Hello Tony -
On Fri, 10 Dec 1999, Tony Frank (EPA) wrote:
> I am having trouble when using my Tigris NAS and the Radiator RADIUS server.
>
> The problem is (I believe) with the Tigris, but I'm wondering if there are
> any suggestions based on my RADIUS config to see if I could be doing
> something wrong here.
> (Anyone with experience using the Tigris and Radiator can jump in here)
>
> My radius.cfg:
>
> # radius.cfg
> #
>
> AuthPort 1812
> AcctPort 1813
>
> Foreground
> LogStdout
> LogDir D:\radiator
> DbDir D:\radiator
>
> #LogFile %L/%Y%m%d.log
> #Trace 5
>
> #DictionaryFile C:\radiator\dictionary.acc
>
> <Log SQL>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:database=wap_stats;host=127.0.0.1
> DBUsername wap_radius
> DBAuth <password>
> Table nrd_radius_log
> Trace 1
> </Log>
>
> <Client x.y.z.15>
> Secret <secret>
> NasType Tigris
> SNMPCommunity public
> FramedGroupBaseAddress x.y.z.100
> DupInterval 2
> </Client>
>
> <Realm DEFAULT>
> AuthByPolicy ContinueAlways
>
> <AuthBy SQL_MSISDN>
> # Authby Accounting version - needs special mods for use with WAP Gateway 'Fetch MSISDN' function
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:database=wap_stats;host=127.0.0.1
> DBUsername wap_radius
> DBAuth <password>
>
> # empty authselect should mean no authentication done by this auth entry
> # and we get an ignore
> AuthSelect
>
> # This is the hostname and port of the MSISDN
> # database to where we send details of
> # accounting starts and stops
> MSISDNDatabase localhost:7777
>
> # CountryCode will be prepended to Calling-Station-Id
> # to generate MSISDN
> CountryCode 61
>
> # If this is set, any leading 0 or 9 will be stripped
> # from the Calling-Station-Id before the CountryCode
> # is prepended to form the MSISDN
> StripLeading09
>
> FramedGroup 0;
>
> # Log all the different fields that the Tigris is sending in the Accounting packet
> AccountingTable nrd_radius_accounting
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTINPUTPACKETS,Acct-Input-Packets,integer
> AcctColumnDef ACCTOUTPUTPACKETS,Acct-Output-Packets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef ACCREASONCODE,Acc-Reason-Code
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIPADDRESS,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef NASPORTTYPE,NAS-Port-Type
> AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef CALLEDSTATIONID,Called-Station-Id
> AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
> AcctColumnDef SERVICETYPE,Service-Type
> AcctColumnDef CONNECTINFO,Connect-Info
> AcctColumnDef ACCCONNECTRXSPEED,Acc-Connect-Rx-Speed
> AcctColumnDef ACCCONNECTTXSPEED,Acc-Connect-Tx-Speed
> AcctColumnDef ACCINPUTERRORS,Acc-Input-Errors,integer
> AcctColumnDef ACCOUTPUTERRORS,Acc-Output-Errors,integer
> AcctColumnDef ACCMODEMMODULATIONTYPE,Acc-Modem_Modulation_Type
> AcctColumnDef ACCMODEMERRORPROTOCOL,Acc-Modem_Error_Protocol
> AcctColumnDef ACCDIALPORTINDEX,Acc-Dial-Port-Index,integer
> AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
> AcctColumnDef ACCSERVICEPROFILE,Acc-Service-Profile
>
> </AuthBy>
>
> <AuthBy SQL_MSISDN>
> # Authby for authentication
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:database=users;host=127.0.0.1
> DBUsername wap_radius
> DBAuth <password>
>
> AuthSelect select user_id from users where msisdn=+%{MSISDN} and acct_status="ACTIVE"
>
> # This is the hostname and port of the MSISDN
> # database to where we send details of
> # accounting starts and stops
> MSISDNDatabase localhost:7777
>
> # CountryCode will be prepended to Calling-Station-Id
> # to generate MSISDN
> CountryCode 61
>
> # If this is set, any leading 0 or 9 will be stripped
> # from the Calling-Station-Id before the CountryCode
> # is prepended to form the MSISDN
> StripLeading09
>
> FramedGroup 0;
>
> NoDefaultIfFound
>
> # no accounting options, so accounting will be "short-circuited"
>
> </AuthBy>
>
> <AuthBy FILE>
> Filename defuser
> </AuthBy>
>
> MaxSessions 1
> </Realm>
>
> And the 'defuser' file contains the following:
>
> DEFAULT
> Framed-Protocol = PPP,
> Framed-IP-Netmask = 255.255.255.0,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Service-Type = Framed-User
>
> The issue is that what I am trying to achieve is RADIUS authentication, with
> no username and password required.
>
> In my situation, we have only GSM mobile incoming calls, and we are very
> happy to use the existing user authentication performed by the mobile
> network (i.e., your number is unique to you, and if you lose it you are going
> to have your SIM etc. cancelled anyway).
>
> As such, we want to set up the PPP sessions etc. with as few requirements
> as possible. Essentially, if the person's number (Calling-Station-ID)
> appears in the user database and is active, we want to let them set up a
> session and give them an IP address without the user needing to go through
> any additional authentication stages.
>
> From my brief research, it seems that this is not an overly common way to do
> things, and as such it is very difficult to find any information on other
> people's attempts etc.
>
> In order to do this, we are presently trying to use the Tigris VPSM
> functionality, which generates an Access-Request similar to the following
> when it detects an incoming call:
>
> Attributes:
> User-Name = "<called number>"
> User-Password = "<calling number encrypted with secret>"
> NAS-Port = 71
> NAS-Port-Type = ISDN
> Acc-Request-Type = Ring-Indication
> Called-Station-Id = "xxxxxxxxx"
> Calling-Station-Id = "0414576342"
> NAS-IP-Address = 10.28.30.15
>
> I have the RADIUS part where the calling station ID is used to query the
> user database up and working fine.
>
> The 'problem' is that it appears that the Tigris needs some other attributes
> sent to it, apart from the defaults I mentioned above.
>
I agree, so what I suggest is that you turn on trace 4 debug in Radiator to
verify what attributes are being sent to the Tigris. I would also ascertain
from Tigris what reply attributes their VPSM feature requires. Finally I would
turn on debugging on the Tigris to see what it does when it gets the
Access-Accept - I would expect it to complain about something.
When you have a trace 4 debug log, could you send me a copy so I can have a look?
Thanks
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
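
Added example (not part of the original messages, and not Radiator or Tigris code): a way to check offline that the User-Password in a Ring-Indication request decodes to the Calling-Station-Id under the configured Secret, and to see the MSISDN the CountryCode / StripLeading09 settings would then produce. It uses the standard RFC 2865 User-Password hiding; the function names, the sample secret and authenticator, and the reading of StripLeading09 as "drop one leading 0 or 9" are assumptions.

```python
import hashlib

def _blocks(data, secret, authenticator, decode):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the Request Authenticator seeds the first block.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = data[i:i + 16] if decode else block
        out += block
    return out

def hide_password(password, secret, authenticator):
    """What the NAS does before sending User-Password."""
    size = max(16, -(-len(password) // 16) * 16)
    return _blocks(password.ljust(size, b"\x00"), secret, authenticator, False)

def recover_password(hidden, secret, authenticator):
    """What the server does with the received User-Password."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    return _blocks(hidden, secret, authenticator, True).rstrip(b"\x00")

def to_msisdn(calling_station_id, country_code="61", strip_leading_09=True):
    # Assumed behaviour of CountryCode / StripLeading09 as the config
    # comments describe them: drop one leading 0 or 9, then prepend the code.
    digits = calling_station_id.strip()
    if not digits.isdigit():
        raise ValueError("Calling-Station-Id is not all digits")
    if strip_leading_09 and digits[0] in "09":
        digits = digits[1:]
    return country_code + digits

def check_ring_indication(attrs, secret, authenticator):
    """Return the MSISDN if User-Password decodes to Calling-Station-Id,
    else None (a mismatch usually means the Secret differs on the NAS)."""
    plain = recover_password(attrs["User-Password"], secret, authenticator)
    if plain != attrs["Calling-Station-Id"].encode():
        return None
    return to_msisdn(attrs["Calling-Station-Id"])

if __name__ == "__main__":
    secret, auth = b"constructed-secret", bytes(range(16))  # constructed values
    req = {"Calling-Station-Id": "0414576342",
           "User-Password": hide_password(b"0414576342", secret, auth)}
    print(check_ring_indication(req, secret, auth))
```

A None result from a request that the NAS really did build from the calling number points at a shared-secret mismatch between the Client clause and the NAS rather than at the reply attributes.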