Syed Jahanzaib Personal Blog to Share Knowledge !

November 8, 2019

Freeradius 3 with Mikrotik – Part-1 # Time to upgrade

Filed under: freeradius — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 11:25 AM

freeradius-ldaps-e1380323478337

fr logo



Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logics & create or modify the solutions as per your network scenario. Never follow copy paste blindly, [unfortunately this has become our national culture]

My humble request is that kindly donot consider me as an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and try to help others

Regard's
Syed Jahanzaib~

This is another post about installation & configuration of ISP related billing system called Freeradius version 3.0.19. My aim is to let people know that creating your own Radius Billing system is not a ROCKET SCIENCE.

The only thing required is your ultimate passion to achieve the goal & with the right search, reading, understanding logic’s, you can do all on your own. I strongly encourage all to read the FR mailing list and Google search

For older version of Freeradius ver 2.x series, you may read below

https://aacable.wordpress.com/2016/03/11/mikrotik-with-freeradiusmysql-part-1/


Make your own Billing system in Linux with Latest version of Freeradius 3.0.19 / MySQL 5.7.27

by Syed Jahanzaib / aacable[at]hotmail[dot]com

[This Guide will be updated with many further supporting posts)

The aim of writing this post was that there are number of radius products available on the internet with lots of features, each have some unique features. But this is also true that none of them is 100% perfect for every type of ISP. The reason is that every ISP/Network have different sort of local requirements and billing mode. If you have searched on google you will find that there are tons of guides for freeradius implementation, but most of them have either incomplete data , or difficult explanation, or does not meet the practical requirements of Desi ISP. That’s why I started this guide so that info that is not common on the net can be shared here. plus most important you can learn on your own using this baby step.

In this post I have made some quick guide to install a very basic level of billing system by using Freeradius/mysql on UBUNTU 18.4 [64bit]. Mikrotik routerboard with firmware version 6.45.7 is being used as NAS to connect user and freeradius will be used for authentication/accounting billing system.

Let’s Rock …

blog-header-collaboration-between-hardware-software-teams_0

Hardware Software components used in this post

Hardware:

  • Xeon 2Ghz CPU x 2
  • 64 GB RAM
  • 480GB SSD x 8 disks in RAID-10
  • Vmware ESXI 6.5 installed on bare metal hardware
  • VM guest created for Radius role with following config
    40 GB RAM / 12 CORES VCPU / 300 GB Disk Space

Software:

  • OS: Ubuntu 18.04.3 LTS Server Edition [Click here for Download Link]
  • FreeRADIUS: Version 3.0.19 [using apt-get with custom repository]
  • Mysql Version: mysql Ver 14.14 Distrib 5.7.27, for Linux (x86_64) using EditLine wrapper [using apt-get]
  • IP scheme

    Radius IP = 101.11.11.254
    Mikrotik IP = 101.11.11.255

 


 

Quick Tips for Ubuntu OS before rolling out FR

helpful_tips1

Network address configuration

18.04_beaver_wp_8192x4608_AW

In Ubuntu 18, network addresses are configured slightly differently as compared to earlier version of ubuntu series. To add / modify IP addresses, edit 50-cloud-init.yaml file

nano /etc/netplan/50-cloud-init.yaml

A working configuration file is attached as below. Make sure to follow syntaxes as defined. U18 is quite sensitive regarding this section.

# Ubuntu 18 Network Config file # Syed Jahanzaib
network:
ethernets:
# Interface Name
ens33:
# Interface IP Address
addresses:
- 101.11.11.254/24
gateway4: 101.11.11.1
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
version: 2

<span style="color:var(--color-text);">


 

ROOT Login Access on local machine is not Allowed by Default on Fresh installation of Ubuntu 18

After fresh installation of Ubuntu 18 server edition, you cannot login with root ID by default. & to perform various functions, you may need ROOT access.

Therefore using your normal user account , issue below cmd’s to change root password in order to enable root login access

sudo passwd root

it will ask you to enter current user password, then it will ask to enter new root password two times. Do so and then you can change to use root user by using

# su

and it will ask you to enter root password, Enter the password that you setup in above steps. and you will be switched to ROOT.

Allow SSH Login for remote access using PUTTY or any other tool

permit-ssh-root-login-ubuntu

By default, Ubuntu 18 will not allow you to remotely login via SSH.

Edit file

nano /etc/ssh/sshd_config

now search for

PermitRootLogin prohibit-password

Change it to

PermitRootLogin yes

Save & Exit , Restart ssh service

service ssh restart

Another quick copy paste method to enable root ssh access

sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
service ssh restart

NTP configuration for timezone configuration &

Automatic time update from the internet [for KHI/PK]

apt-get -y install ntp ntpdate
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Disable iPV6

disable-ipv6-on-ubuntu

if ipv6 not required, its a good idea to disable it from beginning.

Use below CMD

echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" /etc/sysctl.conf
sysctl -p

for further ensurity, now edit

nano /etc/default/grub

& change

FROM:
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
TO:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="ipv6.disable=1"

Save & exit & run below cmd to update GRUB

sudo update-grub



Installing components required for general operations including MYSQL as well

Install supporting tools like mysql / phpmyadmin etc

#During installation, it will ask you to enter PASSWORD, dont let it skip, be vigilant 

apt-get -y install apache2 mc wget make gcc mysql-server mysql-client curl
apt-get -y install phpmyadmin

NOTE# mySQL Empty Root Password 

Try to login to mysql with your defined password. In case if mysql is letting you in with any random or empty password, use this CMD to change mysql root password

Use these steps only if you have mysql login issue with empty/any password

mysql -uroot -pANYPASS
UPDATE mysql.user SET authentication_string= '' WHERE User='root';
UPDATE mysql.user SET plugin = '' WHERE user = 'root';
UPDATE mysql.user SET authentication_string=PASSWORD('zaib1234') WHERE User='root';
UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE user = 'root';
exit

Don’t forget to restart mySQL service, this part wasted some time of mine

service mysql restart

fr logo with hatFR logo new .png

~ Installation & Configuration part ~
~ Freeradius version 3.0.19 ~

To install freeradius 3.0.19 via apt-get on ubuntu 18.4 server, first update the repository by using following

echo "deb http://packages.networkradius.com/releases/ubuntu-bionic bionic main" >> /etc/apt/sources.list

Save and exit, and issue below cmd

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x41382202
sudo apt-get update

~

Now using apt-get install method , we will install FR ver 3.0.19

apt-get -y install freeradius freeradius-mysql freeradius-utils

Once installed, check the FR version, & it should be similar to this

freeradius -v

radiusd: FreeRADIUS Version 3.0.19 (git #ab4c76709), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.19
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

SQL Section:

Create DB in mysql

# Make sure to change password which you setup while installing mySQL

mysql -uroot -pzaib1234
create database radius;
grant all on radius.* to radius@localhost identified by "zaib1234";
exit

Now import sql schema file into the mysql

mysql -u root -pzaib1234 radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql

Now create SQL link

ln -s /etc/freeradius/mods-available/sql /etc/freeradius/mods-enabled/

FREERADIUS CONFIG Section

now edit /etc/freeradius/mods-enabled/sql

nano /etc/freeradius/mods-enabled/sql

& make modification like in SQL { section

change to below

sql {
dialect = "mysql"
driver = "rlm_sql_${dialect}"
mysql {
# there are few lines related to certs, delete them as we donot require them
warnings = auto
}

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "zaib1234"
# Change password as you configured in initial steps/zaib
# Database table configuration for everything except Oracle
radius_db = "radius"

Save & exit.

