Hi, I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql For example, I have inserted such data in the database: radcheck: +------+----------+------------------+----+-------+ | id | UserName | Attribute | op | Value | +------+----------+------------------+----+-------+ | 5272 | test | User-Password | := | test | | 5262 | test | Simultaneous-Use | := | 5 | +------+----------+------------------+----+-------+ radreply: +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 42 | test | Reply-Message | := | Wellcome | +----+----------+---------------+----+----------+ usergroup: +----------+-----------+----------+ | UserName | GroupName | priority | +----------+-----------+----------+ | test | group2 | 2 | | test | group1 | 1 | +----------+-----------+----------+ radgroupcheck: +----+-----------+----------------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+----------------+----+-------+ | 42 | group1 | NAS-Identifier | != | 123 | | 52 | group2 | NAS-Identifier | == | 123 | +----+-----------+----------------+----+-------+ radgroupreply: +----+-----------+---------------+----+--------+ | id | GroupName | Attribute | op | Value | +----+-----------+---------------+----+--------+ | 52 | group1 | Reply-Message | += | group1 | | 62 | group2 | Reply-Message | += | group2 | +----+-----------+---------------+----+--------+ When I try to login with username 'test' and password 'test' I get debug messages like these: Sending Access-Accept of id 30 to 192.168.252.47 port 2053 Reply-Message := "Wellcome" Reply-Message += "group1" Reply-Message += "group2" It seems to me that this is not according to the behavior described in the documentation above. Am I right or I am missing something? Regards, Dashamir
Hi, Actually, what I am trying to do is this: I have several access points that have hotspot and use radius for AAA. I would like to register users in radius so that they are able to login using some of the access points, and not able to login using the others. The way that I was trying to do it is like this: Suppose that there are the access points A1, A2, A3 and the user 'test' should be able to access the internet only from A1 and A3. The data in radius that would make this scenario work, could be like this: radcheck: +------+----------+------------------+----+-------+ | id | UserName | Attribute | op | Value | +------+----------+------------------+----+-------+ | 5272 | test | User-Password | := | test | | 5262 | test | Simultaneous-Use | := | 5 | +------+----------+------------------+----+-------+ radreply: +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 42 | test | Auth-Type | := | Reject | | 43 | test | Fall-Through | := | Yes | +----+----------+---------------+----+----------+ usergroup: +----------+-----------+----------+ | UserName | GroupName | priority | +----------+-----------+----------+ | test | A1 | 1 | | test | A2 | 1 | | test | A3 | 1 | +----------+-----------+----------+ radgroupcheck: +----+-----------+----------------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+----------------+----+-------+ | 42 | A1 | NAS-Identifier | == | ID-A1 | | 43 | A2 | NAS-Identifier | == | ID-A2 | | 44 | A2 | NAS-Identifier | == | ID-A3 | +----+-----------+----------------+----+-------+ radgroupreply: +----+-----------+---------------+----+--------+ | id | GroupName | Attribute | op | Value | +----+-----------+---------------+----+--------+ | 52 | A1 | Auth-Type | := | Accept | | 53 | A1 | Fall-Through | := | No | | 54 | A2 | Auth-Type | := | Reject | | 55 | A2 | Fall-Through | := | Yes | | 56 | A3 | Auth-Type | := | Accept | | 57 | A3 | Fall-Through | := | No | +----+-----------+---------------+----+--------+ However, if the radius does not follow the algorithm described in http://wiki.freeradius.org/Rlm_sql, then this setup should not work. Do you have any suggestion or idea on how to make the scenario above work? Regards, Dashamir Dashamir Hoxha wrote:
I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql
pershendetje/Hi dashamir. sorry for my english , not my mother language. i use the same scenario at our isp but we check the MAC address of the NAS where the client comes from. In mysql we have: +----+----------+--------------------+----+--------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+--------------+ | 1 | orion | Calling-Station-Id | == | 001bd136e285 | | 2 | orioni | Cleartext-Password | := | test | | 3 | orioni | Simultaneous-Use | := | 2 | +----+----------+--------------------+----+--------------+ shnet e pare / bye. On 17/01/2008, Dashamir Hoxha <dhoxha@albaniaonline.net> wrote:
Hi,
Actually, what I am trying to do is this: I have several access points that have hotspot and use radius for AAA. I would like to register users in radius so that they are able to login using some of the access points, and not able to login using the others.
