Hello Jay -
On Tue, 16 Nov 1999, Jay West wrote:
> You wrote....
> > I suspect the routers in question are Cisco's? If so, then you will need a
> > Service-Type = Framed-User as a Reply attribute. Your current definition
> for
> > DEFAULT has it only as a check item. Try this:
> >
> > DEFAULT Service-Type = Framed-User
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-Routing = None,
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobson-TCP-IP
> >
> > Note: Cisco's *always* expect to see the Service-Type in the Access-Accept
> > match the Service-Type in the Access-Request.
>
> Ok, I can give that a shot. But this brings to mind two followup questions:
>
> 1) It seems quirky to have Service-Type as both a check and reply item. Is
> there a "null" check item that would work instead of listing it twice? I
> know this is picky to the point of insanity, but thought I'd ask.
>
Well, you'll have to talk to Cisco about that, its got nothing to do with
Radiator - different vendors do different things.
> 2) My radius.cfg says to check SQL first, then FILE with
> ContinueWhileAccept. Just out of curiosity, what would happen if I had a
> Framed-IP-Address in both the SQL replyattr AND the defuser file? For
> example, a large percentage of my users should use a framed ip of
> 255.255.255.254 and netmask of 255.255.255.255. I'd like to put that in my
> defuser. But for people with a static IP and netmask, I'd like the reply
> attr's in SQL to take precedence over the ones in DEFUSER. When radiator
> checks SQL and then FILE for reply attr's and like attributes are found, are
> they overwritten with the last one, the first one, or are both sent???
>
There is an alternative to using chained AuthBy's in this case. You could just
use an AddToReplyIfNotExist in your AuthBy SQL:
<Realm DEFAULT>
<AuthBy SQL>
DBSource dbi:mysql:radius
DBUsername xxxx
DBAuth xxxx
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AddToReplyIfNotExist Service-Type = Framed-User,\
Framed-Protocol = PPP,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
</AuthBy>
</Realm>
Note that AddToReplyIfNotExist is a patch to Radiator 2.14.1. Please see:
http://www.open.com.au/radiator/downloads/patches-2.14.1/patches.README
Also note that if you specify multiple identical attributes, they will all be
sent and the behaviour of the NAS is undefined. Some take the first one they
see, others take the last one, and others complain. YMMV.
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