Adding your NAS in mysql NAS table

TIP: Quick CMD to add NAS in table,

mysql -uroot -pzaib1234 -e "use radius; INSERT INTO nas (id, nasname, shortname, type, ports, secret, server, community, description) VALUES (NULL, '101.11.11.255', NULL, 'other', NULL, '123456', NULL, NULL, 'RADIUS Client');"

OUTPUT:

mysql> select * from nas;
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
| id | nasname | shortname | type | ports | secret | server | community | description |
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
| 1 | 101.11.11.255 | NULL  | other | 3799 | 123456 | | NULL | RADIUS Client |
+----+---------------+-----------------+-------+-------+--------+--------+-----------+---------------+
1 row in set (0.00 sec)


Create TEST USER for validating freeradius & mysql installation

We will now create a simple Test USER in mySQL RADIUS DB for verification / test purposes. It will have

  1. Username Password
  2. Mikrotik Rate Limit for Bandwidth Limitation, example 1mb/1mb
  3. Expiration date time
  4. Simultaneous Use set to 1 , to prevent Multiple login of same ID (it requires further modifications in DEFAULT section of sites enabled)
mysql -uroot -pzaib1234
use radius;
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES ( NULL , 'zaib', 'Cleartext-Password', ':=', 'zaib');
INSERT INTO radreply (username, attribute, op, value) VALUES ('zaib', 'Mikrotik-Rate-Limit', '==', '1024k/1024k');
INSERT INTO radcheck ( id , UserName , Attribute , op , Value ) VALUES (NULL , 'zaib', 'Expiration', ':=', '13 Jan 2029 11:00');
INSERT INTO radcheck (username,attribute,op,value) VALUES ('zaib', 'Simultaneous-Use', ':=', '1');
exit

effective-software-testing-tips-testers-on-the-go

Testing FREERADIUS connection using FR built-in tools

It’s time that we should test freeradius connectivity. in first Terminal, issue below cmd to start freeradius in DEBUG mode

service freeradius stop
freeradius -X

If FR configurall are configured correctly, then you will see something like below

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 48178
Listening on proxy address :: port 38713
Ready to process requests

If you see Ready to process requests  , than all good to Go, Else it will show you the particular errors and lines that you must FIX in order to proceed further.

Moving forward, Open second Terminal window, & try below cmd’s to test the user credentials/authentication

Test#1 using RADCLIENT tool with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123

Result:

Sent Access-Request Id 38 from 0.0.0.0:37282 to 127.0.0.1:1812 length 63
Received Access-Accept Id 38 from 127.0.0.1:1812 to 127.0.0.1:37282 length 26
Packet summary:
Accepted : 1
Rejected : 0
Lost : 0
Passed filter : 1
Failed filter : 0

Test#2 using RADTEST tool

radtest zaib zaib localhost 1812 testing123

Result:

Sent Access-Request Id 26 from 0.0.0.0:53486 to 127.0.0.1:1812 length 74
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address = 101.11.11.254
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "zaib"
Received Access-Accept Id 26 from 127.0.0.1:1812 to 127.0.0.1:53486 length 26
Session-Timeout = 289854175

Freeradius Debug Window:

Ready to process requests
(0) Received Access-Request Id 57 from 127.0.0.1:56913 to 127.0.0.1:1812 length 63
(0) User-Name = "zaib"
(0) User-Password = "zaib"
(0) Calling-Station-Id = "00:0C:29:71:60:DA"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "zaib", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "zaib"
(0) sql: Expiration := "Jan 13 2029 11:00:00 PKT"
(0) sql: Simultaneous-Use := 1
(0) sql: Calling-Station-Id := "00:0C:29:71:60:DA"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'zaib' ORDER BY id
(0) sql: User found in radreply table, merging reply items
(0) sql: Mikrotik-Rate-Limit == "1024k/1024k"
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.27-0ubuntu0.18.04.1, protocol version 10
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'zaib' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) if (notfound){
(0) if (notfound) -> FALSE
(0) expiration: Account will expire at 'Jan 13 2029 11:00:00 PKT'
(0) [expiration] = ok
(0) if (userlock){
(0) if (userlock) -> FALSE
(0) [pap] = updated
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
(0) if (&request:Calling-Station-Id != &control:Calling-Station-Id) -> FALSE
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'zaib' AND acctstoptime IS NULL
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) } # session = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql: EXPAND %{User-Name}
(0) sql: --> zaib
(0) sql: SQL-User-Name set to 'zaib'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%{reply:Reply-Message}', '%S', '%{NAS-IP-Address}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '127.0.0.1', '00:0C:29:71:60:DA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, reply_msg, authdate, nasipaddress, mac) VALUES ( 'zaib', 'zaib', 'Access-Accept', '', '2019-11-07 15:58:05', '127.0.0.1', '00:0C:29:71:60:DA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) [exec] = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 57 from 127.0.0.1:1812 to 127.0.0.1:56913 length 0
(0) Session-Timeout = 289854115
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 57 with timestamp +2
Ready to process requests

Above output shows OK status. You can inspect any errors in the freeradius config or with the user credentials here like, invalid mac, expiratione etc


Workaround to open existing session in RADACCT

welcoem_back_500x143

When there is an disconnection between NAS & RADIUS, following situation will be observed

NAS:

User session will be online on NAS, but NAS will not send interim updates to the Radius because communication between NAS/Radius is lost

RADIUS:

Radius will not receive any interim updates from the NAS & his session will keep alive (acctstoptime IS NULL), But for some local requirements we scheduled a bash script which checks stale session checking last acct update time . Example if the radius doesn’t receives interim update for 10 minutes, it will close this user session in radacct table by setting acctstoptime to current date/time.

Now when the connectivity restore between the NAS & Radius, and since NAS has this user online, it will send Interim Update to the radius, BUT our radius have closed this session already earlier (via bash script), therefore this update packet will only update the old entry using unique acct ID, but acctstoptime will not be set to NULL.

This will create confusion for frontend, because when you will search online users by searching entries whose acctstoptime is NULL. this session will not appear which will create FALSE assumption on your frontend that this user is offline whereas this user is actually online in NAS.

To settle this , I made some dirty workaround by poking in freeradius SQL queries.conf  file. I am not aware if this trick is is already being used or not,but its working fine on my end.

Add below code

acctstoptime = NULL, \

in queries.conf

Edit file by

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf
interim-update {
#
# Update an existing session and calculate the interval
# between the last data we received for the session and this
# update. This can be used to find stale sessions.
#
query = "\
UPDATE ${....acct_table1} \
SET \
acctupdatetime = (@acctupdatetime_old:=acctupdatetime), \
acctupdatetime = FROM_UNIXTIME(\
%{integer:Event-Timestamp}), \
acctinterval = %{integer:Event-Timestamp} - \
UNIX_TIMESTAMP(@acctupdatetime_old), \
acctstoptime = NULL, \
framedipaddress = '%{Framed-IP-Address}', \
framedipv6address = '%{Framed-IPv6-Address}', \
framedipv6prefix = '%{Framed-IPv6-Prefix}', \
framedinterfaceid = '%{Framed-Interface-Id}', \
delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', \
acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Input-Octets}:-0}', \
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
<< 32 | '%{%{Acct-Output-Octets}:-0}' \
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

& as always reload freeradius

service freeradius reload


Prevent Multiple User login [ Simultaneous Login :=1 ]

To prevent multiple login for same user , we have to first enable SQL base session logging , so that our control can check the session details for already logged in user

Edit file

nano /etc/freeradius/sites-enabled/default

& then uncomment sql under session { section

# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
sql

Now we need to add UNLAG query in DEFAULT config to check for MAC address if control is defined in RADCHECK table

edit file

nano /etc/freeradius/sites-enabled/default

Under authorize { section, add below code

if (&request:Calling-Station-Id != &control:Calling-Station-Id) {
update reply {
Reply-Message := "Incorrect Mac"
}
reject
}

 

 

After every change in config files, reload freeradius by

service freeradius reload

Now you can simulate test using below CMD

RADCLIENT test with particular calling MAC address

echo "User-Name=zaib,User-Password=zaib,Calling-Station-Id=00:0C:29:71:60:DA" | radclient -s localhost:1812 auth testing123

Note: If there is no Calling-Station-ID defined in RADCHECK , test will success and in FREERADIUS Debug log, you will see line that failed to evaluate control. but user will be able to connect if no mac defined in radcheck.


