unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello list,

I want to delete one reply attribute from the reply list if the Access-Request 
does not originate from a particular NAS-IP-Address.

Currently I have solved this by adding this unlang code in authorize section:

if (NAS-IP-Address != x.x.x.x) {
    update reply {
        Aruba-Admin-Role := ""
    }
}

The man page of unlang says:
!* Delete all occurrences of the named attribute, no matter what the value.

I think this is the better way than just to clear the attribute value. But how 
can I use this, what's the correct syntax?

I have tested the following without success:

Aruba-Admin-Role !* 
Aruba-Admin-Role !*
!* Aruba-Admin-Role

Thanks in advance,

Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang - delete attribute - !*

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 07:05, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de 
wrote:

 Hello list,
  
 I want to delete one reply attribute from the reply list if the 
 access-request is originating not from a special NAS-IP-Address.
  
 Currently I have solved this by adding this unlang code in authorize section:
  
 if(!NAS-IP-Address == x.x.x.x) {
 update reply {
 Aruba-Admin-Role := 
 }
 }
  
 The man page of unlang says:
 !* Delete all occurrences of the named attribute, no matter what the value.
  
 I think this is the better way than just to clear the attribute value. But 
 how can I use this, what’s the correct syntax?
  
 I have tested the following without success:
  
 Aruba-Admin-Role !* 
 Aruba-Admin-Role !*
 !* Aruba-Admin-Role
  

update reply {
    Aruba-Admin-Role !* ANY
}

Will delete all.

update reply {
    Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
}

Will delete the first instance.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



AW: unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello Arran,

thanks for the answer. This has worked!

Regards,
Tobias Hachmer


-Original message-
From: 
freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org 
[mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org]
 On behalf of Arran Cudbard-Bell
Sent: Wednesday, 9 October 2013 08:22
To: FreeRadius users mailing list
Subject: Re: unlang - delete attribute - !*




Usage of Session-Timeout

2013-10-09 Thread Volker Lieder
Hi,

we upgraded a freeradius setup from 1.x to 2.1.10+dfsg-2+squeeze1 on Debian 
Squeeze.

Within the old version, we used a database config for groups with an attribute 
Session-Timeout and the value `%{expr:06:00}`
With the new version, FreeRADIUS prints an error in debug mode like:

Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: 06:00 -> 06:00
Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: %{expr:06:00} -> 

Can you explain why this value isn't working with the new version, or what we have to 
change to set the Session-Timeout so that the user gets disconnected at, e.g., 06:00 am?

Regards,
Volker Lieder





well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
it's not insurmountable.
A


load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Hi,

Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing 
it here, but I can't help thinking that the actual load balancing algorithm 
needs some tweaking. 

As far as I'm aware (the systems section supports the F5 boxes):

1). We're using round robin to spread the load over 2 back end radius servers.
2). There is some general sticky persistence so that once a RAS device starts 
talking to a particular back end server it continues to talk to that server for 
a predetermined length of time (might be an hour, not sure). This ensures that 
an EAP dialogue will always talk to the same back end server for the duration 
of the sticky time. Not sure what happens when you get to the end of the time 
interval though.

According to the F5 statistics, overall radius traffic seems to be shared 
evenly over the 2 back end servers.  However, our most heavily loaded RAS 
client is our wireless network. While we have 900 switches doing mac and 802.1x 
based auth, we can have 6000+ users on our wireless network all authenticating 
to RADIUS via 3 RAS clients. Looking at the back end server log files, it does 
look as if, in general,  all wireless RADIUS auths head for the same back end 
server.

I was wondering if there's a way of having a bit more granularity in terms of 
how the F5 load balances incoming RADIUS requests.

Rgds
Alex



Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Russell Mike
Dear Arran C. Bell,

Thanks for everything, Here is update.

1.)

All-In-MB counter works. Please note, when a user has downloaded his quota, the
counter does not force a log off. Said another way, if the user is online, he
remains online until he logs off himself or stops browsing. But note that the
counter prevents him from logging in again: the user cannot log in again if he
has already hit the quota threshold. Please look at the example of a reject. This
user is allowed 7GB; please note that check_item, which shows 7168, is specified
in MB.

[gigawordcounter]   expand: %{sql:SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='quotauser'} -> 7389.1705

rlm_sqlcounter: (Check item - counter) is less than zero

rlm_sqlcounter: Rejected user quotauser, check_item=7168, counter=7389

++[gigawordcounter] returns reject
Which basically means that initially authorization is done by SQL, then
max_all_mb; the checks are only done once, when the user makes the logon
attempt, and are never done again. This is where I have failed. Since
you are more into this, is there a way to perform this check
on a frequent basis and send a reply to the NAS to log off the user? Then it should
work.

Counter:

sqlcounter gigawordcounter {
    counter-name = Max-All-MB
    check-name = Max-All-MB
    reply-name = Max-All-MB
    reply-message = "You have reached your bandwidth limit"
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctInputOctets) / (1024*1024) + SUM(AcctOutputOctets) / (1024*1024) FROM radacct WHERE UserName='%{%k}'"
}


2.) Solution offered by you.

I tried your recommendations also; I tried to maintain the following in the local
FR dictionary /etc/freeradius/dictionary and the Chilli dictionary:

ATTRIBUTE   Acct-Input-Octets64     3005    integer64

ATTRIBUTE   Acct-Output-Octets64    3006    integer64

Results: failed to start FR

Reason for failing: unrecognized value specified in /etc/freeradius/dictionary

Reason for failing: unrecognized value specified in /usr/share/freeradius/dictionary.chillihotspot

Thanks / Regards

RM --

On Tue, Oct 8, 2013 at 3:38 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 8 Oct 2013, at 15:40, Russell Mike radius@gmail.com wrote:

  Dear Arran C. Bell,
 
  Thank you very much, i am extremely grateful for your advise and
 guidelines for troubleshoot also. i am currently experimenting a different
 rlm_sqlcounter using CoovaChilli dictionary All-In-MB. In result, i can
 store short number in db. This counter would reset at 2TB with same 32bit
 number. i have actually tested up to 6GB. it just works!!!. Next test is in
 progress to logout user when 7GB downloaded. i really appreciated your
 input and TIME.
 
  i will try your proposed solution as well after All-In-MB has tested.
 After the successful practical of both solutions. i would like to document
 this topic on one page for archives, so that it can help others. i may need
 your support incase i came across some challenges during the test of your
 solution.

 wiki.freeradius.org is the place to do that :)

 
  Thanks once again !!!

 No problem, glad I could help.

 -Arran


Re: load balancing radius with F5 devices

2013-10-09 Thread Fajar A. Nugraha
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:

 While we have 900 switches doing mac and 802.1x based auth, we can have
 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS
 clients. Looking at the back end server log files, it does look as if, in
 general,  all wireless RADIUS auths head for the same back end server.

 I was wondering if there's a way off having a bit more granularity in
 terms of how the f5 load balances incoming RADIUS requests.


Have you asked F5?

At the very least, common load balancers (e.g. keepalived on linux, a
frontend for ipvs) should have the option of distributing traffic to
backends based on source IP. Since you say you have 3 RAS clients, it
should work somewhat.

-- 
Fajar

Re: load balancing radius with F5 devices

2013-10-09 Thread Michael Schwartzkopff
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're
 doing it here, but I can't help thinking that the actual load balancing
 algorithm need some tweaking.
 
 As far as I'm aware ( systems section support the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius
 servers. 2). There is some general sticky persistence so that once a RAS
 device starts talking to a particular back end server it continues to talk
 to that server for a predetermined length of time ( might be an hour, not
 sure). This ensures that an eap dialogue will always talk to the same back
 end server for the duration of the stuck time. Not sure what happens when
 you get to the end of the time interval though.
 
 According to the F5 statistics, overall radius traffic seems to be shared
 evenly over the 2 back end servers.  However, our most heavily loaded RAS
 client is our wireless network. While we have 900 switches doing mac and
 802.1x based auth, we can have 6000+ users on our wireless network all
 authenticating to RADIUS via 3 RAS clients. Looking at the back end server
 log files, it does look as if, in general,  all wireless RADIUS auths head
 for the same back end server.
 
 I was wondering if there's a way off having a bit more granularity in terms
 of how the f5 load balances incoming RADIUS requests.


You would need to use application layer load balancing on the BigIPs. But I 
don't think that you can configure this on the BigIPs. The RADIUS protocol is 
stateless, so there are no criteria in the application that a load balancer 
could use to balance inside the application.

Greetings,

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread A . L . M . Buxey
Hi,

 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable

Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
present  - you
should have been compiling it before the official release ;-)

alan


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 10:41, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're 
 doing it here, but I can't help thinking that the actual load balancing 
 algorithm need some tweaking. 

I have F5 load balancers but at the moment I don't use them for our RADIUS traffic.

 As far as I'm aware ( systems section support the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius servers.
 2). There is some general sticky persistence so that once a RAS device 
 starts talking to a particular back end server it continues to talk to that 
 server for a predetermined length of time ( might be an hour, not sure). This 
 ensures that an eap dialogue will always talk to the same back end server for 
 the duration of the stuck time. Not sure what happens when you get to the 
 end of the time interval though.

Point 2 should be set up carefully. I recommend using the iApp to deploy
your RADIUS through the F5 [1] (they use FreeRADIUS as an example).

 I was wondering if there's a way off having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool
members to your RAS servers. You can even decode the RADIUS packet and
base your load-balancing decision on RADIUS attributes [2].

As you said, the most important thing is to ensure that a client/NAS
always talks to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2]
https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz

On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote:

 On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:
 While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ 
 users on our wireless network all authenticating to RADIUS via 3 RAS clients. 
 Looking at the back end server log files, it does look as if, in general,  
 all wireless RADIUS auths head for the same back end server.
 
 I was wondering if there's a way off having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 
 Have you asked F5?
 
 At the very least, common load balancers (e.g. keepalived on linux, a 
 frontend for ipvs) should have the option of distributing traffic to backends 
 based on source IP. Since you say you have 3 RAS clients, it should work 
 somewhat.
 
Had a nose round the F5 site and subscribed to some of the communities. 
Shall we say that the response wasn't that great!
A

 -- 
 Fajar

Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way off having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

Another nice thing to do is to do persistence based on radius AVP
https://devcentral.f5.com/questions/radius-load-bnalancing-persistence

So you can load balance incoming requests based on any standard AVP
(User-Name, NAS-IP-Address, Calling-Station-Id )

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


RE: load balancing radius with F5 devices

2013-10-09 Thread Vincent, Fabien
Hi,

Just to give some info if I can help (this mailing list has helped me a lot!). 

I have F5 BigIP devices in two DCs. They each have a VirtualServer with a 
shared IP (not activated in the VLANs used to communicate between the 2 DCs, to avoid 
IP conflicts; a much simpler config for the NAS: only one IP address for the server).

Everything works fine with the following config:

The Virtual Server (IP A.B.C.D is its public IP for the external DC ...):

ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        [...]
    }
    vlans-enabled
}

The pool used:

ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 {
            address 10.10.6.7
        }
        /Common/10.20.6.3:1812 {
            address 10.20.6.3
        }
    }
    monitor /Common/Radius-Auth
}

The monitor:

ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **
    time-until-up 0
    timeout 31
    username radius@domain
}

Profile radiusLB is the following:

ltm profile radius radiusLB {
    clients none
    persist-avp none
}

And another one, not used but available in the default config:

ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}


If I look at pool statistics, each server has an equivalent volume of requests 
(48.1k against 48.2k).

You could play with Priority Groups depending on location or on the failover architecture 
of RADIUS if you want.

Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products
fabien.vinc...@coreye.fr



From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org 
[mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] 
On behalf of Michael Schwartzkopff
Sent: Wednesday, 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices



Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
you don't know how hard it was to wait till the official release :-)
A
On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable
 
 Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
 present  - you
 should have been compiling it before the official release ;-)
 
 alan


Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Many thanks for this Olivier, much appreciated
Rgds
A
On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote:

 On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way off having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 Another nice thing to do is to do persistence based on radius AVP
 https://devcentral.f5.com/questions/radius-load-bnalancing-persistence
 
 So you can load balance incoming requests based on any standard AVP
 (User-Name, NAS-IP-Address, Calling-Station-Id )
 
 Olivier
 -- 
 
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz

On 9 Oct 2013, at 10:19, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
 Just got a wee bit of trouble linking in the talloc libraries, but I'm sure 
 it's not insurmountable
 
 Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff 
 present  - you
 should have been compiling it before the official release ;-)
 
Ah! That explains it. When I first compiled FR 2.x.x on my Lion box I do remember 
being impressed by the fact that it just talked to the back end Open 
Directory without doing anything. Looking forward to setting up RadSec in FR3.
A
 alan


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:

 you don't know how hard it was to wait till the official release :-)
 A


brew install talloc
brew link talloc
./configure
make
make install

?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 3 and DHCP

2013-10-09 Thread Rok Kosir

On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:

On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk wrote:


On 08/10/13 17:01, Rok Kosir wrote:


authentication to mysql), when i run freeradius -X, i get Segmentation
Fault when it reaches the dhcp listener.

See doc/bugs.

and skip to section 2. :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Rebuilt manually, and with DHCP it started the server; when a DHCP request 
came in, it crashed.

I did use --enable-development when configuring

All i got in logs is
kernel: [7949524.015421] radiusd[19648] general protection 
ip:7fa7082c1670 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]


no other coredump available except from  gdb
Generated gdb http://pastebin.com/raw.php?i=C1NYzckb

Also debug from radiusd -X http://pastebin.com/raw.php?i=B8tRs1xh

config options were:
./configure --build x86_64-linux-gnu --config-cache --enable-developer 
--prefix=/usr --exec-prefix=/usr --mandir=/usr/share/man 
--sysconfdir=/etc --libdir=/usr/lib/freeradius --datadir=/usr/share 
--localstatedir=/var --with-raddbdir=/etc/freeradius 
--with-logdir=/var/log/freeradius --with-large-files --with-udpfromto 
--without-rlm_eap_tnc  --without-rlm_eap_ikev2 --without-rlm_sql_oracle 
--without-rlm_sql_unixodbc


on Ubuntu 12.04 kernel 3.2.0-29-generic



Re: Usage of Session-Timeout

2013-10-09 Thread Alan DeKok
Volker Lieder wrote:
 Within the old version, we used a database config for groups with an 
 attribute Session-Timeout and the value `%{expr:06:00}`

  Which never worked.  06:00 isn't a number.  You can't just invent
syntax and use it.

 With new version freeradius send an error while looking in debug mode like:
 
 Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: 06:00 -> 06:00
 Tue Oct  1 16:15:23 2013 : Info: [sql] Not a number at :00
 Tue Oct  1 16:15:23 2013 : Info: [sql]  expand: %{expr:06:00} -> 
 
 Can you explain why this value isnt working with new version or what we have 
 to change to set the Session-Timeout that user get disconnected e.g. at 06:00 
 am?

  It didn't work in the old version, either.  It just didn't complain.

  You should use the Expiration attribute:

bob Cleartext-Password := "hello", Expiration := "06:00"

  That should work.

  Or, calculate the Session-Timeout manually.

  Alan DeKok.
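Alan's suggestion to calculate the Session-Timeout manually, worked through as an added example (not code from the thread or from FreeRADIUS itself): a small rlm_python module that turns a wall-clock cutoff into the number of seconds left in the session, handling the day rollover, a cutoff that is exactly now, and timezone-aware datetimes across a DST change. The CUTOFF value, the fallback RLM_MODULE_UPDATED constant and the choice of rlm_python over an SQL expression are assumptions made for this example.

```python
"""Added example: compute Session-Timeout so a session ends at a fixed time.

Assumes the rlm_python calling convention: authorize(p) receives a tuple of
(attribute, value) string pairs and may return (rcode, reply_items,
config_items). CUTOFF and the fallback rcode value below are assumptions.
"""
from datetime import datetime, timedelta, timezone

try:
    import radiusd  # only available when loaded by rlm_python
    RLM_MODULE_UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:  # running stand-alone; value assumed to match FreeRADIUS
    RLM_MODULE_UPDATED = 8

CUTOFF = "06:00"  # assumed policy: every session ends at 06:00 local time


def seconds_until(cutoff, now):
    """Seconds from `now` until the next occurrence of the HH:MM `cutoff`.

    `now` may be a datetime (naive or aware) or an ISO 8601 string. If the
    cutoff has already passed today, or is exactly now, tomorrow's cutoff is
    used, and the result is clamped to at least 1 so the reply never carries
    a zero Session-Timeout.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    hour, minute = (int(x) for x in cutoff.split(":"))
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    if now.tzinfo is not None:
        # Subtract on the UTC timeline: for two datetimes sharing a tzinfo,
        # Python subtracts wall-clock values, which would be off by an hour
        # if a DST change falls between now and the cutoff.
        delta = candidate.astimezone(timezone.utc) - now.astimezone(timezone.utc)
    else:
        delta = candidate - now
    return max(1, int(delta.total_seconds()))


def session_timeout_reply(cutoff, now):
    """Reply items in rlm_python form: a tuple of (attribute, value) strings."""
    return (("Session-Timeout", str(seconds_until(cutoff, now))),)


def authorize(p):
    """rlm_python entry point: p holds the request attributes (unused here,
    the cutoff is global); returns (rcode, reply_items, config_items)."""
    reply = session_timeout_reply(CUTOFF, datetime.now().astimezone())
    return (RLM_MODULE_UPDATED, reply, ())
```

Wire it up with `func_authorize = authorize` in the rlm_python instance, or run `seconds_until("06:00", "2013-10-01T16:15:23")` interactively to sanity-check a value before putting it into a users file or SQL reply entry.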


Re: Managing Data Volume Control More Than 4GB FR & CoovaChilli

2013-10-09 Thread Alan DeKok
Russell Mike wrote:
 All-In-MB counter works. Please note, when a user has downloaded his
 quota, counter do not force log off .

  The counter module DOES NOT DO THAT.

  To see why, ask yourself what does FreeRADIUS see when the user has
downloaded his quota?

  The answer is nothing.  The user's traffic doesn't go through
FreeRADIUS, because FreeRADIUS isn't a router.

  What FreeRADIUS *may* see is an Accounting-Request for the user.
Which contains the total traffic for the user.

  So if you want to do something when the user's traffic is over the
quota, you have to do it in the accounting section.  You have to update
the SQL database, and then check if the user is over quota.

  If so, send a Disconnect-Message, or exec a program to kick the user
offline.

 Which basically means that initially authorization is done by SQL then
 max_all_mb, checks are only done once when the user makes the logon
 attempt and checks are never done again.

  Yes.  That's what you've configured.  If you want more, you need to
tell the server to do more

 This is where i have failed.
 Since you are more in to this, is there a way to perform this check
 on frequent basis and send reply to NAS to logoff user? then it should
 work. 

  Read the debug output.  You'll see the server receiving
Accounting-Request packets, with the user's traffic over quota.  THAT is
when FreeRADIUS can do something.

  Alan DeKok.
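Alan's accounting-section approach, as an added example that is not code from the thread or from FreeRADIUS itself: an rlm_python accounting hook that adds this session's octets to the Gigawords wrap counters (the 4GB problem in the subject line), adds the user's earlier sessions, and fires an RFC 5176 Disconnect-Request through radclient once the quota is exceeded. QUOTA_MB is taken from the thread; NAS_COA_PORT, COA_SECRET, the radclient invocation, the stand-in prior_bytes_from_sql() and the fallback rcode values are assumptions.

```python
"""Added example: enforce a data quota from Accounting-Request packets.

Assumes the rlm_python calling convention (accounting(p) receives a tuple
of (attribute, value) string pairs and returns an rcode), that the sql
module has already stored the packet, and that earlier sessions are summed
by a query the stand-in prior_bytes_from_sql() represents. The CoA port,
secret and radclient command line are assumptions.
"""
import subprocess

try:
    import radiusd  # only available when loaded by rlm_python
    RLM_MODULE_OK, RLM_MODULE_NOOP = radiusd.RLM_MODULE_OK, radiusd.RLM_MODULE_NOOP
except ImportError:  # running stand-alone; values assumed to match FreeRADIUS
    RLM_MODULE_OK, RLM_MODULE_NOOP = 2, 7

QUOTA_MB = 7168            # from the thread: check_item=7168, in MB
NAS_COA_PORT = 3799        # assumed: RFC 5176 default Disconnect/CoA port
COA_SECRET = "testing123"  # assumed shared secret configured on the NAS
GIGAWORD = 2 ** 32
SESSION_KEYS = ("User-Name", "Acct-Session-Id", "NAS-IP-Address")


def session_bytes(attrs):
    """Octets used by this session so far.

    Acct-*-Octets is a 32-bit counter; Acct-*-Gigawords (RFC 2869) counts
    how many times it wrapped, which is what a quota above 4GB needs.
    Missing attributes (e.g. in a Start packet) count as zero.
    """
    total = 0
    for direction in ("Input", "Output"):
        octets = int(attrs.get("Acct-%s-Octets" % direction, 0))
        gigawords = int(attrs.get("Acct-%s-Gigawords" % direction, 0))
        total += gigawords * GIGAWORD + octets
    return total


def over_quota(prior_bytes, attrs, quota_mb=QUOTA_MB):
    """True when earlier sessions plus the current one exceed the quota."""
    return prior_bytes + session_bytes(attrs) > quota_mb * 1024 * 1024


def disconnect_request(attrs):
    """radclient stdin text identifying the session to tear down."""
    return ('User-Name = "%s"\n'
            'Acct-Session-Id = "%s"\n'
            'NAS-IP-Address = %s\n') % tuple(attrs[k] for k in SESSION_KEYS)


def send_disconnect(attrs):
    """Send an RFC 5176 Disconnect-Request to the NAS via radclient (assumed
    to be in PATH); radclient reads the attribute list from stdin."""
    target = "%s:%d" % (attrs["NAS-IP-Address"], NAS_COA_PORT)
    subprocess.run(["radclient", "-x", target, "disconnect", COA_SECRET],
                   input=disconnect_request(attrs), text=True, check=False)


def prior_bytes_from_sql(username):
    """Stand-in (assumption) for the SQL sum of *finished* sessions, e.g.
    SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) FROM radacct
    WHERE UserName = ? AND AcctStopTime IS NOT NULL
    The live session comes from the packet, so it is not double-counted.
    Returns 0 here because there is no database behind this example."""
    return 0


def accounting(p, prior_bytes_lookup=prior_bytes_from_sql, sender=send_disconnect):
    """rlm_python accounting hook: kick the user once they are over quota."""
    attrs = dict(p)
    # Only a live session can be disconnected; a Stop is just stored.
    if attrs.get("Acct-Status-Type") not in ("Start", "Interim-Update", "Alive"):
        return RLM_MODULE_NOOP
    if not all(k in attrs for k in SESSION_KEYS):
        return RLM_MODULE_NOOP
    if not over_quota(prior_bytes_lookup(attrs["User-Name"]), attrs):
        return RLM_MODULE_NOOP
    sender(attrs)
    return RLM_MODULE_OK
```

List the python instance after sql in the accounting section so the row is stored before the check runs, and make the NAS send Interim-Updates (Acct-Interim-Interval) or the check only happens at Start and Stop.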


Case statement error

2013-10-09 Thread Franks Andy (RLZ) IT Systems Engineer
Hi All. I have some code in an sql policy:

sql_check_user_present {
  update control {
    Tmp-String-0 := "%{sql_pwifi:SELECT COUNT(*) from voucher v left join state s on v.id=s.voucher_id where v.id=s.voucher_id and v.code='%{User-Name}' and (s.state='Inactive' or s.state='Active')}"
  }
  switch "%{control:Tmp-String-0}" {
    case 0 {
      update control {
        User-RejectInformation := "Sorry, that voucher code is invalid or has expired."
        Debug-RejectInformation := "Voucher code not present in database table, or voucher expired"
      }
      reject
    }
    case 1 {
      noop
    }
    case {
      # voucher has multiple table entries, oooh errr.
      update control {
        User-RejectInformation := "Sorry, there has been an error. Please contact IT."
        Debug-RejectInformation := "Multiple voucher codes the same, or database error - SQL count not = 0 or 1. This should never happen due to the primary key constraint!"
      }
      reject
    }
  }
}

This works fine in 3.0, git version #f66d411, but I have a problem with
a regex related thing causing a segfault in that version and wouldn't
mind trying the latest version to see if it's fixed.
Trying version #d166290 results in
 
/usr/local/etc/raddb/policy.d/sql[6]: case statements may only appear
within a switch section
/usr/local/etc/raddb/policy.d/sql[6]: Failed to parse case subsection.
/usr/local/etc/raddb/policy.d/sql[5]: Failed to parse switch
subsection.
/usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing
authorize section.

Do I need to change how the switch statement works? The unlang page
doesn't seem to have changed as far as I can tell.

Thanks
Andy

FR3 Debugging Switches

2013-10-09 Thread Adam Bishop
It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 
3 when RadSec is configured.

  # radiusd -fxx -l stdout

Works as expected (threaded debugging with no timestamps), however:

  # radiusd -fXx -l stdout
  snip
  Wed Oct  9 14:44:18 2013 : Error: 
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled for 
TLS sockets to function properly.
  Wed Oct  9 14:44:18 2013 : Error: 
/opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
'radiusd -fxx -l stdout' for debugging

'-fXxx -l stdout' reacts in the same way, but '-fxxx -l stdout' does run and 
produce timestamps, so I think this one is just a documentation issue: I can't 
find anything in doc/ that says xxx is a valid combination.  radiusd --help also 
indicates that -fXx should still be valid.

Similarly, when doing a config check:

  # ./sbin/radiusd -Cfxx -l stdout
  snip
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
for TLS sockets to function properly.
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
'radiusd -fxx -l stdout' for debugging

The init scripts for Debian (possibly RHEL too) trigger the latter one, as they 
run a config check on restart (which bails out due to the error above).

Regards,

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



Re: Freeradius 3 and DHCP

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 11:56, Rok Kosir rok.ko...@cosylab.com wrote:

 On 10/08/2013 07:09 PM, Arran Cudbard-Bell wrote:
 On 8 Oct 2013, at 17:44, Phil Mayers p.may...@imperial.ac.uk
  wrote:
 
 
 On 08/10/13 17:01, Rok Kosir wrote:
 
 
 authentication to mysql), when I run freeradius -X, I get Segmentation
 Fault when it reaches the dhcp listener.
 
 See doc/bugs.
 
 and skip to section 2. :)
 
 Arran Cudbard-Bell 
 a.cudba...@freeradius.org
 
 FreeRADIUS Development Team
 
 
 Rebuilt manually and with dhcp it started the server, when dhcp request came 
 it crashed.
 I did use --enable-development when configuring
 
 All i got in logs is  
 kernel: [7949524.015421] radiusd[19648] general protection ip:7fa7082c1670 
 sp:7fff9dcc1a48 error:0 in libc-2.15.so[7fa70817f000+1b5000]
 
 no other coredump available except from  gdb
 Generated gdb  http://pastebin.com/raw.php?i=C1NYzckb

Thanks for that.

git clone g...@github.com:FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout v3.0.x

Should no longer segv.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Case statement error

2013-10-09 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 Trying version #d166290 results in

  Which is old.  The bug has already been fixed.

  Alan DeKok.


Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan. D

So if you want to do something when the user's traffic is over the quota,
you have to do it in the accounting section.

Could you please kindly indicate what should I do there? I tried to
perform the check again when the user is online by adding a counter entry in the
*session* section, but that did not work either.

session {
sql
gigawordcounter
}

You have to update the SQL database, and then check if the user is over
quota. If so, send a Disconnect-Message, or exec a program to kick the user
offline.

I am not very clear how to update the MySQL db  perform the check on a frequent
basis. Based on the output from the counter module (ok, noop, etc.), I
understand how to update the reply from unlang to log off the user.

Thanks / Regards
RM--

On Wed, Oct 9, 2013 at 1:12 PM, Alan DeKok al...@deployingradius.comwrote:

 Russell Mike wrote:
  All-In-MB counter works. Please note, when a user has downloaded his
  quota, counter do not force log off .

   The counter module DOES NOT DO THAT.

   To see why, ask yourself what does FreeRADIUS see when the user has
 downloaded his quota?

   The answer is nothing.  The user's traffic doesn't go through
 FreeRADIUS, because FreeRADIUS isn't a router.

   What FreeRADIUS *may* see is an Accounting-Request for the user.
 Which contains the total traffic for the user.

   So if you want to do something when the user's traffic is over the
 quota, you have to do it in the accounting section.  You have to update
 the SQL database, and then check if the user is over quota.

   If so, send a Disconnect-Message, or exec a program to kick the user
 offline.

  Which basically means that initially authorization is done by SQL then
  max_all_mb, checks are only done once when the user makes the logon
  attempt and checks are never done again.

   Yes.  That's what you've configured.  If you want more, you need to
 tell the server to do more

  This is where i have failed.
  Since you are more in to this, is there a way to perform this check
  on frequent basis and send reply to NAS to logoff user? then it should
  work.

   Read the debug output.  You'll see the server receiving
 Accounting-Request packets, with the user's traffic over quota.  THAT is
 when FreeRADIUS can do something.

   Alan DeKok.


Re: FR3 Debugging Switches

2013-10-09 Thread Alan DeKok
Adam Bishop wrote:
 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.

  Yes.  Because of OpenSSL limitations, the server MUST have multiple
threads when using radsec.

   # radiusd -fxx -l stdout
 
 Works as expected (threaded debugging with no timestamps), however:
 
   # radiusd -fXx -l stdout
   snip
   Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
   Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging

  So... what's wrong with following that documentation?

 '-fXxx -l stdout' reacts in the same way,

  Because the -X means -f, which is invalid for radsec.

 but '-fxxx -l stdout' does run and produce timestamps,

  Which is what the error message says to use.  What's wrong with that?

 so I think this one is just a documentation issue - I can't find anything 
 doc/ that says xxx is a valid combination.  radiusd --help also indicates 
 that -fXx should still be valid.
 
 Similarly, when doing a config check:
 
   # ./sbin/radiusd -Cfxx -l stdout
   snip
   /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
   /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging
 
 The init scripts for debian (possibly RHEL too) trigger the latter one, as it 
 runs a config check on restart (which bails out due to the error above).

  The -C code should be changed to remove its setting of -f.  We'll
fix that for 3.0.1.

  Alan DeKok.


Re: FR3 Debugging Switches

2013-10-09 Thread A . L . M . Buxey
Hi,

 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.
 
   # radiusd -fxx -l stdout

yep. if you try 'radiusd -X' it will tell you to run it like that.

   # radiusd -fXx -l stdout
   # ./sbin/radiusd -Cfxx -l stdout

single thread methods won't work with RADSEC being present.

the docs probably need a slight update with the presence of TLS

alan


Re: FR3 Debugging Switches

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 15:22, Adam Bishop adam.bis...@ja.net wrote:

 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.
 
  # radiusd -fxx -l stdout
 
 Works as expected (threaded debugging with no timestamps), however:
 
  # radiusd -fXx -l stdout
  snip
  Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
  Wed Oct  9 14:44:18 2013 : Error: 
 /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging
 
 '-fXxx -l stdout' reacts in the same way, but '-fxxx -l stdout' does run and 
 produce timestamps, so I think this one is just a documentation issue - I 
 can't find anything doc/ that says xxx is a valid combination.  radiusd 
 --help also indicates that -fXx should still be valid.

man radiusd

   -x Finer-grained debug mode. In this mode the server will print 
details of every request on its stdout output. You can specify this option 
multiple times (-x -x or -xx) to get more detailed output.

-X will FORCE the server into single threaded mode, -f -x != -X, and so the 
server will refuse to start when TCP is required.

 Similarly, when doing a config check:
 
  # ./sbin/radiusd -Cfxx -l stdout
  snip
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: Threading must be enabled 
 for TLS sockets to function properly.
  /opt/freeradiuss/etc/raddb/sites-enabled/tls[7]: You probably need to do 
 'radiusd -fxx -l stdout' for debugging
 
 The init scripts for debian (possibly RHEL too) trigger the latter one, as it 
 runs a config check on restart (which bails out due to the error above).

Ok that's a legitimate issue and should be fixed.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Alan DeKok
Russell Mike wrote:
 So if you want to do something when the user's traffic is over the quota,
 you have to do it in the accounting section.  
 
 Could you please kindly indicate what should i do there ? i tried to
 perform the check again when user is online by adding counter entry in
 *session* section. but did not work either. 

  Uh... you do know that session is not the same as accounting, right?

  Why are you doing something wrong?

 I am not very clear how to update mysql db  perform the check on
 frequent basis. base on the output from the counter module
 (ok,noop,etc..), i understand how to update the reply from un-lang to
 log off user.

  Do you understand what the server does when it receives an accounting
packet?

  Have you tried running the server in debugging mode, and seeing what
happens when it receives an accounting packet?

  Do that before asking more questions.  Watch the server go update SQL.

  Now... how do you query SQL (independent of RADIUS) to see if the
user's session is over quota?

  Then... put that query into the accounting section, via unlang.
Check if the user is over quota.  If so, send a disconnect message.

  See raddb/sites-available/originate-coa for examples of originating a
disconnect message.

  Alan DeKok.
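As an added example of the approach Alan outlines (not the project's own configuration, and not taken from this thread): an accounting section that lets the sql module record the Accounting-Request, asks SQL whether the user's running total is over quota, and originates a Disconnect-Request when it is. Assumptions: the default FreeRADIUS MySQL schema (radacct, whose default accounting queries already fold the Acct-*-Gigawords values into acctinputoctets/acctoutputoctets), a 4 GiB quota, and a NAS that honours Disconnect-Request; the coa/disconnect lists are the ones documented in raddb/sites-available/originate-coa.

```unlang
accounting {
	# Let rlm_sql store this Accounting-Request first, so the totals in
	# radacct already include the octet counters from this packet.
	sql

	# Do the quota arithmetic inside SQL (assumed: default schema, MySQL).
	# The expanded User-Name is escaped by the sql xlat, which is why it
	# is placed inside the xlat rather than built up by string concatenation.
	if ("%{sql:SELECT IF(SUM(acctinputoctets + acctoutputoctets) > 4294967296, 1, 0) FROM radacct WHERE username = '%{User-Name}'}" == "1") {
		# Over quota: originate a Disconnect-Request to the NAS that
		# sent this accounting packet (see originate-coa).
		update disconnect {
			User-Name = "%{User-Name}"
			Acct-Session-Id = "%{Acct-Session-Id}"
			NAS-IP-Address = "%{NAS-IP-Address}"
		}
	}
}
```

If the query returns no row the xlat expands to an empty string, so the comparison fails closed and no Disconnect-Request is sent.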


Re: well almost got FR 3.0 to compile on OS X :-)

2013-10-09 Thread Alex Sharaz
o.k. different method of getting talloc onto machine :-)
I used 

curl -s https://raw.github.com/rudix-mac/package-manager/master/rudix.py | sudo 
python - install rudix

then 

rudix install talloc

:-))

On 9 Oct 2013, at 11:54, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 9 Oct 2013, at 11:21, Alex Sharaz alex.sha...@york.ac.uk wrote:
 
 you don't know how hard it was to wait till the official release :-)
 A
 
 
 brew install talloc
 brew link talloc
 ./configure
 make
 make install
 
 ?
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 


Re: FR3 Debugging Switches

2013-10-09 Thread Arran Cudbard-Bell

On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote:

 Adam Bishop wrote:
 It appears the debugging switches don't work quite as I'd expect in 
 FreeRADIUS 3 when RadSec is configured.
 
  Yes.  Because of OpenSSL limitations, the server MUST have multiple
 threads when using radsec.

Isn't it required for doing any RADIUS over TCP?


Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Managing Data Volume Control More Than 4GB FR CoovaChilli

2013-10-09 Thread Russell Mike
Thanks Alan D

understood. I will use unlang in accounting.
Thanks

On Wednesday, October 9, 2013, Alan DeKok wrote:

 Russell Mike wrote:
  So if you want to do something when the user's traffic is over the quota,
  you have to do it in the accounting section.
 
  Could you please kindly indicate what should i do there ? i tried to
  perform the check again when user is online by adding counter entry in
  *session* section. but did not work either.

   Uh... you do know that session is not the same as accounting, right?

   Why are you doing something wrong?

  I am not very clear how to update mysql db  perform the check on
  frequent basis. base on the output from the counter module
  (ok,noop,etc..), i understand how to update the reply from un-lang to
  log off user.

   Do you understand what the server does when it receives an accounting
 packet?

   Have you tried running the server in debugging mode, and seeing what
 happens when it receives an accounting packet?

   Do that before asking more questions.  Watch the server go update SQL.

   Now... how do you query SQL (independent of RADIUS) to see if the
 user's session is over quota?

   Then... put that query into the accounting section, via unlang.
 Check if the user is over quota.  If so, send a disconnect message.

   See raddb/sites-available/originate-coa for examples of originating a
 disconnect message.

   Alan DeKok.


Re: Version 3.0.0 has been released

2013-10-09 Thread John Dennis
On 10/07/2013 04:18 PM, Alan DeKok wrote:
   After many years of development, the FreeRADIUS team is happy to
 announce Version 3 of the world's most popular server.  The release was
 delayed from June in order to track down and solve a number of
 last-minute issues.  We'd like to thank all of the beta testers for
 helping with that process.
 
   The release announcement is available on the web site:
 
 http://freeradius.org/press/index.html#3.0.0

3.0 is not on the download page http://freeradius.org/download.html nor
is there a download link on the above announcement page.

BTW, I do know I can get it directly from
ftp://ftp.freeradius.org/pub/freeradius/ but there should be links.


-- 
John


Re: FR3 Debugging Switches

2013-10-09 Thread Phil Mayers

On 09/10/13 16:36, Arran Cudbard-Bell wrote:


On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote:


Adam Bishop wrote:

It appears the debugging switches don't work quite as I'd expect in FreeRADIUS 
3 when RadSec is configured.


  Yes.  Because of OpenSSL limitations, the server MUST have multiple
threads when using radsec.


Isn't it required for doing any RADIUS over TCP?


Perhaps architecturally, but not inherently; you could, at least in theory:

 1. Receive 4-byte length
 2. Sanity-check the length
 3. Allocate buffer
 4. Read on TCP socket non-blocking in normal select loop until you've 
filled the buffer
 5. Parse packet from buffer, dispatch packet

SSL presents the slight (ahem) complication of having to route the 
read/write via a memory BIO and check for the want read / want write 
state (same way EAP does).


So... it's almost certainly *easier* and more sanity-preserving from a 
development PoV to use threads ;o)



Re: Version 3.0.0 has been released

2013-10-09 Thread Alan DeKok
John Dennis wrote:
 3.0 is not on the download page http://freeradius.org/download.html nor
 is there a download link on the above announcement page.

  The announcement says: Version 3.0.0 (sig) has been released...

  The 3.0.0 is a link.

  I've added a link on the download page.

  Alan DeKok.


Re: FR3 Debugging Switches

2013-10-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Isn't it required for doing any RADIUS over TCP?

  Nope.  Only SSL.

  The reason is that sometimes reading from an SSL socket requires SSL
writing data to the other end.  So you end up with both ends waiting for
something.  And that knowledge is buried inside of OpenSSL.

  Having threads means that each thread can wait without blocking
anything else.

  It can probably be fixed, but it's hard.

  Alan DeKok.


Re: FR3 Debugging Switches

2013-10-09 Thread Alan DeKok
Phil Mayers wrote:
 Perhaps architecturally, but not inherently; you could, at least in theory:
 
  1. Receive 4-byte length
  2. Sanity-check the length
  3. Allocate buffer
  4. Read on TCP socket non-blocking in normal select loop until you've
 filled the buffer
  5. Parse packet from buffer, dispatch packet

  That is *exactly* what the server does for TCP.

  Alan DeKok.
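As an added example (not FreeRADIUS code) of the single-threaded read loop Phil sketches and Alan confirms for plain TCP: a per-connection reader for RADIUS over TCP that copes with arbitrary chunking from a select() loop and rejects an out-of-range Length before sizing any buffer on it. The RADIUS length bounds (20 to 4096 bytes) and the sample packet are my assumptions, not taken from the thread.

```python
import struct

RADIUS_HDR_LEN = 4      # Code(1) Identifier(1) Length(2)
RADIUS_MIN_LEN = 20     # header + 16-byte Authenticator
RADIUS_MAX_LEN = 4096   # assumed upper bound (RFC 2865 / RFC 6613)


class FramingError(Exception):
    """Peer announced a Length outside the sanity bounds; drop the connection."""


class RadiusTcpReader:
    """Per-connection state for a select() loop: feed() whatever recv() returned."""

    def __init__(self):
        self._buf = bytearray()
        self._need = RADIUS_HDR_LEN  # bytes required before the next step

    def feed(self, chunk):
        """Absorb one chunk (steps 4/5); return the complete packets it finished."""
        self._buf += chunk
        packets = []
        while len(self._buf) >= self._need:
            if self._need == RADIUS_HDR_LEN:
                # Steps 1-3: header is in; validate Length *before* sizing
                # anything on it, so a hostile peer cannot force a huge buffer.
                (length,) = struct.unpack_from("!H", self._buf, 2)
                if not RADIUS_MIN_LEN <= length <= RADIUS_MAX_LEN:
                    raise FramingError("RADIUS Length %d out of range" % length)
                self._need = length
                continue  # re-check: the body may already be buffered
            packet = bytes(self._buf[:self._need])  # step 5: one whole packet
            del self._buf[:self._need]
            self._need = RADIUS_HDR_LEN
            packets.append(packet)
        return packets


# Constructed sample: an Access-Request (code 1, id 7) with an all-zero
# Authenticator and no attributes, 20 bytes in total.
SAMPLE_PACKET = bytes([1, 7, 0, 20]) + bytes(16)


def demo_split_delivery():
    """Frame SAMPLE_PACKET twice from chunks that straddle packet boundaries."""
    reader = RadiusTcpReader()
    stream = SAMPLE_PACKET + SAMPLE_PACKET
    out = []
    for chunk in (stream[:3], stream[3:25], stream[25:]):
        out.extend(reader.feed(chunk))
    return out
```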