a lot of stale accounting data in the SQL tables (Frankly, we have cron jobs to purge stale records every couple of days - even dialupadmin purge stale accounting records every day)... Maybe it's caused by something else then.

>> Again, IMHO checkrad should be called if SQL's simul use query returns more
>> than x records, but again, to my understanding, this has not yet been
>> implemented in FR.
>
> I believe it is. See src/modules/rlm_sql/rlm_sql.c, which calls
> rad_check_ts().

Will do. On almost all our older implementations, we were forced to use checkrad from utmp. Will setup a test rig with some NASes I know works + latest FR and see what happens... Will be VERY good if the above is actually working :)

--
Chris.
Re: checkrad, check_with_nas, and sql
"Chris Knipe" <[EMAIL PROTECTED]> wrote:
> In this situation, the correct approach would be for checkrad to be
> called from FR yes - something, which for some reason it is not
> doing.

It should, but I'm not sure why.

> If a utmp is in place, in the above occurance, checkrad would be called
> which will verify that the user is NOT logged into the NAS, and thus will
> allow the auth. You will however still sit with the stale accounting
> records in SQL

No. See src/main/session.c. If the user is no longer logged in, then the server "zaps" the login records by sending a fake accounting stop packet to itself.

> Again, IMHO checkrad should be called if SQL's simul use query returns more
> than x records, but again, to my understanding, this has not yet been
> implemented in FR.

I believe it is. See src/modules/rlm_sql/rlm_sql.c, which calls rad_check_ts().

Alan DeKok.
Re: checkrad, check_with_nas, and sql
On Tue, 29 Mar 2005 21:18:06 +0200, Chris Knipe <[EMAIL PROTECTED]> wrote:
> Again, I am guessing this is incomplete code (at this stage).
> you manually reset all the SQL acocunting records)... I hope I'm making
> sense...

Yup.. seems clear enough..

> Again, IMHO checkrad should be called if SQL's simul use query returns more
> than x records, but again, to my understanding, this has not yet been
> implemented in FR.

Agreed.. And no, it doesn't look like that's been implemented yet

> You can use FR proxing (I think) to proxy accounting to the backup FR
> server - which should then create a backup utmp. I'm not 100% right now of
> the top of my head whether the utmp entry is made on a auth request or the
> acct-start request, but it may be worth looking into. You should also be
> able to proxy auth requests to the backup servers as well, which means that
> all the FR servers will have a "replicated" utmp file.

Hrm... Yeah, I guess this is doable.. Seems like a lot of work.. I wish there was some way to determine if/when sql simul checking will be "finished" ..

Thank you for your help... I enabled radutmp and that's working.. I'll live with it as-is for now and we'll see what the future holds...

> --
> Chris.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: checkrad, check_with_nas, and sql
>> It may actually be a good idea to get checkrad to be called if utmp *OR* SQL
>> thinks a user is loged in twice But that will require some source
>> hacking I think.
>
> I guess I don't understand the purpose of the simul checks in the
> sql.conf file then.. If utmp is the only thing that checks for simul
> use, then why have the sql checks? The sql checks *are* working, they
> definitely block users who appear to be online already, but without
> checkrad, it never double checks the nas ...

Again, I am guessing this is incomplete code (at this stage).

To my understanding, SQL Simul queries check to see whether a user is already logged in based on Radius Accounting. Yes, this works and is all fine and dandy. However, the SQL Accounting data is not always up to date. Say, for example, your NAS gets restarted due to a power failure. When the NAS comes back online, your users won't be able to log in because according to SQL Accounting records, they already are logged in. In this situation, the correct approach would be for checkrad to be called from FR yes - something, which for some reason it is not doing.

If a utmp is in place, in the above occurrence, checkrad would be called which will verify that the user is NOT logged into the NAS, and thus will allow the auth. You will however still sit with the stale accounting records in SQL, which means that if *only* SQL's simul use query was used, you will end up calling checkrad for each and every authentication request eventually (or in the current case where checkrad is never called for SQL simul use, sit with a situation where nobody will be able to log in until you manually reset all the SQL accounting records)... I hope I'm making sense...

Again, IMHO checkrad should be called if SQL's simul use query returns more than x records, but again, to my understanding, this has not yet been implemented in FR.

You can use FR proxying (I think) to proxy accounting to the backup FR server - which should then create a backup utmp. I'm not 100% right now off the top of my head whether the utmp entry is made on an auth request or the acct-start request, but it may be worth looking into. You should also be able to proxy auth requests to the backup servers as well, which means that all the FR servers will have a "replicated" utmp file.

--
Chris.
Re: checkrad, check_with_nas, and sql
On Tue, 29 Mar 2005 20:58:45 +0200, Chris Knipe <[EMAIL PROTECTED]> wrote:
> You must run utmp. Even if it is just for simul. use. You can stil have
> all your accounting in SQL instead of detailed files, but utmp must be there
> for checkrad.

Ugh.. So, if my primary radius server fails to backup, and the backup utmp has nothing in it, then wouldn't users be able to simul at least once before it ever called checkrad?

> It may actually be a good idea to get checkrad to be called if utmp *OR* SQL
> thinks a user is loged in twice But that will require some source
> hacking I think.

I guess I don't understand the purpose of the simul checks in the sql.conf file then.. If utmp is the only thing that checks for simul use, then why have the sql checks? The sql checks *are* working, they definitely block users who appear to be online already, but without checkrad, it never double checks the nas ...

> As always.. I may be wrong - I think I'm right :)

:)

> --
> Chris.

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
Re: checkrad, check_with_nas, and sql
> I don't have radutmp enabled. I noticed, however, in the radutmp
> module definition, the check_with_nas option. It appears that this
> causes the checkrad program to be called. If radutmp is not enabled,
> checkrad isn't called.. I think.

To my knowledge, checkrad is never called if utmp isn't available.

> At any rate, I tried enabling simultaneous checking with sql and the
> checkrad program never got called. Unfortunately, this means that a
> lot of users are being rejected incorrectly..

You must run utmp. Even if it is just for simul. use. You can still have all your accounting in SQL instead of detailed files, but utmp must be there for checkrad.

It may actually be a good idea to get checkrad to be called if utmp *OR* SQL thinks a user is logged in twice But that will require some source hacking I think.

As always.. I may be wrong - I think I'm right :)

--
Chris.
checkrad, check_with_nas, and sql
Wow.. today seems to be the day I sent a lot of mail to the freeradius list.. :) Hopefully an answer to this will finish off what I need to accomplish... :)

In my radiusd.conf file, I have enabled sql for simultaneous use checking :

    session {
        sql
    }

I don't have radutmp enabled. I noticed, however, in the radutmp module definition, the check_with_nas option. It appears that this causes the checkrad program to be called. If radutmp is not enabled, checkrad isn't called.. I think.

At any rate, I tried enabling simultaneous checking with sql and the checkrad program never got called. Unfortunately, this means that a lot of users are being rejected incorrectly..

So, the question is this.. does radutmp need to be enabled? Or is it possible to have checkrad called when using sql?

Thanks!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]