Modifying RADPOSTAUTH section for recording user login attempts in sql table

To record all users login attempts with our customized RADPOSTAUTH table, we can following

First edit queries.conf in /etc/freeradius/mods-config/sql/main/mysql

nano /etc/freeradius/mods-config/sql/main/mysql/queries.conf

Goto End & search for section (usually its in the last)

#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query - Insert some info after authentication
#######################################################################

Delete existing query & use this one


query = "\
INSERT INTO ${..postauth_table} \
(username, pass, reply, reply_msg, authdate, nasipaddress, mac) \
VALUES ( \
'%{SQL-User-Name}', \
'%{%{User-Password}:-%{Chap-Password}}', \
'%{reply:Packet-Type}', \
'%{reply:Reply-Message}', \
'%S', \
'%{NAS-IP-Address}', \
'%{Calling-Station-Id}')"
}

Save and Exit.

Modify RADPOSTAUTH table

Now modify the RADPOSTAUTH table in radius DB so that reply messages can be stored here in the way want it to be

mysql -uroot -pzaib1234
use radius;
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
DROP TABLE IF EXISTS `radpostauth`;
CREATE TABLE `radpostauth` ( `id` int(11) NOT NULL, `username` varchar(64) NOT NULL DEFAULT '', `pass` varchar(64) NOT NULL DEFAULT '', `reply` varchar(256) NOT NULL DEFAULT '', `reply_msg` varchar(256) DEFAULT NULL, `authdate` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, `nasipaddress` varchar(100) DEFAULT NULL, `mac` text ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
ALTER TABLE `radpostauth` ADD PRIMARY KEY (`id`), ADD KEY `username` (`username`(32));
ALTER TABLE `radpostauth` MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=12;
exit

As always reload freeradius service after any modification in the configuration files using

service freeradius reload

Try to auth any user and then look into RADPOSTAUTH table & you will see entries like


mysql> select * from radpostauth;
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+
| id | username | pass | reply | reply_msg | authdate | nasipaddress | mac |
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+
| 14 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:37 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 15 | zaib | zaib | Access-Accept | | 2019-11-05 19:21:50 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 16 | zaib | zaib | Access-Reject | | 2019-11-05 19:22:12 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 17 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:51 | 127.0.0.1 | 00:0C:29:35:F8:21 |
| 18 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:23:57 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 19 | zaib | zaib | Access-Accept | | 2019-11-05 19:24:14 | 127.0.0.1 | 11:11:11:11:11:11 |
| 20 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:24:21 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 21 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-05 19:25:23 | 127.0.0.1 | 00:0C:29:35:F8:2F |
| 22 | zaib | zaib | Access-Accept | | 2019-11-05 19:25:29 | 127.0.0.1 | 11:11:11:11:11:11 |
| 23 | zaib | zaib | Access-Reject | Your account has expired=2C zaib | 2019-11-05 19:25:44 | 127.0.0.1 | 11:11:11:11:11:11 |
| 24 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:16 | 127.0.0.1 | 11:11:11:11:11:11 |
| 25 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:26:25 | 101.11.11.254 | |
| 26 | zaib | zaib | Access-Accept | Account Expired | 2019-11-05 19:27:22 | 101.11.11.254 | |
| 27 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:27:41 | 101.11.11.254 | |
| 28 | zaib1 | zaib | Access-Reject | | 2019-11-05 19:27:55 | 101.11.11.254 | |
| 29 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:29:04 | 101.11.11.254 | |
| 30 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:29:12 | 101.11.11.254 | |
| 31 | zaib | zaib1 | Access-Reject | Account Expired | 2019-11-05 19:30:28 | 101.11.11.254 | |
| 32 | zaib | zaib1 | Access-Reject | Wrong Password | 2019-11-05 19:30:46 | 101.11.11.254 | |
| 33 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:30:54 | 101.11.11.254 | |
| 34 | zaib1 | zaib | Access-Reject | Username not found | 2019-11-05 19:32:45 | 101.11.11.254 | |
| 35 | zaib | zaib | Access-Accept | | 2019-11-05 19:32:51 | 101.11.11.254 | |
| 36 | zaib | zaib | Access-Accept | | 2019-11-05 19:33:01 | 101.11.11.254 | |
| 37 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-05 19:33:57 | 101.11.11.254 | |
| 38 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:21 | 101.11.11.254 | |
| 39 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:28 | 127.0.0.1 | 11:11:11:11:11:11 |
| 40 | zaib | zaib | Access-Accept | | 2019-11-05 19:35:51 | 127.0.0.1 | |
| 41 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:37:23 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 42 | zaib | | Access-Accept | | 2019-11-05 19:37:38 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 43 | zaib | | Access-Reject | Incorrect Mac | 2019-11-05 19:39:13 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 44 | zaib | zaib | Access-Reject | You are already logged in - access denied | 2019-11-06 08:37:04 | 101.11.11.254 | |
| 45 | zaib | zaib | Access-Accept | | 2019-11-06 08:37:24 | 101.11.11.254 | |
| 46 | zaib | | Access-Reject | Incorrect Mac | 2019-11-07 07:56:07 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 47 | zaib | | Access-Reject | You are already logged in - access denied | 2019-11-07 07:57:03 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 48 | zaib | | Access-Accept | | 2019-11-07 07:57:18 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 49 | zaib@zaib | | Access-Reject | Wrong Password | 2019-11-07 07:57:23 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 50 | zaib@zaib | | Access-Accept | | 2019-11-07 08:00:37 | 101.11.11.255 | 00:0C:29:71:60:DA |
| 51 | zaib | zaib | Access-Reject | Incorrect Mac | 2019-11-07 15:54:53 | 127.0.0.1 | 11:11:11:11:11:11 |
| 52 | zaib | zaib | Access-Accept | | 2019-11-07 15:56:12 | 127.0.0.1 | 00:0C:29:71:60:DA |
| 53 | zaib | zaib | Access-Accept | | 2019-11-07 15:57:05 | 101.11.11.254 | |
| 54 | zaib | zaib | Access-Accept | | 2019-11-07 15:58:05 | 127.0.0.1 | 00:0C:29:71:60:DA |
+----+-----------+-------+---------------+-------------------------------------------+---------------------+---------------+-------------------+

Unable to login with username like zaib@zaib

If you are unable to login with username like z@ib@zaib , then disable the filter_username module under authorize { section

edit file

nano /etc/freeradius/sites-enabled/default

Navigate to authorize { section, & comment the filter_username

authorize {
#
# Take a User-Name, and perform some checks on it, for spaces and other
# invalid characters. If the User-Name appears invalid, reject the
# request.
# See policy.d/filter for the definition of the filter_username policy.

