FreeRADIUS time based authentication with MySQL
Hello ! Maybe somebody knows, how to configure FreeRADIUS server with my SQL for authentication at the specific time? For example: There is a reservation page. Users can reserve specific time slot, for 1-3hours. Random username and password would be generated for that user to log in at that time. How to configure freeradius server for this type of authentication? That user can log in just at that specific time? Thank you very much for your time and answers! -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
You should use the Login-Time attribute. look here to see how its used -> http://wiki.freeradius.org/Rlm_logintime Ideally, you would add a row for each user (not optimal) with Login-Time attribute with value like 'Al1600-1700' which means they will be able to login only between 1600 and 1700 on all days. We use it in the radgroupcheck table for groups of users and in unlang for groups of NAS's. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 2012-04-13 06:27 PM, shiv wrote:
You should use the Login-Time attribute. look here to see how its used -> http://wiki.freeradius.org/Rlm_logintime Ideally, you would add a row for each user (not optimal) with Login-Time attribute with value like 'Al1600-1700' which means they will be able to login only between 1600 and 1700 on all days. We use it in the radgroupcheck table for groups of users and in unlang for groups of NAS's.
Use the freeradius-dialupadmin package. There is some similar function, but I haven't tried it.
Hello guys. Thank you for your answers. I just installed dialup admin. There is no functions to manage at what time users can connect and at what time they can not. :( I'm looking for solution like Jeremy Stretch already has on his lab : http://packetlife.net/wiki/how-community-lab-works/ -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 2012-04-13 09:49 PM, jomajo wrote:
Hello guys.
Thank you for your answers. I just installed dialup admin. There is no functions to manage at what time users can connect and at what time they can not. :(
I'm looking for solution like Jeremy Stretch already has on his lab : http://packetlife.net/wiki/how-community-lab-works/
Dialup admin can manage so many attributes. Read through the package's readme, faq, howto etc... The features are hidden. Freeradius 2.1 is so feature rich. One cannot learn it enough in a few months. ;)
jomajo wrote:
Thank you for your answers. I just installed dialup admin. There is no functions to manage at what time users can connect and at what time they can not. :(
What you are trying to do is relatively unusual. There is no pre-existing solution for you. You will need to create it yourself. Alan DeKok.
Hi! I am talking just about time-based authentication, at the specific time. But now there is a problem with MD5 encryption. Take a look please: <...> ++[sql] returns ok rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair ++[daily] returns noop rlm_checkval: Item Name: Calling-Station-Id, Value: 10.0.0.254 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs ++[checkval] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "test" [pap] Using MD5 encryption. [pap] Configured MD5 password has incorrect length [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 43 to 10.0.0.1 port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 43 with timestamp +11 Ready to process requests. <...> -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
With ClearText Password this is working! -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Yes, the problem is clear: [pap] Configured MD5 password has incorrect length [pap] Passwords don't match But I'm looking how to solve this problem. Password is correct. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
jomajo wrote:
Yes, the problem is clear:
[pap] Configured MD5 password has incorrect length [pap] Passwords don't match
But I'm looking how to solve this problem.
Password is correct.
Really? The debug message says otherwise. I guess it's impossible to solve. The passwords are clearly *so* secret that you can't post them. It's not like the configuration file for the "pap" module contains a URL that tells you how to create a *correct* MD5 password. That information is super-secret, too. Alan DeKok.
Dear Alan, I can post everything to you. I installed and configured "Dialup Administration". I am able to create groups and users. As I'm not so famillar with freeradius, I'm trying to do the basics. Create user: http://freeradius.1045715.n5.nabble.com/file/n5638927/user.png There is a table in database: http://freeradius.1045715.n5.nabble.com/file/n5638927/database.png And there is a full "freeradius -X " command output: http://www.text-upload.com/read.php?id=341355&c=6535796 Thank you for your time Alan! -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
And there is a full "freeradius -X " command output:
yep : [pap] Configured MD5 password has incorrect length did you read the txt that Alan already mentioned? I'd personally choose cleartext-password with {md5} at the beginning of the value with auto_header = yes in pap module.. alan
Thanks guys, but I got the same error with these in the pap module configuration. : pap { auto_header = yes } -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Need I change something / somewhere once more? -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Sun, Apr 15, 2012 at 4:58 PM, jomajo <ster.efx@gmail.com> wrote:
Need I change something / somewhere once more?
