Freeradius-Users Digest, Vol 30, Issue 105
Maribel Hernandez
mhernandezl at yahoo.com
Tue Oct 30 18:55:35 CET 2007
Hello:
freeradius-users-request at lists.freeradius.org wrote:
Today's Topics:
1. Re: web based admin (Peter Nixon)
2. RE: web based admin (Hawkins, Michael)
3. Class attribute in accounting record. (Mark J Elkins)
4. Re: Class attribute in accounting record.
(Michael da Silva Pereira)
5. Re: Class attribute in accounting record. (tnt at kalik.co.yu)
6. Re: Class attribute in accounting record. (Mark Elkins)
----------------------------------------------------------------------
Message: 1
Date: Mon, 29 Oct 2007 15:58:13 +0200
From: Peter Nixon
Subject: Re: web based admin
To: freeradius-users at lists.freeradius.org
Cc: "Hawkins, Michael"
Message-ID: <200710291558.13895.listuser at peternixon.net>
Content-Type: text/plain; charset="iso-8859-1"
On Mon 29 Oct 2007, Hawkins, Michael wrote:
> Hi all,
>
> I am very familiar with Cisco Secure ACS for AAA of Cisco devices. I am
> considering using FreeRadius at another customer site instead of Cisco
> Secure ACS.
>
> Will I still be able to control command execution (authorization) etc
> via FreeRadius? Or would I be restricted to authentication only?
By using the word "still" it implies that SecureACS can do this also, but as
far as I know, unless something has changed recently, Cisco equipment only
supports this feature with TACACS+ and not RADIUS. Comparing a SecureACS
TACACS+ server with FreeRADIUS is comparing apples and oranges...
FreeRADIUS is generally MUCH more powerful than SecureACS in its RADIUS
functionality. FreeRADIUS does not, however, support TACACS+ at present.
--
Peter Nixon
http://peternixon.net/
------------------------------
Message: 2
Date: Mon, 29 Oct 2007 10:21:32 -0400
From: "Hawkins, Michael"
Subject: RE: web based admin
To:
Message-ID:
<89FC1CD18AC0884B80C7B5E80A10DC0209FCDEB4 at NYEXCHG1.na.ad.tullib.com>
Content-Type: text/plain; charset="us-ascii"
Peter,
Yes, I was comparing TACACS+ to RADIUS - my mistake.
Any recommendations on the most appropriate web front end for FreeRadius
when managing a Cisco network that is pointing at a FreeRadius AAA
server?
Mike Hawkins
Office: 212-208-3888
Mobile: 917-887-3614
------------------------------
Message: 3
Date: Mon, 29 Oct 2007 16:45:14 +0200
From: Mark J Elkins
Subject: Class attribute in accounting record.
To: freeradius-users at lists.freeradius.org
Message-ID: <4725F1FA.6010800 at posix.co.za>
Content-Type: text/plain; charset=ISO-8859-1
My access provider is setting and sending me the "Class" attribute in an
accounting record...
I use MySQL to store such info in... and I'm using freeradius 1.1.6.
In order to capture the value - I modified all accounting "Insert"
statements to.... (as an example)
accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, Class)
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}',
'%{Telkom-Access-Type:-!SAIX} %{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0',
'%{Class}')"
This captures the info fine.... (yes - also changed the MySQL table)
| RadAcctId | AcctSessionId | AcctUniqueId |
UserName | Realm | NASIPAddress |
NASPortId | NASPortType | AcctStartTime | AcctStopTime |
AcctSessionTime | AcctAuthentic | ConnectInfo_start | ConnectInfo_stop |
AcctInputOctets | AcctOutputOctets | CalledStationId | CallingStationId
| AcctTerminateCause | ServiceType | FramedProtocol | FramedIPAddress |
AcctStartDelay | AcctStopDelay | Class |
+-----------+----------------------+------------------+---------------------------------+--------------+--------------+------------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+----------------+-----------------+----------------+---------------+----------+
| 21488415 | 7/0/0/2.157_13B0EB0F | 32161edf2c7a5dec |
xxxxxxxxxxxxxxx at xxxxxxxxxxx | realmname | 1.2.3.4 | 1879179421 |
Virtual | 2007-10-29 16:15:07 | 0000-00-00 00:00:00 |
0 | RADIUS | DSL AutoShapedVC | |
0 | 0 | |
| | Framed-User | PPP | 1.2.4.99
| 0 | 0 | 0x4e5331 |
... However - I get a Hex String ... 0x4e5331 - where I was expecting "NS1"
Reading the RFCs (with FreeRadius documentation) - this should be a
Char Octets kind of field...
Should the access provider send the string in ASCII rather?
Did something in FreeRadius convert the ASCII to Hex?
What can I do to convert this on the fly into ASCII - save a bit of
space in my Database - etc.
Reading the mailing-lists archives - I see that it can contain binary
data - thus the Hex.
Which is "better" - to change the dictionary definition from octet to
string or some sort of mysql function call?
(better ==> less things to remember/patch between updates)
The access provider states that the info provided will always be ascii
(or translate to ascii - if decoded).
--
. . ___. .__ Posix Systems - Sth Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
------------------------------
Message: 4
Date: Mon, 29 Oct 2007 16:52:41 +0200
From: Michael da Silva Pereira
Subject: Re: Class attribute in accounting record.
To: FreeRadius users mailing list
Message-ID: 1ImVyq-00038W-15
Content-Type: text/plain
Hi Mark,
The provider is obviously SAIX (ZA based ISP),
Looks like SAIX are sending it through as ASCII text, on my side?
Tue Sep 18 14:25:53 2007
Acct-Session-Id = "7/0/2/20.557_30429449"
Framed-Protocol = PPP
Framed-IP-Address = 41.242.121.175
User-Name = "XXXXXXX at dsl512.tradepage.co.za"
X-Ascend-Connect-Progress = 60
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Virtual
NAS-Port = 1913913901
NAS-Port-Id = "7/0/2/20.557"
Connect-Info = "AutoShapedVC"
Class = "NS1"
Service-Type = Framed-User
NAS-IP-Address = 196.43.27.23
Check your /share/freeradius/dictionary file and check what you have for
the Class Attribute.
I have the following:
dictionary:ATTRIBUTE Class 25 string
Kind Regards,
Michael da Silva Pereira
Tradepage ;)
------------------------------
Message: 5
Date: Mon, 29 Oct 2007 16:20:15 +0100
From:
Subject: Re: Class attribute in accounting record.
To: "FreeRadius users mailing list"
Message-ID:
Content-Type: text/plain; charset=ISO-8859-2
You can use CHAR() in the sql statement if you are receiving the Class attribute
ASCII encoded.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 6
Date: Mon, 29 Oct 2007 18:22:04 +0200
From: Mark Elkins
Subject: Re: Class attribute in accounting record.
To: FreeRadius users mailing list
Message-ID: <1193674924.11780.8.camel at localhost>
Content-Type: text/plain
On Mon, 2007-10-29 at 16:45 +0200, Mark J Elkins wrote:
> My access provider is setting and sending me the "Class" attribute in an
> accounting record...
>
> I use MySQL to store such info in... and I'm using freeradius 1.1.6
Wisdom prevails.. (touching the dictionaries is probably a bad* thing to do...)
I'm using ...
accounting_stop_query_alt = "INSERT.... , UNHEX(SUBSTR('%{Class}',3)))"
.. which keeps personal changes to one place (sql.conf and files
in /etc/raddb) and saves me from upsetting Alan DeKok's karma* - a bad
thing to do.
--
. . ___. .__ Posix Systems - Sth Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
------------------------------
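A guarded form of the UNHEX(SUBSTR(...)) conversion discussed in this thread, as an added example that is not part of any list member's post: it decodes the value only when it is a 0x string whose bytes are all printable ASCII (0x20 to 0x7e), and otherwise keeps the value exactly as received, so a Class that already arrives as text or that carries binary data is not mangled. The table `class_samples`, its column `raw`, and every sample row other than 0x4e5331 and NS1 are constructed for illustration.

```sql
-- Constructed sample values: the forms in which %{Class} can reach the query.
CREATE TEMPORARY TABLE class_samples (
  raw VARCHAR(64) CHARACTER SET ascii
);

INSERT INTO class_samples (raw) VALUES
  ('0x4e5331'),   -- from the thread: Class typed as octets, rendered as hex
  ('NS1'),        -- from the thread: Class typed as string, already text
  ('0x00ff10'),   -- constructed: binary content, not printable ASCII
  ('0x4e533'),    -- constructed: odd number of hex digits, malformed
  ('');           -- constructed: attribute missing from the packet

-- The pattern accepts only "0x" followed by whole byte pairs in the
-- range 20..7e, so the check runs on the hex text and UNHEX() is never
-- applied to input it cannot decode cleanly.
SELECT
  raw,
  CASE
    WHEN raw REGEXP '^0x([2-6][0-9A-Fa-f]|7[0-9A-Ea-e])+$'
      THEN CONVERT(UNHEX(SUBSTR(raw, 3)) USING ascii)
    ELSE raw
  END AS class_text
FROM class_samples;
```

In sql.conf the same CASE expression would take '%{Class}' in place of `raw`; rows that fall through to the ELSE branch stay in their 0x form and remain recoverable later.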
End of Freeradius-Users Digest, Vol 30, Issue 105
*************************************************
WITH AFFECTION
MARIBEL HERNÁNDEZ LÓPEZ