Freeradius-Users Digest, Vol 49, Issue 117

Marco De Magistris marco.de.magistris at ericsson.com
Tue May 26 18:13:03 CEST 2009


Hi Alan


Thanks for your help.

Marco

-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Tuesday, 26 May 2009 17.58
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 117

Send Freeradius-Users mailing list submissions to
	freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
	freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: Statistic Counter (Alan DeKok)
   2. problem with rlm_counter module when reset option is set to
      never (Ahmed Nifaz Faizabadi)
   3. Re: problem with rlm_counter module when reset option is set
      to never (Ivan Kalik)
   4. Re: problem with rlm_counter module when reset option is set
      to never (Ahmed Nifaz Faizabadi)
   5. Re: problem with rlm_counter module when reset option is set
      to never (Alan DeKok)
   6. Assigning IP address from RADIUS to Cisco PPTP users (up at 3.am)
   7. wired 802.1x for desktops (offtopic) (Mikael Kermorgant)
   8. FW:  freeradius2.1.4--Simultaneous (??)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 May 2009 13:29:51 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Statistic Counter
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A1BD2AF.5050101 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Marco De Magistris wrote:
> Can I enable other counters for  AuthRadiusClientAccessRetransmissions,
> AuthRadiusClientTimeouts, AuthRadiusClientCounterDiscontinuity)?

  The server does not currently track those statistics.

  As always, patches are welcome.

> Or should I use the "counter" module of FreeRadius?

  No.  It won't do what you want.

  Alan DeKok.



------------------------------

Message: 2
Date: Tue, 26 May 2009 18:13:59 +0530
From: Ahmed Nifaz Faizabadi <ahmednifaz at gmail.com>
Subject: problem with rlm_counter module when reset option is set to
	never
To: freeradius-users at lists.freeradius.org
Message-ID:
	<d49df1900905260543k4228999ai4aeb7ff46b595237 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi all,

Here is the issue I am facing with rlm_counter module.
I am using freeradius-server-2.1.4 and configuring Max session time
for each user.

for example:
user1          Max-Session-Time := 1800, Auth-Type := Reject
                Reply-Message = "Your time limit is used"

user2          Max-Session-Time := 3600, Auth-Type := Reject
                Reply-Message = "Your time limit is used"

and rlm_counter options are :

counter daily {
       counter-name = Max-All-Session-Time
       check-name = Max-All-Session
       key = User-Name
       reset = never
   }


I am observing that the user accounting record is not deleted from
rlm_counter module once the user has used his allocated time. For
example when user1 has used 1800 seconds allocated to him then I will
be deleting the user from users config and then add the same user
back. I am getting the "Your time limit is used" message :(.

Does somebody have information about how to delete the records from the
rlm_counter module once they have expired, with the reset option set to
never?

Regards
Ahmed Nifaz


------------------------------

Message: 3
Date: Tue, 26 May 2009 14:15:35 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: problem with rlm_counter module when reset option is set
	to never
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<30874.194.176.105.44.1243343735.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8

> Here is the issue I am facing with rlm_counter module.
> I am using freeradius-server-2.1.4 and configuring Max session time
> for each user.
>
> for example:
> user1          Max-Session-Time := 1800, Auth-Type := Reject
>                 Reply-Message = "Your time limit is used"
>
> user2          Max-Session-Time := 3600, Auth-Type := Reject
>                 Reply-Message = "Your time limit is used"
>
> and rlm_counter options are :
>
> counter daily {
>        counter-name = Max-All-Session-Time
>        check-name = Max-All-Session
>        key = User-Name
>        reset = never
>    }
>
>
> I am observing that the user accounting record is not deleted from
> rlm_counter module once the user has used his allocated time.

And what makes you think it would be.

> For
> example when user1 has used 1800 seconds allocated to him then I will
> be deleting the user from users config and then add the same user
> back. I am getting the "Your time limit is used" message :(.
>
> Does somebody have information about how to delete the records from the
> rlm_counter module once they have expired, with the reset option set to
> never?

Yes. Delete accounting records as well when you delete user details.

Ivan Kalik
Kalik Informatika ISP



------------------------------

Message: 4
Date: Tue, 26 May 2009 19:03:34 +0530
From: Ahmed Nifaz Faizabadi <ahmednifaz at gmail.com>
Subject: Re: problem with rlm_counter module when reset option is set
	to never
To: tnt at kalik.net,	FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID:
	<d49df1900905260633k59bc4b28peeeeb6f6f36d9223 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>> Here is the issue I am facing with rlm_counter module.
>> I am using freeradius-server-2.1.4 and configuring Max session time
>> for each user.
>>
>> for example:
>> user1          Max-Session-Time := 1800, Auth-Type := Reject
>>                 Reply-Message = "Your time limit is used"
>>
>> user2          Max-Session-Time := 3600, Auth-Type := Reject
>>                 Reply-Message = "Your time limit is used"
>>
>> and rlm_counter options are :
>>
>> counter daily {
>>        counter-name = Max-All-Session-Time
>>        check-name = Max-All-Session
>>        key = User-Name
>>        reset = never
>>    }
>>
>>
>> I am observing that the user accounting record is not deleted from
>> rlm_counter module once the user has used his allocated time.
>
> And what makes you think it would be.
>

   This would increase the accounting file size indefinitely and cause
some other problems as the user records are not at all being deleted.

>> For
>> example when user1 has used 1800 seconds allocated to him then I will
>> be deleting the user from users config and then add the same user
>> back. I am getting the "Your time limit is used" message :(.
>>
>> Does somebody have information about how to delete the records from the
>> rlm_counter module once they have expired, with the reset option set to
>> never?
>
> Yes. Delete accounting records as well when you delete user details.
>
  I tried that, but the accounting file is in binary or some other
encrypted format. Will you please let me know how to delete that
accounting record, or how to convert the file to a simple text file (which
would make deleting expired records easy).

Ahmed Nifaz



------------------------------

Message: 5
Date: Tue, 26 May 2009 15:49:26 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: problem with rlm_counter module when reset option is set
	to never
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A1BF366.5020409 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Ahmed Nifaz Faizabadi wrote:
....
>>> counter daily {
>>>        counter-name = Max-All-Session-Time
>>>        check-name = Max-All-Session
>>>        key = User-Name
>>>        reset = never
...
>>> I am observing that the user accounting record is not deleted from
>>> rlm_counter module once the user has used his allocated time.
...
>    This would increase the accounting file size indefinitely and cause
> some other problems as the user records are not at all being deleted.

  See the configuration: "reset = never" means "never reset".  Which
means "don't reset".

>   I tried that, but the accounting file is in binary or some other
> encrypted format. Will you please let me know how to delete that
> accounting record, or how to convert the file to a simple text file (which
> would make deleting expired records easy).

  It's just a DBM file.  See the "rad_counter.pl" file in the source
tree.  It shows how to edit the file.

  Alan DeKok.
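An added example (not rad_counter.pl or any other FreeRADIUS code) that does from Python what Alan points at: open the counter's DBM file, compare each user's used seconds with their Max-Session-Time, and delete the records of users who have reached it so that the "reset = never" counter starts again for them. It assumes the record value is rlm_counter's rad_counter struct as one native unsigned int and that DEFAULT1/DEFAULT2 are the module's own bookkeeping keys; reading a file written by the server needs a Python with dbm.gnu support, while the constructed sample file below works with whichever dbm backend is present.

```python
import dbm
import os
import struct
import tempfile

# rlm_counter keeps one GDBM record per key (the User-Name here). The value is the
# module's C struct rad_counter, assumed here to be a single native unsigned int of
# used seconds ("I").
COUNTER_FMT = "I"
# Keys rlm_counter uses for its own reset-time bookkeeping (assumed names); never users.
RESERVED_KEYS = {b"DEFAULT1", b"DEFAULT2"}


def read_counters(path):
    """Return {user: seconds_used} for every user record in the counter file."""
    used = {}
    size = struct.calcsize(COUNTER_FMT)
    with dbm.open(path, "r") as db:
        for key in db.keys():
            value = db[key]
            if key in RESERVED_KEYS or len(value) < size:
                continue
            (seconds,) = struct.unpack(COUNTER_FMT, value[:size])
            used[key.decode()] = seconds
    return used


def expired_users(path, limits):
    """Users whose counter has reached their Max-Session-Time (limits: {user: seconds})."""
    used = read_counters(path)
    return sorted(u for u, secs in used.items() if u in limits and secs >= limits[u])


def reset_users(path, users):
    """Delete the named records so those users start from zero again; returns who was removed."""
    removed = []
    with dbm.open(path, "w") as db:
        for user in users:
            key = user.encode()
            if key in db:
                del db[key]
                removed.append(user)
    return removed


def build_sample_file(path, counters):
    """Constructed counter file for the demonstration, not one written by FreeRADIUS."""
    with dbm.open(path, "c") as db:
        for user, secs in counters.items():
            db[user.encode()] = struct.pack(COUNTER_FMT, secs)
        db[b"DEFAULT1"] = struct.pack("q", 0)  # reset-time placeholder, skipped by read_counters


def demo():
    """The thread's case: user1 has used its 1800 s, user2 (limit 3600 s) has not."""
    path = os.path.join(tempfile.mkdtemp(), "db.counter")
    build_sample_file(path, {"user1": 1800, "user2": 120})
    limits = {"user1": 1800, "user2": 3600}  # Max-Session-Time values from the users file
    expired = expired_users(path, limits)
    removed = reset_users(path, expired)
    return expired, removed, read_counters(path)
```

Stop radiusd before editing its counter file, or the module's in-memory handle may overwrite the change.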


------------------------------

Message: 6
Date: Tue, 26 May 2009 11:34:41 -0400 (EDT)
From: up at 3.am
Subject: Assigning IP address from RADIUS to Cisco PPTP users
To: freeradius-users at lists.freeradius.org
Message-ID: <Pine.BSF.4.64.0905261122570.14312 at richard2.pil.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


Hi:

I've used Livingston and Cistron radiusd's in the past with dialup ppp 
users and Cisco/Lucent NASes and have been able to do this with no 
problems.

Users are currently authenticating fine and getting assigned IPs from the 
IP pool as defined in the Cisco NAS.  However, I'd like to have a few, 
select users assigned static IPs from outside that pool, but the Cisco 
(2811) is simply ignoring the raddb/users file entry for that user and 
assigning an IP from the pool on the NAS.

Here is my Cisco config:
--------------------
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common

vpdn-group 1
  accept-dialin
   protocol pptp
   virtual-template 1

interface Loopback0
  ip address 99.99.99.99 255.255.255.255
  ip nat inside
  ip virtual-reassembly

interface Virtual-Template1
  ip unnumbered FastEthernet0/0
  ip policy route-map VPN-Client
  peer match aaa-pools
  peer default ip address pool vpnpool
  no keepalive
  ppp encrypt mppe auto
  ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
---------
Here is the raddb/users file entry:
---------
testuser        Service-Type == Framed-User
                 Framed-Protocol == PPP,
                 Framed-IP-Address = 172.16.1.2,
                 Framed-IP-Netmask = 255.255.255.255,
                 Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP
--------------
The DEFAULT entry allows users in /etc/passwd to authenticate fine, but 
"testuser" still gets an IP from the NAS pool instead of the one above.. 
Any pointers appreciated!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am

=========================================================================


------------------------------

Message: 7
Date: Tue, 26 May 2009 17:49:03 +0200
From: Mikael Kermorgant <mikael.kermorgant at gmail.com>
Subject: wired 802.1x for desktops (offtopic)
To: freeradius-users at lists.freeradius.org
Message-ID:
	<9711147e0905260849o189c2601w5c1e378769668760 at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello,

Sorry for this off-topic message, I have a question about 802.1x deployment
and don't know where to ask. As freeradius is one of the elements I am thinking
of, maybe someone here can help me find the solution?

My Goals :
1) authenticate access to the network from Open Public Access Catalog (OPAC)
desktop machines available to every user of a library.
2) have a guest account with limited LAN access (no access to the internet, or
just a very short whitelist)
3) keep the machines reachable from some servers (ghost server, monitoring,
etc.). (This criterion eliminates the solution of a captive portal.)

I thought 802.1x with dynamic VLANs would be a nice solution, as it should
make it possible to put the guest account in a specific VLAN.

But how would it be possible to reach the machine from the management
servers before someone authenticates? Is it possible to have a default VLAN
activated on startup of the machine?
Or do you know where I should ask this question?

Regards,

-- 
Mikael Kermorgant

------------------------------

Message: 8
Date: Tue, 26 May 2009 23:57:27 +0800
From: ?? <jiangshu at seec.com.cn>
Subject: FW:  freeradius2.1.4--Simultaneous
To: <freeradius-users at lists.freeradius.org>
Message-ID: <FED9EB928DE94C60A0BED02F2524259E at IT0508023>
Content-Type: text/plain; charset="gb2312"

 

 

HI:

I use freebsd7.0+mysql+freeradius2.1.4

Can use the radius database to be hit by a consumer at the same time,
by verifying with a consumer. But, I am put into use coming to control a
consumer "Simultaneous" in radius. When condition now is that second
consumers log on, before acctstoptime in billing form renew with classics.
But, nas does not initiate consumer time line information kit. (The consumer
continues using a network). Feel that the radius does not send out
acc-reject or acc-stop Bao Lai stops using a family.

 

Thank you!

System

localhost# whereis perl
perl: /usr/bin/perl /usr/local/man/man1/perl.1
localhost# whereis snmpget
snmpget: /usr/local/bin/snmpget /usr/local/man/man1/snmpget.1

Cisco config

aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 2
 dot1x guest-vlan 3
 dot1x auth-fail vlan 4
 dot1x auth-fail max-attempts 2
 spanning-tree portfast

radius.conf

# Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) \
                             FROM ${acct_table1} \
                             WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL"

INSERT INTO `radius`.`radgroupcheck` (`groupname` ,`attribute` ,`op` ,`value` )
VALUES ( 'user', 'Simultaneous-Use', ':=', '1');

mysql> select username,acctstarttime,acctstoptime from radacct where
username="jsh";
+----------+---------------------+---------------------+
| username | acctstarttime       | acctstoptime        |
+----------+---------------------+---------------------+
| jsh      | 2009-05-19 07:34:57 | 2009-05-19 07:35:49 |
| jsh      | 2009-05-19 07:35:49 | NULL                |
+----------+---------------------+---------------------+
2 rows in set (0.00 sec)

mysql>

sites-available/default

accounting {
        radutmp
        ...
        sql
        ....
}

session {
        #radutmp
        sql
}

Mysql query is radacct,radpostauth

radacct

+----------+---------------------+--------------+----------+
| username | acctstarttime       | acctstoptime | count(*) |
+----------+---------------------+--------------+----------+
| jsh      | 2009-05-26 07:45:09 | NULL         |        1 |
+----------+---------------------+--------------+----------+

radpostauth

+----+----------+------+---------------+---------------------+
| id | username | pass | reply         | authdate            |
+----+----------+------+---------------+---------------------+
| 14 | jsh      |      | Access-Accept | 2009-05-26 07:30:04 |
| 15 | jsh      |      | Access-Accept | 2009-05-26 07:45:08 |
| 16 | jsh      |      | Access-Accept | 2009-05-26 07:45:08 |
+----+----------+------+---------------+---------------------+

radgroupcheck

+----+-----------+------------------+----+-------+
| id | groupname | attribute        | op | value |
+----+-----------+------------------+----+-------+
|  1 | user      | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

nas

+---------------+-----------+-------+-------+--------+-----------+---------------+
| nasname       | shortname | type  | ports | secret | community | description   |
+---------------+-----------+-------+-------+--------+-----------+---------------+
| 192.168.0.100 | cisco3560 | cisco | 1812  | cisco  | cisco3560 | RADIUS Client |
+---------------+-----------+-------+-------+--------+-----------+---------------+

Tel: 010-85650282   Mobi: 13810174932
Fax: 010-65880126
MSN: mousejsh at hotmail.com
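As an added example, not from the poster or from FreeRADIUS: the simul_count_query above run against the poster's radacct rows in an in-memory sqlite table (assumed to model just the three columns the poster selects), together with the two checks a practitioner would make around it: which open rows are old enough to be lost sessions that keep blocking the user, and what the count returns when a second Access-Request is evaluated before the first session's Accounting-Start row has been written, which is the ordering the poster's radpostauth rows (two Access-Accepts at 07:45:08, radacct start at 07:45:09) show.

```python
import sqlite3

# Constructed rows, copied from the poster's
# "select username,acctstarttime,acctstoptime from radacct" output.
SAMPLE_RADACCT = [
    ("jsh", "2009-05-19 07:34:57", "2009-05-19 07:35:49"),
    ("jsh", "2009-05-19 07:35:49", None),  # open session: no Accounting-Stop stored
]

# The poster's simul_count_query, with sqlite placeholders standing in for
# ${acct_table1} and %{SQL-User-Name}.
SIMUL_COUNT_QUERY = """
    SELECT COUNT(*) FROM radacct
     WHERE username = ? AND acctstoptime IS NULL
"""


def new_db(rows=SAMPLE_RADACCT):
    """In-memory stand-in for the radacct table (only the columns the poster shows)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE radacct (
        radacctid INTEGER PRIMARY KEY,
        username TEXT NOT NULL,
        acctstarttime TEXT,
        acctstoptime TEXT)""")
    con.executemany(
        "INSERT INTO radacct(username, acctstarttime, acctstoptime) VALUES (?, ?, ?)", rows)
    return con


def open_sessions(con, user):
    return con.execute(SIMUL_COUNT_QUERY, (user,)).fetchone()[0]


def simultaneous_use_check(con, user, limit):
    """Decision the session check derives from the count: already at the limit -> reject."""
    return "Access-Reject" if open_sessions(con, user) >= limit else "Access-Accept"


def accounting_start(con, user, when):
    con.execute("INSERT INTO radacct(username, acctstarttime) VALUES (?, ?)", (user, when))


def accounting_stop(con, user, when):
    con.execute("UPDATE radacct SET acctstoptime = ? WHERE username = ? AND acctstoptime IS NULL",
                (when, user))


def stale_open_sessions(con, now, max_age_seconds):
    """Open rows older than max_age_seconds. With interim updates every 5 minutes
    ('aaa accounting update newinfo periodic 5'), a row open for hours with no stop is a
    lost session that the count above will keep charging against the user."""
    return con.execute("""
        SELECT username, acctstarttime FROM radacct
         WHERE acctstoptime IS NULL
           AND strftime('%s', ?) - strftime('%s', acctstarttime) > ?""",
        (now, max_age_seconds)).fetchall()


def race_scenario():
    """Two Access-Requests for jsh evaluated before the first session's Accounting-Start
    row exists: the count is 0 for both, so both are accepted; only the third is rejected."""
    con = new_db(rows=[])
    first = simultaneous_use_check(con, "jsh", 1)
    second = simultaneous_use_check(con, "jsh", 1)
    accounting_start(con, "jsh", "2009-05-26 07:45:09")
    third = simultaneous_use_check(con, "jsh", 1)
    return first, second, third
```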

 


------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 49, Issue 117
*************************************************