To repeating what was already written: " [pap] Configured MD5 password has incorrect length did you read the txt that Alan already mentioned? " Did you read that? What have you done to correct that? How did you create the MD5-password? Is it a copy-paste error? An example of correct MD5-password and how to create them: $ echo -n password | md5sum 5f4dcc3b5aa765d61d8327deb882cf99 - you can then put "5f4dcc3b5aa765d61d8327deb882cf99" in MD5-Password. -- Fajar
Yes... I was looking in wrong location. You are correct. My md5 algorith in dialup-administrator for password creation was "crypt" not "md5" :) Now this is working! Thank you very much guys! -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hello Everybody: I just set a FreeRadius server for a few days,it works fine, but i still have a lot of confusions about to understand this server. The first one, Athoriztion! FreeRadius is AAA server, I know what the Authentication does,I know what the Accounting does, but I dont know what the Athorization does. I read some document, i know the Athorization working with the concept of "Attribute",and today, i read some source code of a Radius Client(ChilliSpot),right now my understanding of Athorization and Attributes is: The radius client defines some Attributes, when a user try to connect to the NAS who is running the client, the Radius Server will tell the NAS what these Attribute values of this user should be by using radreply or groupreply. Depends on different Attributes value, The NAS will know what a user could do and what he could not do,and this will defined in some other program running in NAS. That is what we call Authorization. Does my understanding correct or not? Second question, the Attribute belong to a NAS or Belong to a user or some is NAS's attribute ,some is user;s attribute? Right now,i have a project which require different user will get different bandwidth when sharing a NAS, i read the Radius Client program (chillispot),it has a Attribute "Radius_BANDWIDTH_DOWN_MAX",after trace this attribute in the source code of the client program, i find that , finally,it set a enviroment variable named "WISPR_BANDWIDTH_DOWN_MAX"of the NAS OS,does any one knows,how the NAS control the bandwidth after set this enviroment varibale??? and one more question,does anyone have experience of set the Attribute "BANDWIDTH_DOWN_MAX"(of course different name in different NAS) for radreply?, the MAX BANDWIDTH means the NAS have this MAX bandwidth, all user will share these bandwidth? or the specific user whose reply from Radius Server contain this attribute has this limit, there is no affect on other users who do not have this attribute? sorry for so many questions, any hint will be really appreciate. Thank you in advanced. Joey
Hi Joey, On Sat, Apr 14, 2012 at 12:06:06AM +0800, ZhenJoey wrote:
The first one, Athoriztion! FreeRadius is AAA server, I know what the Authentication does,I know what the Accounting does, but I dont know what the Athorization does.
Try reading doc/aaa.rst in the source, which gives a good overview. Also, the PDFs on http://aureliengeron.free.fr/livrewifi/ are good - see http://aureliengeron.free.fr/livrewifi/freeradius-en-part3.pdf for example - all of it is good, but p23 onwards might help you the most. It shows how packets make their way through the server.
Second question, the Attribute belong to a NAS or Belong to a user or some is NAS's attribute ,some is user;s attribute?
Attributes/values are passed between the NAS (which is the RADIUS 'client') and the RADIUS server. They have nothing (directly) to do with the end user. Of course, user login information is placed into the attributes by the NAS.
a enviroment variable named "WISPR_BANDWIDTH_DOWN_MAX"of the NAS OS,does any one knows,how the NAS control the bandwidth after set this enviroment varibale???
I suggest you read the documentation on your NAS. The RADIUS server just sends attributes back, and it's up to the NAS to implement what it's told.
and one more question,does anyone have experience of set the Attribute "BANDWIDTH_DOWN_MAX"(of course different name in different NAS) for radreply?, the MAX BANDWIDTH means the NAS have this MAX bandwidth, all user will share these bandwidth? or the specific user whose reply from Radius Server contain this attribute has this limit, there is no affect on other users who do not have this attribute?
It's up to the NAS - read the documentation for that. In terms of coovachilli, setting DEFAULT WISPr-Bandwidth-Max-Up = 1000000, WISPr-Bandwidth-Max-Down = 2000000 in your users file (there are plenty of other ways to do this - unlang, sql, etc) will mean that all users get 1Mbit up and 2Mbit down. You can send these with different values per user if you want. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Dear Snan. I appreciate your question, but I think you need to create another thread for it. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-time-based-authentication... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (8)
-
Alan Buxey -
Alan DeKok -
Fajar A. Nugraha -
jomajo -
Matthew Newton -
shiv -
Timmy -
ZhenJoey