FreeRADIUS vs Aradial RADIUS
Aldo Zavala
aldo at cleartalk.net
Mon Dec 15 21:39:24 CET 2008
Thanks for the input Alan, I am definitely sure FreeRADIUS is much better... what can be better than thousands of users, open source, free, and as feature-rich as it is... I apologize to all for the subject of my inquiry; I wanted somebody who has tested both Aradial and FreeRADIUS to tell me how professional this "Aradial" can be.
I am kind of scared because I am about to deploy a RADIUS AAA server in my network, and I was looking into commercial options, such as: Huawei: US$500,000 (yes... DAMN!), Juniper: US$100,000 (!!!)... and here is FreeRADIUS... but I have no idea how to configure it. It scares me because there is no manual to tell me step by step how to configure it to fit my needs and my equipment....
I am in a cellular network (CDMA2000); I need to create two domains in the AAA, one for EVDO and other internet services, the other for MMSC services, in order to be able to add different subscribers to the AAA under different domains, so that we can bill MMS and EVDO as separate services.
I downloaded the FreeRADIUS MySQL port on a FreeBSD box; I have no idea how to start configuring it. There are many .conf files, and each config file is huge... You told me in another reply that I have to configure FreeRADIUS to respond with the correct attributes that are needed by the PDSN. How can I know that? The Huawei PDSN documentation I have only tells how to configure the NAS with the "Huawei AAA" and doesn't say much about attributes.... Can you please tell me what you mean by "attributes that are needed by the PDSN"? What are those attributes and what do they do?
This is the relevant part of the PDSN config that I think is related to RADIUS:
[conf]
#
interface Piif3/0/0
ip address 192.168.1.2 255.255.255.255
#
interface Rpif3/0/0
ip address 192.168.1.1 255.255.255.255
#
a11 enable
pcf 192.168.0.200 192.168.1.1 256 skey 1234567891234567
#
construct domain huawei
domain enable
domain AAAclientsig 1
domain address-group huawei 0 0 10.0.0.51 50
domain dns huawei 0 209.145.204.26 bip 209.145.204.20
#
charge enable
weekday 6 1
weekday 5 0
weekday 4 0
weekday 3 0
weekday 2 0
weekday 1 0
weekday 0 1
#
[/conf]
Thanks,
Aldo Zavala
Mobile (760) 556-5050
GTalk: aldo.zavala at gmail.com
----- Original Message -----
From:
freeradius-users-request at lists.freeradius.org
To:
freeradius-users at lists.freeradius.org
Sent: Mon, 15 Dec 2008 13:08:36 -0700
Subject: Freeradius-Users Digest, Vol 44, Issue 82
> Today's Topics:
>
> 1. Re: Attributes Bandwidth in radgrouprepy table (tnt at kalik.net)
> 2. Re: MAC Auth (new problem) (tnt at kalik.net)
> 3. Re: calling-station-id filtering with checkval (tnt at kalik.net)
> 4. Re: calling-station-id filtering with checkval (tnt at kalik.net)
> 5. Re: MAC Auth (new problem) (Nataniel Klug)
> 6. Re: FreeRADIUS vs Aradial RADIUS (Alan DeKok)
> 7. Re: Somewhat OT: Captive portal on access points instead
> complex supplicant at level end user? (Alexander Clouter)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Dec 2008 19:36:48 +0100
> From: <tnt at kalik.net>
> Subject: Re: Attributes Bandwidth in radgrouprepy table
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <Y0HT6pSa.1229366208.9737470.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> >[sql] expand: SELECT id, username, attribute, value, op FROM radcheck
> >WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> >attribute, value, op FROM radcheck WHERE username =
> >'pepe at dominio.com' ORDER BY id
> >WARNING: Found User-Password == "...".
> >WARNING: Are you sure you don't mean Cleartext-Password?
> >WARNING: See "man rlm_pap" for more information.
>
> Fix that.
>
> >[sql] User found in radcheck table
> >rlm_sql (sql): Released sql socket id: 4
> >++[sql] returns ok
> >
>
> And what happened to authorize_reply_query? It would be helpful to see
> part of the server startup debug where the sql module is instantiated.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> >It's checking the query in radcheck but not in radgroupreply. And I've
> >tested the query in dialup.conf and seems correct
> >
> > authorize_group_reply_query = "SELECT ${groupreply_table}.id,
> >${groupreply_table}.GroupName,${groupreply_table}.Attribute,
> >${groupreply_table}.Value,${groupreply_table}.op FROM
> >${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username
> >= '%{SQL-User-Name}' AND ${usergroup_table}.GroupName =
> >${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
> >
> >Thanks in advance
> >
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 15 Dec 2008 19:45:40 +0100
> From: <tnt at kalik.net>
> Subject: Re: MAC Auth (new problem)
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <hGU36snT.1229366740.7674820.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3,
> >length=69
> > User-Name = "00:19:79:0F:98:3D"
> > User-Password = "cnett1298"
> > NAS-IP-Address = 172.30.0.165
> > NAS-Port = 0
> >server proxim {
> >+- entering group authorize {...}
> >++[preprocess] returns ok
> >[suffix] No '@' in User-Name = "00:19:79:0F:98:3D", looking up realm NULL
> >[suffix] No such realm "NULL"
> >++[suffix] returns noop
> >[sql_ap2000] expand: %{User-Name} -> 00:19:79:0F:98:3D
> >[sql_ap2000] sql_set_user escaped user --> '00:19:79:0F:98:3D'
> >rlm_sql (sql_ap2000): Reserving sql socket id: 4
> >[sql_ap2000] expand: SELECT id, username, attribute, value,
> >op FROM radcheck WHERE value =
> >'%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
> >attribute, value, op FROM radcheck WHERE value =
> >'00:19:79:0F:98:3D' ORDER BY id
> >[sql_ap2000] expand: SELECT groupname FROM
> >usergroup WHERE username = '%{SQL-User-Name}' ORDER
> >BY priority -> SELECT groupname FROM usergroup WHERE
> >username = '00:19:79:0F:98:3D' ORDER BY priority
> >rlm_sql (sql_ap2000): Released sql socket id: 4
> >[sql_ap2000] User 00:19:79:0F:98:3D not found
> >++[sql_ap2000] returns notfound
> >++[expiration] returns noop
> >++[logintime] returns noop
> >[pap] WARNING! No "known good" password found for the user.
> >Authentication may fail because of this.
> >++[pap] returns noop
> >No authenticate method (Auth-Type) configuration found for the request:
> >Rejecting the user
> >Failed to authenticate the user.
> >Login incorrect: [00:19:79:0F:98:3D/cnett1298] (from client ap2000 port 0)
> >} # server proxim
> >Delaying reject of request 0 for 1 seconds
> >Going to the next request
> >Waking up in 0.9 seconds.
> >Sending delayed reject for request 0
> >Sending Access-Reject of id 3 to 172.30.0.165 port 6001
> >Waking up in 4.9 seconds.
> >Cleaning up request 0 ID 3 with timestamp +29
> >Ready to process requests.
> >
> > This user (MAC) exists and its in radcheck like this:
> >
> >mysql> SELECT * FROM radcheck WHERE Username="marmatec";
> >+------+----------+--------------------+----+-------------------+--------+------+
> >| id | UserName | Attribute | op | Value | numero
> >| obs |
> >+------+----------+--------------------+----+-------------------+--------+------+
> >| 796 | marmatec | Cleartext-Password | := | 654321 | 00923
> >| |
> >| 1886 | marmatec | Calling-Station-Id | == | 00:19:79:0F:98:3D | 00923
> >| NULL |
> >+------+----------+--------------------+----+-------------------+--------+------+
> >
> > On mysql/sql/ap2000.conf (copy of dialup.conf file) I just changed
> >this on authorize section:
> >
> > WHERE value = '%{SQL-User-Name}' \
> >
> > I really don't know how to make this work. Can someone help me?
>
>
> Let's try again: put the MAC address into the radcheck table as the UserName
> field. Without that, MAC authentication is not going to work. If your
> "administration system" has something against it, throw it away and
> write another one yourself. Or use dialup admin (comes with the server)
> or something like daloRADIUS.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 15 Dec 2008 20:01:15 +0100
> From: <tnt at kalik.net>
> Subject: Re: calling-station-id filtering with checkval
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <2XjDGByZ.1229367675.3010030.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Look again. Hint: have a look at your radcheck entry and the one in the
> document.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 15/12/2008, "Justin A. Williams " <justin at justinawilliams.com>
> writes:
>
> >Alan,
> >
> >Honestly I have read this document but I do not see what i need to do.
> >
> >
> >
> >
> >
> >
> >On Mon, Dec 15, 2008 at 1:37 AM, Alan DeKok
> <aland at deployingradius.com>wrote:
> >
> >> Justin A. Williams wrote:
> >> > I see that the mac address from the calling-station-id but then it will
> >> > not login with the user.
> >> > If i delete the row 26 with calling-station-id it will permit that user
> >> > to login.
> >>
> >> Read doc/rlm_sql. This is explained.
> >>
> >> Alan DeKok.
> >>
> >
> >
> >
> >--
> >Justin A Williams
> >
> >
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 15 Dec 2008 20:07:43 +0100
> From: <tnt at kalik.net>
> Subject: Re: calling-station-id filtering with checkval
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <LgWmJbfe.1229368063.8923830.tnt at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> PS. You don't need checkval in inner-tunnel, or you should copy request
> attributes into the tunnel as well (see eap.conf, peap section).
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 15/12/2008, "Justin A. Williams " <justin at justinawilliams.com>
> writes:
>
> >Alan,
> >
> >Honestly I have read this document but I do not see what i need to do.
> >
> >
> >
> >
> >
> >
> >On Mon, Dec 15, 2008 at 1:37 AM, Alan DeKok
> <aland at deployingradius.com>wrote:
> >
> >> Justin A. Williams wrote:
> >> > I see that the mac address from the calling-station-id but then it will
> >> > not login with the user.
> >> > If i delete the row 26 with calling-station-id it will permit that user
> >> > to login.
> >>
> >> Read doc/rlm_sql. This is explained.
> >>
> >> Alan DeKok.
> >>
> >
> >
> >
> >--
> >Justin A Williams
> >
> >
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 15 Dec 2008 17:30:06 -0200
> From: Nataniel Klug <nata at cnett.com.br>
> Subject: Re: MAC Auth (new problem)
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4946B03E.1000001 at cnett.com.br>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Ivan,
>
> I can't just throw it away... and I still need this to work. There should
> be some way to make this happen...
>
> tnt at kalik.net wrote:
> >
> > Let's try again: put the MAC address into the radcheck table as the UserName
> > field. Without that, MAC authentication is not going to work. If your
> > "administration system" has something against it, throw it away and
> > write another one yourself. Or use dialup admin (comes with the server)
> > or something like daloRADIUS.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> >
>
> --
> Att,
>
> NATANIEL KLUG
> nata at cnett.com.br
>
> READ NATA'S DAY-TO-DAY
> http://nataklug.blogspot.com/
>
> Cyber Nett - Internet Banda Larga
> www.cnett.com.br
> (42) 3635-2957
> Rua Diogo Pinto, 1046, Centro
> Laranjeiras do Sul - PR
> Brasil - 85301-290
>
> "... even the wise have a tangible heart and can, at times, use
> science as a means of demonstrating sentimental impressions of which many
> do not judge them capable."
> Visconde de Taunay
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 15 Dec 2008 21:03:36 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: FreeRADIUS vs Aradial RADIUS
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4946B818.4090702 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Aldo Zavala wrote:
> > Hello guys, I am a little bit scared about how hard it can be to deploy
> FreeRADIUS. I found this on the internet: (aradial.com). These guys claim to
> have a very convenient and professional AAA server at a convenient price.
> Does anybody here have experience with that "Aradial radius server"? What
> would be the pros and cons of purchasing it instead of having FreeRADIUS?
>
> Don't ask us if we think Aradial is better than FreeRADIUS. We
> *know*. FreeRADIUS is better.
>
> However...
>
> Perhaps you could describe your needs in a little more detail. What
> are you trying to do with a RADIUS server? Why are you "scared" to
> deploy FreeRADIUS?
>
> FreeRADIUS is used in nearly 100,000 organizations, from 10 users to
> over 10 million users. It's the most widely used RADIUS server in the
> world. Everyone *else* thinks FreeRADIUS is fine.
>
> And if Aradial has 1/10 the installations of FreeRADIUS, I'll be very
> impressed.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 15 Dec 2008 20:01:08 +0000
> From: Alexander Clouter <alex at digriz.org.uk>
> Subject: Re: Somewhat OT: Captive portal on access points instead
> complex supplicant at level end user?
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4lpi16-ft8.ln1 at woodchuck.wormnet.eu>
>
> Sergio Belkin <sebelk at gmail.com> wrote:
> >
> > Thanks for ideas,
> >
> > In fact, some things you suggest I am using right now :) for example:
> >
> > *Automatized SecureW2 installer (ttls)
> > *Web Page with "secondary" password for peap
> >
> > But even so, some users find somewhat hard to use.
> >
> We seem to have no real problems with SecureW2 and our userbase. Mac OS
> X users 'import' the configuration (if they are on 10.3 or 10.4) and WinXP
> users get a light time of it with my SecureW2 preconfiguration script
> with some NSIS wrapper action to spoonfeed them through the problematic bits.
>
> Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment,
> which is our current problem; however, that's a grumble for another
> thread.
>
> The only problems we have is that we are 'awkward' and force WPA2 only
> and do not give into those WPA (version 1) TKIP weenies.
>
> > I've tried with no success at this moment use more than one SSID on
> > OpenWRT on Linksys WRT54GL...
> >
> Do not ever go down this route[1]. It completely negates the point of
> having a WPA Enterprise network when someone comes along with an evil
> twin network and gets the user to install a 'springboard' application to
> get onto the better network. It's as counterproductive as using
> PEAP/TTLS without full certificate validation.... :-/
>
> If you want my NSIS and/or SecureW2 INF file, do drop me an email. The
> springboarding issue we resolved by dumping everything onto a CD and
> distributing them to the masses that way. Even if this is not an option
> for you (like us in education, with 'student welcome packs'), if you make
> the CDs readily available near hotspots and what not in public areas,
> people will find what they need.
>
> Cheers
>
> Alex
>
> [1] I have convinced myself it's safe for a wired network, getting
> non-802.1X clients 802.1X'ified, but it's just not worth the risk for
> wireless clients
>
> --
> Alexander Clouter
> .sigmonster says: Succumb to natural tendencies. Be hateful and boring.
>
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 44, Issue 82
> ************************************************
>
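An added example, not from the thread and not code shipped with FreeRADIUS, showing the radcheck changes that Ivan's replies in Messages 1 and 2 call for. It assumes the stock MySQL schema from the FreeRADIUS 2.x distribution (radcheck columns id, username, attribute, op, value) and the stock authorize_check_query, which selects on `username = '%{SQL-User-Name}'`; the account names, MAC, passwords and the Auth-Type := Accept variant are illustrative assumptions, and the site-specific `numero`/`obs` columns in Nataniel's table are left out:

```sql
-- Added example (not from the thread). FreeRADIUS 2.x radcheck rows, MySQL.
-- Assumes the stock schema: radcheck(id, username, attribute, op, value).

-- 1. Message 1: the server warns 'Found User-Password == "..."' and points
--    at rlm_pap. User-Password is what the client *sends*; the "known good"
--    password the server compares against must be stored as
--    Cleartext-Password with the := operator.
UPDATE radcheck
   SET attribute = 'Cleartext-Password', op = ':='
 WHERE attribute = 'User-Password';

-- 2. Message 2: the Access-Request in the debug output carries the MAC as
--    User-Name and the AP's shared password as User-Password. The stock
--    check query is "WHERE username = '%{SQL-User-Name}'", so the MAC has
--    to be in the username column (restore that WHERE clause in
--    ap2000.conf; "WHERE value = ..." will never match the request).
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('00:19:79:0F:98:3D', 'Cleartext-Password', ':=', 'cnett1298');

-- Alternative (assumption, for a NAS that sends no usable password):
-- accept on the MAC alone, without any password check.
-- INSERT INTO radcheck (username, attribute, op, value) VALUES
--   ('00:19:79:0F:98:3D', 'Auth-Type', ':=', 'Accept');

-- 3. A human account tied to a device (the Calling-Station-Id check item,
--    as in Nataniel's table). The value must match exactly what the NAS
--    puts in the request; the debug output shows the real format, and a
--    different case or separator will not match.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('marmatec', 'Cleartext-Password', ':=', '654321'),
  ('marmatec', 'Calling-Station-Id', '==', '00:19:79:0F:98:3D');

-- Sanity check: this is what the stock authorize_check_query returns for
-- the MAC-as-username request seen in the debug output.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = '00:19:79:0F:98:3D'
 ORDER BY id;
```

Apply the statements with the mysql client, then re-run `radiusd -X` and resend the request: the `[sql_ap2000] User ... not found` line should become a found user, and `[pap]` should stop warning about a missing "known good" password. For PEAP users, a Calling-Station-Id check item only works in the inner tunnel if the request attributes are copied into it, which is the eap.conf peap setting Ivan refers to in Message 4.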