# filter_username

Mikrotik-Rate-Limit not working with FR 3
(Updated on 9-NOV-2019)

Today I encountered issue at local network, where radius was not sending the Mikrotik-Rate-Limit syntax to the NAS. After doing some troubleshooting it came to my knowledge that you have to change op value from == to := , Example

Mikrotik-Rate-Limit := 1024k/1024k

Trimming RADACCT table to make it SLIM & blazing Responsive

greensboro-tree-solutions-tree-trimming-1-1024x683

Over the period of time, radacct table will grow enormously. This can slow down many queries , therefore its a good idea to move all closed session entries (NOT NULL) to another table like radacct_archive. I created following bash script which helped me to sort many issues.

Note: Make sure to change credentials section

mkdir /temp
touch /temp/radacct_trim.sh
chmod +x /temp/radacct_trim.sh
nano /temp/radacct_trim.sh

& copy paste following

#!/usr/bin/env bash
####!/bin/sh
#set -x
#MYSQL DETAILS
DATE=`date`
logger radacct_trim script started $DATE
SQLUSER="root"
SQLPASS="YOUR_PASSWORD"
DB="radius"
TBL_ARCH="radacct_archive"
TBL_ARCH_EXISTS=$(printf 'SHOW TABLES LIKE "%s"' "$TBL_ARCH")
MONTHS="12"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
# This is one time step.
echo "
Script Started @ $DATE
"
echo "- Step 1 : Checking for DB: $DB / TABLE: $TBL_ARCH ..."
DBCHK=`mysqlshow --user=$SQLUSER $DB | grep -v Wildcard | grep -o $DB`
if [ "$DBCHK" == "$DB" ]; then
echo " > $DB DB found"
else
echo " > $DB not found. Creating now ..."
$CMD "create database if not exists $DB;"
fi
if [[ $(mysql -u$SQLUSER -e "$TBL_ARCH_EXISTS" $DB) ]]
then
echo " > $TBL_ARCH TABLE found IN DB: $DB"
else
echo " > $TBL_ARCH TABLE not found IN DB: $DB / Creating now ..."
$CMD "use $DB; create table if not exists $TBL_ARCH LIKE radacct;"
fi

# Start Action: copy data from radacct to new db/archive table
NOTULL_COUNT=`$CMD "use $DB; select count(*) from radacct WHERE acctstoptime is not null;"`
echo "- Step 2 : Found $NOTULL_COUNT records in radacct table , Now copying $NOTULL_COUNT records to $TBL_ARCH table ..."
$CMD "use $DB; INSERT IGNORE INTO $TBL_ARCH SELECT * FROM radacct WHERE acctstoptime is not null;"
echo "- Step 3 : Deleting $NOTULL_COUNT records old data from radacct table (which have acctstoptime NOT NULL) ..."
# --- Now Delete data from CURRENT RADACCT table so that it should remain fit and smart ins size
$CMD "use $DB; DELETE FROM radacct WHERE acctstoptime is not null;"
echo "- Step 4 : Copying old data from $TBL_ARCH older then $MONTHS months ..."
# --- Now Delete data from RADACCT_ARCHIVE table so that it should not grow either more than we required i.e 1 Year - one year archived data is enough IMO
$CMD "use $DB; DELETE FROM $TBL_ARCH WHERE date(acctstarttime) < (CURDATE() - INTERVAL $MONTHS MONTH);"
DATE=`date`
logger radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE
echo "
radacct_trim script ended with $NOTULL_COUNT records processed for trimming @ $DATE"

Schedule this BASH script to run every minute (or as per required)

1 * * * * /temp/radacct_trim.sh

Check for STALE Sessions in RADACCT [for FR ver3 in particular]

This bash script will close sessions in RADACCT whose interim updates have not received in last XX minutes. You can schedule it to run every minute or as required

#!/usr/bin/env bash
###!/bin/sh
#set -x
#trap "set +x; set -x" DEBUG
# BASH base script to close STALE sessions from freeradius, whose accounting is not updated in last X minutes in RADACCT table
# By Syed Jahanzaib
# CREATED on : 25-July-2018
# Local Variables

# Mysql credentials
SQLID="root"
SQLPASS="YOUR_PASSWORD"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLID --skip-column-names -s -e"
DB="radius"
INTERVAL="11"
DB="radius"
#Table which contain main users information
TBL="users"
#Rad user group in which we will update user profile like from 1mb to expired or likewise
TBL_LOG="log"
STALE_USR_LIST="/tmp/stale_sessions.txt"
# Date Time Variables
DATE=$(date +%d-%m-%Y)
DT_HMS=$(date +'%H:%M:%S')
FULL_DATE=`date`
CURR_HOUR=$(date +%H)
TODAY=$(date +"%Y-%m-%d")
WEEK=`date -d "-1000 days" '+%Y-%m-%d'`
BEGIN="1970-01-01"
H=$(date +'%-H')

#Check and close session for staleness
$CMD "use $DB; select username,radacctid,nasipaddress from radacct WHERE acctstoptime IS NULL AND acctupdatetime  $STALE_USR_LIST
# IF no user found , show error and exit - zaib
CHK=`wc -m $STALE_USR_LIST | awk {'print $1}'`
if [ "$CHK" -eq 0 ]
then
echo "No stall sesion found (which accounting session have not updated in last $INTERVAL minutes) , exiting ..."
exit 1
fi
$CMD "use $DB; UPDATE radacct SET acctstoptime = NOW(), acctterminatecause = 'Clear-Stale-Session' WHERE acctstoptime IS NULL AND acctupdatetime /dev/null 2>&1

WordPress is not letting pasting of code. look for this line

wp post problem.PNG


TIPS for MYSQL:

following are some mySQL tuning made according to the hardware. These are just my assumptions that this setting will work fine. However you may tune your setup according to your hardware. Install & run MYSQLTUNER tool which will better guide you as per the actual hardware/software scneario.

/etc/mysql/mysql.conf.d/mysqld.cnf

[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
bind-address = 127.0.0.1
skip_name_resolve
key_buffer_size = 4G
thread_stack = 192K
thread_cache_size = 8
myisam-recover-options = BACKUP
max_connections = 2000
table_open_cache = 15000
query_cache_limit = 200M
query_cache_size = 0
query_cache_type = 0
#log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M
innodb_buffer_pool_size = 22G
innodb_log_file_size = 11G
innodb_buffer_pool_instances = 22

MYSQLTUNER to see mySQL performance

It is good idea to install mysqltuner

apt-get install mysqltuner

Let your mysql Run for 1-2 days, then run this tool

mysqltuner

MYSQL FIND ENGINE TYPE FOR DB

mysql -uroot -pzaib1234
use radius;
SHOW TABLE STATUS\G

OUTPUT:

mysql> SHOW TABLE STATUS\G
*************************** 2. row ***************************
Name: radacct
Engine: InnoDB
Version: 10
Row_format: Dynamic
Rows: 1
Avg_row_length: 16384
Data_length: 16384
Max_data_length: 0
Index_length: 212992
Data_free: 0
Auto_increment: 2323234
Create_time: 2019-11-05 19:06:21
Update_time: 2019-11-07 10:27:08
Check_time: NULL
Collation: latin1_swedish_ci
Checksum: NULL
Create_options:
Comment:

In above OUTPUT, You can see the type, with 5.5+ its generally innodb

 


Monitor Disk Read Write

To monitor all disks read/write speed install this tool

apt-get install -y iotop

Run it using below cmd

iotop -o

HTOP – Monitor ALL Processes / CPU Cores Usage Monitor

install this

apt-get install -y htop
htop

Additional:

Doing Stress Test on Radius using BASH scripts

stress test on fr 3

FREERADIUS Stress Test Using BASH script – Zaib


Regard’s
Syed Jahanzaib

August 7, 2019

Exploiting Mikrotik for Good ?

