Hi all, I was wondering if anyone could help me out with the following:

1) I have "HoldServerConnection" in my <AuthBy LDAP2> clauses but Radiator still seems to re-connect each time to LDAP. The LDAP server I am using is iPlanet's (formerly Netscape) and handles multiple searches in a single connection with no problem.

2) We have a bunch of dialup ports with another provider to give us unmetered connections for customers of that telco. Most of these users need to be authenticated using only their Calling-Station-ID (i.e. they DO NOT have a username and password). We also have a few people who have a username and password as a way of bypassing the Calling-Station-ID check.

My problem is Radiator expects passwordattr to be defined and insists on checking the username and password with those in LDAP, and if they don't match it rejects them. Obviously in an environment where we are using the calling-station-id to authenticate the user this is always going to fail as they don't supply a username and password!!

We have got around this problem in a very dirty way by using a PostSearchHook to fool Radiator into thinking this is an EAP request (my config file is below). Is there a better way to do this or can the mandatory checking of username and password be removed from Radiator? (You also get an LDAP error every time the user has no password and it can't find the passwordattr in LDAP.)

Also, from the config file below, it shows that we check to see if the username and password (the override Calling-Station-ID users) is valid BEFORE we check Calling-Station-ID. As our customers are split approx 98% calling-station-id authenticated versus 2% user/pass authenticated this is very inefficient, resulting in 2 LDAP queries for 98% of users; if we could have it the other way around it would be only 1 search for the 98% and 2 searches for the 2%.

Sorry for the LONG email, but any help is appreciated.

Best Regards, Merry Christmas and a Happy New Year,
Ben.

BTW the default directories on Solaris are /usr/local.... (i.e. /usr/local/bin/perl) - everything in Radiator defaults to /usr/bin - maybe something for the Makefile.pl to check?

----------radius.cfg---------------
#Foreground
#LogStdout
LogDir /var/radius/log
DbDir /var/radius/db
Trace 4

<Client <removed>>
    Secret <removed>
    Identifier BT-FRIACO-Radius
</Client>

<Client <removed>>
    Secret <removed>
    Identifier BT-FRIACO-Radius
</Client>

<Client <removed>>
    Secret <removed>
    Identifier CVX1
</Client>

<Client localhost>
    Secret <removed>
    DupInterval 0
    Identifier BT-FRIACO-Radius
</Client>

<Client DEFAULT>
    Secret <removed>
    Identifier BT-FRIACO-Radius
    DupInterval 0
</Client>

<SessionDatabase DBM>
</SessionDatabase>

<Handler Client-Identifier = BT-FRIACO-Radius>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept

        <AuthBy LDAP2>
            # Debug 255
            NoDefault
            HoldServerConnection
            Host 10.7.9.13
            AuthDN cn=directory manager
            AuthPassword <removed>
            BaseDN ou=customers, ou=people, dc=bsve.net, o=internet
            AuthAttrDef FRIACO-todr, Time, check
            UsernameAttr friacousername
            PasswordAttr friacopassword
            SearchFilter (&(%0=%1)(objectClass=FRIACOuser)(!(suspended=yes)))
            AddToReply Service-Type = Framed-User, \
                Framed-Protocol = PPP, \
                Framed-IP-Address = 255.255.255.254, \
                Framed-IP-Netmask = 255.255.255.255, \
                Framed-Routing = None, \
                Framed-Compression = Van-Jacobsen-TCP-IP, \
                Framed-MTU = 1500, \
                Session-Timeout = "until Time"
        </AuthBy>

        <AuthBy LDAP2>
            # Debug 255
            NoDefault
            HoldServerConnection
            Host 10.7.9.13
            AuthDN cn=directory manager
            AuthPassword <removed>
            BaseDN ou=customers, ou=people, dc=bsve.net, o=internet
            #UsernameAttr uid
            PasswordAttr friacopassword
            AuthAttrDef FRIACO-todr, Time, check
            SearchFilter (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes)))
            PostSearchHook sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); }
            AddToReply Service-Type = Framed-User, \
                Framed-Protocol = PPP, \
                Framed-IP-Address = 255.255.255.254, \
                Framed-IP-Netmask = 255.255.255.255, \
                Framed-Routing = None, \
                Framed-Compression = Van-Jacobsen-TCP-IP, \
                Framed-MTU = 1500, \
                Session-Timeout = "until Time"
        </AuthBy>
    </AuthBy>

    PostAuthHook sub { (${$_[1]}->get_attr('Session-Timeout') > 7200) && ${$_[1]}->change_attr('Session-Timeout',7200); }
    AcctLogFileName ./acct-detail
</Handler>
-END------radius.cfg-----------END-