The way that I was trying to do it is like this: Suppose that there are the access points A1, A2, A3 and the user 'test' should be able to access the internet only from A1 and A3. The data in radius that would make this scenario work, could be like this:
radcheck: +------+----------+------------------+----+-------+ | id | UserName | Attribute | op | Value | +------+----------+------------------+----+-------+ | 5272 | test | User-Password | := | test | | 5262 | test | Simultaneous-Use | := | 5 | +------+----------+------------------+----+-------+
radreply: +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 42 | test | Auth-Type | := | Reject | | 43 | test | Fall-Through | := | Yes | +----+----------+---------------+----+----------+
usergroup: +----------+-----------+----------+ | UserName | GroupName | priority | +----------+-----------+----------+ | test | A1 | 1 | | test | A2 | 1 | | test | A3 | 1 | +----------+-----------+----------+
radgroupcheck: +----+-----------+----------------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+----------------+----+-------+ | 42 | A1 | NAS-Identifier | == | ID-A1 | | 43 | A2 | NAS-Identifier | == | ID-A2 | | 44 | A2 | NAS-Identifier | == | ID-A3 | +----+-----------+----------------+----+-------+
radgroupreply: +----+-----------+---------------+----+--------+ | id | GroupName | Attribute | op | Value | +----+-----------+---------------+----+--------+ | 52 | A1 | Auth-Type | := | Accept | | 53 | A1 | Fall-Through | := | No | | 54 | A2 | Auth-Type | := | Reject | | 55 | A2 | Fall-Through | := | Yes | | 56 | A3 | Auth-Type | := | Accept | | 57 | A3 | Fall-Through | := | No | +----+-----------+---------------+----+--------+
However, if the radius does not follow the algorithm described in http://wiki.freeradius.org/Rlm_sql, then this setup should not work.
Do you have any suggestion or idea on how to make the scenario above work?
Regards, Dashamir
Dashamir Hoxha wrote:
I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sorry for mistakes at first example of mysql table. ( missed a 'i' and 'calling' istead of 'called' ) the correct one is this : -------+----+--------------++----+----------+------------- | id | username | attribute | op | value | +----+----------+--------------------+----+--------------+ | 1 | orioni | Called-Station-Id | == | 001bd136e285 | | 2 | orioni | Cleartext-Password | := | test | | 3 | orioni | Simultaneous-Use | := | 2 | +----+----------+--------------------+----+--------------+ . you can put to record for 'Called-Station-Id' with the mac addresses of the Access Points from wich the client is allowed to login.
Orion wrote:
-------+----+--------------++----+----------+------------- | id | username | attribute | op | value | +----+----------+--------------------+----+--------------+ | 1 | orioni | Called-Station-Id | == | 001bd136e285 | | 2 | orioni | Cleartext-Password | := | test | | 3 | orioni | Simultaneous-Use | := | 2 | +----+----------+--------------------+----+--------------+
.
you can put to record for 'Called-Station-Id' with the mac addresses of the Access Points from wich the client is allowed to login. Thank you, Orion. Your suggestion is useful, it works. I had made up my mind that the best way is to do it with groups and I was not looking at the simple solutions.
However, the solution that you suggest has a restriction. It can be used for only 1 NAS (a user can authenticate himself at only one access point). However I would like the user to be able to access the internet through several access points. This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this: (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87) This is a regular expression that will match the attribute if its value is one of them that are listed. This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MAC-s listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2. Regards, Dashamir
Hi,
This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this: (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87) This is a regular expression that will match the attribute if its value is one of them that are listed.
This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MAC-s listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2.
in this case, use huntgroups - assign each station or NAS to the huntgroup and then use a huntgroup check for the user alan
A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
This can be done if we use the attribute Called-Station-Id (or NAS-Identifier) with the operator '=~' and a value like this: (00-1b-d1-36-e2-85|11-1b-d1-36-e2-86|22-1b-d1-36-e2-87) This is a regular expression that will match the attribute if its value is one of them that are listed.