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 11:30 AM

mikrotik exploit logo.png

Last updated: 7-AUGUST-2019 / 1400 hours

Note: Lot have been written on this vulnerability & this is not something NEW, but this vulnerability helped us in accessing one of our remote site old router with forgotten credentials.


In our remote branch network , we had installed one Mikrotik small box RB750 for branch to HO connectivity. This small unit was installed few years back & we never looked into it again. Recently we needed to make some configuration changes but following some bad practices we didn’t added this particular mikrotik in our centralized automated backup system & we didn’t noted down the credentials & IP configurations of its VPN settings after its deployment considering it less important.

Luckily it was running old firmware which was exploitable dueto to its critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords.


Index of this post

  1. Vulnerable Versions
  2. Requirements
  3. Executing scripts in linux
  4. Results
  5. Securing older version with firewalling
  6. Securing the Mikrotik Router at basics

Vulnerable Versions

Versions affected:

  • Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23
  • Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23
  • Affected all RC releases from 6.29rc1 to 6.43rc3, fixed in 6.43rc4 on on 2018-Apr-23

For more information see: https://blog.mikrotik.com/security/winbox-vulnerability.html

Using this exploit we were able to recover the password and after changes we upgraded it immediately.

We can use Windows or Linux to remotely exploit the older mikrotik firmware to query for all user accounts.


Requirements:

The scripts can be run using PYTHON version 3+ & I have uploaded the scripts @ my Google Drive.


Driving in Linux !

  • I have tested it with Ubuntu ver 12 & 16
sudo apt-get update
sudo apt-get install python3

Now extract scripts in any temp folder.

Executing the scripts …

Extract users details using the Remote Mikrotik IP address [default 8291 port]

python3 WinboxExploit.py 10.0.0.1

Extract users details using the Remote Mikrotik IP address [custom port]

python3 WinboxExploit.py 10.0.0.1 1122

Discover Mikrotik on the network

(it will scan the network for Mikrotik, may take some time, or you can press CTRL+C to exit)

python3 MACServerDiscover.py

 

Extract users details using the Remote Mikrotik MAC Address

python3 MACServerExploit.py e4:8d:8c:9a:ed:11

Results:

mikrotik winbox exploit results.PNG

 

If the firmware is latest or not exploitable, it will give error “Exploit failed


# Securing older version with firewalling

If you dont want to upgrade, than at least use firewall filter to secure older versions……

/ip firewall filter
add action=reject chain=input comment="block CVE-2018-14847 exploit by z@ib" content=user.dat
add action=drop chain=input content="user.dat"

# Securing the Mikrotik Router at basics

  • TOP OF THE LINE THING TO DO : apply port scanning filtering !
  • Remotely Accessible Router Services should be limited to few addresses/interfaces
  • Never use default ports for Winbox / SSH & other services
  • Change there ports number to preferably higher unused ports like 50000 or above or likewise
  • If not in use, Disable all services like FTP / SSH & others
  • Never use default usernames like ADMIN , disable or delete them, and make alternate admin accounts with difficult passwords

Disable following

  • MAC-telnet services
    /tool mac-server set allowed-interface-list=none
  • MAC-Winbox
    /tool mac-server mac-winbox set allowed-interface-list=none
  • MAC-Ping service
    /tool mac-server ping set enabled=no
  • MikroTik Neighbor discovery protocol
    /ip neighbor discovery-settings set discover-interface-list=none
    /ipv6 nd set [find] disabled=yes
  • DNS cache
    /ip dns set allow-remote-requests=no
  • Socks proxy
    /ip proxy set enabled=no
    /ip socks set enabled=no
  • UPNP service
    /ip upnp set enabled=no
  • MikroTik dynamic name service or ip cloud
    /ip cloud set ddns-enabled=no update-time=no
  • Enable More Secure SSH access
    /ip ssh set strong-crypto=yes

Regard’s
Syed Jahanzaib

July 23, 2019

RM: Delete Expired Users Record

Filed under: Radius Manager — Tags: — Syed Jahanzaib / Pinochio~:) @ 12:57 PM

expired.jpg


Following script was made for DMA Radius Manager 4.1.x. It can delete X months old Expired users record from the mysql DB.

Sharing for reference purposes …

WordPress is not letting proper pasting of the code …

delete expired uesr.PNG

#!/bin/sh
#set -x
# This script delets users who have expired 2 months ago. and then delete there records from all tables.
# Syed Jahanzaib / June 2019
SQLPASS=”SQLPASS”
export MYSQL_PWD=$SQLPASS
> /tmp/expired.users.txt

#mysql -uroot -e “use radius; select username from rm_users where expiration BETWEEN ‘2010-01-01’ AND ‘2019-04-30’;” |sort > /tmp/expired.users.txt

# Fetch users who have expired 2 months ago & before, (using expired date), BE CAREFUL WHEN USING THIS
mysql -uroot -e “use radius; select username from rm_users where expiration <= DATE_SUB(CURDATE(), INTERVAL 2 MONTH)” |sort > /tmp/expired.users.txt
num=0
cat /tmp/expired.users.txt | while read users
do
num=$[$num+1]
USERNAME=`echo $users | awk ‘{print $1}’`
echo “$USERNAME —- user record from all relevant tables”
mysql -uroot -e “use radius; DELETE FROM rm_cards WHERE cardnum = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_users WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_changesrv WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM radcheck WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM radacct WHERE username = ‘$USERNAME’;”
mysql -uroot -e “use radius; DELETE FROM rm_radacct WHERE username = ‘$USERNAME’;”
done

 

Jz

July 17, 2019

BASH: Exporting MYSQL DB to Remote Server

Filed under: Linux Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:28 AM

mysql-export-import

Disclaimer: This post is shared just for reference & learning purposes. You must modify and add more failsafe check before using it in production.

Regards
Syed Jahanzaib


Scenario:

We are using Freeradius server which uses mySQL as its backend DB. Ideally the mysql server should have replica server so that if Primary goes down dueto any fault, the secondary replica should come in action.

For high availability purposes we we want to have a standby server. Mysql Master-Slave or Master-Master replication is ideal for real time replication. We successfully implemented this model at few sites, but yes replication requires constant monitoring, and at one place the secondary replica server backfired & caused data loss.

For one particular Remote Site we wanted to avoid the complications of REPLICATION. What we wanted is a standby server, and the DB from primary should be exported to secondary replica server daily in morning and emails for the actions taken by the script should be emailed to us.

We made custom script that is running successfully from quite some time.

