Hugh,
Thanks for the quick response.
Let me apologize ahead of time for any rambling I do on this. It has been
many years since I have had to deal with this config and I have had many
different positions as well. (Some of them management which may explain my
decreased technical skills).
I will try and annotate the config file as best I can.
<snip>
Below is the pertinent Client portion of the config:
> # Client config for natasha
> <Client natasha.compuware.com>
> Secret blah6
> DefaultRealm vpn.compuware.com
> </Client>
<snip>
> <Realm vpn.compuware.com>
> # <AuthBy FILE>
> # Filename %D/VPN_User
> # Nocache
> # DynamicCheck Group
> # </AuthBy>
> AuthByPolicy ContinueWhileAccept
We do the AuthByPolicy to make sure that both AuthBy SQL statements return
accepts before allowing access.
> <AuthBy SQL>
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select password, 'Service-Type = Login-User,
> Auth-Type = System' \
> from serauser where serauser='%u'
I am quite clear on this but I believe we needed to return not only the
password but the two attached attributes in order for the authentication
process through the (Isolation System InfoCrypt server => Shiva VPN LanRover
gateway => Intel LanRover Gateway) to work correctly. The VPN product has,
as noted above, gone through several owners since our initial configuration.
The password is stored encrypted in the SQL server.
> EncryptedPassword
> </AuthBy>
> <AuthBy SQL>
> # DynamicCheck Group
> DBSource dbi:mysql:serauser
> DBUsername radius
> DBAuth blah
> AuthSelect select seragroup from seragroup where
> serauser='%u' and seragroup = '%{Shiva-VPN-Group}'
This AuthSelect checks another table in the SQL server to verify that the
user is in a group that matches the "Shiva-VPN-Group" attribute that is
passed along with the authentication request. I remember working at length
with Mike on this. It is mentioned in the History notes for Rev 2.12.
> AuthColumnDef 0, Shiva-VPN-Group, check
> </AuthBy>
> AcctLogFileName %L/Natasha.%Y%m%d
> </Realm>
</snip>
</snip>
Hope this helps clear some things up about my problem.
Many thanks to Damir for his suggestion on how to prevent the looping from
happening. I have looked under the hood of Radiator which is why I was
sooooo happy to convince my company to purchase it instead of many other
more expensive commercial versions our there.
Regards,
Tim Young
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