This solution still has a restriction. Since the value of an attribute is varchar(253), it cannot contain more than 14 MAC-s listed. So, a user cannot use more than 14 access points for connecting to the internet. For the time being this is acceptable for me, however I am still looking for other solutions. I am also planning to try freeradius 2.
in this case, use huntgroups - assign each station or NAS to the huntgroup and then use a huntgroup check for the user
Thanks for the suggestion, Alan. But does it mean that I should modify the file 'raddb/huntgroups'? If so, than it is not so suitable, because I would like to maintain the data from an external application (which may or may not be located in the same server as radius). But anyway, the database tables radgroupcheck and radgroupreply would be the equivalent of the configuration file 'huntgroups'. Is it true that they don't work as described/expected, or it is just a bug, or maybe I have missed something? Do you think it is better to try radius 2? Thanks, Dashamir
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
As I can see Mikrotik wants mac address in next format XX:XX:XX:XX:XX:XX (all letters must be in uppercase) On Jan 17, 2008 7:53 PM, orion <meshkruaj@gmail.com> wrote:
pershendetje/Hi dashamir.
sorry for my english , not my mother language.
i use the same scenario at our isp but we check the MAC address of the NAS where the client comes from.
In mysql we have:
+----+----------+--------------------+----+--------------+ | id | username | attribute | op | value | +----+----------+--------------------+----+--------------+ | 1 | orion | Calling-Station-Id | == | 001bd136e285 | | 2 | orioni | Cleartext-Password | := | test | | 3 | orioni | Simultaneous-Use | := | 2 | +----+----------+--------------------+----+--------------+
s
Hi, I have installed and tested freeradius-2 for a short while. I tested the behavior of the groups in the sql module, because this is what I am interested for right now. In general it works as described in the docs. However I still find some things that do not work as expected (or at least as I expect them to work). In case that somebody is interested in bug reports, this is what I have found out: * Setting the attribute User-Profile in the table radcheck or radreply doesn't work as described in the docs: 7. Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of. * Setting the attribute Auth-Type:=Accept or Auth-Type:=Reject in the table radgroupreply doesn't work. Maybe it is not supposed to work, but why not? * Trying to set the password with Cleartext-Password:=xyz in radgroupcheck or radgroupreply doesn't work. Maybe it is not supposed to work, but why not? Regards, Dashamir Dashamir Hoxha wrote:
Hi,
Actually, what I am trying to do is this: I have several access points that have hotspot and use radius for AAA. I would like to register users in radius so that they are able to login using some of the access points, and not able to login using the others.
The way that I was trying to do it is like this: Suppose that there are the access points A1, A2, A3 and the user 'test' should be able to access the internet only from A1 and A3. The data in radius that would make this scenario work, could be like this:
radcheck: +------+----------+------------------+----+-------+ | id | UserName | Attribute | op | Value | +------+----------+------------------+----+-------+ | 5272 | test | User-Password | := | test | | 5262 | test | Simultaneous-Use | := | 5 | +------+----------+------------------+----+-------+
radreply: +----+----------+---------------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+----------+ | 42 | test | Auth-Type | := | Reject | | 43 | test | Fall-Through | := | Yes | +----+----------+---------------+----+----------+
usergroup: +----------+-----------+----------+ | UserName | GroupName | priority | +----------+-----------+----------+ | test | A1 | 1 | | test | A2 | 1 | | test | A3 | 1 | +----------+-----------+----------+
radgroupcheck: +----+-----------+----------------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+----------------+----+-------+ | 42 | A1 | NAS-Identifier | == | ID-A1 | | 43 | A2 | NAS-Identifier | == | ID-A2 | | 44 | A2 | NAS-Identifier | == | ID-A3 | +----+-----------+----------------+----+-------+
radgroupreply: +----+-----------+---------------+----+--------+ | id | GroupName | Attribute | op | Value | +----+-----------+---------------+----+--------+ | 52 | A1 | Auth-Type | := | Accept | | 53 | A1 | Fall-Through | := | No | | 54 | A2 | Auth-Type | := | Reject | | 55 | A2 | Fall-Through | := | Yes | | 56 | A3 | Auth-Type | := | Accept | | 57 | A3 | Fall-Through | := | No | +----+-----------+---------------+----+--------+
However, if the radius does not follow the algorithm described in http://wiki.freeradius.org/Rlm_sql, then this setup should not work.
Do you have any suggestion or idea on how to make the scenario above work?
Regards, Dashamir
Dashamir Hoxha wrote:
I have installed freeradius-1.1.7 in fedora8. However I find that the module rlm_sql does not work as described in this page: http://wiki.freeradius.org/Rlm_sql
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
* Setting the attribute Auth-Type:=Accept or Auth-Type:=Reject in the table radgroupreply doesn't work. Maybe it is not supposed to work, but why not?
It's a check item, so it goes into radcheck or radgroupcheck. Ivan Kalik Kalik Informatika ISP
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Dashamir Hoxha -
Marinko Tarlac -
orion -
tnt@kalik.co.yu