The BASH script performs following function …

  • Checks secondary server PING response
  • Check secondary server SSH access
  • Checks primary server MYSQL DB access
  • Checks secondary server MYSQL DB access
  • Check if exported DB is of valid size, (I set it to min 10 KB, yes you may want to adjust it according to your setup)
  • If all OK, then export primary server DB, and import it to secondary server

Script Requirements:

https://aacable.wordpress.com/2011/11/25/howto-login-on-remote-mikrotik-linux-without-password-to-execute-commands/


BASH Script Code:

  • touch /temp/update_radius_from_10.0.0.1__TO__10.0.0.2.sh
  • chmod +x /temp/update_radius_from_10.0.0.1__TO__10.0.0.2.sh
  • nano /temp/update_radius_from_10.0.0.1__TO__110.0.0.2.sh
#!/bin/bash
clear
#set -x
# Version 1.0 / 10-July-2019
# Syed Jahanzaib / Web: https://aacable.wordpress.com / Email: aacable@hotmail.com
# This script exports mysqldb and restores it to second remote server
# Requires passwordless login on remote server using SSH keys
# Settings various VARIABLES for the script
# adding dns for resolving
echo "nameserver 8.8.8.8" > /etc/resolv.conf
#SET DATE TIME
set $(date)
time=`date |awk '{print $4}'`
YESTERDAY=`date --date='yesterday' +%Y-%m-%d`
TODAY=`date +"%d-%b-%Y__%T"`
SCRIPTST=`date +"%d-%b-%Y__%T"`
HOSTNAME=`hostname | sed 's/ //g'`
IP1=10.0.0.1
IP2=10.0.0.2
IP2ROLE="RADIUS"
IP2_SSH_PORT=22
SQL_DIR="sql_replica"
#MYSQL DETAILS
SQLUSER="root"
SQLPASS="TYPE.YOUR.SQL.ROOT.PASS"
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLUSER --skip-column-names -s -e"
DB="radius"
FILE="/$SQL_DIR/$HOSTNAME.$TODAY.IP.$IP1.sql"
GMAILID="YOUR_SENDER_GMAILID@gmail.com"
GMAILPASS="GMAIL_PASS"
ADMINMAIL1="aacableATATAThotmail.com"
COMPANY="ZAIB"
RESULT="/tmp/$IP2.$IP2ROLE.txt"
CLIENTS_FILE="/usr/local/etc/raddb/clients.conf"
PING_ATTEMPTS="2"
PING_RESULT="/tmp/$IP2.$IP2ROLE.ping.result.txt"
IP2_SSH_CHK="/tmp/$IP2.ssh.chk.txt"
touch $RESULT
touch $PING_RESULT
> $RESULT
> $PING_RESULT
rm -f /$SQL_DIR/*.sql
# Test PING to device
count=$(ping -c $PING_ATTEMPTS $IP2 | awk -F, '/received/{print $2*1}')
if [ $count -eq 0 ]; then
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !"
echo "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to PING Attempts, cannot continue without it , Please check !" > $PING_RESULT
sendemail -t $email -u "ALERT: $IP2 $IP2ROLE NOT RESPONDING!" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$PING_RESULT -o message-content-type=text
exit 1
fi
echo "- Script start time: $SCRIPTST

This report contains DB export results.

- Source Server : $HOSTNAME / $IP1
- Destination Server : $IP2

- PING Result to $IP2 : OK"

echo "- Script start time: $SCRIPTST

This report contains DB export results.

- Source Server : $HOSTNAME / $IP1
- Destination Server : $IP2
- PING Result to $IP2 : OK" >> $RESULT

#Cehck if SSH is accessible
scp -q -P $IP2_SSH_PORT root@$IP2:/etc/lsb-release $IP2_SSH_CHK
# Verify if file is downloaded from remote server via ssh
if [ ! -f $IP2_SSH_CHK ]; then
echo -e "- $COMPANY ALERT: $IP2 - $IP2ROLE is not responding to passwordless SSH ACCESS, cannot continue without it , Please check !"
exit 1
fi
echo -e "- SSH Access to $IP2 : OK"
echo -e "- SSH Access to $IP2 : OK" >> $RESULT

# Check if $DB (in this case radius )is accessible or not, if NOT, then exit the script
RESULT_DB_CHK=`$CMD "SHOW DATABASES LIKE '$DB'"`
if [ "$RESULT_DB_CHK" != "$DB" ]; then
echo "- ALERT: $IP1 - DB $DB not accessible !!!"
echo "- ALERT: $IP1 - DB $DB not accessible !!!" >> $RESULT
sendemail -t $email -u "- ALERT: $IP1 - DB $DB not accessible" -o tls=yes -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
fi

echo "- $DB - Database accessed on $IP1 : OK" >> $RESULT

#############################################
######## START the BACKUP PROCESS ... #######
#############################################
# Checking if $SQL_DIR folder is previously present or not . . .
{
if [ ! -d "/$SQL_DIR" ]; then
echo -e "- ALERT: /$SQL_DIR folder not found, Creating it MYSQL EXPORT/DUMP backup should be placed there . . ."
mkdir /$SQL_DIR
else
echo -e "- INFO: $SQL_DIR folder is already present , so no need to create it, Proceeding further . . ."
fi
}

mysqldump -u$SQLUSER -p$SQLPASS --single-transaction=TRUE --ignore-table={radius.radacct} $DB > $FILE
# CHECK FILE SIZE AND COMPARE, IF ITS LESS , THEN ALERT
SIZE=`ls -lh $FILE | awk '{print $5}'`
SIZEB=`ls -l $FILE | awk '{print $5}'`
if [ $SIZEB -lt 1 ]
then
echo "- ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes"
echo "- ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes" >> $RESULT
sendemail -t $email -u "ALERT: DB export failed on $IP1 - Size = $SIZE OR $SIZEB Bytes" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text
exit 1
fi
#ssh -p $IP2_SSH_PORT root@$IP2 mkdir /$SQL_DIR
#scp -P $IP2_SSH_PORT $FILE_FINAL root@$IP2:/$SQL_DIR
#ssh -p $IP2_SSH_PORT root@$IP2 ls -lh /$SQL_DIR
# Import file in secondary radius
#ssh -p $IP2_SSH_PORT root@$IP2 "mysql -u$SQLUSER -p$SQLPASS $DB < $FILE
#mysql -h $IP2 -u$SQLUSER -p$SQLPASS $DB < $FILE
ssh -p $IP2_SSH_PORT root@$IP2 mysql -u$SQLUSER -p$SQLPASS $DB  output
#scp -P $IP2_SSH_PORT $CLIENTS_FILE root@$IP2:/usr/local/etc/raddb/
ssh -p $IP2_SSH_PORT root@$IP2 'service freeradius restart'
SCRIPTET=`date +"%d-%b-%Y___%T"`

echo "- FILE NAME : $FILE
- FILE SIZE : $SIZE

- DONE : Backup from $IP1 to $IP2 have been Exported OK

- Script End Time: $SCRIPTET

Regard's
Syed Jahanzaib"

echo "- FILE NAME : $FILE
- FILE SIZE : $SIZE

- DONE : Backup from $IP1 to $IP2 have been Exported OK

- Script End Time: $SCRIPTET

Regard's
Syed Jahanzaib" >> $RESULT

sendemail -t $email -u "$TODAY $HOSTNAME DB Exported from $IP1 to $IP2 Report OK" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$RESULT -o message-content-type=text

#cat $RESULT
rm $IP2_SSH_CHK
rm $RESULT
rm $PING_RESULT
rm $FILE

Email Report Sample:

replica export done.PNG


Cron schedule to run the script Daily at 7am

# To run the script daily at 7 AM in morning
00 07 * * * /temp/update_radius_from_10.0.0.1__TO__10.0.0.2.sh

# To run the script every 6th hours 30 mnts
30 */6 * * * /temp/update_radius_from_10.0.0.1__TO__10.0.0.2.sh

Regard's
Syed Jahanzaib

July 2, 2019

DENIED Notes users are still able to access mails through IBM Notes Traveler

Filed under: IBM Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 4:30 PM

This post is about a case study regarding “Denied access Notes users are still able to access mails through IBM Notes Traveler“.

We are using IBM lotus Domino server as per following

  • – Lotus Domino – Primary Mail Server [For Lotus Notes/Webmail]
  • – Lotus Domino – Traveler Role [For Mobile Devices like Android/iPhone]

 

Case Study:

Today, It was brought to our knowledge that one of company’s employee resigned on 28th June 2019) have sent emails to HR Dept on ndex day. while his account was under DENY group, but still he was able to sent emails. We tried settings from IBm document referenced “Denied access Notes users are still able to access mails through IBM Notes Traveler” from https://www-01.ibm.com/support/docview.wss?uid=swg21634205 but still no luck. Traveler users who were under NO ACCESS GROUP under Primary LOTUS server were still able to sync emails.

