Hi Frédéric -

On Fri, 30 Jul 1999, Frédéric GARGULA wrote:

> Hugh Irvine wrote:
> >
> > Hi Frédéric - how is beautiful France?
>
> Paris is very nice without Parisians!

Isn't it?

> > On Fri, 30 Jul 1999, Frédéric GARGULA wrote:
> > > My old Radius proxy is dead, so I'm building a new one using Radiator.
> > >
> >
> > Excellent idea!
>
> I will be very very happy when our customers are able to connect...
>
> > > The old one was running Radius DTC 2.03.
> > > I didn't find the configuration file, but I found the users file.
> > > In that file, there is the config for handling tunneling from one of the
> > > clients.
> > >
> >
> > I presume that all of your equipment is DTC?
>
> I must explain a little thing: we are an ISP, and we have many POPs.
> But to extend the number of our POPs, we buy access from SIRIS, a French
> telecom operator.

Ahhh - OK, I understand....

> Our customers can connect using a national dialup number, which is owned
> by SIRIS.
>
> Our trouble is that SIRIS uses an L2F tunnel. To correctly answer the
> incoming requests from SIRIS's servers, we have to add these attributes:
>
> Tunnel-Type = Tunnel-L2F,
> Tunnel-Medium-Type = Tunnel-IP,
> Tunnel-Client-Endpoint = "[EMAIL PROTECTED]",
> Tunnel-Server-Endpoint = "@toto_example",
> Tunnel-Password = "yyyyyy"
>
> to the incoming request.
>
> Those requests may arrive from two Radius servers. So I have two
> <Client> clauses in my radius.cfg file.

Yes that is correct.

> In the old configuration, those attributes were injected into the incoming
> request in the users file. We had a line in the users file that filters
> incoming requests from a particular client:
>
> DEFAULT Password = "PROXY", Suffix="@netclic.fr", DTC-AP-Name="tnt"
>                                                   ^^^^^^^^^^^^^^^^
>
> (in this example, we had a #ap:tnt entry in the clients file,
> describing the IP address and secret for the tnt client.)
>
> > >
> > All of this looks quite straightforward, provided we have the correct radius
> > dictionary that defines the above attributes. Have you found that?
> >
> > > My question is: how do I convert that config to suit Radiator?
> > > I think I can use a
> > >
> > > <Realm toto.org>
> > >     <AuthBy RADIUS>
> > >         Host radius.toto.org
> > >         AuthPort 1812
> > >         AcctPort 1813
> > >         Secret topsecret
> > >     </AuthBy>
> > > </Realm>
> > >
> >
> > You will not be able to do this with a <Realm toto.org>, as it is
> > the same in both cases, so I think Handlers would be better in this case.
>
> How can I differentiate incoming requests by the client? Those requests
> have the same Realm...

You will need to configure a Handler for each client, or you could use the
incoming attribute DTC-AP-Name="tnt":

<Handler NAS-IP-Address=ipaddress>

or

<Handler DTC-AP-Name="tnt">

> > I will also need to know how your other users are defined, and how they enter
> > their usernames to verify that my suggestions will work.
>
> We have many realms: some with tunnel connections and non-tunnel
> connections.
> We can suppose that for each realm, there are two cases: with tunnel
> (incoming from SIRIS) and without tunnel (incoming from our POPs).

Understood.

> >
> > My assumption here is that the tunnel creation is part of the user
> > authentication - there is another possibility too, which is that the tunnel
> > creation occurs as a separate transaction before the user is authenticated.
> > However based on the two fragments that you have provided it looks to me like
> > it's part of the user authentication.
> >
>
> We don't create the tunnel. The tunnel is created, and we must reply in
> it. It's SIRIS that creates the tunnel.
> I think we just have to add the tunnel attributes to the incoming
> request, before forwarding it to the correct Radius server.

I agree.

> > # Standard configuration parameters
> >
> > Foreground
> > LogStdout
> > LogDir .....
> > DbDir .....
> > AuthPort 1812
> > AcctPort 1813
> >
> > <Client .....>
> >     .....
> > </Client>
> >
> > # Define a Handler for "ClientWithTunnel"
> > <Handler DTC-AP-Name="ClientWithTunnel">
>
> I can't use DTC-AP-Name because, using the DTC Radius server, it
> corresponds to a specific Radius client IP address...
>
> >     <AuthBy FILE>
> >         Filename ....
> >         AddToReply User-Service = 2,
> >             DTC-Auth-Allow = "",
> >             DTC-Auth-Port = 1812,
> >             DTC-Auth-Server = xxx.xxx.xxx.xxx,
> >             DTC-Auth-Secret = "topsecret",
> >             DTC-Acct-Port = 1813,
> >             DTC-Acct-Server = xxx.xxx.xxx.xxx,
> >             Tunnel-Type = Tunnel-L2F,
> >             Tunnel-Medium-Type = Tunnel-IP,
> >             Tunnel-Client-Endpoint = "[EMAIL PROTECTED]",
> >             Tunnel-Server-Endpoint = "@toto_example",
> >             Tunnel-Password = "yyyyyy"
> >     </AuthBy>
> > </Handler>
> >
>
> I can't send the tunnel parameters every time, but only if the client
> IP address is from SIRIS, or if the NAS-Identifier field begins with
> "SH".
>
> > # Define a Handler for "ClientWithoutTunnel"
> > <Handler DTC-AP-Name="ClientWithoutTunnel">
> >     <AuthBy FILE>
> >         Filename ......
> >         AddToReply Service-Type = Framed-User,
> >             DTC-Auth-Allow = "",
> >             DTC-Auth-Port = 1812,
> >             DTC-Auth-Server = xxx.xxx.xxx.xxx,
> >             DTC-Auth-Secret = "topsecret",
> >             DTC-Acct-Port = 1813
> >     </AuthBy>
> > </Handler>
>
> I must try this, but DTC-AP-Name="ClientWithoutTunnel" couldn't be
> defined in Radiator because it was a parameter of the DTC Radius server
> (the one that is dead).
> > >
> > > but I have to tell the difference between clients that use the tunnel
> > > and clients that don't use it
> > >
> > > (in the old users file, I also have this:
> > >
> > > DEFAULT Password = "PROXY", Suffix="@toto.org",
> > >     DTC-AP-Name="ClientWithoutTunnel"
> > >     Service-Type = Framed-User,
> > >     DTC-Auth-Allow = "",
> > >     DTC-Auth-Port = 1812,
> > >     DTC-Auth-Server = xxx.xxx.xxx.xxx,
> > >     DTC-Auth-Secret = "topsecret",
> > >     DTC-Acct-Port = 1813,
> > > )
> > >
> > > How can I handle the tunnel, depending on the client?
> > >
> >
> > There must be another part of the original configuration (perhaps in the
> > equipment itself) that generates the DTC-AP-Name check item.
>
> The equipment can't play a role here:
>
> In the case of the tunnel, the equipment is a Shiva.
>
> > Thanks a lot for the help...
>
> --
> Frederic GARGULA
> Network & Systems Engineer
> EASYNET France
> Tel.: +33 1 44 54 70 55

Well, I understand a bit more of your problem, but still not everything.
It would be most helpful if you could send me a more detailed description
of your environment.

cheers

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
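As an added example that is not part of this thread and not Radiator's own documentation, here is how the tunnel/no-tunnel split for one realm could be keyed on which <Client> clause received the request instead of on DTC-AP-Name. It assumes the Radiator version in use supports the Client Identifier parameter and the Client-Identifier Handler check item, and carries the Tunnel-* attributes in AddToReply as Hugh's fragment does; every address, secret and endpoint is a placeholder.

```conf
# Added example, not from the thread or Radiator's docs. Assumes this Radiator
# supports the Client "Identifier" parameter and the Client-Identifier check
# item; addresses, secrets and tunnel endpoints are placeholders.
Foreground
LogStdout
LogDir /var/log/radiator
DbDir  /etc/radiator
AuthPort 1812
AcctPort 1813
# SIRIS's two RADIUS servers: the only sources that may get tunnel attributes.
# Both carry the same Identifier so a single Handler matches either of them.
<Client 192.0.2.10>
    Secret     SIRIS_SECRET_PLACEHOLDER
    Identifier siris
</Client>
<Client 192.0.2.11>
    Secret     SIRIS_SECRET_PLACEHOLDER
    Identifier siris
</Client>
# One of our own POPs: same realm, no tunnel.
<Client 198.51.100.5>
    Secret     POP_SECRET_PLACEHOLDER
    Identifier ownpop
</Client>
# Requests that came in through a SIRIS client (selected by the source address
# of the matching <Client>, not by NAS-Identifier, which the NAS itself sets;
# the NAS-Identifier test would be <Handler NAS-Identifier=/^SH/, Realm=toto.org>):
# proxy to the realm's server and return the L2F attributes in the Access-Accept.
<Handler Client-Identifier=siris, Realm=toto.org>
    <AuthBy RADIUS>
        Host     radius.toto.org
        AuthPort 1812
        AcctPort 1813
        Secret   topsecret
        AddToReply Tunnel-Type = Tunnel-L2F, \
                   Tunnel-Medium-Type = Tunnel-IP, \
                   Tunnel-Client-Endpoint = "CLIENT_ENDPOINT_PLACEHOLDER", \
                   Tunnel-Server-Endpoint = "@toto_example", \
                   Tunnel-Password = "TUNNEL_PASSWORD_PLACEHOLDER"
    </AuthBy>
</Handler>
# Same realm from our own POPs: plain proxy, nothing added to the reply.
<Handler Client-Identifier=ownpop, Realm=toto.org>
    <AuthBy RADIUS>
        Host     radius.toto.org
        AuthPort 1812
        AcctPort 1813
        Secret   topsecret
    </AuthBy>
</Handler>
```

Keying on the Client clause means a request only reaches the tunnel Handler if it arrived from one of SIRIS's configured addresses, whereas NAS-Identifier is a value the NAS writes into the request itself.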