Freeradius-Users Digest, Vol 49, Issue 117
Marco De Magistris
marco.de.magistris at ericsson.com
Tue May 26 18:13:03 CEST 2009
Hi Alan
Thanks for your help.
Marco
-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: martedì 26 maggio 2009 17.58
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 117
Today's Topics:
1. Re: Statistic Counter (Alan DeKok)
2. problem with rlm_counter module when reset option is set to never (Ahmed Nifaz Faizabadi)
3. Re: problem with rlm_counter module when reset option is set to never (Ivan Kalik)
4. Re: problem with rlm_counter module when reset option is set to never (Ahmed Nifaz Faizabadi)
5. Re: problem with rlm_counter module when reset option is set to never (Alan DeKok)
6. Assigning IP address from RADIUS to Cisco PPTP users (up at 3.am)
7. wired 802.1x for desktops (offtopic) (Mikael Kermorgant)
8. FW: freeradius2.1.4--Simultaneous (jiangshu at seec.com.cn)
----------------------------------------------------------------------
Message: 1
Date: Tue, 26 May 2009 13:29:51 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Statistic Counter
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4A1BD2AF.5050101 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8
Marco De Magistris wrote:
> Can I enable other counters for AuthRadiusClientAccessRetransmissions,
> AuthRadiusClientTimeouts and AuthRadiusClientCounterDiscontinuity?
The server does not currently track those statistics.
As always, patches are welcome.
> Or should I use the "counter" module of FreeRADIUS?
No. It won't do what you want.
Alan DeKok.
------------------------------
Message: 2
Date: Tue, 26 May 2009 18:13:59 +0530
From: Ahmed Nifaz Faizabadi <ahmednifaz at gmail.com>
Subject: problem with rlm_counter module when reset option is set to never
To: freeradius-users at lists.freeradius.org
Message-ID: <d49df1900905260543k4228999ai4aeb7ff46b595237 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi all,
Here is the issue I am facing with the rlm_counter module.
I am using freeradius-server-2.1.4 and configuring a max session time
for each user.
for example:

user1   Max-Session-Time := 1800, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

user2   Max-Session-Time := 3600, Auth-Type := Reject
        Reply-Message = "Your time limit is used"

and the rlm_counter options are:

counter daily {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        key = User-Name
        reset = never
}
I am observing that the user's accounting record is not deleted from the
rlm_counter module once the user has used his allocated time. For
example, when user1 has used the 1800 seconds allocated to him, I will
be deleting the user from the users config and then adding the same user
back. I am still getting the "Your time limit is used" message :(.
Does somebody have information about how to delete the records from the
rlm_counter module once they are expired, with the reset option set to
never?
Regards
Ahmed Nifaz
------------------------------
Message: 3
Date: Tue, 26 May 2009 14:15:35 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Message-ID: <30874.194.176.105.44.1243343735.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
> Here is the issue I am facing with rlm_counter module.
> I am using freeradius-server-2.1.4 and configuring Max session time
> for each user.
>
> for example:
> user1 Max-Session-Time := 1800, Auth-Type := Reject
> Reply-Message = "Your time limit is used"
>
> user2 Max-Session-Time := 3600, Auth-Type := Reject
> Reply-Message = "Your time limit is used"
>
> and rlm_counter options are :
>
> counter daily {
>         counter-name = Max-All-Session-Time
>         check-name = Max-All-Session
>         key = User-Name
>         reset = never
> }
>
>
> I am observing that the user accounting record is not deleted from
> rlm_counter module once the user has used his allocated time.
And what makes you think it would be?
> For
> example when user1 has used 1800 seconds allocated to him then I will
> be deleting the user from users config and then add the same user
> back. I am getting the "Your time limit is used" message :(.
>
> Does somebody has information about how to delete the records from
> rlm_counter module once they are expired with reset-option set to
> never.
Yes. Delete accounting records as well when you delete user details.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 4
Date: Tue, 26 May 2009 19:03:34 +0530
From: Ahmed Nifaz Faizabadi <ahmednifaz at gmail.com>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: tnt at kalik.net, FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <d49df1900905260633k59bc4b28peeeeb6f6f36d9223 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
>> Here is the issue I am facing with rlm_counter module.
>> I am using freeradius-server-2.1.4 and configuring Max session time
>> for each user.
>>
>> for example:
>> user1          Max-Session-Time := 1800, Auth-Type := Reject
>>                Reply-Message = "Your time limit is used"
>>
>> user2          Max-Session-Time := 3600, Auth-Type := Reject
>>                Reply-Message = "Your time limit is used"
>>
>> and rlm_counter options are :
>>
>> counter daily {
>>         counter-name = Max-All-Session-Time
>>         check-name = Max-All-Session
>>         key = User-Name
>>         reset = never
>> }
>>
>>
>> I am observing that the user accounting record is not deleted from
>> rlm_counter module once the user has used his allocated time.
>
> And what makes you think it would be.
>
This would increase the accounting file size indefinitely and cause
some other problems, as the user records are never deleted at all.
>> For
>> example when user1 has used 1800 seconds allocated to him then I will
>> be deleting the user from users config and then add the same user
>> back. I am getting the "Your time limit is used" message :(.
>>
>> Does somebody has information about how to delete the records from
>> rlm_counter module once they are expired with reset-option set to
>> never.
>
> Yes. Delete accounting records as well when you delete user details.
>
I tried that, but that accounting file is in binary or some other
encrypted format. Will you please let me know how to delete that
accounting record, or how to convert it to a simple text file (which
would make deleting expired records easy).
Ahmed Nifaz
------------------------------
Message: 5
Date: Tue, 26 May 2009 15:49:26 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: problem with rlm_counter module when reset option is set to never
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4A1BF366.5020409 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Ahmed Nifaz Faizabadi wrote:
....
>>> counter daily {
>>>         counter-name = Max-All-Session-Time
>>>         check-name = Max-All-Session
>>>         key = User-Name
>>>         reset = never
...
>>> I am observing that the user accounting record is not deleted from
>>> rlm_counter module once the user has used his allocated time.
...
> This would increase the accounting file size indefenitely and cause
> some other problems as the user records are not at all being deleted.
See the configuration: "reset = never" means "never reset". Which
means "don't reset".
> I tried that but that accounting file is in binary or some other
> encrypted format. Will you please let me know about how to delete that
> accounting record or how to convert that to simple text file ( which
> would make easy deleting expired records) .
It's just a DBM file. See the "rad_counter.pl" file in the source
tree. It shows how to edit the file.
Alan DeKok.
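An added example of the edit Alan points at, written here for this digest in Python; it is neither rad_counter.pl nor any FreeRADIUS code. It opens the rlm_counter GDBM file, lists the records (keyed by the module's key attribute, User-Name in the posted config) and deletes one user's record, which is what the poster's "expire a user" step needs under reset = never, since the module itself will never remove it; the next accounting packet for that user starts a fresh record. Assumptions: the file path is passed in, Python's dbm module can open GDBM files (dbm.open() chooses the backend from the file's own format), and only the leading unsigned int of each stored record is read, taken to be the accumulated counter; the records written by build_sample_db() are constructed for the demonstration. Stop radiusd before editing a live file, since GDBM allows a single writer and the module holds the file open.

```python
"""List records in an rlm_counter GDBM file and delete a user's record.

Added example, not rad_counter.pl.  Assumes Python's dbm module can open
GDBM files; dbm.open() picks the backend from the existing file's format.
"""
import dbm
import os
import struct
import tempfile

# Assumed record layout: the module's C struct starts with an unsigned int
# holding the accumulated counter (seconds for a session-time counter).
# Nothing after that leading field is interpreted here.
COUNTER_FMT = "@I"
COUNTER_SIZE = struct.calcsize(COUNTER_FMT)


def list_records(path):
    """Return {key: raw_record} for every entry in the counter file.

    rlm_counter stores one record per value of its 'key' attribute, so with
    key = User-Name the keys are user names.
    """
    records = {}
    with dbm.open(path, "r") as db:
        for key in db.keys():
            records[key.decode("utf-8", "replace")] = db[key]
    return records


def counter_value(raw_record):
    """Decode the leading unsigned int of a record (assumed to be the counter)."""
    return struct.unpack(COUNTER_FMT, raw_record[:COUNTER_SIZE])[0]


def delete_record(path, username):
    """Remove one user's record.  Returns True if it existed, False otherwise.

    With reset = never this is the only way the user's count goes back to
    zero; the module re-creates the record from the next accounting packet.
    """
    with dbm.open(path, "w") as db:
        key = username.encode("utf-8")
        if key not in db:
            return False
        del db[key]
        return True


def build_sample_db():
    """Write a constructed counter file for demonstration and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "counter.db")
    with dbm.open(path, "c") as db:
        for user, seconds in (("user1", 1800), ("user2", 3600)):
            # Constructed record: leading counter field plus padding standing
            # in for the rest of the module's struct.
            db[user.encode("utf-8")] = struct.pack(COUNTER_FMT, seconds) + b"\x00" * 8
    return path


if __name__ == "__main__":
    import sys
    # usage: counter_edit.py [/path/to/counter/file [user-to-delete]]
    db_path = sys.argv[1] if len(sys.argv) > 1 else build_sample_db()
    for user, raw in sorted(list_records(db_path).items()):
        print(f"{user}: {counter_value(raw)} seconds")
    if len(sys.argv) > 2:
        print("deleted" if delete_record(db_path, sys.argv[2]) else "no such user")
```

Run without arguments it works on its own constructed file; with the module's filename as the first argument it lists the live counters, and a second argument names the user whose record is dropped.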
------------------------------
Message: 6
Date: Tue, 26 May 2009 11:34:41 -0400 (EDT)
From: up at 3.am
Subject: Assigning IP address from RADIUS to Cisco PPTP users
To: freeradius-users at lists.freeradius.org
Message-ID: <Pine.BSF.4.64.0905261122570.14312 at richard2.pil.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Hi:
I've used Livingston and Cistron radiusd's in the past with dialup ppp
users and Cisco/Lucent NASes and have been able to do this with no
problems.
Users are currently authenticating fine and getting assigned IPs from the
IP pool as defined in the Cisco NAS. However, I'd like to have a few,
select users assigned static IPs from outside that pool, but the Cisco
(2811) is simply ignoring the raddb/users file entry for that user and
assigning an IP from the pool on the NAS.
Here is my Cisco config:
--------------------
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Loopback0
 ip address 99.99.99.99 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip policy route-map VPN-Client
 peer match aaa-pools
 peer default ip address pool vpnpool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool vpnpool 172.16.30.2 172.16.30.254
---------
Here is the raddb/users file entry:
---------
testuser        Service-Type == Framed-User, Framed-Protocol == PPP
                Framed-IP-Address = 172.16.1.2,
                Framed-IP-Netmask = 255.255.255.255,
                Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT         Framed-Protocol == PPP
                Framed-Protocol = PPP,
                Framed-Compression = Van-Jacobson-TCP-IP
--------------
The DEFAULT entry allows users in /etc/passwd to authenticate fine, but
"testuser" still gets an IP from the NAS pool instead of the one above.
Any pointers appreciated!
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
=========================================================================
------------------------------
Message: 7
Date: Tue, 26 May 2009 17:49:03 +0200
From: Mikael Kermorgant <mikael.kermorgant at gmail.com>
Subject: wired 802.1x for desktops (offtopic)
To: freeradius-users at lists.freeradius.org
Message-ID: <9711147e0905260849o189c2601w5c1e378769668760 at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hello,
Sorry for this off-topic message; I have a question about 802.1x deployment
and don't know where to ask. As freeradius is one of the elements I am thinking of,
maybe someone here can help me find the solution?
My goals:
1) authenticate access to the network from Open Public Access Catalog (OPAC)
desktop machines available to every user of a library.
2) have a guest account with limited LAN access (no access to the internet, or
just a very short whitelist).
3) keep the machines reachable from some servers (ghost server, monitoring,
etc.). (This criterion rules out a captive portal.)
I thought 802.1x with dynamic VLANs would be a nice solution, as it should
allow putting the guest account in a specific VLAN.
But how would it be possible to reach the machine from the management
servers before someone authenticates? Is it possible to have a default VLAN
activated on startup of the machine?
Or do you know where I should ask this question?
Regards,
--
Mikael Kermorgant
------------------------------
Message: 8
Date: Tue, 26 May 2009 23:57:27 +0800
From: <jiangshu at seec.com.cn>
Subject: FW: freeradius2.1.4--Simultaneous
To: <freeradius-users at lists.freeradius.org>
Message-ID: <FED9EB928DE94C60A0BED02F2524259E at IT0508023>
Content-Type: text/plain; charset="gb2312"
Hi,
I use FreeBSD 7.0 + MySQL + FreeRADIUS 2.1.4.
Users authenticate against the RADIUS database without problems. Now I am
using "Simultaneous-Use" in radius to limit a user to one session. What
happens is that when the user logs on a second time, the acctstoptime of
the earlier record in the accounting table gets updated, but the NAS does
not send a packet to disconnect the user (the user keeps using the
network). It seems that radius does not send an Access-Reject or an
accounting stop packet to disconnect the user.
Thank you!
System
localhost# whereis perl
perl: /usr/bin/perl /usr/local/man/man1/perl.1
localhost# whereis snmpget
snmpget: /usr/local/bin/snmpget /usr/local/man/man1/snmpget.1
Cisco config
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout quiet-period 2
 dot1x guest-vlan 3
 dot1x auth-fail vlan 4
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
radius.conf
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
                     FROM ${acct_table1} \
                     WHERE username = '%{SQL-User-Name}' \
                     AND acctstoptime IS NULL"

INSERT INTO `radius`.`radgroupcheck` (`groupname`, `attribute`, `op`, `value`)
VALUES ('user', 'Simultaneous-Use', ':=', '1');
mysql> select username,acctstarttime,acctstoptime from radacct where
username="jsh";
+----------+---------------------+---------------------+
| username | acctstarttime | acctstoptime |
+----------+---------------------+---------------------+
| jsh | 2009-05-19 07:34:57 | 2009-05-19 07:35:49 |
| jsh | 2009-05-19 07:35:49 | NULL |
+----------+---------------------+---------------------+
2 rows in set (0.00 sec)
mysql>
sites-available/default
accounting {
        radutmp
        ...
        sql
        ....
}
session {
        #radutmp
        sql
}
MySQL tables radacct and radpostauth:

radacct
+----------+---------------------+--------------+----------+
| username | acctstarttime       | acctstoptime | count(*) |
+----------+---------------------+--------------+----------+
| jsh      | 2009-05-26 07:45:09 | NULL         |        1 |
+----------+---------------------+--------------+----------+

radpostauth
+----+----------+---------------+---------------------+
| id | username | reply         | authdate            |
+----+----------+---------------+---------------------+
| 14 | jsh      | Access-Accept | 2009-05-26 07:30:04 |
| 15 | jsh      | Access-Accept | 2009-05-26 07:45:08 |
| 16 | jsh      | Access-Accept | 2009-05-26 07:45:08 |
+----+----------+---------------+---------------------+
radgroupcheck
+----+-----------+------------------+----+-------+
| id | groupname | attribute        | op | value |
+----+-----------+------------------+----+-------+
|  1 | user      | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+
nas
+---------------+-----------+-------+-------+--------+-----------+---------------+
| nasname       | shortname | type  | ports | secret | community | description   |
+---------------+-----------+-------+-------+--------+-----------+---------------+
| 192.168.0.100 | cisco3560 | cisco | 1812  | cisco  | cisco3560 | RADIUS Client |
+---------------+-----------+-------+-------+--------+-----------+---------------+
Tel: 010-85650282  Mobile: 13810174932
Fax: 010-65880126
MSN: mousejsh at hotmail.com
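An added example, not FreeRADIUS code and not part of the message above: a Python model of the Simultaneous-Use check that the posted simul_count_query implements, run against constructed radacct rows in an in-memory SQLite table (the poster's database is MySQL; SQLite and the four-column subset of radacct are assumptions made so the example runs offline). It shows the two halves of what the poster observes: the server counts rows with acctstoptime IS NULL and rejects a new Access-Request once that count reaches the Simultaneous-Use limit, and it tells the NAS nothing about the existing session. A row the NAS never closed therefore keeps the user locked out, and a row closed without the NAS actually dropping the session lets the next login in. stale_sessions() lists open rows whose last known activity (acctstarttime plus acctsessiontime, which each Interim-Update refreshes) is older than several of the 5-minute intervals set by "aaa accounting update newinfo periodic 5"; those are the rows to close by hand or to leave to checkrad, which uses the snmpget and perl the poster located and, when sql.conf's deletestalesessions is enabled, zaps rows the NAS no longer confirms.

```python
"""Model of the Simultaneous-Use accounting check.

Added example, not FreeRADIUS code.  An in-memory SQLite table stands in for
the MySQL radacct table, restricted to the columns the check needs.
"""
import sqlite3

# Constructed rows in the shape of the posted "select username,acctstarttime,
# acctstoptime from radacct" output, plus acctsessiontime as refreshed by
# Interim-Update packets.  'bob' has no Stop and no interim updates.
SAMPLE_ROWS = [
    ("jsh", "2009-05-19 07:34:57", "2009-05-19 07:35:49", 52),
    ("jsh", "2009-05-19 07:35:49", None, 540),
    ("bob", "2009-05-19 06:00:00", None, 120),
]

# Same shape as the posted simul_count_query, with SQL-User-Name bound as a
# parameter instead of being expanded into the query string.
SIMUL_COUNT_QUERY = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)

# Open rows whose last known activity is older than the cutoff.
STALE_QUERY = (
    "SELECT username, acctstarttime FROM radacct "
    "WHERE acctstoptime IS NULL "
    "AND datetime(acctstarttime, '+' || acctsessiontime || ' seconds') "
    "    < datetime(?, '-' || ? || ' seconds')"
)


def open_db(rows=SAMPLE_ROWS):
    """Create the stand-in radacct table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
        "acctstoptime TEXT, acctsessiontime INTEGER)"
    )
    con.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return con


def open_sessions(con, username):
    """Rows without a Stop for this user, as simul_count_query counts them."""
    return con.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def login_allowed(con, username, simultaneous_use=1):
    """True when an Access-Request passes the check: open rows below the limit.

    Only the new request is rejected; nothing is sent to the NAS about the
    session already recorded, so without checkrad a never-closed row blocks
    the user until someone closes it.
    """
    return open_sessions(con, username) < simultaneous_use


def stale_sessions(con, now, interim_seconds=300, missed_updates=3):
    """Open rows not refreshed within missed_updates interim intervals before now.

    now is 'YYYY-MM-DD HH:MM:SS'; interim_seconds=300 matches the NAS's
    'aaa accounting update newinfo periodic 5' (five minutes).
    """
    cutoff_seconds = interim_seconds * missed_updates
    rows = con.execute(STALE_QUERY, (now, cutoff_seconds)).fetchall()
    return [username for username, _ in rows]


if __name__ == "__main__":
    db = open_db()
    print("jsh open sessions:", open_sessions(db, "jsh"))
    print("jsh may log in again:", login_allowed(db, "jsh"))
    print("stale at 07:50:", stale_sessions(db, "2009-05-19 07:50:00"))
```

On a real deployment the same two queries run against MySQL; the parameter binding in SIMUL_COUNT_QUERY is deliberate, since the posted sql.conf query splices %{SQL-User-Name} into the statement text and relies on the module's escaping.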
------------------------------
End of Freeradius-Users Digest, Vol 49, Issue 117
*************************************************