Our Blocking Practice:
As per our practice , when any user resigned from the company, we add him under DENY GROUP under Lotus Domino Server for few days, which blocks the Notes/Webmail Access access for that particular user. Later if user withdraw resignation we just remove his name from this list, Else we remove his profiles and save his email in Archive for ever.

Findings:
If the user have IBM Verse installed on there mobile device, he can still access the email because his access is blocked primarily on Lotus Email Server, but since mobile devices does not communicate with the Primary server directly instead they access it via separate TRAVELER server (by proxying through LOTUS TRAVELER server), and communication between Primary Server & Lotus traveler server is being done through server to server basis thus they could access the emails.

Solution:

no access group.jpg
Adding the NO ACCESS list in the traveler server document under security DID THE TRICK !

[13FC:000A-1574] 07/01/2019 12:45:02 PM XXXXX Web Server: Access Denied Exception [/traveler?action=sync&orig=sp&deviceId=Android_a41df4vf3fe46a8e3a] CN=MY USER/O=MYCOMP

This list will be updated via Primary Lotus server after every 10 minutes (using replication connection) & it will act as additional level of permissions filtering. Now if any user will be added under DENY GROUP under Lotus Mail Server, this list will be propagated to Lotus Traveler server as well which will deny the user request if his name is under DENY GROUP.

Thanks to FB group “IBM Lotus Domino Administrators” for pointing in the right direction.


Some addition Tip:

to flush DB cache

sh nlcache reset

https://www.novell.com/coolsolutions/tip/17050.html

Regard’s
Syed Jahanzaib

 

May 12, 2019

Facilitate CDN traffic with Mikrotik

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 12:49 PM

ncdn_-_cdn.png

Control / Facilitate CDN traffic with

~ Mikrotik Router ~

First some DRY theory !

CDNs replicate content in multiple places. There’s a better chance of content being closer to the user, with fewer hops, and content will run over a more friendly network. The general idea of a CDN is to deliver content as fast as possible to the user without compromising the user’s experience. Usually, a CDN have global location servers, called Point of Presence. These PoPs store data as cache. When a user requests for a website, the nearest PoP will handle the request using stored cache.

The BIG players such as Google in order to enhance user experience have tried to get as close to the user as possible by direct peering with the regional service providers and provide contents using CDN (Content delivery network) providers. Google is having its own CDN network branded as a service called Google Global Cache (GGC)

Nowadays all the major ISPs have CDN facility , which tremendously helps them to reduce burden on there internet feed. Without CDN, cost of real internet bandwidth will be a heavy burden for any OP. With CDN user will get better video streaming experience.

I know few ISP’s here in Karachi (& one particularly originated from Gulshan Area) which totally relies on CDN (more than 50-60% of there internet data is routing via CDN) , I have used one of them, there real internet speed is pathetic but if you browse YT/FB they works excellent.


Scenario:

Our upstream ISP have CDN server installed in there data center & traffic going to CDN have no limit. But we want to control the traffic as following

1 Mb package Users break up for bandwidth controlling …

  • 1mb internet bandwidth
  • 1mb CDN bandwidth

So if a user is surfing the internet he will get full 1mb internet speed, & if he uses the traffic going to YOUTUBE CDN ,  He will get another 1 mb (additional).
Virtually he will get 2mb in total.

Using Mikrotik, we can achieve this task by using Firewall Mangle & Queues Tree. Same can be done with Mangle & PCQ base simple queues too. It’s a debatable topic on what to use, & depends on the selection, mangle marking method would also be changed.

Every network is different so one configuration cannot fit all. Number of users & traffic volume plays vital role in selection of marking / queue type to use.

Choose the marking/queue type wisely to save your Mikrotik CPU from becoming Mr. SPIKY 🙂 YKWIM 😀

Disclaimer: This is just an example for sharing purposes ONLY & yes there are many other methods and tuning techniques you can adopt to make this process much more efficient.


Script !

#===================================================
# CDN PACKET MARKING SCRIPT using Mangle/Queue.Tree
# By Syed.Jahanzaib
# Email: aacableAThotmailDOTcom
# https://aacableDOTwordpressDOTcom
# March 2019
#===================================================
# Address list name which is created dynamically by radius or you can go with manual method too
# This is important ... it can be done by varieties of ways, select one that matches your network design
#1Mb
#2Mb

#Create Address List which will contain CDN server's IP addresses
/ip firewall address-list
add address=1.2.3.4/24 list=cdn_list
add address=5.6.7.8/32 list=cdn_list

# Copy paste following rules & make sure to move these MANGLE rules to TOP position,
# so that they can be applied before any other rule, (for cdn)

/ip firewall mangle
add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_1mb_up passthrough=no src-address-list=1Mb
add action=mark-packet chain=postrouting dst-address-list=1Mb new-packet-mark=cdn_1mb_down passthrough=no src-address-list=cdn_list

add action=mark-packet chain=postrouting dst-address-list=cdn_list new-packet-mark=cdn_2mb_up passthrough=no src-address-list=2Mb
add action=mark-packet chain=postrouting dst-address-list=2Mb new-packet-mark=cdn_2mb_down passthrough=no src-address-list=cdn_list

# Define Queue Type & limitation that we want to provide to each package
/queue type
add kind=pcq name=1mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB
add kind=pcq name=1mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64 pcq-total-limit=1024KiB

add kind=pcq name=2mb-cdn-download pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB
add kind=pcq name=2mb-cdn-upload pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=2048k pcq-src-address6-mask=64 pcq-total-limit=2048KiB

# Add Queue/Speed Limitation using above Queue Types to firewall mangled/marked packets

/queue tree
add name="CDN - 1mb - upload" packet-mark=cdn_1mb_up parent=global priority=1 queue=1mb-cdn-upload
add name="CDN - 1mb - download" packet-mark=cdn_1mb_down parent=global priority=1 queue=1mb-cdn-download

add name="CDN - 2mb - upload" packet-mark=cdn_2mb_up parent=global priority=1 queue=2mb-cdn-upload
add name="CDN - 2mb - download" packet-mark=cdn_2mb_down parent=global priority=1 queue=2mb-cdn-download

# Script Ends Here.

1mb users CDN usage Graph.

cdn

As shown in above example image, 1mb users are using 227 mb of CDN (YT) bandwidth,  (it was off time with lesser number of users, in peak traffic reaches in Gb’s) & real internet bandwidth is free OR available for other tasks/users,  thus providing relief to the real internet bandwidth pipe.


Regard’s
Syed Jahanzaib

durood

April 22, 2019

MySql Database Recovery from Raw Files

Filed under: Linux Related, Radius Manager — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 2:31 PM

mysql recovery.PNG


Disclaimer: This worked under particular case. It may or may not work for everyone.

Scenario:

OS: Ubuntu 12.4 Servedit Edition / x86

MYSQL: Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (i686) using readline 6.2

The OP was running radius for AAA. The disk got faulty for some unknown reasons and were unable to boot from it. There was no database backup [Real example of bad practices] So restoration from mysqldump to new system was not an option there !

Requirements:

We need to restore the Database using mysql raw files. Luckily the faulty disk was able to got attached to other system & we were able to copy the core /var/lib/mysql/ folders (along with all sub folders in it)


Quick & Dirty Restoration Step !

