Re: Freeradius help to update /etc/hosts?

2009-08-24 Thread Alan DeKok
Dave wrote:
 I've been using freeradius for years to authenticate pppoe users for my
 WISP. Customers get dynamic IP addresses from an IP pool.
 I'm going to be implementing a new monitoring system, and I need to use
 hostnames to check on customer status.
 Anyone have ideas how freeradius can update a DNS server such as BIND or
 other linux DNS server?

  Use PowerDNS.  Put the host names into SQL.  Use FreeRADIUS (2.1.6) to
do SQL inserts.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


invoke userdefine module

2009-08-24 Thread shivashankar

Hi,

I installed freeradius 2.1.6.

I added one user-defined module.

But I need to invoke this module to test the username and password.

Could you please let me know how to invoke that user-defined module?

Regards,
shiva shankar



Re: invoke userdefine module

2009-08-24 Thread Doug Hardie

See http://wiki.freeradius.org/Modules2


On 23 August 2009, at 23:45, shivashankar wrote:



Hi,

I installed freeradius 2.1.6.

I added one user-defined module.

But I need to invoke this module to test the username and password.

Could you please let me know how to invoke that user-defined module?

Regards,
shiva shankar



Re: rlm_perl / libtool / libltdl problem

2009-08-24 Thread Anton Brinyov
 Does this mean you are also having this problem with 2.2.6a of 
 libtool/libltdl?

Yes.

 There isn't a permanent solution that I know of yet.  However, there is a 
 workaround that you can use for now:

 LD_PRELOAD=path_to_libperl.so /usr/local/sbin/radiusd

Thanks. It works.


 Where path_to_libperl.so is the full path for that file (e.g., it's 
 /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so on one of my systems).

 -Original Message-
 From: 
 freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
 [mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
  On Behalf Of Anton Brinyov
 Sent: Sunday, August 23, 2009 6:17 PM
 To: FreeRadius users mailing list
 Subject: Re: rlm_perl / libtool / libltdl problem

 Hi,

 It means there isn't a solution for this problem now?

 Thanks,
 Anton



Failed to add duplicate client problem

2009-08-24 Thread Wegener, Norbert
We have a vpn gateway with different URLs for different user groups. For each 
URL a specific radius server has to be defined. Up to now those different 
radius servers have been installed on different machines. When trying to 
consolidate those servers within different virtual servers on one single 
machine freeradius refuses to start with the "Failed to add duplicate client xx 
to clients list. Maybe there's a duplicate?" message. Yes, there is a 
duplicate and it is on purpose.
Is there a way to circumvent this?


Kind regards,
Norbert Wegener

Re: Failed to add duplicate client problem

2009-08-24 Thread Alan DeKok
Wegener, Norbert wrote:
 We have a vpn gateway with different URLs for different user groups. For
 each URL a specific radius server has to be defined. Up to now those
 different radius servers have been installed on different machines. When
 trying to consolidate those servers within different virtual servers on
 one single machine freeradius refuses to start with the "Failed to add
 duplicate client xx to clients list. Maybe there's a duplicate?"
 message. Yes, there is a duplicate and it is on purpose.
 Is there a way to circumvent this?

  List the clients under different virtual servers, and have the virtual
servers listen on different IP addresses.

  The list of clients is based off of a virtual server.  Within each
virtual server, the client IP addresses *must* be unique.

  If you post your config, my guess is that you have *global* clients,
and then are defining the same client IP twice.

  Alan DeKok.
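An added illustration of the layout Alan describes, written for this page and not taken from the thread or from the FreeRADIUS distribution. The server names, addresses and secrets are made up, and the snippet assumes the FreeRADIUS 2.x syntax of named `clients <name> { }` lists referenced by `clients = <name>` inside a `listen` section:

```text
# Two named client lists.  The same gateway address appears in both, which
# is allowed because each list is attached to a different listen socket.
clients gateway_group_a {
        client 192.0.2.100 {            # VPN gateway (constructed address)
                secret    = PLACEHOLDER_SECRET_A
                shortname = vpn-gw-a
        }
}

clients gateway_group_b {
        client 192.0.2.100 {            # same gateway, second list
                secret    = PLACEHOLDER_SECRET_B
                shortname = vpn-gw-b
        }
}

# One virtual server per gateway URL, each listening on its own IP address
# and using only its own client list.
server vpn_group_a {
        listen {
                type    = auth
                ipaddr  = 192.0.2.10    # constructed address for group A
                port    = 1812
                clients = gateway_group_a
        }
        authorize {
                files
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}

server vpn_group_b {
        listen {
                type    = auth
                ipaddr  = 192.0.2.11    # constructed address for group B
                port    = 1812
                clients = gateway_group_b
        }
        authorize {
                files
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}
```

Each listen socket sees only the client list it names, so the two definitions of 192.0.2.100 live in separate lists and the per-virtual-server uniqueness rule Alan states is not violated. The gateway selects the virtual server simply by which IP address it sends to.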


AW: Failed to add duplicate client problem

2009-08-24 Thread Wegener, Norbert

  If you post your config, my guess is that you have *global* clients,
and then are defining the same client IP twice.

The clients are read from an sql database. As every client has a corresponding 
server attached in that database it could be assumed that every client is local 
to that virtual server. 
This obviously is not true. 
Having distinct sql*conf files for each server and different nas_query in 
dialup*.conf solves the problem. 
Thank you.

  Norbert Wegener



Re: invoke userdefine module

2009-08-24 Thread shiva shankar
Hi Doug Hardie,

I added the module through this link only.
The thing is I need to check the username and password in the newly created module.

2009/8/24 Doug Hardie bc...@lafn.org

 See http://wiki.freeradius.org/Modules2


 On 23 August 2009, at 23:45, shivashankar wrote:


 Hi,

 I installed freeradius 2.1.6.

 I added one user-defined module.

 But I need to invoke this module to test the username and password.

 Could you please let me know how to invoke that user-defined module?

 Regards,
 shiva shankar





-- 

Regards,
shiva shankar

Re: invoke userdefine module

2009-08-24 Thread Ivan Kalik
You call the module like any other: by listing it in virtual server
configuration. That link explains how the module can get attributes from
the request.

Ivan Kalik
Kalik Informatika ISP

 I added the module through this link only.
 The thing is I need to check the username and password in the newly created module.

 2009/8/24 Doug Hardie bc...@lafn.org

 See http://wiki.freeradius.org/Modules2


 On 23 August 2009, at 23:45, shivashankar wrote:


 Hi,

 I installed freeradius 2.1.6.

 I added one user-defined module.

 But I need to invoke this module to test the username and password.

 Could you please let me know how to invoke that user-defined module?

 Regards,
 shiva shankar





 --

 Regards,
 shiva shankar




Re: AW: Failed to add duplicate client problem

2009-08-24 Thread Alan DeKok
Wegener, Norbert wrote:
  If you post your config, my guess is that you have *global* clients,
 and then are defining the same client IP twice.
 
 The clients are read from an sql database. As every client has a 
 corresponding server attached in that database it could be assumed that every 
 client is local to that virtual server. 
 This obviously is not true. 

  Ah... that code isn't written.  The add client routine needs to
catch the case of SQL adding clients with servers.  It doesn't do that
right now.

 Having distinct sql*conf files for each server and different nas_query in 
 dialup*.conf solves the problem. 
 Thank you.

  OK.  We'll take a look at fixing it in the next release.

  Alan DeKok.


Re: CoA-Ack and radclient/radiusd

2009-08-24 Thread Anton G.

Alan DeKok wrote:

Anton G. wrote:

Got today's git/stable and tried; same result.. (


  Are you sure you're using *that* version, and that you don't have
multiple versions of the software installed?


Yes, checked it twice..





Alan, can you please provide me some tips to do further debug of this?


  It involves looking through the hashes in src/lib/packet.c.  It's not
pretty...


Well, I have no choice, I should dig it out.




Not mentioning radiusd CoA,
I'm pretty puzzled why radclient doesn't want to handle CoA-ACK from the nas..


  I don't know... others have got this to work.


I understand,
radclient has had CoA support for a long time..



  What's the OS / CPU?

FreeBSD 7.1-RELEASE-p3 jail

Could it be OS specific?
or NAS specific ?




Re: Echo the radius accounting request

2009-08-24 Thread ganesh nagpure
Hi,

Thanks for your mail.

I want to send the radius accounting packets to the home server but the home server 
is not a radius server. It will take that accounting packet and process it for 
billing, and I also need the following thing in the echo request

username= us...@doamain.com
calling-station-id= user1

username= us...@doamain.com
calling-station-id= user2

Is it possible?

Cheers
Ganesh

--- On Fri, 8/21/09, Ivan Kalik t...@kalik.net wrote:

 From: Ivan Kalik t...@kalik.net
 Subject: Re: Echo the radius accounting request
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Date: Friday, August 21, 2009, 9:32 PM
  RAS --- Free radius 
 Proxy Radius
 
  1) I want to echo the free radius accounting request
 with modified two
  radius attributes to another proxy radius server.
 
 See copy-acct-to-home-server virtual server.
 
  2) but another radius server will not send any
 aknowledgement back to
  freeradius server.
 
 And freeradius will mark it as dead and stop sending
 packets to it. Why
 would you want to break the home server so it would stop
 responding?
 
 
 Ivan Kalik
 Kalik Informatika ISP
 


  


Re: files: How to choose SQL entry for users?

2009-08-24 Thread George Koulyabin
Hi.

I tried to use sql_auth-SQL-Group like the ldap example (DEFAULT sql_auth-SQL-Group 
== Group1), but the FR server
failed with the error 'users[1]: Parse error (check) for entry DEFAULT: Invalid 
octet string Group1 for
attribute name sql_auth-SQL-Group'. This error says that the attribute is not 
defined in the dictionary.
I had success when 'sql_auth' was defined as the last entry in instantiate { 
}. But I think that this
solution is insecure and wrong.

On Fri, Aug 21, 2009 at 07:14:32PM +0100, Ivan Kalik wrote:
  users:
   DEFAULT SQL-Group == 'Group1'
...
 
  But files chooses sql_acct (alphabetic first) as sql entry.
  How to choose sql_auth?

 http://wiki.freeradius.org/Rlm_ldap#Group_Support

 Same applies to sql groups.


 Ivan Kalik
 Kalik Informatika ISP


Re: files: How to choose SQL entry for users?

2009-08-24 Thread Alan DeKok
George Koulyabin wrote:
 I had success when 'sql_auth' was defined as the last entry in instantiate 
 { }. But I think that this
 solution is insecure and wrong.

  Why is that?

  Alan DeKok.


Re: files: How to choose SQL entry for users?

2009-08-24 Thread Ivan Kalik
 I tried to use sql_auth-SQL-Group like the ldap example (DEFAULT
 sql_auth-SQL-Group == Group1), but the FR server
 failed with the error 'users[1]: Parse error (check) for entry DEFAULT:
 Invalid octet string Group1 for
 attribute name sql_auth-SQL-Group'. This error says that the attribute is
 not defined in the dictionary.
 I had success when 'sql_auth' was defined as the last entry in
 instantiate { }.

Yes, you do need to list them in instantiate if files is instantiated first
in the startup sequence. But you can change the order the modules are listed.

 But I think that this
 solution is insecure and wrong.

Why?

Ivan Kalik
Kalik Informatika ISP



Re: Echo the radius accounting request

2009-08-24 Thread Fajar A. Nugraha
On Mon, Aug 24, 2009 at 5:35 PM, ganesh nagpuregnagpure_m...@yahoo.com wrote:
 Hi,

 Thanks for your mail.

 I want to send the radius accounting packets to the home server but the home 
 server is not a radius server.
 It will take that accounting packet and process it for billing

In that case why bother proxying radius packets? Why not simply write
the acct packets to a database and have your billing application read
the database?

 and I also need the following thing in echo request

 username= us...@doamain.com
 calling-station-id= user1

 username= us...@doamain.com
 calling-station-id= user2


Should be easy from freeradius' default radacct table.

-- 
Fajar


check username and password

2009-08-24 Thread shivashankar

Hi,

How to check the username and password in the rlm_wipromodule (user-defined) module?

Please help.



Re: check username and password

2009-08-24 Thread Ivan Kalik
 How to check the username and password in the rlm_wipromodule (user-defined) module?


Did you actually read this?

http://wiki.freeradius.org/Modules2#Accessing_Radius_Request_Attributes

Ivan Kalik
Kalik Informatika ISP



Freeradius die-ing without any reason or log

2009-08-24 Thread Johan Meiring

Hi,

I have a production server running freeradius 2.0.5 on debian lenny.

Basic description as follows:
Server has been up for about a year.
Not too busy.
Approx 1.6 million interim accounting updates per month.
Server runs rlm_perl only.
Perl talks to sql database.
All packets stored in sql, auth/start/stop/interim.
Some queries do need a bit of optimization, it's on my todo list.

Above info is basically so you can get an idea of how busy the server is.

Now my problem:

It has now happened three times that the server has just died.
All three times in the past 3 months.

Server is getting busier over time, and it didn't happen in the 
beginning, so it could be load related.


When it dies there is nothing in the logs whatsoever.  Just my last log 
entry that I made from perl, and nothing else.


I also checked the system log files for things like oomkiller, nothing.

Any ideas on where to start troubleshooting as to why this happens, as 
the logs contain nothing whatsoever?


I realise this is vague, please let me know if you need more info.

Obviously posting the full log is not going to work, as the server lasts 
4-6 weeks before crashing.


I have in the meantime upgraded to freeradius downloaded and compiled 
from git on about 2009-05-27 (identifies itself as 2.1.6, but from git 
about a week after the release of 2.1.6).


No idea if this will resolve the issue.

Thanks!

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Proxying accounting to create a 'tee'

2009-08-24 Thread Arran Cudbard-Bell

On 23/08/2009 18:17, Fajar A. Nugraha wrote:
 On Sun, Aug 23, 2009 at 11:54 PM, Ivan Kalikt...@kalik.net wrote:
 On Sat, Aug 22, 2009 at 5:53 PM, Arran
 Cudbard-Bella.cudbard-b...@sussex.ac.uk wrote:
 Fajar A. Nugraha wrote:
 In that setup, where does one get AcctStartTime and AcctStopTime
 values?

 Or just use whatever functions are available in your scripting
 environment.
 - is it from the NAS?

 No, the NAS doesn't include any timestamps.

 Your answer is the complete opposite of Ivan's response :D So which
 one is correct?

 His. Packet timestamp is generated by radius server.

 
 So %S in dialup.conf is packet timestamp, and if I'm reading from
 detail file I should make use of the attribute
 Packet-Original-Timestamp (or similar) to get the real packet
 timestamp?
 

No, that'll get you the timestamp of when the packet was read back into the 
server. The only way to calculate the original received timestamp is to write 
the original Acct-Delay-Time into a custom
attribute (say Acct-Delay-Time-Orig), subtract that from the current 
Acct-Delay-Time, then that from the current UNIX timestamp.

received_time = current_unix_ts - (Acct-Delay-Time - Acct-Delay-Time-Orig)

If you just want an accurate start time, you need to subtract Acct-Delay-Time 
from the current timestamp.

start_time = current_unix_ts - Acct-Delay-Time

See it's all pretty simple :) You can do the above calculations with the 
expressions module (expr) which operates in pretty much the same way as the TCL 
expressions module.

 Thanks for the help. I'm trying to deploy a setup similar to John's,
 proxying acct packets only, where proxying failure should not affect
 response to the NAS. Decoupled accounting along with getting the
 original packet timestamp seems to be the key of getting this right.
 

Yeah it's a pretty common setup, we do it too. One thing you have to watch out 
for is packets with fatal errors, where the remote accounting server never 
acknowledged receipt of the packet, so it
gets stuck in an infinite loop in the proxying queue.

I haven't figured out how to solve this properly with the current setup, so 
it'd be good to see some discussion on list about it.

- -- 
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
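As an added worked example, written for this page and not part of Arran's message or of the FreeRADIUS sources, the two formulas above applied to records laid out like a detail file. The detail-file layout assumed here (a date header line per record, tab-indented `Attribute = value` lines, a blank line between records), the sample records, the `NOW` timestamp and the `Acct-Delay-Time-Orig` attribute name are all constructed for the example; the third record deliberately lacks the custom attribute so the fallback path is exercised.

```python
import re

# Constructed sample records in the assumed detail-file layout.  The
# Acct-Delay-Time-Orig attribute is the custom one proposed in the thread;
# the third record does not carry it.
SAMPLE_DETAIL = """\
Mon Aug 24 10:05:00 2009
\tAcct-Status-Type = Start
\tUser-Name = "user1@example.net"
\tAcct-Delay-Time = 3
\tAcct-Delay-Time-Orig = 3

Mon Aug 24 10:05:00 2009
\tAcct-Status-Type = Interim-Update
\tUser-Name = "user2@example.net"
\tAcct-Delay-Time = 125
\tAcct-Delay-Time-Orig = 5

Mon Aug 24 10:05:00 2009
\tAcct-Status-Type = Stop
\tUser-Name = "user3@example.net"
\tAcct-Delay-Time = 7
"""

# Constructed "current UNIX timestamp" of the server replaying the file.
NOW = 1251108300

ATTR_RE = re.compile(r"^\t([\w-]+)\s*=\s*(.*)$")


def parse_detail(text):
    """Split detail-file text into a list of {attribute: value} dicts."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:        # tab-indented attribute line
            name, value = m.groups()
            current[name] = value.strip().strip('"')
        elif not line.startswith("\t"):      # date header opens a record
            current = {"_header": line}
    if current is not None:
        records.append(current)
    return records


def start_time(record, now):
    """start_time = current_unix_ts - Acct-Delay-Time"""
    return now - int(record.get("Acct-Delay-Time", 0))


def received_time(record, now):
    """received_time = current_unix_ts - (Acct-Delay-Time - Acct-Delay-Time-Orig)

    Returns None when the custom Acct-Delay-Time-Orig attribute is absent, and
    rejects a delay that shrank below its original value, which would mean the
    attribute was not carried through unchanged.
    """
    if "Acct-Delay-Time-Orig" not in record:
        return None
    delay = int(record.get("Acct-Delay-Time", 0))
    orig = int(record["Acct-Delay-Time-Orig"])
    if delay < orig:
        raise ValueError("Acct-Delay-Time %d is below its original value %d"
                         % (delay, orig))
    return now - (delay - orig)


def summarize(text, now):
    """One (User-Name, Acct-Status-Type, start_time, received_time) per record."""
    return [(r.get("User-Name"), r.get("Acct-Status-Type"),
             start_time(r, now), received_time(r, now))
            for r in parse_detail(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_DETAIL, NOW):
        print(row)
```

The second record shows the difference between the two values: a delay of 125 seconds of which 5 were already present when the NAS first sent the packet, so the start time is 125 seconds back while the time the server first received it is 120 seconds back. Without `Acct-Delay-Time-Orig`, as in the third record, only `start_time()` can be computed.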


Re: files: How to choose SQL entry for users?

2009-08-24 Thread George Koulyabin
On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
 George Koulyabin wrote:
  I had got success when 'sql_auth' was defined as last entry into 
  instantiate { }. But I think that this
  solution is unsecure and wrong.
 
   Why is that?

For example, I added a new sql-module into sql.conf and forgot to fix the 
order of loading of sql-modules 
in instantiate { }. I tried to do it. The 'users' used the last sql-module of 
sql.conf. 
The variable 'sqlmod-inst' is used by the 'sqlcounter' module, but why isn't such 
a variable used in the 'files' module?

 
   Alan DeKok.


Re: Proxying accounting to create a 'tee'

2009-08-24 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 No, that'll get you the timestamp of when the packet was read back into the 
 server. The only way to calculate the original received timestamp is to write 
 the original Acct-Delay-Time into a custom
 attribute (say Acct-Delay-Time-Orig), subtract that from the current 
 Acct-Delay-Time, then that from the current UNIX timestamp.

  The detail file reader creates/updates the Acct-Delay-Time based on
how long the packet has been sitting in the detail file.  There's no
need to update it manually.

 Yeah it's a pretty common setup, we do it too. One thing you have to watch 
 out for is  packets with fatal errors. Where the remote accounting server 
 never acknowledged receipt of the packet, so it
 gets stuck in an infinite loop in the proxying queue.
 
 I haven't figured out how to solve this properly with the current setup, so 
 it'd be good to see some discussion on list about it.

  Hmm... it should continue sending a packet from the detail file until
the upstream server has responded.  It shouldn't write packets to the
detail file if they've been read from the detail file.

  Alan DeKok.


Re: Freeradius die-ing without any reason or log

2009-08-24 Thread Alan DeKok
Johan Meiring wrote:
 I have a production server running freeradius 2.0.5 on debian lenny.
...
 It has now happened three times that the server has just died.
 All three times in the past 3 months.

  It's 2.0.5; there have been a number of issues fixed since then.

 Any ideas on where to start troubleshooting as to why this happens, as
 the logs contain nothing whatsoever?

  See doc/bugs in 2.1.x.  It contains instructions for running it under
gdb.  There are no performance impacts of doing this.

 I have in the meantime upgraded to freeradius downloaded and compiled
 from git on about 2009-05-27 (identifies itself as 2.1.6, but from git
 about a week after the release of 2.1.6).

  Grab the latest from stable git.  It has even more issues fixed...

  Alan DeKok.


Re: files: How to choose SQL entry for users?

2009-08-24 Thread Alan DeKok
George Koulyabin wrote:
 On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
 George Koulyabin wrote:
 I had success when 'sql_auth' was defined as the last entry in 
 instantiate { }. But I think that this
 solution is insecure and wrong.
   Why is that?
 
   For example, I added a new sql-module into sql.conf and forgot to fix 
 the order of loading of sql-modules 
 in instantiate { }. I tried to do it. The 'users' used the last sql-module of 
 sql.conf. 
 The variable 'sqlmod-inst' is used by the 'sqlcounter' module, but why isn't such 
 a variable used in the 'files' module?

  (a) That doesn't make it insecure.

  (b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql
group comparisons in the files module.  Adding one sqlmod-inst to
the files module won't help you try to use MULTIPLE sql modules.

  Alan DeKok.


Re: files: How to choose SQL entry for users?

2009-08-24 Thread Ivan Kalik
 On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
 George Koulyabin wrote:
  I had success when 'sql_auth' was defined as the last entry in
 instantiate { }. But I think that this
  solution is insecure and wrong.

   Why is that?

   For example, I added a new sql-module into sql.conf and forgot to fix 
 the order
 of loading of sql-modules
 in instantiate { }.

So you think freeradius is faulty and insecure because it didn't work the
way you wanted when you didn't configure it properly?

 The variable 'sqlmod-inst' is used by the 'sqlcounter' module, but why isn't such
 a variable used in the 'files' module?

sqlcounter will instantiate the sql instance it needs before it is
instantiated. The files module will not instantiate all possible sql, ldap,
counter and whatever instances that might field attributes in it. You will
have to add them to instantiate if they are not loaded *before* the files
module on server startup. If you list those instances before files in
authorize they should also be instantiated before files on startup.


Ivan Kalik
Kalik Informatika ISP



Re: Freeradius die-ing without any reason or log

2009-08-24 Thread Alan Buxey
Hi,

 I have a production server running freeradius 2.0.5 on debian lenny.

there have been several changes in the 2.1.x tree to stop random crashes
occurring - these are often the results of handlers being stripped,
memory leaks/overwrites and some very corner cases. i would try
the 2.1.6 release ('git' release if you are feeling brave)

alan


RE: TTLS to require client cert

2009-08-24 Thread Yoni Levin
I have a similar problem.
I also try to force TTLS to request a client certificate but it just does
not happen. The radius does not send the request.
Maybe the reason is that I added EAP-TLS-Require-client-cert = YES in
the wrong section?
I uncommented it in the tls section of eap.conf.

Thanks for your help.


-Original Message-
From:
freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org
[mailto:freeradius-users-bounces+yoni.levin=altair-semi@lists.freera
dius.org] On Behalf Of Petar Marinkovic
Sent: Thursday, July 16, 2009 12:43 AM
To: t...@kalik.net; FreeRadius users mailing list
Subject: Re: TTLS to require client cert

Yes, it does, but something isn't working, he is just not checking the
client certificate.

On 07/15/2009, Ivan Kalik t...@kalik.net wrote:
 Hi all, I need help once again. I want TTLS to require client cert. I
put
 EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's
not
 working. What I am doing wrong here?

 What isn't working? Freeradius can request a certificate - does your
 supplicant support that?



RE: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Gary Gatten
I'm assuming I can do roughly the same thing with NTLM_AUTH?  I have
to use NTLM_Auth for 8021x (right? - at least all docs say this), so if
I don't HAVE to use LDAP all the better.

TIA!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.or
g] On Behalf Of Jason Alderfer
Sent: Tuesday, August 18, 2009 2:18 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN attribute in LDAP or AD?


 So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
 working when I conf the users file.  However, I don't want to
 create/maintain the users file for 2,000 users!

 Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
 Ideally I could do this at the Group level, such that when a user
 moves from one group to another their automagically assigned to the
 correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the vlan based on the user's DN, but you
should be able to modify it to look at your group membership attribute. 
Repeat for all relevant ldap groups.

if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := 9
        }
}




Re: Proxying accounting to create a 'tee'

2009-08-24 Thread John Morrissey
On Sat, Aug 22, 2009 at 01:59:00AM +0100, Arran Cudbard-Bell wrote:
 On 21/08/2009 21:15, John Morrissey wrote:
  On Sun, Aug 16, 2009 at 10:11:02AM +0200, Alan DeKok wrote:
  vol...@ufamts.ru wrote:
  If home server does not respond, FR does not respond too - NAS repeats
  request - FR writes request data to SQL again.
 
So... configure the server to respond.  See the file
  raddb/sites-available/decoupled-accounting
  
  Is decoupled-accounting (writing all detail to disk and replaying it
  serialized with a detail listener) the only way to configure FreeRADIUS to
  respond to the NAS?
 
 Yes. Otherwise it'll wait for the response from the proxy server, and
 proxy the Accounting-Response from the proxy server back to the NAS. It's
 the only way the NAS could be sure the remote server received the
 Accounting-Request.

Right. I was hoping there was a way for robust-proxy-accounting to respond
to the NAS when the proxy isn't responding, since the accounting request has
been successfully processed (i.e., written to the detail log and saved for
later proxying).

  I'm adapting robust-proxy-accounting for our environment and can't
  figure out how (or if it's possible) to get FreeRADIUS to respond to the
  originating NAS when proxying fails and the detail is logged for later
  proxying.
 
 Yep that's a good idea if the data is time critical, it also allows
 multiple requests to be forwarded in parallel.

nod, this is my preference. Unfortunately (as I mentioned above), I haven't
been able to figure out if/how it's possible to have FreeRADIUS always
respond to the NAS, even when the proxy isn't responding and accounting is
spooled to the detail file for later processing.

john
-- 
John Morrissey  _o/\   __o
j...@horde.net_- \_  /  \   \,
www.horde.net/__(_)/_(_)/\___(_) /_(_)__


RE: TTLS to require client cert

2009-08-24 Thread Yoni Levin
Hi.
After configuring the parameter in the user configuration file
I get the following log.
However, sniffing shows that no request was sent to get the certificate.
Are any of you familiar with this problem?


[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls]  TLS 1.0 Handshake [length 005f], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls]  TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls]  TLS 1.0 Handshake [length 0aab], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls]  TLS 1.0 Handshake [length 030d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate




-Original Message-
From:
freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org
[mailto:freeradius-users-bounces+yoni.levin=altair-semi@lists.freera
dius.org] On Behalf Of Yoni Levin
Sent: Monday, August 24, 2009 5:38 PM
To: FreeRadius users mailing list; t...@kalik.net
Subject: RE: TTLS to require client cert

I have a similar problem.
I also try to force TTLS to request a client certificate but it just does
not happen. The radius does not send the request.
Maybe the reason is that I added EAP-TLS-Require-client-cert = YES in
the wrong section?
I uncommented it in the tls section of eap.conf.

Thanks for your help.


-Original Message-
From:
freeradius-users-bounces+yoni.levin=altair-semi@lists.freeradius.org
[mailto:freeradius-users-bounces+yoni.levin=altair-semi@lists.freera
dius.org] On Behalf Of Petar Marinkovic
Sent: Thursday, July 16, 2009 12:43 AM
To: t...@kalik.net; FreeRadius users mailing list
Subject: Re: TTLS to require client cert

Yes, it does, but something isn't working, he is just not checking the
client certificate.

On 07/15/2009, Ivan Kalik t...@kalik.net wrote:
 Hi all, I need help once again. I want TTLS to require client cert. I put
 EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not
 working. What I am doing wrong here?

 What isn't working? Freeradius can request a certificate - does your
 supplicant support that?

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Gary Gatten
So, by looking at this more carefully I'll have to do a bunch of
if/else's or cases?  What if for instance I have 500 departments/groups
- 500 different vlans?  I'll have to test each one?

I guess what I was hoping to do was something like:

Get attribute n for user y (where n = a value used for
Tunnel-Private-Group-Id

THEN do the processing you mentioned:

update reply {
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
 Tunnel-Private-Group-Id := n
}

Thoughts?

G


-Original Message-
From: Gary Gatten 
Sent: Monday, August 24, 2009 10:34 AM
To: 'FreeRadius users mailing list'
Cc: 'Jason Alderfer'
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

I'm assuming I can do roughly the same thing with NTLM_AUTH?  I have
to use NTLM_Auth for 8021x (right? - at least all docs say this), so if
I don't HAVE to use LDAP all the better.

TIA!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.or
g] On Behalf Of Jason Alderfer
Sent: Tuesday, August 18, 2009 2:18 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN attribute in LDAP or AD?


 So, I'm trying to use 802.1x dynamic VLAN assignment.  I have this
 working when I conf the users file.  However, I don't want to
 create/maintain the users file for 2,000 users!

 Is there an attribute in AD / LDAP I can use for the dynamic VLAN?
 Ideally I could do this at the Group level, such that when a user
 moves from one group to another their automagically assigned to the
 correct VLAN.

If you're using version 2.0.5 or higher you can do this with unlang as
follows.  This example sets the vlan based on the user's DN, but you
should be able to modify it to look at your group membership attribute. 
Repeat for all relevant ldap groups.

if (control:Ldap-UserDn =~ /ou=div,o=org/i) {
update reply {
 Tunnel-Type := VLAN
 Tunnel-Medium-Type := IEEE-802
 Tunnel-Private-Group-Id := 9
}
}




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP MSCHAP error

2009-08-24 Thread Larry Ross
LOL, K.  Just found it interesting that with so little data you were able to 
divine our schema.  The problem here is our LDAP tree will not or cannot change 
(political reasons... Long story sucks for me, but as they say wish in one hand 
and poop in the other, get back to me when you figure out which one fills 
first...)

So yeah I am stuck with binary NT hashes to use for MSCHAP auth. The odd thing 
is it works for 95% of our users, it seems there is a character combo that 
causes the truncation.

So I was thinking I would use a perl script (thank you rlm_perl, and PERL-LDAP 
modules) to perform the LDAP query and then convert the data to ASCII and 
insert the converted String Data into the NT-Password variable.

With that strategy in mind I have a couple questions.

1:  Sanity check.  Before I begin down this path, does this sound plausible?
2:  Suggestions or samples would be greatly appreciated.

Thank you
Larry

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org 
[mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Friday, August 21, 2009 11:35 PM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote:
 Hmm interesting, how were you able to divine that that is how we are storing 
 the hash values... 

  C programming 101.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP MSCHAP error

2009-08-24 Thread Alan DeKok
Larry Ross wrote:
 LOL, K.  Just found it interesting that with so little data you were able to 
 divine our schema.  The problem here is our LDAP tree will not or cannot 
 change (political reasons... Long story sucks for me, but as they say wish in 
 one hand and poop in the other, get back to me when you figure out which one 
 fills first...)

  As I said... it's C programming 101.  It's trivial for anyone who's
spent 10 minutes with C.

 So yeah I am stuck with binary NT hashes to use for MSCHAP auth. The odd 
 thing is it works for 95% of our users, it seems there is a character combo 
 that causes the truncation.

  Yes.  00.  This is C 101.

 So I was thinking I would use a perl script (thank you rlm_perl, and 
 PERL-LDAP modules) to perform the LDAP query and then convert the data to 
 ASCII and insert the converted String Data into the NT-Password variable.

  That might work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP MSCHAP error

2009-08-24 Thread Larry Ross
Passwords that are affected do not contain 00.
FYI

-Original Message-
From: freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org 
[mailto:freeradius-users-bounces+lfross=ucdavis@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Monday, August 24, 2009 11:03 AM
To: FreeRadius users mailing list
Subject: Re: LDAP MSCHAP error

Larry Ross wrote:
 LOL, K.  Just found it interesting that with so little data you were able to 
 divine our schema.  The problem here is our LDAP tree will not or cannot 
 change (political reasons... Long story sucks for me, but as they say wish in 
 one hand and poop in the other, get back to me when you figure out which one 
 fills first...)

  As I said... it's C programming 101.  It's trivial for anyone who's
spent 10 minutes with C.

 So yeah I am stuck with binary NT hashes to use for MSCHAP auth. The odd 
 thing is it works for 95% of our users, it seems there is a character combo 
 that causes the truncation.

  Yes.  00.  This is C 101.

 So I was thinking I would use a perl script (thank you rlm_perl, and 
 PERL-LDAP modules) to perform the LDAP query and then convert the data to 
 ASCII and insert the converted String Data into the NT-Password variable.

  That might work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
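The point Alan makes above (and that the "passwords do not contain 00" reply misses) is that the NUL byte which truncates the stored value lives in the binary NT hash, not in the password itself: any C code that treats the 16 hash bytes as a string stops at the first 0x00. The following is an added Python example, not code from the thread or from FreeRADIUS. It carries its own MD4 (hashlib's MD4 is disabled in many OpenSSL builds), computes NT hashes (MD4 over the UTF-16LE password), searches constructed sample passwords for one whose hash contains 0x00, shows what a C-style string copy keeps of it, estimates how many users such a scheme silently breaks, and produces the 32-character hex form of NT-Password that carries no NUL. The password prefix, the search limit and the sample passwords are constructed values. An NT hash is password-equivalent for MS-CHAP, so whichever encoding is chosen, the LDAP attribute needs the same access control as a cleartext password.

```python
import struct
from typing import Optional, Tuple


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib's md4 is often unavailable."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):  # round 1: select
        return (x & y) | (~x & z)

    def g(x, y, z):  # round 2: majority
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):  # round 3: parity
        return x ^ y ^ z

    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4  # operate on a, d, c, b in turn
                p, q, r = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = rotl((v[idx] + fn(p, q, r) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return _md4(password.encode("utf-16-le"))


def c_string_truncate(blob: bytes) -> bytes:
    """What a strlen()/strcpy()-style copy keeps of a binary value: bytes before the first NUL."""
    nul = blob.find(b"\x00")
    return blob if nul < 0 else blob[:nul]


def first_hash_with_nul(prefix: str = "pw", limit: int = 2000) -> Optional[Tuple[str, bytes]]:
    """Search constructed sample passwords (prefix + 4 digits) for one whose
    ASCII-only password yields a hash containing 0x00."""
    for n in range(limit):
        pw = f"{prefix}{n:04d}"
        digest = nt_hash(pw)
        if b"\x00" in digest:
            return pw, digest
    return None


def expected_nul_fraction(hash_len: int = 16) -> float:
    """Share of uniformly distributed hashes that contain at least one 0x00 byte."""
    return 1 - (255 / 256) ** hash_len


def nt_password_check_item(digest: bytes) -> str:
    """32-character hex form of NT-Password (the form rlm_mschap accepts); no NUL can appear."""
    if len(digest) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return digest.hex().upper()


if __name__ == "__main__":
    found = first_hash_with_nul()
    if found:
        pw, digest = found
        print(f"{pw!r} (no NUL in the password) -> hash {digest.hex()}")
        print(f"C string copy keeps only {len(c_string_truncate(digest))} of 16 bytes")
        print(f"store instead: NT-Password := {nt_password_check_item(digest)}")
    print(f"expected fraction of broken users: {expected_nul_fraction():.1%}")
```

The estimated fraction of hashes containing a NUL is about 6%, which lines up with the "works for 95% of our users" observation; the hex string is what the Perl script in the plan above would write into NT-Password instead of the raw bytes.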


RE: LDAP MSCHAP error

2009-08-24 Thread Larry Ross
Also any ideas as to how I may insert the variable from perl would be nice.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Jason Alderfer

 Interesting...  I'm assuming I could use existing LDAP attribs and remap
 them as needed?  Ie: Fax Number could be mapped to Tunnel ID?
 Extending the schema is like getting teeth pulled.

Resist the temptation and extend the schema now instead of later.  When
you need the Fax Number, what will you do?

If you don't want to tackle LDAP, you could write a script to generate a
separate file of unlang if-then blocks and pull it into the FR conf file
with an $INCLUDE statement.

 Also, no way to do this with NTLM auth is there?

No.  NTLM_auth is an authentication tool that returns 0 or 1 depending on
the correctness of a password.  This is an authorization question - what
kind of access will the authenticated user be given?



 -Original Message-
 From: Jason Alderfer [mailto:j...@emu.edu]
 Sent: Monday, August 24, 2009 2:10 PM
 To: Gary Gatten
 Subject: RE: Dynamic VLAN attribute in LDAP or AD?


 So, by looking at this more carefully I'll have to do a bunch of
 if/else's or cases?  What if for instance I have 500
 departments/groups
 - 500 different vlans?  I'll have to test each one?

 I guess what I was hoping to do was something like:

 Get attribute n for user y (where n = a value used for
 Tunnel-Private-Group-Id

 You will need to extend your LDAP schema to include the attributes
 needed
 for the VLAN and make sure they are properties of the objects that you
 want them to apply to.

 Then you will need to add these attributes to the FR ldap.attrmap file,
 e.g.

 replyItem   Tunnel-Type radiusTunnelType
 replyItem   Tunnel-Medium-Type  radiusTunnelMediumType
 replyItem   Tunnel-Private-Group-Id
 radiusTunnelPrivateGroupId

 Now the LDAP module should be able to set these attributes automatically
 for each request if you enable it in the authorize or post-auth section.

 Jason


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
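Jason's unlang snippet earlier in the thread and his suggestion here (generate a file of if-then blocks and pull it in with $INCLUDE) can be combined in a short generator. The following is an added Python example, not code from the thread or from FreeRADIUS: it takes a mapping of DN fragments to VLAN ids, escapes each fragment so the unlang regex matches it literally (including the "/" delimiter), validates the VLAN range, emits one if/elsif chain in the shape of Jason's block, and by default ends the chain with a reject so that a user who matches no group is refused rather than left on the switch port's default VLAN. The mapping values, the attribute name check on control:Ldap-UserDn and the output file name are constructed assumptions.

```python
from typing import Dict

# Constructed sample mapping (hypothetical OUs and VLAN ids, not from the thread).
# Insertion order is precedence order when fragments overlap.
GROUP_VLANS: Dict[str, int] = {
    "ou=neteng,o=org": 9,
    "ou=finance,o=org": 120,
    "ou=guests,o=org": 4000,
}

# Characters that are special inside an unlang /.../ regex; "/" is the delimiter.
_REGEX_META = set(".^$*+?{}[]\\|()/")


def dn_regex(fragment: str) -> str:
    """Escape a DN fragment so it is matched literally inside /.../i."""
    return "".join("\\" + ch if ch in _REGEX_META else ch for ch in fragment)


def vlan_block(fragment: str, vlan_id: int, first: bool) -> str:
    """One if/elsif block in the shape of Jason's example."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} for {fragment!r} is outside 1-4094")
    keyword = "if" if first else "elsif"
    return (
        f"{keyword} (control:Ldap-UserDn =~ /{dn_regex(fragment)}/i) {{\n"
        "\tupdate reply {\n"
        "\t\tTunnel-Type := VLAN\n"
        "\t\tTunnel-Medium-Type := IEEE-802\n"
        f"\t\tTunnel-Private-Group-Id := {vlan_id}\n"
        "\t}\n"
        "}\n"
    )


def render_unlang(mapping: Dict[str, int], reject_unmapped: bool = True) -> str:
    """Render the whole chain.  With reject_unmapped, a user matching no group is
    refused instead of getting whatever the switch does with a VLAN-less reply."""
    if not mapping:
        raise ValueError("empty VLAN mapping")
    parts = [vlan_block(frag, vid, i == 0) for i, (frag, vid) in enumerate(mapping.items())]
    if reject_unmapped:
        parts.append("else {\n\treject\n}\n")
    return "".join(parts)


def write_include(path: str, mapping: Dict[str, int]) -> None:
    """Write the chain to a file to be $INCLUDEd from the authorize section."""
    with open(path, "w") as fh:
        fh.write("# generated from the group/VLAN mapping; do not edit by hand\n")
        fh.write(render_unlang(mapping))


if __name__ == "__main__":
    print(render_unlang(GROUP_VLANS))
```

Regenerating the file from the mapping after each group change keeps the 500-group case to a single source of truth, and the trailing reject makes a missing mapping visible as an Access-Reject in the logs rather than as a user silently landing on the wrong VLAN.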


Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Gary Gatten
Agreed. I didn't know if I could do some group checking with ntlm_auth, more 
accurately get a list of groups a user belongs to? If I used FQDN I could 
prolly parse out the info I need from the user name as well: 
gary.neteng.waddell. I'll try LDAP - good learning experience!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Ivan Kalik
 So, by looking at this more carefully I'll have to do a bunch of
 if/else's or cases?  What if for instance I have 500 departments/groups
 - 500 different vlans?  I'll have to test each one?

 I guess what I was hoping to do was something like:

 Get attribute n for user y (where n = a value used for
 Tunnel-Private-Group-Id

 Thoughts?

Use ms-RADIUS-FramedInterfaceId from the AD schema and map it in ldap.attrmap.
IAS uses that for the VLAN id.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN attribute in LDAP or AD?

2009-08-24 Thread Ivan Kalik
 Agreed. I didn't know if I could do some group checking with ntlm_auth,
 more accurately get a list of groups a user belongs to? If I used FQDN I
 could prolly parse out the info I need from the user name as well:
 gary.neteng.waddell Ill try LDAP - good learning experience!


No need. AD is sort of an LDAP server. You can define it in the ldap module and
it will respond to queries. You just need to adjust attribute names in
ldap.attrmap to AD schema names (since MS broke the specification).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP MSCHAP error

2009-08-24 Thread Ivan Kalik
 Also any ideas as to how I may insert the variable from perl would be
 nice.

Read rlm_perl documentation.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxying accounting to create a 'tee'

2009-08-24 Thread Ivan Kalik
 Right. I was hoping there was a way for robust-proxy-accounting to respond
 to the NAS when the proxy isn't responding, since the accounting request
 has
 been successfully processed (i.e., written to the detail log and saved
 for
 later proxying).

So it's still waiting to be processed - it hasn't been successfully
processed.

  I'm adapting robust-proxy-accounting for our environment and can't
  figure out how (or if it's possible) to get FreeRADIUS to respond to
 the
  originating NAS when proxying fails and the detail is logged for later
  proxying.

 Yep that's a good idea if the data is time critical, it also allows
 multiple requests to be forwarded in parallel.

 nod, this is my preference. Unfortunately (as I mentioned above), I
 haven't
 been able to figure out if/how it's possible to have FreeRADIUS always
 respond to the NAS, even when the proxy isn't responding and accounting is
 spooled to the detail file for later processing.

Use appropriate policy (decoupled accounting).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to control users traffic ?

2009-08-24 Thread Andrew Paternoster
I was trying to dynamically limit the customers speed when they hit their 
download quota. I'm doing this for DSL users connected to a Cisco NAS. Aren't 
the WISPr only for wireless users?


--
Andrew Paternoster
GPK Computers Pty Ltd
T 1300 854 223
F 1300 854 228
Senior System Engineer

-Original Message-
From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org 
[mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On 
Behalf Of Devinder Singh
Sent: Tuesday, 18 August 2009 5:16 PM
To: FreeRadius users mailing list
Subject: Re: How to control users traffic ?

Hi

Have you tried using WISPr attributes to control bandwidth. These are
set in the Radius database server.

2009/8/18 Andrew Paternoster and...@gpk.net.au:
 Does anyone have any Example policies that they can share. I'm trying to work 
 out how to send attributes to my cisco NAS when the users reach their traffic 
 limit.

 I have looked around and cannot find how to make these policies mentioned 
 below.

 Can any one point me in the right direction?

 Thanks


 --
 Andrew Paternoster
 GPK Computers Pty Ltd
 T 1300 854 223
 F 1300 854 228
 Senior System Engineer

 -Original Message-
 From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org 
 [mailto:freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org] On 
 Behalf Of Ivan Kalik
 Sent: Tuesday, 7 July 2009 7:12 PM
 To: FreeRadius users mailing list
 Subject: Re: How to control users traffic ?

 Which is conventional way for checking online users traffic volume  and
 disconnecting who reach to the limit of every user in freeradius:

 There are no standard radius attributes for this. Your NAS might have
 vendor specific attributes that can be used for data (sql)counters but
 many don't.

 1- using acct-interim packets  to update output or input octets in sql and
 if user reach to the max of its accounting permission disconnect
 him/her.(Is
 there any patch to do this ?)

 Again, this will depend on NAS supporting PoD or CoA. You can make a
 policy that sends instructions to NAS to disconnect the user if he goes
 over the limit on update packet. If it doesn't, you should still be able
 to disconnect the user using SNMP.

 2- freeradius sends Session-Octets-Limit to the NAS and NAS can does this?

 If it has such VSA. You can then use standard (sql)counter.

 Ivan Kalik
 Kalik Informatika ISP





--
Devinder


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: files: How to choose SQL entry for users?

2009-08-24 Thread George Koulyabin
Hi.

On Mon, Aug 24, 2009 at 02:59:27PM +0200, Alan DeKok wrote:
 George Koulyabin wrote:
  On Mon, Aug 24, 2009 at 01:45:11PM +0200, Alan DeKok wrote:
  George Koulyabin wrote:
  I had got success when 'sql_auth' was defined as last entry into 
  instantiate { }. But I think that this
  solution is unsecure and wrong.
Why is that?
  
  For example, I added new sql-module into sql.conf and forgot to fix 
  order of loading of sql-modules 
  into instantiate { }. I tried to do it. The 'users' used last sql-module of 
  sql.conf. 
  Variable 'sqlmod-inst' is used by 'sqlcounter'-module, but why isn't such 
  variable used into 'files'-module?
 
   (a) That doesn't make it unsecure. 

   Your words are true. I can't say that rejecting authorization is unsecure.

 
   (b) you may have MULTIPLE sql modules, and may be doing MULTIPLE sql
 group comparisons in the files module.  Adding one sqlmod-inst to
 the files module won't help you try to use MULTIPLE sql modules.

Supposing it were available to use MULTIPLE files modules and unlang, I 
could use different
'users'-files. In addition, I can use a few virtual servers.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html