Re[2]: authentetication with mysql and NAS type= other
oh, sorry but that username could be authenticated)

mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
| 11 | user            | Cleartext-Password | := | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+

08 December 2011, 11:51 from Alan DeKok-2 [via FreeRadius] ml-node+s1045715n5057987...@n5.nabble.com:

> Толик Шавловский wrote:
> > Hi,
> > mysql> use freeradius;
> > Database changed
> > mysql> select * from radcheck;
> > +----+----------+-----------+----+-------+
> > | id | username | attribute | op | value |
> > +----+----------+-----------+----+-------+
> > |  1 | user     | Password  | == | user  |
>
> Change that to Cleartext-Password and :=, like the other entries.
>
> > all usernames are authenticated for WiFi. Wimax cannot.
>
> Post the debug output for WiMAX. Honestly, I don't see why *anyone* needs to be told this.
>
> Alan DeKok.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/authentetication-with-mysql-and-NAS-type-other-tp5055689p5058005.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[3]: authentetication with mysql and NAS type= other
= Framed-User
    NAS-IP-Address = 10.169.33.11
    Acct-Delay-Time = 15
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 13258,Client-IP-Address = 10.169.33.11,NAS-IP-Address = 10.169.33.11,Acct-Session-Id = 3308,User-Name = user'
[acct_unique] Acct-Unique-Session-ID = 45341f9e68e705da.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.169.33.11/detail-20111207
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.169.33.11/detail-20111207
[detail] expand: %t -> Wed Dec 7 10:17:51 2011
++[detail] returns ok
++[unix] returns fail
Finished request 88.
Cleaning up request 88 ID 90 with timestamp +229
Going to the next request
Ready to process requests.
=== simultaneous-use not working((

mysql> select * from radcheck;
+----+----------------+--------------------+----+------------------+
| id | username       | attribute          | op | value            |
+----+----------------+--------------------+----+------------------+
| 11 | user           | Cleartext-Password | := | user             |
|  3 | [hidden email] | Cleartext-Password | := | test             |
|  5 | [hidden email] | Cleartext-Password | := | test             |
| 10 | user           | Simultaneous-Use   | := | 1                |
|  8 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+----------------+--------------------+----+------------------+

08 December 2011, 11:59 from tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru:

> oh, sorry but that username could be authenticated)
>
> mysql> select * from radcheck;
> +----+----------------+--------------------+----+------------------+
> | id | username       | attribute          | op | value            |
> +----+----------------+--------------------+----+------------------+
> | 11 | user           | Cleartext-Password | := | user             |
> |  3 | [hidden email] | Cleartext-Password | := | test             |
> |  5 | [hidden email] | Cleartext-Password | := | test             |
> | 10 | user           | Simultaneous-Use   | := | 1                |
> |  8 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+----------------+--------------------+----+------------------+
>
> 08 December 2011, 11:51 from Alan DeKok-2 [via FreeRadius] [hidden email]:
>
> > Толик Шавловский wrote:
> > > Hi,
> > > mysql> use freeradius;
> > > Database changed
> > > mysql> select * from radcheck;
> > > +----+----------+-----------+----+-------+
> > > | id | username | attribute | op | value |
> > > +----+----------+-----------+----+-------+
> > > |  1 | user     | Password  | == | user  |
> >
> > Change that to Cleartext-Password and :=, like the other entries.
> >
> > > all usernames are authenticated for WiFi. Wimax cannot.
> >
> > Post the debug output for WiMAX. Honestly, I don't see why *anyone* needs to be told this.
> >
> > Alan DeKok.
RE: Re[6]: authentetication with mysql and NAS type= other
Actually the 5.x GHz Extreme product is a fully 16e protocol, just not WiMax certified. The 4-Motion product is fully WiMax certified as you point out.

WiMax as a protocol uses EAP-TTLS/TLS and does not send the username in the outer tunnel. If you watch the debug you will see the username unencrypted in the inner-tunnel portion of the authentication.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Thursday, December 08, 2011 2:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[6]: authentetication with mysql and NAS type= other

> David, usually Alvarion WIMAX 802.16 is 4M products. Extreme is 802.16 standard but for nonWiMAX band = 5 GHz.
> All Alvarion hexes username, like [hidden email]
> So, you just guess it was Extreme?))
>
> 07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] [hidden email]:
>
> > I know it’s Extreme because we sell Alvarion WiMax for all of North America :)
> >
> > Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine.
> >
> > The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]
> >
> > David
> >
> > From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
> > Sent: Wednesday, December 07, 2011 11:03 AM
> > To: [hidden email]
> > Subject: Re[4]: authentetication with mysql and NAS type= other
> >
> > > [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
> > > [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
RE: Re[2]: authentetication with mysql and NAS type= other
Hey Alan,

I responded off list by accident but his real problem is that his Framed-Filter-Id is not formatted properly for his NAS.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Thursday, December 08, 2011 2:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[2]: authentetication with mysql and NAS type= other

> oh, sorry but that username could be authenticated)
>
> mysql> select * from radcheck;
> +----+----------------+--------------------+----+------------------+
> | id | username       | attribute          | op | value            |
> +----+----------------+--------------------+----+------------------+
> | 11 | user           | Cleartext-Password | := | user             |
> |  3 | [hidden email] | Cleartext-Password | := | test             |
> |  5 | [hidden email] | Cleartext-Password | := | test             |
> | 10 | user           | Simultaneous-Use   | := | 1                |
> |  8 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | [hidden email] | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+----------------+--------------------+----+------------------+
>
> 08 December 2011, 11:51 from Alan DeKok-2 [via FreeRadius] [hidden email]:
>
> > Толик Шавловский wrote:
> > > Hi,
> > > mysql> use freeradius;
> > > Database changed
> > > mysql> select * from radcheck;
> > > +----+----------+-----------+----+-------+
> > > | id | username | attribute | op | value |
> > > +----+----------+-----------+----+-------+
> > > |  1 | user     | Password  | == | user  |
> >
> > Change that to Cleartext-Password and :=, like the other entries.
> >
> > > all usernames are authenticated for WiFi. Wimax cannot.
> >
> > Post the debug output for WiMAX. Honestly, I don't see why *anyone* needs to be told this.
> >
> > Alan DeKok.
Re[8]: authentetication with mysql and NAS type= other
how can I see inner-tunnel portion? from debug?
so, u didn't answer, how did u know it was extreme?)

08 December 2011, 16:20 from David Peterson-19 [via FreeRadius] ml-node+s1045715n5058598...@n5.nabble.com:

> Actually the 5.x GHz Extreme product is a fully 16e protocol, just not WiMax certified. The 4-Motion product is fully WiMax certified as you point out.
>
> WiMax as a protocol uses EAP-TTLS/TLS and does not send the username in the outer tunnel. If you watch the debug you will see the username unencrypted in the inner-tunnel portion of the authentication.
>
> David
>
> From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
> Sent: Thursday, December 08, 2011 2:34 AM
> To: [hidden email]
> Subject: Re[6]: authentetication with mysql and NAS type= other
>
> > David, usually Alvarion WIMAX 802.16 is 4M products. Extreme is 802.16 standard but for nonWiMAX band = 5 GHz.
> > All Alvarion hexes username, like [hidden email]
> > So, you just guess it was Extreme?))
> >
> > 07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] [hidden email]:
> >
> > > I know it’s Extreme because we sell Alvarion WiMax for all of North America :)
> > >
> > > Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine.
> > >
> > > The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]
> > >
> > > David
> > >
> > > From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
> > > Sent: Wednesday, December 07, 2011 11:03 AM
> > > To: [hidden email]
> > > Subject: Re[4]: authentetication with mysql and NAS type= other
> > >
> > > > [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
> > > > [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
authentetication with mysql and NAS type= other
Dear All,

I installed FR v 2.1.2 and mysql 5.1.55. user database is in mysql DB.

1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.
2. my wimax users (vendor Alvarion) cannot authenticate. Although, I can authenticate them from users file.

what can be a problem? thanks.
Re: authentetication with mysql and NAS type= other
tolik_shavlov...@mail.ru wrote:
> 1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.

See the FAQ for "it doesn't work"

> 2. my wimax users (vendor Alvarion) cannot authenticate. Although, I can authenticate them from users file.

Without the debug log, it's impossible to know.

> what can be a problem?

You didn't follow the existing documentation.

Alan DeKok.
Re[2]: authentetication with mysql and NAS type= other
/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t -> Tue Dec 6 17:00:22 2011
++[detail] returns ok
++[unix] returns fail
Finished request 101.
Cleaning up request 101 ID 11 with timestamp +645
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, length=135
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Acct-Status-Type = Stop
    Acct-Session-Id = KeepAliveSessionId
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t -> Tue Dec 6 17:00:27 2011
++[detail] returns ok
++[unix] returns fail
Finished request 102.
Cleaning up request 102 ID 11 with timestamp +650
Going to the next request
Ready to process requests.

07 December 2011, 18:37 from Alan DeKok-2 [via FreeRadius] ml-node+s1045715n5055831...@n5.nabble.com:

> [hidden email] wrote:
> > 1. I was lucky to auth Wifi users via cisco AP (NAS type cisco). but Simultaneous-Use is not working.
>
> See the FAQ for "it doesn't work"
>
> > 2. my wimax users (vendor Alvarion) cannot authenticate. Although, I can authenticate them from users file.
>
> Without the debug log, it's impossible to know.
>
> > what can be a problem?
>
> You didn't follow the existing documentation.
>
> Alan DeKok.
RE: Re[2]: authentetication with mysql and NAS type= other
The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Wednesday, December 07, 2011 10:05 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[2]: authentetication with mysql and NAS type= other

> here is debug:
>
> ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
>     User-Name = KeepAliveUserNameAndPassword
>     NAS-IP-Address = 10.152.98.23
>     NAS-Port-Type = Wireless-802.16
>     NAS-Port = 0
>     Calling-Station-Id = \000\000\000\000\000
>     NAS-Identifier = 1137128000
>     WiMAX-GMT-Timezone-offset = 0
>     Acct-Status-Type = Stop
>     Acct-Session-Id = KeepAliveSessionId
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
> [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
> [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
> [detail] expand: %t -> Tue Dec 6 16:59:07 2011
> ++[detail] returns ok
> ++[unix] returns fail
> Finished request 98.
> Cleaning up request 98 ID 10 with timestamp +570
> Going to the next request
> Ready to process requests.
> rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
>     User-Name = KeepAliveUserNameAndPassword
>     NAS-IP-Address = 10.152.98.23
>     NAS-Port-Type = Wireless-802.16
>     NAS-Port = 0
>     Calling-Station-Id = \000\000\000\000\000
>     NAS-Identifier = 1137128000
>     WiMAX-GMT-Timezone-offset = 0
>     Acct-Status-Type = Stop
>     Acct-Session-Id = KeepAliveSessionId
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
> [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
> [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
> [detail] expand: %t -> Tue Dec 6 16:59:12 2011
> ++[detail] returns ok
> ++[unix] returns fail
> Finished request 99.
> Cleaning up request 99 ID 10 with timestamp +575
> Going to the next request
> Ready to process requests.
> rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, length=135
>     User-Name = KeepAliveUserNameAndPassword
>     NAS-IP-Address = 10.152.98.23
>     NAS-Port-Type = Wireless-802.16
>     NAS-Port = 0
>     Calling-Station-Id = \000\000\000\000\000
>     NAS-Identifier = 1137128000
>     WiMAX-GMT-Timezone-offset = 0
>     Acct-Status-Type = Stop
>     Acct-Session-Id = KeepAliveSessionId
> # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group preacct {...}
> ++[preprocess] returns ok
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
> [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
> ++[acct_unique] returns ok
> [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> ++[files] returns noop
> # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group accounting {...}
> [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
> [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
> [detail] expand: %t -> Tue Dec 6 17:00:17 2011
> ++[detail] returns ok
> ++[unix] returns fail
> Finished
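The triage described in the message above (separating base-station keep-alives from real subscriber authentication attempts), as an added example that is not part of any message in this thread. It assumes raw FreeRADIUS debug output with one attribute per line; the sample text is constructed, its third request (an EAP attempt) is invented for contrast, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# User-Name the base station puts in its keep-alive packets (value from the thread's log).
KEEPALIVE_USER = "KeepAliveUserNameAndPassword"

# Constructed sample. Requests 101 and 247 follow the shape of the thread's
# debug output; request 248 (EAP from a subscriber) is invented for contrast.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=11, length=135
        User-Name = KeepAliveUserNameAndPassword
        NAS-Port-Type = Wireless-802.16
        Acct-Status-Type = Stop
        Acct-Session-Id = KeepAliveSessionId
++[preprocess] returns ok
++[detail] returns ok
++[unix] returns fail
Finished request 101.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
        User-Name = KeepAliveUserNameAndPassword
        NAS-Port-Type = Wireless-802.16
        User-Password = KeepAliveUserNameAndPassword
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Finished request 247.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=178, length=210
        User-Name = "anonymous@wimax.example"
        NAS-Port-Type = Wireless-802.16
        EAP-Message = 0x020100060161
++[eap] returns updated
Finished request 248.
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z][\w-]*) = (.*)$")
MODULE_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
FINISH_RE = re.compile(r"^Finished request (\d+)")


@dataclass
class Request:
    packet_type: str
    nas: str
    packet_id: int
    attrs: dict = field(default_factory=dict)    # attributes from the packet dump
    modules: dict = field(default_factory=dict)  # module name -> last return code
    errors: list = field(default_factory=list)
    number: Optional[int] = None


def parse_debug(text):
    """Split debug output into one Request per rad_recv block."""
    requests, cur, in_attrs = [], None, False
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = Request(m.group(1), m.group(2), int(m.group(3)))
            requests.append(cur)
            in_attrs = True
            continue
        if cur is None:
            continue
        if in_attrs:
            m = ATTR_RE.match(line)
            if m:  # indented "Name = value" lines directly after rad_recv
                cur.attrs[m.group(1)] = m.group(2).strip().strip('"')
                continue
            in_attrs = False
        m = MODULE_RE.match(line)
        if m:
            cur.modules[m.group(1)] = m.group(2)
        elif line.startswith("ERROR:"):
            cur.errors.append(line[len("ERROR:"):].strip())
        else:
            m = FINISH_RE.match(line)
            if m:
                cur.number = int(m.group(1))
    return requests


def classify(req):
    """Label a request so keep-alive noise can be filtered out."""
    if req.attrs.get("User-Name") == KEEPALIVE_USER:
        return "keepalive"
    if req.packet_type != "Access-Request":
        return "non-auth"
    if "EAP-Message" in req.attrs:
        return "eap-auth"
    if "User-Password" in req.attrs:
        return "pap-auth"
    return "other-auth"


def triage(text):
    return [{"request": r.number, "type": r.packet_type,
             "user": r.attrs.get("User-Name"), "kind": classify(r),
             "sql": r.modules.get("sql"),
             "rejected": any("Rejecting the user" in e for e in r.errors)}
            for r in parse_debug(text)]


def subscriber_attempts(text):
    """Access-Requests that are not keep-alives, i.e. real CPE logins."""
    return [row for row in triage(text) if row["kind"].endswith("-auth")]


if __name__ == "__main__":
    for row in triage(SAMPLE_DEBUG):
        print(row)
```

An empty result from `subscriber_attempts` on a capture means the log holds only keep-alive traffic, so the reject lines in it say nothing about subscriber credentials.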
Re[4]: authentetication with mysql and NAS type= other
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword'
[acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radacct/10.152.98.23/detail-20111206
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206
[detail] expand: %t -> Tue Dec 6 17:57:06 2011
++[detail] returns ok
++[unix] returns fail
Finished request 247.
Cleaning up request 247 ID 56 with timestamp +1802
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Port = 0
    Calling-Station-Id = \000\000\000\000\000
    NAS-Identifier = 1137128000
    WiMAX-GMT-Timezone-offset = 0
    Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523
    Acct-Session-Id = KeepAliveSessionId
    User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user --> 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli )
=== login and password are correct!

how did you know that it's extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] ml-node+s1045715n5055966...@n5.nabble.com:

> The only requests I see are User-Name = KeepAliveUserNameAndPassword
>
> This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.
Re: Re[4]: authentetication with mysql and NAS type= other
On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru wrote:
> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
> SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority

What do you get when you execute those two queries in mysql directly?

> [sql] User KeepAliveUserNameAndPassword not found

The sql module says the user is not found. It doesn't lie.

> === login and password are correct!

And how did you know that? Did you set up the tables correctly? Hint: execute those two queries above.

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re[4]: authentetication with mysql and NAS type= other
I know it’s Extreme because we sell Alvarion WiMax for all of North America :)

Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine. The Extreme uses EAP-TTLS as does all WiMax so the username should be something like da...@wimax.com

David

From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of tolik_shavlov...@mail.ru
Sent: Wednesday, December 07, 2011 11:03 AM
To: freeradius-users@lists.freeradius.org
Subject: Re[4]: authentetication with mysql and NAS type= other

[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword' [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5. ++[acct_unique] returns ok [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206 [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206 [detail] expand: %t - Tue Dec 6 17:57:06 2011 ++[detail] returns ok ++[unix] returns fail Finished request 247. Cleaning up request 247 ID 56 with timestamp +1802 Going to the next request Ready to process requests.
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181 User-Name = KeepAliveUserNameAndPassword NAS-IP-Address = 10.152.98.23 NAS-Port-Type = Wireless-802.16 NAS-Port = 0 Calling-Station-Id = \000\000\000\000\000 NAS-Identifier = 1137128000 WiMAX-GMT-Timezone-offset = 0 Message-Authenticator = 0x892bc16577cd6753b2a7e0c0a3499523 Acct-Session-Id = KeepAliveSessionId User-Password = KeepAliveUserNameAndPassword # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} - KeepAliveUserNameAndPassword [sql] sql_set_user escaped user -- 'KeepAliveUserNameAndPassword' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 [sql] User KeepAliveUserNameAndPassword not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No known good password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. 
Login incorrect: [KeepAliveUserNameAndPassword/KeepAliveUserNameAndPassword] (from client 10.152.98.23/16 port 0 cli )

=== login and password are correct!

How did you know that it's Extreme by NAS identifier?

07 December 2011, 19:16 from David Peterson-19 [via FreeRadius] [hidden email]:

The only requests I see are User-Name = KeepAliveUserNameAndPassword

This is just a keep-alive packet all Alvarion Extreme base stations send out. I do not see the CPE attempting to authenticate.

David

From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
Sent: Wednesday, December 07, 2011 10:05 AM
To: [hidden email]
Subject: Re[2]: authentetication with mysql and NAS type= other

here is debug:

ad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135 User-Name = KeepAliveUserNameAndPassword NAS-IP-Address = 10.152.98.23 NAS-Port-Type = Wireless-802.16 NAS-Port = 0 Calling-Station-Id = \000\000\000\000\000 NAS-Identifier = 1137128000 WiMAX-GMT-Timezone-offset = 0 Acct-Status-Type = Stop Acct-Session-Id = KeepAliveSessionId # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns
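The triage David does by eye on the debug output, as an added example (not code from the thread or from FreeRADIUS): it splits debug-mode output into requests and reports which are base-station keep-alives and why a request was rejected. The sample log is constructed: the first two requests are re-broken from the flattened debug output in this thread, and the third (`cpe1@wimax.example` with an EAP-Message) is invented for contrast.

```python
import re

KEEPALIVE_USER = "KeepAliveUserNameAndPassword"  # User-Name seen in the thread's debug output

# Constructed sample. Requests 1 and 2 follow the thread's log; request 3 is invented.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=177, length=181
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    NAS-Port-Type = Wireless-802.16
    NAS-Identifier = 1137128000
    User-Password = KeepAliveUserNameAndPassword
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
++[preprocess] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] User KeepAliveUserNameAndPassword not found
++[sql] returns notfound
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
rad_recv: Accounting-Request packet from host 10.152.98.23 port 49157, id=10, length=135
    User-Name = KeepAliveUserNameAndPassword
    NAS-IP-Address = 10.152.98.23
    Acct-Status-Type = Stop
    Acct-Session-Id = KeepAliveSessionId
++[preprocess] returns ok
++[detail] returns ok
++[unix] returns fail
rad_recv: Access-Request packet from host 10.152.98.23 port 49154, id=178, length=210
    User-Name = cpe1@wimax.example
    NAS-IP-Address = 10.152.98.23
    EAP-Message = 0x0201001701637065314077696d61782e6578616d706c65
++[eap] returns updated
"""

# "r?ad_recv" also accepts the clipped "ad_recv:" that appears in the pasted log.
HEADER = re.compile(r"^r?ad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
MODULE = re.compile(r"^\s*\++\[(\w+)\] returns (\w+)")


def parse_requests(text):
    """Split debug output into one record per received packet."""
    requests, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"code": m.group(1), "src": m.group(2), "id": int(m.group(4)),
                   "attrs": {}, "modules": {}, "messages": []}
            requests.append(cur)
            continue
        if cur is None:
            continue  # server start-up chatter before the first packet
        m = ATTR.match(line)
        if m:
            cur["attrs"][m.group(1)] = m.group(2).strip()
            continue
        m = MODULE.match(line)
        if m:
            cur["modules"][m.group(1)] = m.group(2)  # last return code per module
            continue
        if "WARNING" in line or line.startswith("ERROR"):
            cur["messages"].append(line.strip())
    return requests


def triage(req):
    """Return human-readable findings for one parsed request."""
    findings = []
    if req["attrs"].get("User-Name") == KEEPALIVE_USER:
        findings.append("base-station keep-alive, not a subscriber")
    if req["code"] != "Access-Request":
        findings.append("not an authentication request")
        return findings
    if "EAP-Message" in req["attrs"]:
        findings.append("EAP conversation (subscriber authentication)")
    if req["modules"].get("sql") == "notfound":
        findings.append("no radcheck/radusergroup rows for this User-Name")
    if any("No known good password" in m for m in req["messages"]):
        findings.append("pap had no password to compare against")
    if any("No authenticate method" in m for m in req["messages"]):
        findings.append("rejected: no Auth-Type was set")
    return findings


def subscriber_attempts(requests):
    """Access-Requests that are not the keep-alive probe."""
    return [r for r in requests
            if r["code"] == "Access-Request"
            and r["attrs"].get("User-Name") != KEEPALIVE_USER]


if __name__ == "__main__":
    for r in parse_requests(SAMPLE_DEBUG):
        print(r["code"], r["id"], r["attrs"].get("User-Name"), triage(r))
```

If `subscriber_attempts` comes back empty for a capture, the log contains no CPE login at all, which is the situation the replies in this thread describe.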
Re[6]: authentetication with mysql and NAS type= other
David, usually Alvarion WiMAX 802.16 is 4M products. Extreme is 802.16 standard but for nonWiMAX band = 5 GHz. All Alvarion hexes username, like 97697...@wimax.com

So, you just guess it was Extreme?))

07 December 2011, 20:33 from David Peterson-19 [via FreeRadius] ml-node+s1045715n5056216...@n5.nabble.com:

> I know it’s Extreme because we sell Alvarion WiMax for all of North America :)
>
> Keepaliveusernameandpassword is a generic request coming from the BTS which can either be accepted or denied. Either response is fine. The Extreme uses EAP-TTLS as does all WiMax so the username should be something like [hidden email]
>
> David
>
> From: freeradius-users-bounces+david.peterson=[hidden email] [mailto:freeradius-users-bounces+david.peterson=[hidden email]] On Behalf Of [hidden email]
> Sent: Wednesday, December 07, 2011 11:03 AM
> To: [hidden email]
> Subject: Re[4]: authentetication with mysql and NAS type= other
>
> [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.152.98.23,NAS-IP-Address = 10.152.98.23,Acct-Session-Id = KeepAliveSessionId,User-Name = KeepAliveUserNameAndPassword' [acct_unique] Acct-Unique-Session-ID = d83a716ff7f93aa5. ++[acct_unique] returns ok [suffix] No '@' in User-Name = KeepAliveUserNameAndPassword, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default +- entering group accounting {...} [detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d - /var/log/radacct/10.152.98.23/detail-20111206 [detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radacct/10.152.98.23/detail-20111206 [detail] expand: %t - Tue Dec 6 17:57:06 2011 ++[detail] returns ok ++[unix] returns fail Finished request 247. Cleaning up request 247 ID 56 with timestamp +1802 Going to the next request Ready to process requests.
Re[6]: authentetication with mysql and NAS type= other
Hi,

mysql> use freeradius;
Database changed
mysql> select * from radcheck;
+----+-----------------+--------------------+----+------------------+
| id | username        | attribute          | op | value            |
+----+-----------------+--------------------+----+------------------+
|  1 | user            | Password           | == | user             |
|  3 | t...@wimax.com  | Cleartext-Password | := | test             |
|  5 | te...@wimax.com | Cleartext-Password | := | test             |
| 10 | user            | Simultaneous-Use   | := | 1                |
|  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
|  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
+----+-----------------+--------------------+----+------------------+

user is for WiFi test and tes1 is for WiMAX.

All usernames are authenticated for WiFi. WiMAX cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug?? When I used the users file in FR with the same usernames, it was ok. I really use the same usernames for auth in my WiMAX CPEs.

07 December 2011, 20:17 from Fajar A. Nugraha l...@fajar.net:

> On Wed, Dec 7, 2011 at 11:02 PM, tolik_shavlov...@mail.ru tolik_shavlov...@mail.ru wrote:
> > SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY id
> > SELECT groupname FROM radusergroup WHERE username = 'KeepAliveUserNameAndPassword' ORDER BY priority
>
> What do you get when you execute those two queries in mysql directly?
>
> > [sql] User KeepAliveUserNameAndPassword not found
>
> The sql module says the user is not found. It doesn't lie.
>
> > === login and password are correct!
>
> And how did you know that? Did you set up the tables correctly? Hint: execute those two queries above.
>
> --
> Fajar
Re: Re[6]: authentetication with mysql and NAS type= other
2011/12/8 Толик Шавловский tolik_shavlov...@mail.ru:
> Hi,
>
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |
> |  3 | t...@wimax.com  | Cleartext-Password | := | test             |
> |  5 | te...@wimax.com | Cleartext-Password | := | test             |
> | 10 | user            | Simultaneous-Use   | := | 1                |
> |  8 | t...@wimax.com  | Framed-Filter-Id   | := | SP=data:MSF=data |
> |  9 | te...@wimax.com | Framed-Filter-Id   | := | SP=data:MSF=data |
> +----+-----------------+--------------------+----+------------------+

There's no user called 'KeepAliveUserNameAndPassword'

> Wimax cannot. I don't know why it uses username = 'KeepAliveUserNameAndPassword', like in the debug??

Because the NAS sends it. If you think it shouldn't, examine the NAS config. Or ask the NAS vendor. The log doesn't lie.

Did you ACTUALLY test authentication with a client connecting to the NAS? Or did you just start up FR in debug mode and hope there would be a packet from the NAS?

--
Fajar
Re: authentetication with mysql and NAS type= other
Толик Шавловский wrote:
> Hi,
>
> mysql> use freeradius;
> Database changed
> mysql> select * from radcheck;
> +----+-----------------+--------------------+----+------------------+
> | id | username        | attribute          | op | value            |
> +----+-----------------+--------------------+----+------------------+
> |  1 | user            | Password           | == | user             |

Change that to Cleartext-Password and :=, like the other entries.

> all usernames are authenticated for WiFi. Wimax cannot.

Post the debug output for WiMAX.

Honestly, I don't see why *anyone* needs to be told this.

Alan DeKok.
Re: Dynamic Attributes Based on NAS Type !
That's also the way we do it.

On Sat, Oct 8, 2011 at 7:48 PM, Michael Hartwick hartw...@hartwick.com wrote:
> It may not be pretty, but why not just send all 3 sets of VSA’s. If the NAS doesn’t recognize it won’t it just ignore the attribute?
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote:
> If you read it 'one of the ideas of having different virtual servers is separation of policies for different NASses' you are right. Suman was asking on how to send several NASses into the same policy.

The simplest way to do it is to set *generic* policies, and then re-write them in post-auth. For example, define a Policy-Name attribute in the dictionary, and set it somewhere in the authorize section. Then:

    post-auth {
        ...
        if ("%{client:nas_type}" == "foo") {
            # map policies for client foo
        }
        elsif ("%{client:nas_type}" == "bar") {
            # map policies for client bar
        }
        ...
    }

The underlying issue is that different NAS vendors have defined different attributes for the same functionality.

An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does.

Alan DeKok.
Re: Dynamic Attributes Based on NAS Type !
Last night I also dreamt of sending all VSA to NAS but I was not sure what will be the outcome so thanks for the info.

I have never worked with policies but it seems to be important so I will try to learn the same.

Regards
Suman

On Sun, Oct 9, 2011 at 2:01 PM, Alan DeKok al...@deployingradius.com wrote:
> Stefan A. wrote:
> > If you read it 'one of the ideas of having different virtual servers is separation of policies for different NASses' you are right. Suman was asking on how to send several NASses into the same policy.
>
> The simplest way to do it is to set *generic* policies, and then re-write them in post-auth. For example, define a Policy-Name attribute in the dictionary, and set it somewhere in the authorize section. Then:
>
>     post-auth {
>         ...
>         if ("%{client:nas_type}" == "foo") {
>             # map policies for client foo
>         }
>         elsif ("%{client:nas_type}" == "bar") {
>             # map policies for client bar
>         }
>         ...
>     }
>
> The underlying issue is that different NAS vendors have defined different attributes for the same functionality.
>
> An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does.
>
> Alan DeKok.
Re: AW: Dynamic Attributes Based on NAS Type !
I personally use post-auth sections of each of my virtual servers to send different attributes. I find it to be a very clean way to achieve this.

regards

On 08/10/2011 20:02, Wegener, Norbert wrote:
> The general idea is to setup a virtual server for each type of NAS and make sure, that every NAS is loaded into the correct virtual server.
>
> With best regards,
> Norbert Wegener
> Siemens IT Solutions and Services
> AIS MS NC PSU SDC
> Bruchstraße 5
> 45883 Gelsenkirchen, Germany
> Tel.: +49 (209) 94565716
> Fax: +49 (201) 8165581284
> mailto:norbert.wege...@atos.net
>
> Atos IT Solutions and Services GmbH; Management: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles Dehelly; Registered office: Munich, Germany; Register court: Munich, HRB 184933.
>
> From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org [freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] on behalf of Suman Dash [sumand...@gmail.com]
> Sent: Saturday, 8 October 2011 16:39
> To: FreeRadius users mailing list
> Subject: Dynamic Attributes Based on NAS Type !
>
> Hi Everyone ...
>
> Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
>
> In my case I think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same.
>
> I had not tried anything as I have no clue on the same so some highlights on the approach will be a good starting point for me.
>
> Cheers
> Suman

--
http://www.horoa.net
Alexandre Chapellon
Open source systems and network engineering.
Follow me on twitter: @alxgomz http://www.twitter.com/alxgomz
RE: Dynamic Attributes Based on NAS Type !
Alan wrote:
>     if ("%{client:nas_type}" == "foo") {
>         # map policies for client foo
>     }

What would you recommend to do, if your client is a proxy server? NAS-ID?

> An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does.

Nice idea, as long as a NAS vendor does not introduce another or additional way (/attribute) to do things in newer NAS OS versions. In that case you would possibly get in trouble if you have both NAS OS versions in your network and feed them with mixed attributes. Starent did this in the past, where they had a bunch of QoS attributes in one version and a single attribute (177) to handle them all at once in newer versions.

Regards
Stefan
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote:
> What would you recommend to do, if your client is a proxy server? NAS-ID?

No. Don't send policies back. You don't control the NAS. So you have no business sending it NAS-specific policies.

> Nice idea, as long as a NAS vendor does not introduce another or additional way (/attribute) to do things in newer NAS OS versions. In that case you would possibly get in trouble if you have both NAS OS versions in your network and feed them with mixed attributes. Starent did this in the past, where they had a bunch of QoS attributes in one version and a single attribute (177) to handle them all at once in newer versions.

Yes, well, NAS vendors have been known for doing weird things. Hence RFC 6158.

Alan DeKok.
RE: Dynamic Attributes Based on NAS Type !
Alan wrote:
> > What would you recommend to do, if your client is a proxy server? NAS-ID?
>
> No. Don't send policies back. You don't control the NAS. So you have no business sending it NAS-specific policies.

I never talked about sending policies to the NAS.

The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...)

In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server)

Would one use %{NAS-ID} instead of %{client:nas_type}?

Stefan
Re: AW: Dynamic Attributes Based on NAS Type !
I would like to have some insight in using virtual servers. But I am really stuck at the point that if I use virtual server how will be the DB entry look like, i.e. radreply / radgroup reply?

As far I understand, the reply attributes with value should be available in the reply table which matches to those of the NAS.

Regards
Suman

On Sun, Oct 9, 2011 at 4:32 PM, Alexandre Chapellon a.chapel...@horoa.net wrote:
> I personally use post-auth sections of each of my virtual servers to send different attributes. I find it to be a very clean way to achieve this.
>
> regards
>
> On 08/10/2011 20:02, Wegener, Norbert wrote:
> > The general idea is to setup a virtual server for each type of NAS and make sure, that every NAS is loaded into the correct virtual server.
> >
> > With best regards,
> > Norbert Wegener
> > Siemens IT Solutions and Services
> > AIS MS NC PSU SDC
> > Bruchstraße 5
> > 45883 Gelsenkirchen, Germany
> > Tel.: +49 (209) 94565716
> > Fax: +49 (201) 8165581284
> > mailto:norbert.wege...@atos.net
> >
> > Atos IT Solutions and Services GmbH; Management: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles Dehelly; Registered office: Munich, Germany; Register court: Munich, HRB 184933.
> >
> > From: freeradius-users-bounces+norbert.wegener=atos.net@lists.freeradius.org [freeradius-users-bounces+norbert.wegener=atos.net@lists.freeradius.org] on behalf of Suman Dash [sumand...@gmail.com]
> > Sent: Saturday, 8 October 2011 16:39
> > To: FreeRadius users mailing list
> > Subject: Dynamic Attributes Based on NAS Type !
> >
> > Hi Everyone ...
> >
> > Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
> >
> > In my case I think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same.
> >
> > I had not tried anything as I have no clue on the same so some highlights on the approach will be a good starting point for me.
> >
> > Cheers
> > Suman
>
> --
> http://www.horoa.net
> Alexandre Chapellon
> Open source systems and network engineering.
> Follow me on twitter: @alxgomz http://www.twitter.com/alxgomz
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote:
> I never talked about sending policies to the NAS.

That *was* the subject of conversation. If you're not going to talk about that, start a new thread.

> The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...)
> In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server)

Uh... the nas_type field is whatever you want. Put in nas_type = proxy for a proxy server. You can then key off of that, and send *no* NAS-specific attributes back.

> Would one use %{NAS-ID} instead of %{client:nas_type}?

No. The NAS-Identifier is created by the NAS, which may be 2-3 hops away from the proxy.

Alan DeKok.
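A model of the mapping discussed in this thread, as an added example (a Python sketch, not FreeRADIUS configuration and not code from any poster): the NAS type comes from the server's own client table keyed by source address, a generic policy is rendered into that vendor's reply attributes, and a proxy or unrecognised type gets no NAS-specific attributes. The client table, policy names and value formats are assumptions; the attribute names are the ones Suman lists in the thread.

```python
import ipaddress

# Hypothetical client table, standing in for client entries that carry a nas_type field.
# The type is assigned by the server operator per source address; nothing the NAS
# puts in the request (such as NAS-Identifier) is consulted.
CLIENTS = {
    "10.1.0.0/24": "mikrotik",
    "10.2.0.0/16": "chillispot",
    "10.2.5.1/32": "proxy",      # a proxy sitting inside the chillispot range
    "10.3.0.10/32": "cisco",
}

# Generic, vendor-neutral policies (hypothetical names and rates), the role the
# thread gives to a locally defined Policy-Name attribute.
POLICIES = {
    "basic": {"down_kbps": 1024, "up_kbps": 256},
    "premium": {"down_kbps": 8192, "up_kbps": 1024},
}


# Value formats below are assumptions made for the example.
def _mikrotik(p):
    return [("Mikrotik-Rate-Limit", f"{p['up_kbps']}k/{p['down_kbps']}k")]


def _chillispot(p):
    return [("Chillispot-Max-UP", str(p["up_kbps"] * 1000)),
            ("Chillispot-Max-Down", str(p["down_kbps"] * 1000))]


def _cisco(p):
    return [("Cisco-Policy-UP", f"UP-{p['up_kbps']}K"),
            ("Cisco-Policy-Down", f"DOWN-{p['down_kbps']}K")]


# No entry for "proxy": a proxy is keyed off explicitly and gets nothing NAS-specific.
RENDERERS = {"mikrotik": _mikrotik, "chillispot": _chillispot, "cisco": _cisco}


def nas_type_for(src_ip):
    """Longest-prefix match of the packet's source address against CLIENTS."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for cidr, nas_type in CLIENTS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nas_type)
    return best[1] if best else None


def reply_vsas(src_ip, policy_name):
    """Vendor attributes for this client, or [] when type or policy is unknown."""
    render = RENDERERS.get(nas_type_for(src_ip))
    policy = POLICIES.get(policy_name)
    if render is None or policy is None:
        return []  # fail closed: never guess a vendor's attributes
    return render(policy)


if __name__ == "__main__":
    for ip in ("10.1.0.7", "10.2.5.2", "10.2.5.1", "10.3.0.10", "192.0.2.1"):
        print(ip, nas_type_for(ip), reply_vsas(ip, "basic"))
```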
Re: AW: Dynamic Attributes Based on NAS Type !
Suman Dash wrote:
> I would like to have some insight in using virtual servers. But I am really stuck at the point that if i use virtual server how will be the DB entry look like i.e radreply / radgroup reply ?

Exactly the same. You just have check reply attributes.

> As far i understand , the reply attributes with value should be available in the reply table which matches to those of the NAS.

Sure. You don't really need a virtual server for that, though.

Alan DeKok.
RE: Dynamic Attributes Based on NAS Type !
I give up... No time for distorting arguments.

Regards
Stefan

-Original Message-
From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Sunday, October 09, 2011 7:35 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic Attributes Based on NAS Type !

Stefan A. wrote:
> I never talked about sending policies to the NAS.

That *was* the subject of conversation. If you're not going to talk about that, start a new thread.

> The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...)
> In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server)

Uh... the nas_type field is whatever you want. Put in nas_type = proxy for a proxy server. You can then key off of that, and send *no* NAS-specific attributes back.

> Would one use %{NAS-ID} instead of %{client:nas_type}?

No. The NAS-Identifier is created by the NAS, which may be 2-3 hops away from the proxy.

Alan DeKok.
Dynamic Attributes Based on NAS Type !
Hi Everyone ...

Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.

In my case I think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same.

I had not tried anything as I have no clue on the same so some highlights on the approach will be a good starting point for me.

Cheers
Suman
RE: Dynamic Attributes Based on NAS Type !
Suman,

As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this:

we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the existence of a specific VSAs (specified per NAS type) in the request to select the VSAs to be used in responses.

e.g: if we found the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS

This is safe, as we won't see any Starent VSAs in Cisco or Chillispot NASses.

To make this flexible, we have set up our own VSA to configure users QOS, which is then translated into the specific reply attributes for the NAS, the user is currently using.

Regards
Stefan

From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Suman Dash
Sent: Saturday, October 08, 2011 4:40 PM
To: FreeRadius users mailing list
Subject: Dynamic Attributes Based on NAS Type !

Hi Everyone ...

Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.

In my case I think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same.

I had not tried anything as I have no clue on the same so some highlights on the approach will be a good starting point for me.

Cheers
Suman
Re: Dynamic Attributes Based on NAS Type !
To be specific, I am concerned about the QoS VSA's. For example:

Mikrotik NAS - Mikrotik-Rate-Limit
Chillispot - Chillispot-Max-UP, Chillispot-Max-Down
Cisco - Cisco-Policy-UP, Cisco-Policy-Down

Now if the user logged from different NAS's the VSA will differ so it is not possible to have a single entry in radgroupreply or radreply pertaining to a kind of NAS.

I guess that this is not an out of the box feature in freeradius, instead I need to use some kind of custom script in Post-Auth section which will check the NAS Type and reply out the correct VSA's.

I am looking for a unique identifier from NAS by which freeradius can understand what type of NAS it is. I tried it and it seems that I have no control on the Access-Request sent by NAS to freeradius.

The only idea which currently comes into my mind is to use nas.type value in DB but in case the NAS Type is incorrectly specified reply attributes will go nuts. So any idea if there are any unique identifiers?

Regards
Suman

On Sat, Oct 8, 2011 at 9:40 PM, Stefan A. a.freerad...@premit.de wrote:
> Suman,
>
> As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this:
>
> we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the “existence of a specific VSAs” (specified per NAS type) in the request to select the VSAs to be used in responses.
>
> e.g: if we found the Starent Networks VSA ‘SN-Service-Type’ in the request, we reply with ‘SN-QOS-Profile’ to set up QoS
>
> This is safe, as we won’t see any Starent VSAs in Cisco or Chillispot NASses.
>
> To make this flexible, we have set up our own VSA to configure users QOS, which is then translated into the specific reply attributes for the NAS, the user is currently using.
>
> Regards
> Stefan
>
> From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Suman Dash
> Sent: Saturday, October 08, 2011 4:40 PM
> To: FreeRadius users mailing list
> Subject: Dynamic Attributes Based on NAS Type !
>
> Hi Everyone ...
>
> Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
>
> In my case I think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same.
>
> I had not tried anything as I have no clue on the same so some highlights on the approach will be a good starting point for me.
>
> Cheers
> Suman
RE: Dynamic Attributes Based on NAS Type !
It may not be pretty, but why not just send all 3 sets of VSAs? If the NAS doesn't recognize it, won't it just ignore the attribute?

From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org] On Behalf Of Suman Dash
Sent: Saturday, October 08, 2011 13:08
To: FreeRadius users mailing list
Subject: Re: Dynamic Attributes Based on NAS Type !

> To be specific, I am concerned about the QoS VSAs. For example:
>
> Mikrotik NAS - Mikrotik-Rate-Limit
> Chillispot - Chillispot-Max-UP, Chillispot-Max-Down
> Cisco - Cisco-Policy-UP, Cisco-Policy-Down
>
> Now if the user logged from different NAS's the VSA will differ, so it is not possible to have a single entry in radgroupreply or radreply pertaining to a kind of NAS. I guess that this is not an out-of-the-box feature in freeradius; instead I need to use some kind of custom script in the Post-Auth section which will check the NAS Type and reply with the correct VSAs.
>
> I am looking for a unique identifier from the NAS by which freeradius can understand what type of NAS it is. I tried it and it seems that I have no control over the Access-Request sent by the NAS to freeradius.
>
> The only idea which currently comes into my mind is to use the nas.type value in the DB, but in case the NAS Type is incorrectly specified the reply attributes will go nuts. So any idea if there are any unique identifiers?
>
> Regards
> Suman
>
> On Sat, Oct 8, 2011 at 9:40 PM, Stefan A. a.freerad...@premit.de wrote:
>
> Suman,
>
> As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this:
>
> We are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the existence of a specific VSA (specified per NAS type) in the request to select the VSAs to be used in responses.
>
> e.g.: if we found the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS. This is safe, as we won't see any Starent VSAs in Cisco or Chillispot NASses.
>
> To make this flexible, we have set up our own VSA to configure the user's QOS, which is then translated into the specific reply attributes for the NAS the user is currently using.
>
> Regards
> Stefan
>
> From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Suman Dash
> Sent: Saturday, October 08, 2011 4:40 PM
> To: FreeRadius users mailing list
> Subject: Dynamic Attributes Based on NAS Type !
>
> Hi Everyone ...
>
> Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc. and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
>
> In my case I think static reply items are not possible per user or per group, so my question is what trick can be used to achieve the same. I had not tried anything as I have no clue on the same, so some highlights on the approach will be a good starting point for me.
>
> Cheers
> Suman
AW: Dynamic Attributes Based on NAS Type !
The general idea is to set up a virtual server for each type of NAS and make sure that every NAS is loaded into the correct virtual server.

With best regards,
Norbert Wegener
Siemens IT Solutions and Services
AIS MS NC PSU SDC
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@atos.net

Atos IT Solutions and Services GmbH; Management: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles Dehelly; Registered office: Munich, Germany; Commercial register: Munich, HRB 184933.

From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org [freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] on behalf of Suman Dash [sumand...@gmail.com]
Sent: Saturday, 8 October 2011 16:39
To: FreeRadius users mailing list
Subject: Dynamic Attributes Based on NAS Type !

> Hi Everyone ...
>
> Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc. and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
>
> In my case I think static reply items are not possible per user or per group, so my question is what trick can be used to achieve the same. I had not tried anything as I have no clue on the same, so some highlights on the approach will be a good starting point for me.
>
> Cheers
> Suman
RE: Dynamic Attributes Based on NAS Type !
Norbert,

sorry, but you are taking a sledgehammer to crack the nut. If you read it, one of the ideas of having different virtual servers is separation of policies for different NASses; you are right. Suman was asking how to send several NASses into the same policy.

Regards
Stefan

From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Wegener, Norbert
Sent: Saturday, October 08, 2011 8:02 PM
To: FreeRadius users mailing list
Subject: AW: Dynamic Attributes Based on NAS Type !

> The general idea is to set up a virtual server for each type of NAS and make sure that every NAS is loaded into the correct virtual server.
>
> With best regards,
> Norbert Wegener
> Siemens IT Solutions and Services
> AIS MS NC PSU SDC
> Bruchstraße 5
> 45883 Gelsenkirchen, Germany
> Tel.: +49 (209) 94565716
> Fax: +49 (201) 8165581284
> mailto:norbert.wege...@atos.net
>
> Atos IT Solutions and Services GmbH; Management: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles Dehelly; Registered office: Munich, Germany; Commercial register: Munich, HRB 184933.
>
> From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org [freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] on behalf of Suman Dash [sumand...@gmail.com]
> Sent: Saturday, 8 October 2011 16:39
> To: FreeRadius users mailing list
> Subject: Dynamic Attributes Based on NAS Type !
>
> Hi Everyone ...
>
> Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc. and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS.
>
> In my case I think static reply items are not possible per user or per group, so my question is what trick can be used to achieve the same. I had not tried anything as I have no clue on the same, so some highlights on the approach will be a good starting point for me.
>
> Cheers
> Suman
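The selection Stefan describes in this thread (choose the reply VSAs from a vendor attribute seen in the request, and translate one generic per-user QoS setting), modelled in Python as an added example; it is not code from the thread or from FreeRADIUS. Reply attribute names are spelled as in the thread; the marker attributes for Mikrotik, Chillispot and Cisco, the profile names and the value formats are assumptions.

```python
# Added example: requests and replies are modelled as plain dicts.

# Generic per-user QoS setting (stands in for the "own VSA" in the thread).
# Profile names and rates are constructed for this example.
QOS_PROFILES = {
    "bronze": {"up_kbps": 512, "down_kbps": 2048},
    "silver": {"up_kbps": 1024, "down_kbps": 8192},
}


def _starent(name, rates):
    # Pairing from the thread: SN-Service-Type seen -> reply with SN-QOS-Profile.
    return {"SN-QOS-Profile": name}


def _mikrotik(name, rates):
    # Assumed value format: "<upload>k/<download>k".
    return {"Mikrotik-Rate-Limit": f"{rates['up_kbps']}k/{rates['down_kbps']}k"}


def _chillispot(name, rates):
    # Attribute names as written in the thread; the kbit/s unit is an assumption.
    return {
        "Chillispot-Max-UP": rates["up_kbps"],
        "Chillispot-Max-Down": rates["down_kbps"],
    }


def _cisco(name, rates):
    # Assumed convention: policy names are derived from the profile name.
    return {"Cisco-Policy-UP": f"{name}-up", "Cisco-Policy-Down": f"{name}-down"}


# family -> (marker attribute expected in the Access-Request, reply builder).
# Only the Starent marker comes from the thread; the other three markers are
# assumptions and must be checked against what each NAS really sends.
NAS_RULES = {
    "starent": ("SN-Service-Type", _starent),
    "mikrotik": ("Mikrotik-Host-IP", _mikrotik),
    "chillispot": ("ChilliSpot-Version", _chillispot),
    "cisco": ("Cisco-NAS-Port", _cisco),
}


def detect_nas_family(request):
    """Return the one family whose marker is in the request, else None."""
    hits = [fam for fam, (marker, _) in NAS_RULES.items() if marker in request]
    return hits[0] if len(hits) == 1 else None


def build_reply(request, profile_name, configured_type=None):
    """Return (reply_attributes, note) for one Access-Request.

    configured_type is the nas.type value from the database, if any. It is
    only compared with what the request shows, never used to pick the VSAs,
    so a wrong nas.type entry produces a note instead of wrong attributes.
    """
    rates = QOS_PROFILES.get(profile_name)
    if rates is None:
        return {}, "unknown QoS profile"
    family = detect_nas_family(request)
    if family is None:
        # No marker, or markers of several vendors: send no QoS VSAs at all.
        return {}, "no single vendor marker in request"
    note = "ok"
    if configured_type not in (None, family):
        note = f"nas.type={configured_type} disagrees with request ({family})"
    builder = NAS_RULES[family][1]
    return builder(profile_name, rates), note


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ({"User-Name": "user", "SN-Service-Type": "1"}, "bronze", None),
        ({"User-Name": "user", "Mikrotik-Host-IP": "10.0.0.7"}, "silver", "cisco"),
        ({"User-Name": "user"}, "bronze", "other"),
    ]
    for req, profile, nas_type in samples:
        print(build_reply(req, profile, nas_type))
```
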
Re: dynamic clients and nas-type
On Wed, Oct 6, 2010 at 6:35 PM, Alan DeKok al...@deployingradius.com wrote:

> Peter Lambrechtsen wrote:
> > I'm trying to setup my dynamic clients and specify a nas-type. In my dynamic-clients I have:
> > ...
> > Then in my sites-enabled/default in the authorize section I have:
>
> A completely independent virtual server. The only way for the two virtual servers to communicate is by having one store attributes in a database, and then the other reads the database.

Ahh ok, thanks for that. I was wondering why I could use the %Client-Shortname, and not the NAS-Type. That explains it. I'll stick with just using Client-Shortname, as that gives me all I need so far.

Cheers again.
Peter
dynamic clients and nas-type
I'm trying to setup my dynamic clients and specify a nas-type. In my dynamic-clients I have:

server dynamic_client_server {
    authorize {
        FreeRADIUS-Client-Shortname = Cisco
        FreeRADIUS-Client-NAS-Type = other
...

Then in my sites-enabled/default in the authorize section I have:

update request {
    # NAS-Vendor is a local custom dict addition
    FreeRADIUS-Client-Shortname := %{Client-Shortname}
    FreeRADIUS-Client-NAS-Type := %{FreeRADIUS-Client-NAS-Type}
}

To see what my Client-Shortname and NasType are set to using unlang. But in the debug output I get:

++[request] returns notfound
expand: %{Client-Shortname} -> Cisco
expand: %{FreeRADIUS-Client-NAS-Type} ->
++[request] returns notfound

What field should I be trying to lookup to find out what value I set my NAS-Type to in Dynamic Clients while in the Authorize section in my default??

And as per the docs: http://wiki.freeradius.org/Clients.conf

Are the list of permitted nastypes valid, or can I use any string and do further checks for it later?
Re: dynamic clients and nas-type
Peter Lambrechtsen wrote:
> I'm trying to setup my dynamic clients and specify a nas-type. In my dynamic-clients I have:
> ...
> Then in my sites-enabled/default in the authorize section I have:

A completely independent virtual server. The only way for the two virtual servers to communicate is by having one store attributes in a database, and then the other reads the database.

> What field should I be trying to lookup to find out what value I set my NAS-Type to in Dynamic Clients while in the Authorize section in my default??

Use a database.

> And as per the docs: http://wiki.freeradius.org/Clients.conf
> Are the list of permitted nastypes valid, or can I use any string and do further checks for it later?

You can use any string. The valid values are there only for the checkrad.pl script.

Alan DeKok.
NAS type with NAS defined in SQL (FR 2.1.6)
I've tried dozens of ways but I can't figure out how to get the NAS type for clients defined in MySQL. The column is populated, the query has the correct fields matching the source code for the module. The module appears to populate the address, shortname, nastype, secret and virtual server. Yet when I expand ${client:nastype} I only get a value for clients defined in the clients file. SQL clients are always blank.

I know I could do a special SQL query on each request, but I shouldn't have to. The data should already be in a variable.

-John
Re: NAS type with NAS defined in SQL (FR 2.1.6)
John Doppke wrote:
> I've tried dozens of ways but I can't figure out how to get the NAS type for clients defined in MySQL. The column is populated, the query has the correct fields matching the source code for the module. The module appears to populate the address, shortname, nastype, secret and virtual server. Yet when I expand ${client:nastype} I only get a value for clients defined in the clients file. SQL clients are always blank.

The client:nastype expansion grabs the nastype field from the *config* files. For SQL... there is no client config file.

> I know I could do a special SQL query on each request, but I shouldn't have to. The data should already be in a variable.

Sure. Send a patch. See src/main/mainconfig.c, function xlat_client().

Alan DeKok.
NAS type when NAS is stored in SQL?
I'm using the nas table in mysql to store my clients. I've found that if I try to test for client:nastype, a value is returned only for entries from clients.conf. Is there a way to get the nas type for clients in SQL?

John Doppke
Re: NAS type when NAS is stored in SQL?
John Doppke wrote:
> I'm using the nas table in mysql to store my clients. I've found that if I try to test for client:nastype, a value is returned only for entries from clients.conf. Is there a way to get the nas type for clients in SQL?

Do an SQL query. %{sql: SELECT ...}

Alan DeKok.
Re: NAS type when NAS is stored in SQL?
On 3/19/2010 at 1:40 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> Do an SQL query. %{sql: SELECT ...}
>
> Alan DeKok.

I was afraid of that. I looked through the code and it appears as if rlm_sql should populate nastype along with shortname, secret, etc. Anyone know why it's not?

-John
Re: NAS type when NAS is stored in SQL?
Hi,

> I was afraid of that. I looked through the code and it appears as if rlm_sql should populate nastype along with shortname, secret, etc. Anyone know why it's not?

it does if the info is there:

SELECT id, nasname, shortname, type, secret FROM ${nas_table}

(in fact, it can also populate the 'server' too - add that as last option in the SELECT - latest version of FreeRADIUS only!)

what does the server say when you start - ie radiusd -X

alan
Re: NAS type when NAS is stored in SQL?
--
-John

On 3/19/2010 at 4:21 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> it does if the info is there:
>
> SELECT id, nasname, shortname, type, secret FROM ${nas_table}
>
> (in fact, it can also populate the 'server' too - add that as last option in the SELECT - latest version of FreeRADIUS only!)
>
> what does the server say when you start - ie radiusd -X
>
> alan

I think this is the relevant part:

radius_db = radius
read_groups = yes
sqltrace = yes
sqltracefile = /var/log/radius/sqltrace.sql
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = %{User-Name}
default_user_profile = sqldefault
nas_query = SELECT id, nasname, shortname, type, secret FROM nas
authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
authorize_group_reply_query = SELECT id, groupname, attribute, value, op

Also:

rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Read entry nasname=192.168.41.233,shortname= LAFAYETTE-IN-WAP10,secret=xxx
rlm_sql (sql): Adding client 192.168.41.233 ( LAFAYETTE-IN-WAP10, server=none) to clients list
rlm_sql (sql): Read entry nasname=140.171.181.215,shortname= WAP16,secret=xxx
rlm_sql (sql): Adding client 192.168.181.215 ( WAP16, server=none) to clients list
...
Re: dynamic check item, based on nas type
On Mon, Feb 15, 2010 at 8:47 AM, YvesDM ydm...@gmail.com wrote:
> Hi,
>
> Situation: All users can login to different nas types.
> Problem: I need a different value for simult.-use check depending on the nas a user logs on to.
>
> Is there a way to do this? (using FR1.1.7 for now)
>
> tnx.
> Yves

Edited title, needed to be check-item instead of reply of course, sorry.
dynamic reply attribute, based on nas type
Hi,

Situation: All users can login to different nas types.
Problem: I need a different value for simult.-use check depending on the nas a user logs on to.

Is there a way to do this? (using FR1.1.7 for now)

tnx.
Yves
Re: Nas Type
Peter Nixon wrote:
> On Fri 27 Jul 2007, Roberto Greiner wrote:
> > Hi,
> >
> > I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.
> >
> > Now, could someone point me to what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:
> >
> > Monowall
> > pfSense
> > (3Com) Total Control
> > PopTop (in Linux)
> >
> > What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.
>
> As you have already found the docs you know the answer. The 3Com is obviously type tc. If it's not on the list it's other. However, if you write a patch to support the devices you mention, we would be happy to include it in FreeRADIUS.
>
> Cheers

I've re-checked the available options, and found that there is one nas type for the Total Control, besides 'tc': usrhiper. But there are a few errors in the documentation speaking about it (http://www.freeradius.org/radiusd/doc/Simultaneous-Use).

The first is the name itself. The page says usrhyper, when the correct is usrhiper, with i instead of y.

The second is that it says that for that option, the naspasswd file is not used, which is partially correct. It can use naspasswd, and in that case the login name declared must be SNMP, or it will fail.

For the other two devices (monowall and poptop), I don't know how to proceed yet, since neither of them returns connected user information through SNMP :-(

Thanks,
Roberto

--
Marcos Roberto Greiner
The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
Murphy
Re: Nas Type
On 7/30/07, Roberto Greiner [EMAIL PROTECTED] wrote:
> YvesDM wrote:
> > Hi Robert,
> >
> > As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.
> >
> > Kind Regards,
> > Yves
>
> Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
>
> Anyway, thank you very much,
> Roberto

Yes indeed, and that way they will never share their credentials again :-)

Anyway if you plan to use simultaneous use on your radius, and have the re-authenticate every minute option in monowall enabled, you will need to allow at least 3 (or 2 don't quite remember) sessions or re-authentication will fail and user gets logged out after 1 minute.

Kind regards,
Yves
Re: Nas Type
YvesDM wrote:
> On 7/30/07, Roberto Greiner [EMAIL PROTECTED] wrote:
> > YvesDM wrote:
> > > Hi Robert,
> > >
> > > As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.
> > >
> > > Kind Regards,
> > > Yves
> >
> > Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.
> >
> > Anyway, thank you very much,
> > Roberto
>
> Yes indeed, and that way they will never share their credentials again :-)
>
> Anyway if you plan to use simultaneous use on your radius, and have the re-authenticate every minute option in monowall enabled, you will need to allow at least 3 (or 2 don't quite remember) sessions or re-authentication will fail and user gets logged out after 1 minute.
>
> Kind regards,
> Yves

Yes, I saw that option, but my monowall server has a peak usage of over 200 simultaneous users. Enabling that would put some strain on freeradius (don't need to say, I know it would take it easily), but mostly on monowall. With 200 users we already had to make some modification to make it stay stable. That strain would probably kill it. :-(

Thanks anyway,
Roberto

--
Marcos Roberto Greiner
The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
Murphy
Re: Nas Type
YvesDM wrote:
> Hi Robert,
>
> As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.
>
> Kind Regards,
> Yves

Yes, I've seen that option, and I actually have it enabled. What I don't like with it is that instead of blocking a user, it accepts the new session and simply disconnects the session that was active.

Anyway, thank you very much,
Roberto

--
Marcos Roberto Greiner
The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
Murphy
Re: Nas Type
On 7/27/07, Roberto Greiner [EMAIL PROTECTED] wrote:
> Hi,
>
> I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.
>
> Now, could someone point me to what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:
>
> Monowall
> pfSense
> (3Com) Total Control
> PopTop (in Linux)
>
> What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.
>
> Thank you very much,
> Roberto Greiner

Hi Robert,

As for m0n0wall (and I guess pfsense too), you can also use the disable concurrent logins option in the CP setup. This way there will never be simultaneous use from the same nas.

Kind Regards,
Yves
Nas Type
Hi,

I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.

Now, could someone point me to what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:

Monowall
pfSense
(3Com) Total Control
PopTop (in Linux)

What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.

Thank you very much,
Roberto Greiner

--
Marcos Roberto Greiner
The optimists believe we are in the best of worlds
The pessimists are afraid that this is true
Murphy
Re: Nas Type
On Fri 27 Jul 2007, Roberto Greiner wrote:
> Hi,
>
> I was starting to look at checkrad, and found (based on http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using other as the NAS-type will actually check only radutmp instead of looking at the actual NAS.
>
> Now, could someone point me to what would be the proper NAS type to use for each of the devices below (or the proper reference document to use)? I'm using the following NASes in my network:
>
> Monowall
> pfSense
> (3Com) Total Control
> PopTop (in Linux)
>
> What I want to do is to use checkrad as one of the steps to make sure that whoever appears as logged is really logged in, because I'm trying to use Simultaneous-use check, and some of the above (notably monowall) doesn't seem to be clearing properly sometimes.

As you have already found the docs you know the answer. The 3Com is obviously type tc. If it's not on the list it's other. However, if you write a patch to support the devices you mention, we would be happy to include it in FreeRADIUS.

Cheers
--
Peter Nixon
http://peternixon.net/
RG: NAS Type specific PEAP problem
Hello,

I've got a problem with one specific NAS Type. I'm using PEAP on Windows XP SP2 without checking certificates and without using Windows login data; the usernames and passwords are stored in a mysql database. It seems that the EAP process is starting but is not properly answered by the client. Could it be a problem with certification? All other tested NAS Types are working fine using the same environment.

Please see the attached log.

Any help would be highly appreciated.

Thank you
Georg Brandt

---
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.120:50004, id=43, length=147
    EAP-Message = 0x0201000a016d7973716c
    Calling-Station-Id = 00-02-72-02-0F-62
    Called-Station-Id = 00-80-37-85-FF-32
    User-Name = mysql
    NAS-IP-Address = 0.0.0.0
    NAS-Port = 33
    NAS-Port-Type = Wireless-802.11
    NAS-Port-Id = wireless
    Framed-MTU = 1300
    Message-Authenticator = 0x797b374be2122f1988c2e145c050b4ac
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = mysql, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 1 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 180
modcall[authorize]: module files returns ok for request 0
radius_xlat: 'mysql'
rlm_sql (sql): sql_set_user escaped user --> 'mysql'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mysql' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mysql' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mysql' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mysql' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mysql' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mysql' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'mysql' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'mysql' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 43 to 192.168.0.120:50004
    Framed-Protocol = PPP
    Service-Type = Framed-User
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x
    State = 0xe4753bdfe99f86ed839df951deeaf8a9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 43 with timestamp 41c2e728
Nothing to do. Sleeping until we see a request.
---

--
Georg Brandt
CTO
InventCon Europe GmbH
Mainzer Landstr. 27-31
60329 Frankfurt am Main
T: +49 (0) 700 INVENTCON
+49 (0) 700 46836826
M: +49 (0)179 6905307
Email: [EMAIL PROTECTED]
Web: www.inventconeurope.de
Re: how to return proper reply attributes per nas type
Kevin Jeoung [EMAIL PROTECTED] wrote:
> I am wondering if there is a way to return proper reply attributes per nas type.

The server doesn't have the concept of NAS type that you can use in the users file.

> In short, I need to return some sort of pre-listed attributes not by users but by nastype.

So key off of the NAS IP address.

Alan DeKok.
how to return proper reply attributes per nas type
Hi,

I am wondering if there is a way to return proper reply attributes per nas type. In short, I need to return some sort of pre-listed attributes not by users but by nastype.

For example, I want to return some USR VSAs for a request from usrhiper type and Ascend VSAs for a request from max40xx type.

Kevin