Requires some good level of Linux / DB knowledge]

  • Setup a test SANDBOX, Install same level of OS along with MYSQL on new system/disk. Create databases / tables as required. Verify all is working by logging to mysql
  • Stop the MYSQL service.
  • Copy the folder /var/lib/mysql [copied from faulty disk] to this new box under /var/lib/mysql/  
  • Set the permission on newly copied files/folders
    chown mysql -R /var/lib/mysql/

After this point Try to start the MYSQL service , IF it starts successfully & you can see your DATA , then skip below steps , ELSE continue through below steps …

  • Edit the /etc/mysql/my.cnf & add following line under [mysqld] section
    innodb_force_recovery = 6
  • Start MYSQL service & the service will start in Safe Mode with limited working support. Verify if you can able to login to MYSQL service by
    mysql -uroot -pPASS
  • If above step works, Export the Database backup using mysqldump cmd e.g:
    mysqldump -uroot -pSQLPASS   radius  >  radius_db_dump_.sql
  • Once done, Open the file in nano or any other text editor, & verify if it contains the required data.

Now copy the radius_db_dump_.sql to safe location & you know what to do next 🙂

  • Import this mysqldump file to your working radius system !

TIPS:

best-practice2

Make sure you have multistage backup strategies in place for any mission critical server.

Example for mysql Database, You can do following

  • If your server is VM, then VEEAM B&R will be your best friend & guardian, go for it
  • 1st Stage Backup: [Highly recommended for live replication]
    ideally, you should have at least 2 Replica servers & configure either Master-Master or Master-Slave Replication
  • 2nd Stage backup:
    Create bash scripts to export DB backup in local folder on a daily basis, (or hourly basis if required]
  • 3rd Stage backup:
    Attach external USB disk to the server, and in your backup script, add this usb as additional backup repository
  • 4th Stage backup:
    Configure DROPBOX and add it as additional backup repository
  • 5th Stage backup:
    The admin should manually copy the backup folders to his desktop so that if all other backups gets failed , this should come in handy.

Regard’s
Syed Jahanzaib

 

 

 

April 11, 2019

Vcenter 6.5: Cannot complete operation due to concurrent modification by another operation

Filed under: VMware Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 9:39 AM

Case#1

We have few ESXI machines managed by Vcenter (all have same 6.5 version). Today when we tried to upgrade compatibility on one vm guest using Vcenter, it gave following error.

Cannot complete operation due to concurrent modification by another operation

After some troubleshooting, it came to my knowledge that there was a pending snapshot made by Veeam B&R software, that was causing the issue. After removal of this snapshot, the compatibility upgraded worked fine, & later we moved this VM from one esxi to another dueto resource strains.

 

Vcenter error and snapshot removal solved it

Case#2

In one another encounter, whenever we tried to edit the guest VM setting, it gave error “Invalid configuration for device ‘1’.” , for this particular case we simply remove the affected guest VM from the inventory & re-added it and the problem got solve.

April 5, 2019

Mikrotik with Freeradius/mySQL # Part-22 – Create Dynamic Address List using Mikrotik-Address-List Attribute

Filed under: freeradius, Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 12:28 PM

fre



Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create your own solution as per your network scenario. Just dont follow copy paste.

If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others.

Regard’s
Syed Jahanzaib~


Scenario:

  • We have FREERADIUS installed as a AAA system in Ubuntu 16.04 server
  • Mikrotik version 6.44 is acting as PPPoE NAS connected with radius for AAA

Requirement:

When any user connects with our NAS, he should be added to mikrotik dynamic address list under IP > firewall > address list, so that we can manipulate this address list for different tasks, example mark connections/packets/routing and use them in Queues / Routes section or perform different sort of filtering as required.

In this particular task we are dynamically adding user in particular address list using radius attributes, then using this address list packet marking is being made, and then in Queues we are using these marked packets for different sort of bandwidth policies, example for normal internet we will limit 1mb per user , and for CDN traffic we will add addition 2mb for YT & FB. [and vice versa for different packages accordingly]

 


Solution:

We will use Mikrotik-Address-List attribute in radgroupreply section. as shown here.

1# Adding User entry in RADCHECK table so user can authenticate …

mysql> select * from radcheck;
+----+----------+--------------------+----+-------------------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+-------------------+
| 1 | zaib | Cleartext-Password | := | zaib |
+----+----------+--------------------+----+-------------------+
1 rows in set (0.01 sec)

2# Adding Radius Group Reply for 1mb Group, Example 1mb group user will get 1mb dynamic queue plus they will be added dynamically in address list name 1mb

mysql> select * from radgroupreply;
+----+-----------+-----------------------+----+--------------+
| id | groupname | attribute | op | value |
+----+-----------+-----------------------+----+--------------+
| 21 | 1mb | Mikrotik-Rate-Limit | == | 1024k/1024k |
| 22 | 1mb | Mikrotik-Address-List | := | 1mb |
+----+-----------+-----------------------+----+--------------+
2 rows in set (0.00 sec)

2# Adding username ZAIB in the Radius user group & assign him 1mb Group.

 

mysql> select * from radusergroup;
+----+----------+-----------+----------+
| id | username | groupname | priority |
+----+----------+-----------+----------+
| 5 | zaib | 1mb | 1 |
+----+----------+-----------+----------+
1 row in set (0.00 sec)

RADTEST:

Now we will test user via RADTEST cmd …


radtest zaib zaib localhost 1812 testing123

Result:

Sending Access-Request of id 130 to 127.0.0.1 port 1812
User-Name = "zaib"
User-Password = "zaib"
NAS-IP-Address = 101.11.11.254
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=130, length=50

Mikrotik-Rate-Limit = "1024k/1024k"
Mikrotik-Address-List = "1mb"

Freeradius Debug Result:

Sending Access-Accept of id 156 to 127.0.0.1 port 34563
Mikrotik-Rate-Limit == "1024k/1024k"
Mikrotik-Address-List := "1mb"
Finished request 32.

Now try to connect user from your user device, & upon connection you will see new address list entry for this user IP ..

& its 1mb queues have been created as well


# Mikrotik Mangling & Queueing Section !

Now we will move towards Mikrotik related configuration for mangling & queue. in above steps we added DYNAMIC queue for test purposes, & as we will be using simple queues therefore we need to remove the dynamic queue, Do so , then we will move further …

  • Marking upload & download separately for 1mb user address list …

/ip firewall mangle
add action=mark-packet chain=forward comment="1mb users UPLOAD" new-packet-mark=1mb_users_up src-address-list=1mb passthrough=no
add action=mark-packet chain=forward comment="1mb users DOWNLOAD" dst-address-list=1mb new-packet-mark=1mb_users_down passthrough=no
  • Creating PCQ base 1mb download/upload limit variable …
/queue type
add kind=pcq name=download-1mb pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64
add kind=pcq name=upload-1mb pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=1024k pcq-src-address6-mask=64
  • Creating PCQ base simple Queues to actual limit each user with 1mb download/upload …
/queue simple
add name="1mb user DOWN - PCQ" packet-marks=1mb_users_down queue=upload-1mb/download-1mb target=""
add name="1mb user UP - PCQ" packet-marks=1mb_users_up queue=128k-per-user/128k-per-user target=""

 

PC#1

1st- user - 1mb user test

PC#2

2nd pc 128K 1mb


TIPS:

How to remove all dynamic queues [can be used in script login section]

dynamic queue removal.PNG

/queue simple remove [find where dynamic]

Conclusion:

As we can see that address list have been created successfully, now we can manipulate it for our different tasks using marked packets for customized PCQ base queues for policy base queueing.

I will write more on it later if manage to get some spare time.


 

Regard’s
Syed Jahanzaib

 

March 29, 2019

« Newer PostsOlder Posts »

%d bloggers like this: