Re: segmentation fault in rlm_attr_rewrite and eaptls module

2007-04-09 Thread nikitha

I am trying to download branch_1_1 from CVS, but I am getting the error:
Unknown host
Ping to 64.24.0.50 (cvs.freeradius.org) not reachable.

Is the cvs.freeradius.org server down?

Thanks,
Sumithra

On 4/7/07, Alan DeKok [EMAIL PROTECTED] wrote:


nikitha wrote:
 Thanks for your information.
 As we need a fix immediately, can I upgrade to 1.1.5? Does it have fixes
 for these kinds of issues?

  If you need something now, try 1.1.4, or branch_1_1 in CVS.

 What is the exact date that you are planning to release 1.1.6?

  No idea.  Next week some time.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: segmentation fault in rlm_attr_rewrite and eaptls module

2007-04-09 Thread Alan DeKok
nikitha wrote:
 I am trying to download branch_1_1 from CVS, but I am getting the error:
 Unknown host
 Ping to 64.24.0.50 (cvs.freeradius.org) not reachable.
 
 Is the cvs.freeradius.org server down?

  I can see it as up.

  It may be the routing between your site and the server.  If something
goes wrong, whole sections of the net are temporarily unreachable.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: segmentation fault in rlm_attr_rewrite and eaptls module

2007-04-09 Thread nikitha

I could ping freeradius.org but not cvs.freeradius.org.
Anyhow, I will try it again after some time.

Thanks.

On 4/9/07, Alan DeKok [EMAIL PROTECTED] wrote:


nikitha wrote:
 I am trying to download branch_1_1 from CVS, but I am getting the error:
 Unknown host
 Ping to 64.24.0.50 (cvs.freeradius.org) not reachable.

 Is the cvs.freeradius.org server down?

  I can see it as up.

  It may be the routing between your site and the server.  If something
goes wrong, whole sections of the net are temporarily unreachable.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


two database

2007-04-09 Thread Nirmal
Hi, I'm using freeradius 0.9.

Is it possible to select two SQL databases in sql.conf?

How?

Thanks in advance,

Regards,

Nirmal Patel
9323704733

Re: two database

2007-04-09 Thread Alan DeKok
Nirmal wrote:
 Hi i m using freeradius 0.9

  Why?

 is it possible to select two sql databases in sql.conf ?

  Yes.

 how ?

  See the documentation in the recent versions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Alternate proxying methods.

2007-04-09 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
   
 The obvious solution is to actually direct users at a realm, instead of 
 relying on DEFAULT entries... But as soon as a user hits the rlm_realm
 they will be proxied...
 

   Only if you define authhost and accthost.  If those don't exist
 (or are set to LOCAL), then the realm will be recognized, but the
 request will not be proxied.
   
Yes, well, in my case there would be realms defined, one for JRS and one 
for the secondary RADIUS servers.

 The solution I found is to ignore the standard front end for rlm_realm, 
 and instead use the Proxy-To-Realm and Replicate-To-Realm in the users file.
 

   Replicate-To-Realm does something?  I don't think so.  It's not
 referenced in the source anywhere.


   
Oh... damn, I saw someone had submitted a patch for it a long time ago 
during my Google searching, and had assumed it had been included.

 # Shorthand sussex
 DEFAULT Pre-Proxy-Realm =~ ".*susx.ac.uk.*", Auth-Type := Reject
 	Reply-Message = "Please use [EMAIL PROTECTED] as your user ID",
 	Fall-Through = no
 

   It's probably time for a regex map, like Postfix has.  That would
 simplify this configuration quite a bit.

   
Yeah, that would be nice; it would make this kind of stuff much neater,
especially if you're checking for loads of regexp-based conditions.
 Just thought it was quite a neat way of doing it, as opposed to all the
 weirdness with prefixes and suffixes and using rlm_realm in the 
 authorize and accounting sections.
 

   The realm module is there to handle the people who need its
 functionality. :)

   
Bless their little cotton socks.
 Also heard talk of deprecating Proxy-To-Realm and Replicate-To-Realm...
 which is a really bad idea, as using Proxy-To-Realm and 
 Replicate-To-Realm is far more powerful, and can be configured from SQL :)
 

   Replicate-To-Realm doesn't do anything...  Proxy-To-Realm is useful,
 but wrong.  Let me explain.

   RADIUS proxies send packets to RADIUS servers... not to realms.  So
 the simplest way to set proxying is proxy to server X.   Note that
 there's no mention of a realm.

   But we also want fail-over and load-balancing.  So in 2.0, we have the
 concept of server pools, which aggregate many RADIUS servers into one
 pool.  The pool is then treated as one logical server.  So we can also
 set proxy to server pool Y.  Note that there's no mention of a realm.

   Finally, servers and/or pools often handle realms.  So it's useful to
 say that this realm is handled by server X, or server pool Y.  It's
 also useful to say proxy the request to the server/pool that handles
 realm FOO.  That is a logical abstraction that simplifies the
 administrators thinking.  It's a layer of indirection that means he can
 work conceptually with what the user types in (name + realm), and what
 he sees in the packet (name + realm), rather than dealing with the
 details of the protocol.

   Historically, FreeRADIUS did not have home_servers or server_pools.
 They were shoved into realms, which was wrong.  But it's what we had,
 which is where the confusion between realms & pools & servers comes from.

   So... Replicate-To-Realm doesn't work.  I'd be curious to know what it
 does for you.

   
Well, obviously nothing :( . I hadn't got around to testing it yet; I just 
assumed it would, as acct_users didn't throw any parsing errors.

But that would be because it's defined as attribute 1049 in 
dictionary.freeradius.internal:

ATTRIBUTE	Replicate-To-Realm	1049	string

Damn..

Well obviously someone wanted to implement it once, but never got round 
to it *sigh*.

I had assumed that it would copy the incoming packet to the realm specified
but also continue processing locally. This would really only be of use 
for accounting packets.

   Proxy-To-Realm won't be going away, it's still useful.  But
 Proxy-To-Server-Pool & Proxy-To-Home-Server are useful, too.  Once we
 have those, Proxy-To-Realm becomes look up realm, find auth/acct
 server, and then use that for Proxy-To-Server-Pool.
   

Yes, so the actual function is fine, it's just the terminology. A more 
accurate name might be 'Assign-To-Realm', and then once it's been 
'assigned' the internal logic of the realm
will decide where it's actually proxied to.


Well, thanks for explaining all that; I had a pretty good idea of what was 
happening, but you helped solidify it. If you do feel like adding 
Replicate-To-Realm in, it would be most appreciated :)

Thanks,
Arran


Re: two database

2007-04-09 Thread Nirmal
Can I use two SQL databases in sql.conf for FreeRADIUS version 0.9?

Currently I'm using freeradius 0.9 + MySQL 3.23 + PPPoE on Linux (NAS).

Authentication and accounting are happening in one database.

I have a very large user database and I want to assign roaming profiles to my
users; in that case users will be authenticated from database1, which holds
the authentication information (radcheck, radgroupcheck, radreply) of all users,
and accounting will be done in database2 (radacct table).

How do I specify two databases in sql.conf? There is only one line,
radius_db. :(

I did not find more help in the docs of freeradius-1.1.5!! Please help.

Nirmal Patel
+91-9323704733


Alan DeKok [EMAIL PROTECTED] wrote:
  Nirmal wrote:
 Hi i m using freeradius 0.9

Why?

 is it possible to select two sql databases in sql.conf ?

Yes.

 how ?

See the documentation in the recent versions.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog


Re: two database

2007-04-09 Thread Arran Cudbard-Bell
Nirmal wrote:
 can i use two sql database in sql.conf for free radius version 0.9 ?
 
 currently i m using freeradius 0.9 + MySQL 3.23 + PPPoE on linux (NAS)
 
 authentication and accounting is happening in one database.
 
 i have a very large user database and i want to assign roaming profile 
 to my users, in that case users will be authenticated from database1 
 which is having authentication information (radcheck, 
 radgroupcheck,radreply) of all users and accounting will be done in 
 database2 (radacct table).
 
 how to specify two database in sql.conf ? as there is only one line 
 radius_db. :(
You have two instances of the sql module config in sql.conf.

So the first, default instance is:
sql {
	directive = whatever
	# config for database1
}
and the second, for accounting:
sql sql_accounting {
	directive = whatever
	# config for database2
}

You then reference sql_accounting instead of just plain sql in the 
accounting sections.

 i did not find more help in docs of freeradius-1.1.5 !!  Please help
  
 Nirmal Patel
 +91-9323704733


 */Alan DeKok [EMAIL PROTECTED]/* wrote:

 Nirmal wrote:
  Hi i m using freeradius 0.9

 Why?

  is it possible to select two sql databases in sql.conf ?

 Yes.

  how ?

 See the documentation in the recent versions.

 Alan DeKok.
 --
 http://deployingradius.com - The web site of the book
 http://deployingradius.com/blog/ - The blog


freeradius and cisco hidden share

2007-04-09 Thread John Baker
Hello

I'm running FreeRADIUS with the standard Ubuntu Breezy package, which 
reads as freeradius 1.0.4-2. It's been the connection to the LDAP backend 
for authentication on an old Cisco 3640 with IOS 12.2(23) for quite a 
while.

I'm trying to set up a new 2811 router with IOS 12.4(11)T1 and am running 
into a little trouble with repeating the same configuration.

The setup works fine if I use a password like testing123 on both ends. 
But when I use radius-server key 7 to encrypt it, it breaks.  The current 
setup does use this, so I know it works. But in all the documentation 
I've been weeding through on configuring clients.conf, nothing seems 
to mention how this kind of encryption works on the FreeRADIUS server end.

The router insists on an extremely long key for this configuration. The 
3640 shows one in the config. But clients.conf shows a much shorter one.

When I try to plug the long one into clients.conf, freeradius fails to start up.

So how do you configure freeradius for a Cisco hidden password?

Thanks

-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus 



Re: freeradius and cisco hidden share

2007-04-09 Thread Alan DeKok
John Baker wrote:
 The setup works fine if I use a password like testing123 on both ends. 
 But when I use radius-server key 7 to encrypt it breaks.

  As in... what happens?

  The current 
 setup does use this so I know it works. But in all the documentation 
 I've been weeding through on configuring clients.conf nothing seems 
 to mention how this kind of encryption works on the Free Radius server end.

  See RFC 2865... if you really care about it.  But trust me, FreeRADIUS
works.

 The router insists on extremely long key for this configuration. The 
 3640 shows one in the config. But client.conf show a much shorter one.
 
 When I try to plug the long one in clients.conf freeradius fails to startup.

  Could you say what error it produces?

  The comments in clients.conf indicate that the shared secret can be no
more than 31 characters long.  In 2.0, this restriction is removed.

 So how do you configure freeradius for a Cisco hidden password?

  No idea.  The Cisco hidden password thing isn't well documented.
i.e. The Cisco docs tell you that you can enable hidden passwords, but
don't say what that means.

  And if you look for hidden password in:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html

  It looks to me like you're using the wrong command.  "radius server
key" sets the shared secret to the following text, which in your case is
"7".  If you want hidden passwords, it looks like you have to use
another command.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius and cisco hidden share

2007-04-09 Thread John Baker
Hello

I'm certain I was using the right command. The number 7 in the line tells 
the router that a hidden key will follow.

coltrane(config)#radius-server key ?
  0 Specifies an UNENCRYPTED key will follow
  7 Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key

Now at this point I actually got it to work. It turned out that in 
trying to copy the extremely long number from the old config there was 
an error.

But I still don't know exactly what it is doing so I'm hoping somebody 
can explain because I may want to change the key at some point.

On the router end the key is configured with radius-server key 7 
54-character-key

On the radius server in clients.conf this client's secret = 
totally-different-26-character-key

Initially I thought that one side or the other would be like /etc/shadow 
passwords, or the garbled string you see looking at an enable secret 
password in the Cisco config. That would account for them appearing 
totally different. But just copying the old configuration straight works, 
so I guess not.

Alan DeKok wrote:
 John Baker wrote:
   
 The setup works fine if I use a password like testing123 on both ends. 
 But when I use radius-server key 7 to encrypt it breaks.
 

   As in... what happens?

   
  The current 
 setup does use this so I know it works. But in all the documentation 
 I've been weeding through on configuring clients.conf nothing seems 
 to mention how this kind of encryption works on the Free Radius server end.
 

   See RFC 2865... if you really care about it.  But trust me, FreeRADIUS
 works.

   
 The router insists on extremely long key for this configuration. The 
 3640 shows one in the config. But client.conf show a much shorter one.

 When I try to plug the long one in clients.conf freeradius fails to startup.
 

   Could you say what error it produces?

   The comments in clients.conf indicate that the shared secret can be no
 more than 31 characters long.  In 2.0, this restriction is removed.

   
 So how do you configure freeradius for a Cisco hidden password?
 

   No idea.  The Cisco hidden password thing isn't well documented.
 i.e. The Cisco docs tell you that you can enable hidden passwords, but
 don't say what that means.

   And if you look for hidden password in:

 http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a5f.html

   It looks to me like you're using the wrong command.  "radius server
 key" sets the shared secret to the following text, which in your case is
 "7".  If you want hidden passwords, it looks like you have to use
 another command.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus 



RE: freeradius and cisco hidden share

2007-04-09 Thread King, Michael

It sounds like you're trying to encrypt the shared secret in the router
config.  Or, you're trying to copy the encrypted shared secret and paste
it.  (The 7 is what tipped me off.)

First, you need to verify that password-encryption is enabled in the
IOS.  This is the magic that makes that happen.

Second, be aware that IOS from 12.2 to 12.4 is majorly different.  Trust
me, I've just ended a four-firmware-upgrade nightmare (went from 12.2, to
12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
in 12.3 (we needed a new feature that didn't exist in 12.2 or we would
have stayed there).

This is taken from the internet, but it looks like it will fit you
pretty well.
http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx

The IOS side of the configuration is quite easy. The commands can be
entered sequentially either as a paste in from a text file or as part of
some automated procedure (e.g. SecureCRT scripts, an Expect shell
script, etc). The sample config below assumes two RADIUS servers with IP
addresses 192.168.1.10 and 192.168.1.11. The sample also sources all
requests from interface Loopback0:

Note: Don't use the key of Cis$ko.  Make up your own.

conf t
aaa new-model
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko

ip radius source-interface Loopback0

aaa group server radius RadiusServers
 server 192.168.1.10 auth-port 1812 acct-port 1813
 server 192.168.1.11 auth-port 1812 acct-port 1813
 exit

aaa authentication login default group RadiusServers local
exit

Assuming the password-encryption service is started on the device the
shared secrets will be encrypted after they're entered. It is also
highly recommended that a local login exist in case there is a failure
to communicate with the RADIUS servers for any reason (the
authentication order in the configlet specifies falling back to the
local database after the RadiusServers group). Ports 1812 and 1813 are
specified in this configuration, so the necessary holes will need to be
punched through firewalls and access-lists to allow this to work. To
change the ports utilized by IAS, pull up the properties of the root
node in the console and choose the ports tab.



RE: freeradius and cisco hidden share

2007-04-09 Thread King, Michael
 

One further comment.

The shared secret in FreeRADIUS CANNOT be the really long number in
the IOS config file.  This is an encrypted hash of the REAL secret.



Re: freeradius and cisco hidden share

2007-04-09 Thread Peter Nixon
Hi Michael

Please add any info you feel is relevant to:
http://wiki.freeradius.org/Cisco

Cheers

Peter

On Mon 09 Apr 2007, King, Michael wrote:
 It sounds like you're trying to encrypt the shared secret in the router
 config.  Or, you're trying to copy the encrypted shared secret and paste
 it.  (The 7 is what tipped me off.)

 First, you need to verify that you have the password-encryption is
 enabled in the IOS.  This is the magic that makes that happen.

 Second, Be aware that IOS from 12.2 to 12.4 is majorly different.  Trust
 me, I've just ended a 4 firmware upgrade nightmare (Went from 12.2, to
 12.3, to 12.4, to another 12.4) just to chase down a bug that popped up
 in 12.3 (We needed a new feature that didn't exist in 12.2 or we would
 have stayed there)

 This is taken from the internet, but it looks like it will fit you
 pretty well.
 http://briandesmond.com/blog/archive/2006/07/22/How-to-authenticate-against-Active-Directory-from-Cisco-IOS.aspx

 The IOS side of the configuration is quite easy. The commands can be
 entered sequentially either as a paste in from a text file or as part of
 some automated procedure (e.g. SecureCRT scripts, an Expect shell
 script, etc). The sample config below assumes two RADIUS servers with IP
 addresses 192.168.1.10 and 192.168.1.11. The sample also sources all
 requests from interface Loopback0:

 Note: Don't use the key of Cis$ko.  Make up your own.

 conf t
 aaa new-model
 radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Cis$ko
 radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Cis$ko

 ip radius source-interface Loopback0

 aaa group server radius RadiusServers
  server 192.168.1.10 auth-port 1812 acct-port 1813
  server 192.168.1.11 auth-port 1812 acct-port 1813
  exit

 aaa authentication login default group RadiusServers local
 exit

 Assuming the password-encryption service is started on the device the
 shared secrets will be encrypted after they're entered. It is also
 highly recommended that a local login exist in case there is a failure
 to communicate with the RADIUS servers for any reason (the
 authentication order in the configlet specifies falling back to the
 local database after the RadiusServers group). Ports 1812 and 1813 are
 specified in this configuration, so the necessary holes will need to be
 punched through firewalls and access-lists to allow this to work. To
 change the ports utilized by IAS, pull up the properties of the root
 node in the console and choose the ports tab.




-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


RE: [m0n0wall] Captive Portal and Radius

2007-04-09 Thread Alex M
Are we talking about M0n0 as a NAS here? If yes, why not mod the box to
do internal counting of the session and then talk to the RADIUS server with the
final data?

-Original Message-
From: YvesDM [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 09, 2007 11:37 AM
To: Peter Boosten
Cc: m0n0wall@lists.m0n0.ch
Subject: Re: [m0n0wall] Captive Portal and Radius

On 4/9/07, Peter Boosten [EMAIL PROTECTED] wrote:

 YvesDM wrote:
  When you use radius you can specify max-daily-session through
 sqlcounter.

 Yves, thanks for your answer, although it doesn't answer my question.

 Again: I defined a max-daily-session. Works like charm. But I don't want
 him to use this max-daily-session in one run. I would like him to take
 some breaks (say every two hours), so I defined a Session-Timeout of
 7200 seconds. But nothing prevents him from logging in just after the
 Session-Timeout expired.

 So I would like to know if there's some parameter that defines the
 minimum time between two sessions.


I see, sorry I missed that part.
If I need to do this I usually use a Linux firewall and change the iptables
rules through cron.
There are firewall distros with ready-to-use examples for this, but of
course they are off-topic on this list and I don't know if you actually
want to use them at all.
If you want more info on this you can e-mail me off list, no problem.


 But I think setting up a radius server is a little overkill when it's only
  to control
  your son's internet use.
 

 Let the ethics be my worry. It has proven its use already (we're talking
 internet addiction here...).


Sounds familiar ;-)
Just thinking, can't you add/delete a check item in radcheck through some
script? The Expiration attribute or something? Let the script set/delete a
(passed-by) expiration date in radcheck.
When the attribute is there he won't be able to log in, because his account
will be expired; when the attribute is not there, he can log in :-)

Something like this:

mysql> select * from radcheck where `UserName` = 'hombrouckxeli';
+-----+---------------+---------------+----+---------------+
| id  | UserName      | Attribute     | op | Value         |
+-----+---------------+---------------+----+---------------+
| 359 | hombrouckxeli | User-Password | := | masked        |
| 360 | hombrouckxeli | Expiration    | := | 01 april 2007 |
+-----+---------------+---------------+----+---------------+
2 rows in set (0.00 sec)

mysql>

Kind regards
Yves

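The cron-driven lock/unlock that Yves sketches above, as an added example that is not from the list post: it inserts an already-passed Expiration check item into radcheck to keep the user from logging in, and deletes it again once a minimum break after the user's last accounting stop (read from radacct) has elapsed. The 30-minute break, the user name, the sample rows and the use of sqlite3 in place of MySQL are assumptions made so the script runs offline; the table and column names follow the stock FreeRADIUS SQL schema.

```python
"""Lock/unlock a FreeRADIUS user by toggling an Expiration check item.

Added example, not from the list post. A cron job calls cron_tick() every
few minutes; sqlite3 stands in for MySQL so the script runs offline, and
all rows, the user name and the break length are constructed."""
import sqlite3
from datetime import datetime, timedelta

# Constructed subset of the FreeRADIUS SQL schema (radcheck + radacct).
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  VARCHAR(64)  NOT NULL DEFAULT '',
    Attribute VARCHAR(64)  NOT NULL DEFAULT '',
    op        CHAR(2)      NOT NULL DEFAULT '==',
    Value     VARCHAR(253) NOT NULL DEFAULT ''
);
CREATE TABLE radacct (
    RadAcctId    INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName     VARCHAR(64) NOT NULL DEFAULT '',
    AcctStopTime DATETIME
);
"""

# Hypothetical policy: minimum gap between the end of one session and the
# next login. Timestamps are 'YYYY-MM-DD HH:MM:SS' strings as radacct holds them.
BREAK = timedelta(minutes=30)


def _ts(text):
    return datetime.fromisoformat(text)


def open_db(username, last_stop):
    """In-memory database with one user and one finished session (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        (username, "User-Password", ":=", "masked"),
    )
    conn.execute(
        "INSERT INTO radacct (UserName, AcctStopTime) VALUES (?, ?)",
        (username, last_stop),
    )
    conn.commit()
    return conn


def past_expiration(now):
    """A date already in the past, in the 'DD Month YYYY' form the post's
    example row used, so rlm_expiration rejects the login."""
    return (_ts(now) - timedelta(days=1)).strftime("%d %B %Y")


def is_locked(conn, username):
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM radcheck WHERE UserName = ? AND Attribute = 'Expiration'",
        (username,),
    ).fetchone()
    return count > 0


def lock_user(conn, username, now):
    """Insert the Expiration check item once; returns True if it was added."""
    if is_locked(conn, username):
        return False
    conn.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "VALUES (?, 'Expiration', ':=', ?)",
        (username, past_expiration(now)),
    )
    conn.commit()
    return True


def unlock_user(conn, username):
    """Delete the Expiration check item; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM radcheck WHERE UserName = ? AND Attribute = 'Expiration'",
        (username,),
    )
    conn.commit()
    return cur.rowcount


def last_session_end(conn, username):
    """Most recent AcctStopTime for the user, or None if nothing is recorded."""
    (stop,) = conn.execute(
        "SELECT MAX(AcctStopTime) FROM radacct WHERE UserName = ?", (username,)
    ).fetchone()
    return _ts(stop) if stop else None


def cron_tick(conn, username, now):
    """One cron run: keep the account locked while the break after the last
    session is still running, unlock it afterwards. Returns the new state."""
    stop = last_session_end(conn, username)
    if stop is not None and _ts(now) < stop + BREAK:
        lock_user(conn, username, now)
        return "locked"
    unlock_user(conn, username)
    return "unlocked"
```

A cron entry would call `cron_tick(conn, user, datetime.now().isoformat(sep=" ", timespec="seconds"))` against the live database; against MySQL the `?` placeholders become `%s`.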


Re: freeradius and cisco hidden share

2007-04-09 Thread John Baker
Okay, this is the piece I was trying to figure out. :)

Like I said in a follow-up, I found that copying the key out of the old 
Cisco config and the old one in the users.conf worked. Initially I made 
an error on the Cisco end when copying that made it fail.

So the piece of confusion is how you get that encrypted hash in there in 
the first place when configuring a new key.

King, Michael wrote:
  

 One further comment.

 The shared secret in FreeRADIUS  CANNOT  be the really long number in
 the IOS config file.  This is an encrypted hash of the REAL secret.



-- 
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus 



Re: Problem with freeradius and mysql

2007-04-09 Thread José Christian Rodríguez
Thanks all for your help.
My freeradius with mysql is working now.

Christian
  - Original Message - 
  From: satish patel 
  To: FreeRadius users mailing list 
  Sent: Friday, April 06, 2007 2:55 AM
  Subject: Re: Problem with freeradius and mysql


  Dear all,

  Here I am sharing my knowledge for freeradius users. I have done
freeradius-1.1.4 with mysql with cisco VPDN configuration, as well as
per-user bandwidth configuration and simultaneous user login configuration.
I am sharing my configuration for the freeradius users.

  I have cisco router with this configuration

  aaa new-model
  !
  !
  aaa group server radius testing123
   server-private 71.5.250.243 auth-port 1812 acct-port 1813 key tulipconnect
   ip radius source-interface FastEthernet0/1
   deadtime 0
  !
  aaa authentication login default local group radius group testing123
  aaa authentication ppp default group testing123 local 
  aaa authorization exec default local group radius group testing123
  aaa authorization network default group testing123 local
  aaa accounting update periodic 1
  aaa accounting exec default start-stop group testing123
  aaa accounting network default start-stop group testing123
  aaa accounting connection default start-stop group testing123
  !


  All my user databases are in mysql, and simultaneous login is also in mysql.

  mysql tables:

  mysql> select * from radcheck;
  +----+----------+---------------+----+-------+
  | id | UserName | Attribute     | op | Value |
  +----+----------+---------------+----+-------+
  |  1 | satish   | User-Password | := | tulip |
  |  2 | priya    | User-Password | := | tulip |
  +----+----------+---------------+----+-------+
  2 rows in set (0.00 sec)


  mysql> select * from radgroupcheck;;
  +----+-----------+------------------+----+-------+
  | id | GroupName | Attribute        | op | Value |
  +----+-----------+------------------+----+-------+
  |  1 | 64KB      | Simultaneous-Use | := | 1     |
  |  4 | 128KB     | Simultaneous-Use | := | 1     |
  +----+-----------+------------------+----+-------+
  2 rows in set (0.00 sec)


  mysql> select * from radgroupreply;;
  +----+-----------+-----------------+----+------------------------------------------------------------------------------------------------+------+
  | id | GroupName | Attribute       | op | Value                                                                                          | prio |
  +----+-----------+-----------------+----+------------------------------------------------------------------------------------------------+------+
  |  1 | 64KB      | Framed-Protocol | =  | PPP                                                                                            |    0 |
  |  2 | 64KB      | Framed-MTU      | =  | 1400                                                                                           |    0 |
  |  3 | 64KB      | Service-Type    | =  | Framed-User                                                                                    |    0 |
  |  4 | 128KB     | Framed-Protocol | =  | PPP                                                                                            |    0 |
  |  5 | 128KB     | Framed-MTU      | =  | 1450                                                                                           |    0 |
  |  6 | 128KB     | Service-Type    | =  | Framed-User                                                                                    |    0 |
  |  7 | 128KB     | Cisco-Avpair    | =  | lcp:interface-config#1=rate-limit output 128000 1 1 conform-action continue exceed-action drop |    0 |
  +----+-----------+-----------------+----+------------------------------------------------------------------------------------------------+------+
  7 rows in set (0.00 sec)


  mysql> select * from usergroup;
  +----+----------+-----------+
  | id | UserName | GroupName |
  +----+----------+-----------+
  |  1 | satish   | 64KB      |
  |  3 | priya    | 128KB     |
  +----+----------+-----------+
  2 rows in set (0.00 sec)

  

  Simultaneous login configuration (edit this file: /etc/raddb/sql.conf)

  #######################################################################
  # Simultaneous Use Checking Queries
  #######################################################################
  # simul_count_query  - query for the number of current connections
  #                    - If this is not defined, no simultaneous use checking
  #                    - will be performed by this module instance
  # simul_verify_query - query to return details of current connections for verification
  #                    - Leave blank

RE: freeradius and cisco hidden share

2007-04-09 Thread King, Michael
 

 -Original Message-
 So the piece of confusion is how you get that encrypted hash 
 in there in the first place when configuring a new key.


Service password-encryption

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7fa1.html#wp1204790



Reject user without realm

2007-04-09 Thread Marcos Roberto Greiner
Hi,

I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]).
Basically, if a user uses [EMAIL PROTECTED], I want Radius to
authenticate locally. If it's @provider2.com, 3.com, etc, on other
servers listed in proxy.conf.

The problem I'm having is that if a user adds no realm, only the user name,
the server is authenticating locally. I wanted it to deny the
authentication. How should I proceed?

Thank you very much,

Roberto



My current setup and radius -X follows.

I'm using MySQL as database (both for users and accounting)

hints file. Added only the following entry:
# The following entry is to be authenticated locally
DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
Hint = PPP,
Service-Type = Framed-User,
Framed-Protocol = PPP

Users file. Commented the entry referencing to Auth-Type = System. No
other changes.

Nothing added to huntgroups

The radius -X output:

rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
User-Name = [EMAIL PROTECTED]
User-Password = user
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  hints: Matched DEFAULT at 36
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched entry DEFAULT at line 172
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'user'
rlm_sql (sql): sql_set_user escaped user -- 'user'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'user'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'user'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 0
  modcall[authorize]: module pap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type pap
auth: type PAP
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password user
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module pap returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Login OK: [user] (from client dsu24 port 0)
Sending Access-Accept of id 0 to a.b.c.d port 3793
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type := Framed-User
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Protocol := PPP
Session-Timeout := 7200
Finished request 0
Going to the next request






-- 
  -
Marcos Roberto Greiner

   Optimists think that we are in the best of all worlds
Pessimists are afraid that this is true
   Murphy
  -

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius+OpenLDAP+SAMBA+Windows Domain Logon.

2007-04-09 Thread Sérgio Kojima

Sorry for my delay :P

The Samba version is '3.0.23c-2' and works fine, like my old AD Domain.
The winbind package is not installed, but there is a process running
'winbindd'; it was installed when I installed Samba. I use a Debian Linux
server.

Robinson Santos, where u from ? :)
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject user without realm

2007-04-09 Thread Arran Cudbard-Bell
Marcos Roberto Greiner wrote:
 Hi,

 I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]).
 Basically, if a user uses [EMAIL PROTECTED], I want Radius to
 authenticate locally. If it's @provider2.com, 3.com, etc, on other
 servers listed in proxy.conf.

 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

 Thank you very much,

 Roberto

   
Ok, so you just want to Reject users who don't provide a realm?

Then you would need an entry in the users file like this:

DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject

---
Arran
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject user without realm

2007-04-09 Thread Kevin Bonner
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

A username with no realm will match the NULL realm.  You can reject NULL 
realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

 hints file. Added only the following entry:
 # The following entry is to be authenticated locally
 DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
 Hint = PPP,
 Service-Type = Framed-User,
 Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the 
same thing, as long as you don't add the nostrip option for the realm.

 rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
 User-Name = [EMAIL PROTECTED]
 User-Password = user
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 36
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = user, looking up realm NULL
 rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your 
configuration and the description of how the NULL realm works.  The User-Name 
has a realm in this request, so it should match the DEFAULT realm if it is 
defined.  Since the hints file matched at line 36 here, I assume you actually 
configured provider1.com instead of domain1.com in your hints file.

Is this assumption correct?  If not, what is in your hints file at line 36?

Kevin Bonner


pgpAUsH7FbwDX.pgp
Description: PGP signature
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject user without realm

2007-04-09 Thread Roberto Greiner
Arran Cudbard-Bell wrote:
 Marcos Roberto Greiner wrote:
   
 Hi,

 I'm trying to use FreeRadius with Realms (using the form [EMAIL PROTECTED]).
 Basically, if a user uses [EMAIL PROTECTED], I want Radius to
 authenticate locally. If it's @provider2.com, 3.com, etc, on other
 servers listed in proxy.conf.

 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

 Thank you very much,

 Roberto

   
 
 Ok , so you just want to Reject users who don't provide a realm ?

 Then you would need an entry in the users file like this

 DEFAULT User-Name !~ ^([[:alnum:[EMAIL PROTECTED])@([[:alnum:].]+)$, Auth-Type := Reject
   
That didn't work. When the user adds the 'local' domain (provider1.com),
the hints file strips the domain for the checking against the database.
After that, the new entry in the users file will reject the user,
because there is no longer any domain in the login.

Roberto

-- 
  -
Marcos Roberto Greiner

   Optimists think that we are in the best of all worlds
Pessimists are afraid that this is true
   Murphy
  -

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Mac OS 10.4 Radius

2007-04-09 Thread John Warf
I am looking to see if anyone has an install of FreeRadius running on a Mac OS 
10.4 server binding to an LDAP server.  We are looking at doing this and I was 
wanting to see if anyone already has a binary out there or some words of 
advice for it.

I currently have FreeRadius running on a Linux box as a stand-alone, and it has 
been for some time now, but I need a new install on a Macintosh to try some new 
things.

Thanks

John


This Message was sent through the Chatham County Schools E-Mail Server

All e-mail correspondence to and from this address is subject to the
North Carolina Public Records Law, which may result in monitoring and
disclosure to third parties, including law enforcement.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reject user without realm

2007-04-09 Thread Roberto Greiner
Kevin Bonner wrote:
 On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
   
 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?
 

 A username with no realm will match the NULL realm.  You can reject NULL 
 realms with:

 == users ==
 DEFAULT Realm == NULL, Auth-Type := Reject
 == users ==

   
 hints file. Added only the following entry:
 # The following entry is to be authenticated locally
 DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
 Hint = PPP,
 Service-Type = Framed-User,
 Framed-Protocol = PPP
 

 A realm definition for domain1.com and a small users file entry should do the 
 same thing, as long as you don't add the nostrip option for the realm.
   
The problem here was that I couldn't find the proper entry to add to the
users file :-(
   
 rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
 User-Name = [EMAIL PROTECTED]
 User-Password = user
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 36
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = user, looking up realm NULL
 rlm_realm: No such realm NULL
 

 This request matches the NULL realm, which should be impossible based on your 
 configuration and the description of how the NULL realm works.  The User-Name 
 has a realm in this request, so it should match the DEFAULT realm if it is 
 defined.  Since the hints file matched at line 36 here, I assume you actually 
 configured provider1.com instead of domain1.com in your hints file.

 Is this assumption correct?  If not, what is in your hints file at line 36?

 Kevin Bonner
   
I mistyped domain1 and provider1. The entry at line 36 is provider1. The
Hints file I wrote incorrectly in the explanation. It actually contains
provider1.

I tried to change the 'Strip-User-Name = Yes' to 'Strip-User-Name = NO'
in the Hints file, but got the problem that I didn't know what the
correct entry in the users file would be. With the change, with the @provider1
domain, the server is replying properly, but without a domain, the server
didn't reply at all.

I then tried your suggestion of adding the 'DEFAULT Realm == NULL,
Auth-Type := Reject' entry. Same case as above. Without a domain, the
server simply didn't answer, not even with a reject.

BUT, looking at the debug output of Radius -X I found the missing piece. In the 
proxy.conf file, the NULL entry was commented. I removed the comments, pointed 
it to LOCAL, and the entry you suggested for the users file (DEFAULT Realm == 
NULL) kicked in. It's now working as desired.

Thank you for your help,

Marcos Roberto Greiner

-- 
  -
Marcos Roberto Greiner

   Optimists think that we are in the best of all worlds
Pessimists are afraid that this is true
   Murphy
  -

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accounting question

2007-04-09 Thread Ian Truelsen
When I connect to my AP, authenticated by freeradius using EAP-TLS, I
get an entry into radpostauth, entries
in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
files, but I am not getting any entries into radacct. I don't know
whether this is because the NAS is not sending any accounting packets or
my setup is not correct. However, since I am getting the entries into
radpostauth, I think I must have the setup correct.

In what circumstances are accounting packets sent from the NAS? How can
I test to see whether the packets are being sent? What sort of
information is supposed to be stored in radacct?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting question

2007-04-09 Thread Alan DeKok
Ian Truelsen wrote:
 When I connect to my AP, authenticated by freeradius using EAP-TLS, I
 get an entry into radpostauth, entries
 in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
 files, but I am not getting any entries into radacct. I don't know
 whether this is because the NAS is not sending any accounting packets or
 my setup is not correct. However, since I am getting the entries into
 radpostauth, I think I must have the setup correct.

  As the README and FAQ say: run the server in debugging mode.  It will
tell you if it's receiving accounting packets.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RadiusExpert Wiki

2007-04-09 Thread Mike McCauley
Hi all,

Open System Consultants (OSC) has established a free resource for the RADIUS
user community to collect and share information about configuring and
implementing RADIUS protocol devices and software.

RadiusExpert:Community Portal at
http://www.open.com.au/wiki/index.php/Main_Page will become the repository
for all the information that often resides only in the heads of system
administrators who manage and maintain the security access and
authentication requirements of their networks.

We welcome contributions about such topics as configuring various RADIUS
devices, load balancing with RADIUS servers and wireless authentication tips
from our very active user community.

If you can contribute any information on any RADIUS topic to the benefit of
the entire community, please feel free.

This is not a trawl for customers by OSC, but a genuine attempt to assist 
everyone in the RADIUS community. The wiki is vendor-neutral and covers all 
free and commercial RADIUS servers and compatible devices.
This message was posted with the assent of Alan DeKok.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Alternate proxying methods.

2007-04-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
   So... Replicate-To-Realm doesn't work.  I'd be curious to know what it
 does for you.
...
 But that would be because it's defined as attribute 1049 in 
 dictionary.freeradius.internal

  Yes.

 Well obviously someone wanted to implement it once, but never got round
 to it *sigh*.

  There was an implementation of it in 0.1 or 0.2, but it was removed
because it caused a great many problems in the server core.

 I had assumed that it would copy the incoming packet to the realm specified
 but also continue processing locally. This would really only be of use 
 for accounting packets.

  Yes.  The suggestion now is to use radrelay.  It's more work, but it
does the same thing.

  I *think* in 2.0 we can get radrelay to duplicate the functionality of
Replicate-To-Realm without too much effort, but I'll have to spend some
more time looking into it.

 Yes so the actual function is fine, it's just the terminology. A more 
 accurate name might be 'Assign-To-Realm', and then once it's been 
 'assigned' the internet logic of the realm
 will decide where it's actually proxied to.

  That's a reasonable name.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with mschap, ntlm_auth and a conditional syntax

2007-04-09 Thread latin
Hello,

I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in
radiusd.conf:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

A corresponding part of debug from radiusd -X is:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge:-00'
  rlm_mschap: Unknown expansion string Challenge:-00
radius_xlat:  '--challenge='
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response:-00'
  rlm_mschap: Unknown expansion string NT-Response:-00
radius_xlat:  '--nt-response='
Exec-Program output: Specify all required command line parameters!
Exec-Program-Wait: plaintext: Specify all required command line parameters!
Exec-Program: returned: 1

When I remove conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

authentication operates correctly:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: ca
radius_xlat:  '--challenge=1d6796d06b4bab53'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: 
'--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY:
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

I tested freeradius 1.1.4 with conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

It's OK:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with
NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: af
radius_xlat:  '--challenge=eebe17185aaa4366'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: 
'--nt-response=f668c0b7b4e32deeb49529c2f3295699561589836d73f474'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY:
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e
NT_KEY: 9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0


Lukasz Lacinski
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with mschap, ntlm_auth and a conditional syntax

2007-04-09 Thread Lukasz Lacinski
Below is my previous e-mail, but with output from freeradius in format easier 
to read.

I use ntlm_auth in mschapv2 (freeradius 20070409) by the following line in 
radiusd.conf:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

A corresponding part of debug from radiusd -X is:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge:-00'
  rlm_mschap: Unknown expansion string Challenge:-00
radius_xlat:  '--challenge='
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response:-00'
  rlm_mschap: Unknown expansion string NT-Response:-00
radius_xlat:  '--nt-response='
Exec-Program output: Specify all required command line parameters!
Exec-Program-Wait: plaintext: Specify all required command line parameters!
Exec-Program: returned: 1

When I remove conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

authentication operates correctly:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: ca
radius_xlat:  '--challenge=1d6796d06b4bab53'
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat: '--nt-response=69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0

I tested freeradius 1.1.4 with conditional syntax:
ntlm_auth = /usr/local/eduroam/progs/ntlm/ntlm_auth.pl --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

and here parameters with conditional syntax are interpreted correctly:

  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
radius_xlat:  '--username=uzyszkodnik'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: af
radius_xlat:  '--challenge=eebe17185aaa4366'
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat: '--nt-response=f668c0b7b4e32deeb49529c2f3295699561589836d73f474'
Exec-Program output: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program-Wait: plaintext: NT_KEY: 9d1f2ebc255b18c110a446e5de42389e NT_KEY: 
9D1F2EBC255B18C110A446E5DE42389E
Exec-Program: returned: 0


Lukasz Lacinski

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
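The difference between the two server versions in this report comes down to where the `:-default` part of a `%{module:string:-default}` expansion is split off. Here is an added Python model of that expansion (not FreeRADIUS's radius_xlat and not code from the thread): it handles nested `%{...:-...}` defaults and a module-registered xlat, and a flag reproduces the behaviour in the first debug output, where the module receives `Challenge:-00` whole and reports an unknown expansion string. The `mschap_xlat` stand-in just looks the values up in a constructed request (the real module derives them from the MS-CHAP attributes); the request values reuse the hex strings shown in the working debug output.

```python
def _closing_brace(s, start):
    """Index of the '}' matching the '%{' at s[start:start + 2]; handles nesting."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in xlat string: " + s)


def _split_default(inner):
    """Split 'name:-default' at the first top-level ':-', ignoring nested %{...}."""
    depth, i = 0, 0
    while i < len(inner):
        if inner.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", i):
            return inner[:i], inner[i + 2:]
        i += 1
    return inner, None


def _expand_ref(inner, request, modules, module_strips_default):
    name, default = _split_default(inner)
    if ":" in name:
        # %{module:string}: hand the string to the module's registered xlat function
        module, arg = name.split(":", 1)
        if not module_strips_default:
            # Behaviour in the first debug log: the whole 'Challenge:-00' reaches the module
            arg, default = inner.split(":", 1)[1], None
        value = modules.get(module, lambda a, r: "")(arg, request)
    else:
        value = request.get(name, "")
    if value == "" and default is not None:
        return expand(default, request, modules, module_strips_default)
    return value


def expand(template, request, modules, module_strips_default=True):
    """Expand every %{...} in template against the request attributes and module xlats."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _closing_brace(template, i)
            out.append(_expand_ref(template[i + 2:end], request, modules, module_strips_default))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def mschap_xlat(arg, request):
    """Stand-in for rlm_mschap's xlat: known strings map to request values,
    anything else is an 'Unknown expansion string' and yields nothing."""
    table = {"Challenge": "MS-CHAP-Challenge", "NT-Response": "MS-CHAP2-Response"}
    return request.get(table[arg], "") if arg in table else ""


MODULES = {"mschap": mschap_xlat}

# The ntlm_auth arguments from the thread, without the program path
NTLM_AUTH_ARGS = ("--username=%{Stripped-User-Name:-%{User-Name:-None}} "
                  "--challenge=%{mschap:Challenge:-00} "
                  "--nt-response=%{mschap:NT-Response:-00}")

# Constructed request; the hex values are the ones shown in the working debug output
SAMPLE_REQUEST = {
    "User-Name": "uzyszkodnik@example.org",
    "Stripped-User-Name": "uzyszkodnik",
    "MS-CHAP-Challenge": "1d6796d06b4bab53",
    "MS-CHAP2-Response": "69bbd30b6a06d6be5cc2fb88c658c1582da5a8a91ebcbee8",
}


def working_expansion():
    """Default split off before the module is called (1.1.4 behaviour)."""
    return expand(NTLM_AUTH_ARGS, SAMPLE_REQUEST, MODULES)


def broken_expansion():
    """Default passed through to the module (behaviour in the first debug log)."""
    return expand(NTLM_AUTH_ARGS, SAMPLE_REQUEST, MODULES, module_strips_default=False)


if __name__ == "__main__":
    print(working_expansion())
    print(broken_expansion())
```

Run stand-alone it prints the two command lines side by side; the broken form yields empty `--challenge=` and `--nt-response=` arguments exactly as the first log shows, and with a request that carries no MS-CHAP values the working form falls back to the `00` defaults.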


Re: Accounting question

2007-04-09 Thread Ethan Dicks
On 4/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Ian Truelsen wrote:
  When I connect to my AP, authenticated by freeradius using EAP-TLS, I
  get an entry into radpostauth, entries
  in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
  files, but I am not getting any entries into radacct. I don't know
  whether this is because the NAS is not sending any accounting packets or
  my setup is not correct. However, since I am getting the entries into
  radpostauth, I think I must have the setup correct.

   As the README and FAQ say: run the server in debugging mode.  It will
 tell you if it's receiving accounting packets.

I did just that when I set up a Foundry test switch, and I noticed
that I was getting (and entering into the database) authorization, but
not accounting packets.  A bit of digging in the docs later, and I was
able to cobble up the incantation to tell the switch to send
accounting information, too.  I'd previously set up the correct ports,
but it took additional commands to get the switch to _send_ the
packets over the port.

Check the docs for your NAS, specifically look for something like aaa
accounting enable... or the like.  You didn't say what vendor made
your NAS, so guessing commands is going to be a bit difficult.

-ethan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
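Since the open question in this thread is whether Accounting-Request packets reach the server at all, here is an added Python example (not part of the thread, and not FreeRADIUS or radclient code) that builds an RFC 2866 Accounting-Request (Start), computes its Request Authenticator, and checks a server's Accounting-Response, which are the integrity checks the NAS and the server perform on each other. The shared secret, user name, session id and NAS address are constructed sample values, and the `send_accounting_start` helper is an assumed way of aiming that packet at your own server on UDP port 1813; nothing is sent when the module is imported.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types from RFC 2865 / RFC 2866
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def avp(attr_type, value):
    """Encode one attribute as Type, Length (including these two octets), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, attributes):
    """Accounting-Request: the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """What the server does on receipt: recompute the Request Authenticator.
    A packet that fails this check is silently discarded (RFC 2866 section 3),
    which is why a wrong shared secret looks like 'no accounting at all'."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request, secret):
    """Accounting-Response with no attributes; its authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_accounting_response(response, request, secret):
    """What the NAS does: the reply must match the outstanding request's
    identifier and authenticator, so a forged or replayed reply is rejected."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Walk the attribute list of a packet; returns [(type, value_bytes), ...]."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def sample_start_request(secret=b"testing123", identifier=7):
    """Constructed sample: a Start record for user 'ian' from NAS 192.168.3.115."""
    return build_accounting_request(identifier, secret, [
        avp(USER_NAME, b"ian"),
        avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        avp(ACCT_SESSION_ID, b"0001"),
        avp(NAS_IP_ADDRESS, socket.inet_aton("192.168.3.115")),
    ])


def send_accounting_start(server, secret, port=1813, timeout=3.0):
    """Assumed test helper: send the sample Start to your own server and report
    whether a valid Accounting-Response came back within the timeout."""
    request = sample_start_request(secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_accounting_response(response, request, secret)
```

Used against a server running in debugging mode, as Alan advises, this separates the two failure modes in the original question: if the debug output shows the packet arriving, the NAS-side configuration is fine and the database side needs attention; if the packet is shown but discarded for a bad authenticator, the shared secret differs between the two ends; if nothing arrives, the NAS is not sending, which is where Ethan's `aaa accounting` style commands come in.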


Re: Can i do that?

2007-04-09 Thread Marat Rysbekov
Hello, apolyxrono.

OK, an example. I use freeradius server to do the accounting for my
DSL clients. There are two tables in the accounting scheme:

1. dsl_accounting. This is a shorter version of radacct, containing
only the fields I found to be useful to me.

MySQL create statement:

CREATE TABLE `radius`.`dsl_accounting` (
  `RadAcctId` bigint(21) NOT NULL auto_increment,
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `UserName` varchar(64) NOT NULL default '',
  `AcctStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `AcctSessionTime` int(12) default '0',
  `AcctInputOctets` bigint(12) default '0',
  `AcctOutputOctets` bigint(12) default '0',
  `CallingStationId` varchar(50) NOT NULL default '',
  `FramedIPAddress` varchar(15) NOT NULL default '',
  PRIMARY KEY  (`RadAcctId`),
  KEY `UserName` (`UserName`),
  KEY `FramedIPAddress` (`FramedIPAddress`),
  KEY `AcctUniqueId` (`AcctUniqueId`),
  KEY `AcctStartTime` (`AcctStartTime`),
  KEY `AcctStopTime` (`AcctStopTime`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

The logic:

At the start of accounting session a new row is inserted with the
following fields:

RadAcctId = auto-incremented value;
AcctUniqueId = %{Acct-Unique-Session-Id} variable passed by freeradius;
UserName = %{SQL-User-Name} variable passed by freeradius;
AcctStartTime = %S value (current time) passed by freeradius;
AcctStopTime = '0000-00-00 00:00:00';
AcctSessionTime = 0;
AcctInputOctets = 0;
AcctOutputOctets = 0;
CallingStationId = %{Calling-Station-Id} variable passed by freeradius;
FramedIPAddress = %{Framed-IP-Address} variable passed by freeradius.

With the arrival of Accounting Update packet the appropriate row is
updated as follows:

AcctSessionTime = %{Acct-Session-Time} variable passed by freeradius;
AcctInputOctets = %{Acct-Input-Octets} variable passed by freeradius;
AcctOutputOctets = %{Acct-Output-Octets} variable passed by freeradius.

When the accounting session is finalized the appropriate row is
updated as follows:

AcctStopTime = %S value (current time) passed by freeradius;
AcctSessionTime = %{Acct-Session-Time} variable passed by freeradius;
AcctInputOctets = %{Acct-Input-Octets} variable passed by freeradius;
AcctOutputOctets = %{Acct-Output-Octets} variable passed by freeradius.

2. dsl_accounting_details. This one stores information about every
fragment of the accounting session (time between consecutive
accounting packets arrival, 60 seconds in my case), and can be used
for bandwidth usage graphs, statistical reports, etc.

MySQL create statement:

CREATE TABLE `radius`.`dsl_accounting_details` (
  `AcctFragId` bigint(21) NOT NULL auto_increment,
  `AcctUniqueId` varchar(32) NOT NULL default '',
  `FragStartTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `FragStopTime` datetime NOT NULL default '0000-00-00 00:00:00',
  `FragInputOctets` bigint(12) default NULL,
  `FragOutputOctets` bigint(12) default NULL,
  PRIMARY KEY  (`AcctFragId`),
  KEY `FragStartTime` (`FragStartTime`),
  KEY `FragStopTime` (`FragStopTime`),
  KEY `AcctUniqueId` (`AcctUniqueId`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

The logic:

At the start of accounting session a new row is inserted with the
following fields:

AcctFragId = auto-incremented value;
AcctUniqueId = %{Acct-Unique-Session-Id} variable passed by freeradius;
FragStartTime = %S value (current time) passed by freeradius;
FragStopTime = '0000-00-00 00:00:00';
FragInputOctets = 0;
FragOutputOctets = 0.

With the arrival of Accounting Update packet the appropriate row is
updated as follows:

FragStopTime = %S value (current time) passed by freeradius;

FragInputOctets = input traffic since last accounting packet (a
difference between current dsl_accounting.AcctInputOctets and a new
value passed by freeradius in the %{Acct-Input-Octets} variable;

FragOutputOctets = output traffic since last accounting packet (a
difference between current dsl_accounting.AcctOutputOctets and a new
value passed by freeradius in the %{Acct-output-Octets} variable;

... and then a new row is inserted (see above).

When the accounting session is finalized the appropriate row is
updated as follows:

FragStopTime = %S value (current time) passed by freeradius;

FragInputOctets = input traffic since last accounting packet (a
difference between current dsl_accounting.AcctInputOctets and a new
value passed by freeradius in the %{Acct-Input-Octets} variable;

FragOutputOctets = output traffic since last accounting packet (a
difference between current dsl_accounting.AcctOutputOctets and a new
value passed by freeradius in the %{Acct-output-Octets} variable.


You can't make several inserts/updates (and calculate traffic
differences, which requires an additional select) with a single SQL
query. This is where MySQL stored procedures come in handy. To implement
the described accounting scheme the following procedures can be used:

1. dsl_acct_start

DELIMITER $$

DROP PROCEDURE IF