FreeRADIUS time based authentication with MySQL


FreeRADIUS time based authentication with MySQL

jomajo
Hello !

Maybe somebody knows how to configure a FreeRADIUS server with MySQL for authentication at a specific time?

For example:

There is a reservation page. Users can reserve a specific time slot, for 1-3 hours. A random username and password would be generated for that user to log in at that time. How do I configure the FreeRADIUS server for this type of authentication, so that the user can log in only at that specific time?

Thank you very much for your time and answers!

Re: FreeRADIUS time based authentication with MySQL

shiv
You should use the Login-Time attribute. Look here to see how it's used -> http://wiki.freeradius.org/Rlm_logintime
Ideally, you would add a row for each user (not optimal) with Login-Time attribute with value like 'Al1600-1700' which means they will be able to login only between 1600 and 1700 on all days.
We use it in the radgroupcheck table for groups of users and in unlang for groups of NAS's.
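
An added example, not part of shiv's post or of FreeRADIUS: one way a reservation page could turn a booked slot into radcheck rows using the Login-Time attribute described above. The radcheck column order (username, attribute, op, value), the "lab-" username prefix and the function names are assumptions; a slot that crosses midnight is split into per-day ranges.

```python
import secrets
from datetime import datetime, timedelta

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday() order


def login_time(start: datetime, hours: int) -> str:
    """Build a Login-Time value such as 'Fr1600-1700' for one booked slot."""
    if not 1 <= hours <= 3:
        raise ValueError("slots are 1-3 hours long")
    end = start + timedelta(hours=hours)
    parts, cur = [], start
    while cur < end:
        midnight = (cur + timedelta(days=1)).replace(
            hour=0, minute=0, second=0, microsecond=0)
        stop = min(end, midnight)
        # Each range names one weekday, so a slot crossing midnight is split;
        # the part that runs up to midnight is written as ending at 2359.
        last = stop - timedelta(minutes=1) if stop == midnight else stop
        parts.append(f"{DAYS[cur.weekday()]}{cur:%H%M}-{last:%H%M}")
        cur = stop
    return ",".join(parts)


def radcheck_rows(start: datetime, hours: int):
    """Return (rows, delete_after) for a new reservation.

    Rows are (username, attribute, op, value) tuples for radcheck (assumed
    column order). Login-Time repeats every week, so the caller must delete
    the rows once delete_after has passed.
    """
    user = "lab-" + secrets.token_hex(4)   # hypothetical naming scheme
    password = secrets.token_urlsafe(12)   # 16 random URL-safe characters
    rows = [
        (user, "Cleartext-Password", ":=", password),
        (user, "Login-Time", ":=", login_time(start, hours)),
    ]
    return rows, start + timedelta(hours=hours)


if __name__ == "__main__":
    # Constructed reservation: Saturday 14 April 2012, 23:00, two hours.
    rows, delete_after = radcheck_rows(datetime(2012, 4, 14, 23, 0), 2)
    for row in rows:
        print(row)
    print("delete rows after", delete_after)
```

Login-Time matches by day of week, so rows left in place after the slot would admit the same credentials again a week later.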

Re: FreeRADIUS time based authentication with MySQL

Timmy
On 2012-04-13 06:27 PM, shiv wrote:
> You should use the Login-Time attribute. Look here to see how it's used ->
> http://wiki.freeradius.org/Rlm_logintime
> Ideally, you would add a row for each user (not optimal) with Login-Time
> attribute with value like 'Al1600-1700' which means they will be able to
> login only between 1600 and 1700 on all days.
> We use it in the radgroupcheck table for groups of users and in unlang for
> groups of NAS's.
>
>
Use the freeradius-dialupadmin package.  There is some similar function,
but I haven't tried it.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS time based authentication with MySQL

jomajo
Hello guys.

Thank you for your answers. I just installed dialup admin. There are no functions to manage at what time users can connect and at what time they cannot. :(

I'm looking for a solution like the one Jeremy Stretch already has in his lab:
http://packetlife.net/wiki/how-community-lab-works/ 


Re: FreeRADIUS time based authentication with MySQL

Timmy
On 2012-04-13 09:49 PM, jomajo wrote:
> Hello guys.
>
> Thank you for your answers. I just installed dialup admin. There are no
> functions to manage at what time users can connect and at what time they
> cannot. :(
>
> I'm looking for a solution like the one Jeremy Stretch already has in his lab:
> http://packetlife.net/wiki/how-community-lab-works/
>
Dialup admin can manage so many attributes.  Read through the package's
readme, faq, howto etc...  The features are hidden.  Freeradius 2.1 is
so feature rich.  One cannot learn it enough in a few months.   ;)

Re: FreeRADIUS time based authentication with MySQL

Alan DeKok-2
In reply to this post by jomajo
jomajo wrote:
> Thank you for your answers. I just installed dialup admin. There are no
> functions to manage at what time users can connect and at what time they
> cannot. :(

  What you are trying to do is relatively unusual.  There is no
pre-existing solution for you.

  You will need to create it yourself.

  Alan DeKok.

Re: FreeRADIUS time based authentication with MySQL

jomajo
Hi!

I am talking just about time-based authentication, at the specific time.

But now there is a problem with MD5 encryption. Take a look please:

<...>
++[sql] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
++[daily] returns noop
rlm_checkval: Item Name: Calling-Station-Id, Value: 10.0.0.254
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using MD5 encryption.
[pap] Configured MD5 password has incorrect length
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 43 to 10.0.0.1 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 43 with timestamp +11
Ready to process requests.
<...>

Re: FreeRADIUS time based authentication with MySQL

jomajo
With ClearText Password this is working!

Re: FreeRADIUS time based authentication with MySQL

Alan DeKok-2
In reply to this post by jomajo
jomajo wrote:
> I am talking just about time-based authentication, at the specific time.
>
> But now there is a problem with MD5 encryption. Take a look please:

  No.  *You* need to read the output.  The problem is clear.

  Alan DeKok.

Re: FreeRADIUS time based authentication with MySQL

jomajo
Yes, the problem is clear:

[pap] Configured MD5 password has incorrect length
[pap] Passwords don't match

But I'm looking for how to solve this problem.

Password is correct.

Some questions about Authorization of FreeRADIUS.

snan4love
In reply to this post by jomajo
Hello Everybody:
I set up a FreeRADIUS server just a few days ago. It works fine, but I still have a lot of confusion about how this server works.
The first one: Authorization! FreeRADIUS is an AAA server. I know what Authentication does, I know what Accounting does, but I don't know what Authorization does.
I read some documents, and I know that Authorization works with the concept of an "Attribute". Today I read some source code of a RADIUS client (ChilliSpot). Right now my understanding of Authorization and Attributes is: the RADIUS client defines some Attributes. When a user tries to connect to the NAS that is running the client, the RADIUS server will tell the NAS what the Attribute values of this user should be by using radreply or groupreply. Depending on the different Attribute values, the NAS will know what a user can and cannot do, and this will be defined in some other program running on the NAS. That is what we call Authorization. Is my understanding correct or not?
Second question: does an Attribute belong to a NAS or to a user, or are some NAS attributes and some user attributes?

Right now I have a project which requires that different users get different bandwidth when sharing a NAS. I read the RADIUS client program (chillispot); it has an Attribute "Radius_BANDWIDTH_DOWN_MAX". After tracing this attribute in the source code of the client program, I found that it finally sets an environment variable named "WISPR_BANDWIDTH_DOWN_MAX" in the NAS OS. Does anyone know how the NAS controls the bandwidth after setting this environment variable?

One more question: does anyone have experience setting the Attribute "BANDWIDTH_DOWN_MAX" (of course with a different name on different NASes) for radreply? Does MAX BANDWIDTH mean the NAS has this max bandwidth and all users share it? Or does the specific user whose reply from the RADIUS server contains this attribute have this limit, with no effect on other users who do not have this attribute?

Sorry for so many questions; any hint will be really appreciated.
Thank you in advance.
Joey


Re: Some questions about Authorization of FreeRADIUS.

Matthew Newton
Hi Joey,

On Sat, Apr 14, 2012 at 12:06:06AM +0800, ZhenJoey wrote:
> The first one: Authorization! FreeRADIUS is an AAA server. I know
> what Authentication does, I know what Accounting does,
> but I don't know what Authorization does.

Try reading doc/aaa.rst in the source, which gives a good
overview.

Also, the PDFs on http://aureliengeron.free.fr/livrewifi/ are good
- see http://aureliengeron.free.fr/livrewifi/freeradius-en-part3.pdf
for example - all of it is good, but p23 onwards might help you
the most. It shows how packets make their way through the server.

> Second question: does an Attribute belong to a NAS or to a
> user, or are some NAS attributes and some user attributes?

Attributes/values are passed between the NAS (which is the RADIUS
'client') and the RADIUS server. They have nothing (directly) to
do with the end user. Of course, user login information is placed
into the attributes by the NAS.

> an environment variable named "WISPR_BANDWIDTH_DOWN_MAX" in the NAS
> OS. Does anyone know how the NAS controls the bandwidth after
> setting this environment variable?

I suggest you read the documentation on your NAS. The RADIUS
server just sends attributes back, and it's up to the NAS to
implement what it's told.

> One more question: does anyone have experience setting the
> Attribute "BANDWIDTH_DOWN_MAX" (of course with a different name on
> different NASes) for radreply? Does MAX BANDWIDTH mean the NAS
> has this max bandwidth and all users share it? Or does
> the specific user whose reply from the RADIUS server contains this
> attribute have this limit, with no effect on other users who
> do not have this attribute?

It's up to the NAS - read the documentation for that.

In terms of coovachilli, setting

DEFAULT
                WISPr-Bandwidth-Max-Up = 1000000,
                WISPr-Bandwidth-Max-Down = 2000000

in your users file (there are plenty of other ways to do this -
unlang, sql, etc) will mean that all users get 1Mbit up and 2Mbit
down. You can send these with different values per user if you
want.

Cheers,

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>

Re: FreeRADIUS time based authentication with MySQL

Alan DeKok-2
In reply to this post by jomajo
jomajo wrote:
> Yes, the problem is clear:
>
> [pap] Configured MD5 password has incorrect length
> [pap] Passwords don't match
>
> But I'm looking how to solve this problem.
>
> Password is correct.

  Really?  The debug message says otherwise.

  I guess it's impossible to solve.  The passwords are clearly *so*
secret that you can't post them.

  It's not like the configuration file for the "pap" module contains a
URL that tells you how to create a *correct* MD5 password.  That
information is super-secret, too.

  Alan DeKok.

Re: Some questions about Authorization of FreeRADIUS.

jomajo
In reply to this post by snan4love
Dear Snan.

I appreciate your question, but I think you need to create another thread for it.


Re: FreeRADIUS time based authentication with MySQL

jomajo
In reply to this post by Alan DeKok-2
Dear Alan, I can post/show everything to you.

I installed and configured "Dialup Administration". I am able to create groups and users.

As I'm not so familiar with FreeRADIUS, I'm trying to do the basics.

Create user:



There is a table in database:



And here is the full "freeradius -X" command output:

http://www.text-upload.com/read.php?id=341355&c=6535796

Thank you for your time Alan!


Re: Some questions about Authorization of FreeRADIUS.

A.L.M.Buxey
In reply to this post by snan4love
Authorization: is someone actually allowed to use the resource they are logging into? E.g. time of day, belonging to the right group, coming from the right place, still having data allowance, etc.

Authentication: is their password correct?


alan

--
This smartphone has free WiFi worldwide with eduroam, now that IS smart



Re: FreeRADIUS time based authentication with MySQL

A.L.M.Buxey
In reply to this post by jomajo
Hi,

> And there is a full "freeradius -X " command output:

yep  :

[pap] Configured MD5 password has incorrect length

Did you read the text that Alan already mentioned?

I'd personally choose cleartext-password with {md5} at the beginning of the
value with auto_header = yes in the pap module.

alan

Re: FreeRADIUS time based authentication with MySQL

jomajo
Thanks guys,

but I got the same error with this in the pap module configuration:

pap {
        auto_header = yes
}

Re: FreeRADIUS time based authentication with MySQL

jomajo
Need I change something / somewhere once more?

Re: FreeRADIUS time based authentication with MySQL

Fajar A. Nugraha-2
On Sun, Apr 15, 2012 at 4:58 PM, jomajo <[hidden email]> wrote:
> Need I change something / somewhere once more?

To repeat what was already written:

"
[pap] Configured MD5 password has incorrect length

Did you read the text that Alan already mentioned?
"

Did you read that? What have you done to correct that?

How did you create the MD5-password? Is it a copy-paste error?

An example of correct MD5-password and how to create them:

$ echo -n password | md5sum
5f4dcc3b5aa765d61d8327deb882cf99  -

You can then put "5f4dcc3b5aa765d61d8327deb882cf99" in MD5-Password.

--
Fajar
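
An added example, not from the thread or the FreeRADIUS project: a check to run on a value before it is stored as MD5-Password, covering the copy-paste mistakes that give it the wrong length. It accepts only the 32-character hex form shown above; the helper names and category labels are hypothetical, and the sample values are constructed.

```python
import hashlib
import re

HEX = re.compile(r"[0-9a-fA-F]+")


def md5_password(plaintext: str) -> str:
    """Hex MD5 of the exact password bytes, like `echo -n password | md5sum`."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def diagnose(stored: str) -> str:
    """Classify a candidate MD5-Password value before it is stored."""
    if HEX.fullmatch(stored) and len(stored) == 32:
        return "ok"
    if stored != stored.strip():
        return "whitespace"   # space or newline picked up by copy-paste
    if stored.startswith("$1$"):
        return "md5-crypt"    # crypt(3) MD5 string, not a bare MD5 digest
    if stored.lower().startswith("{md5}"):
        return "header"       # {md5}-prefixed form, not the bare hex digest
    if HEX.fullmatch(stored):
        return "truncated" if len(stored) < 32 else "too-long"
    return "not-hex"          # e.g. the trailing "  -" that md5sum prints


def matches(stored: str, plaintext: str) -> bool:
    """True only if the value is well formed and is the MD5 of plaintext."""
    return diagnose(stored) == "ok" and stored.lower() == md5_password(plaintext)


if __name__ == "__main__":
    good = md5_password("password")
    # Constructed values: correct, trailing newline, truncated, md5sum
    # suffix, header form, and a digest of the password plus a newline.
    samples = [good, good + "\n", good[:-1], good + "  -", "{md5}" + good,
               md5_password("password\n")]
    for value in samples:
        print(repr(value), diagnose(value), matches(value, "password"))
```

A digest made from the password plus a newline (echo without -n) passes the length check but still fails to match, so it shows up as a plain mismatch rather than the length error.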