Hello Tunde -

Your Handler is not being used because the username string does not look like "user@myipass" which is what you have specified. I will need to see a trace 4 debug to see what form the iPass requests look like.

And if you are not reliably receiving the Framed-IP-Address attribute in the accounting requests, using the Class attribute as a backup is a good idea.

regards

Hugh



On Tuesday, September 3, 2002, at 04:09 AM, Ayotunde Itayemi wrote:


Hi All, Hi Hugh,

My config is as below. In the past when "we" discussed the state column of the RADONLINE
database not being reset appropriately, resulting in the IP-address pool being exhausted, you told me to
add the following lines to my config:
DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t where YIADDR='%0' or YIADDR='%{Class}'
to the AddressAllocator SQL clause and the following line to the AuthBy DYNADDRESS clause
AddToReply Class = %{Reply:Framed-IP-Address}
Okay, I removed them later when things seemed to have "stabilised" but I am thinking of reintroducing them again
- please let me have your views based on the config file below.
MAIN PROBLEMS.
I installed ipass NetServer 3.9 as stated in the instructions and also configured radiator (below) based on ipass
instruction for configuring radiator.
The problem is that somehow, radiator is still using the handler for my client rather than the special handler for ipass
- <Handler Realm=myipass> which should cause it to proxy the request to the local ipass NetServer running on same
system.
Please note that the IP address I have radiator running on is e.d.f.211 .

I have also disabled the apache client I had running before because I guess there would be a conflict between apache
authentication and ipass NetServer since they both use localhost (127.0.0.1) in the client definitions for them?

Regards,
Tunde I.


# --- RADAR -------------------------
<Monitor>
        Username radar
        Password <mypassword>
</Monitor>
# Programs for Simultaneous-Use
SnmpgetProg /usr/bin/snmpget
# SNMP access to radiator
<SNMPAgent>
        ROCommunity mysnmpRADsecret
        Port 162
        Managers 127.0.0.1, 192.168.10.8
</SNMPAgent>
# Online users
<SessionDatabase SQL>
        Identifier SDB1
        DBSource dbi:Oracle:radius00
        DBUsername radius
        DBAuth radius
#       DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#               where YIADDR='%0' or YIADDR='%{Class}'
</SessionDatabase>
# =======================================================
<AddressAllocator SQL>
        Identifier mySQLallocator
        DBSource dbi:Oracle:radius00
        DBUsername radiusgold
        DBAuth radiusgold
#       DeleteQuery update RADPOOL set STATE=0,TIME_STAMP=%t \
#               where YIADDR='%0' or YIADDR='%{Class}'

        DefaultLeasePeriod 172800
#       LeaseReclaimInterval 86400

# POOL ALLOCATION RULES
        <AddressPool viruse1>
                Subnetmask 255.255.255.255
                Range a.b.e.31 a.b.e.60
                Range a.b.e.62 a.b.e.91
        </AddressPool>
        <AddressPool viruse2>
                Subnetmask 255.255.255.255
                Range a.b.c.52 a.b.c.100
                Range a.b.c.110 a.b.c.139
                Range a.b.c.150 a.b.c.200
                Range a.b.c.225 a.b.c.250
        </AddressPool>
</AddressAllocator>


# =================== CLIENTs =================================
<Client a.b.c.3>
        Secret <mypassword>
        DupInterval 0
        SNMPCommunity public
        Identifier viruse2
        IdenticalClients a.b.c.4 a.b.c.5 a.b.c.6 \
                172.31.1.6 172.31.1.4 172.31.1.8 192.168.10.5
        RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
</Client>
<Client a.b.c.30>
# pattonRAS
        Secret <mypassword>
        DupInterval 0
        NasType Patton
        SNMPCommunity patt123mon
        Identifier viruse1
        IdenticalClients a.b.c.61 a.b.c.92
        RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
</Client>
<Client localhost>
# ipass client for VNAS (incoming roamers)
        Secret <mypassword>
        Identifier ipassclient
        IdenticalClients d.e.f.212
        RewriteUsername s/^IPASS\/([^@]+)\@([^@]+)$/IPASS\/$1#$2\@myipass/
</Client>
#<Client 127.0.0.1>
# web server on this box
#       Secret apache!:123
#       DupInterval 0
#       Identifier apache
#</Client>
# =================== AUTH BYs =================================
<AuthBy SQL>
        Identifier SQLStaffauth
        NoDefault
        DBSource dbi:Oracle:radius00
        DBUsername radius
        DBAuth radius
        AuthSelect select PASSWORD, CHECKATTR from STAFF \
                where USERNAME = '%n' and STATUS = 'Enabled'
</Auth>
<AuthBy SQL>
        Identifier SQLClientauth
        NoDefault
        DBSource dbi:Oracle:radius00
        DBUsername radius
        DBAuth radius
        AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
                from SUBSCRIBERS where USERNAME = '%n' \
                and STATUS = 'Enabled'
        AutoMPPEKeys
</Auth>
<AuthBy DYNADDRESS>
        Identifier myIPADDRESSauth
        Allocator mySQLallocator
#       AddToReply Class = %{Reply:Framed-IP-Address}
#       PoolHint %{Reply:PoolHint}
        PoolHint %{Client:Identifier}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
# policy = 4 (40bit), 2 (128bit), 6 (any)
        AddToReply MS-MPPE-Encryption-Policy = 1, MS-MPPE-Encryption-Types = 6
        AddToReply MS-MPPE-Send-Key, MS-MPPE-Recv-Key
</AuthBy>
<AuthBy DYNADDRESS>
        Identifier pattonIPADDRESSauth
        Allocator mySQLallocator
        PoolHint %{Client:Identifier}
#       PoolHint %{Reply:PoolHint}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
</AuthBy>
###### proxy radius for IPASS
<AuthBy RADIUS>
        Identifier ipassNetserver
        Host d.e.f.211
        Secret <mypassword>
        AuthPort 11812
        AcctPort 11813
</AuthBy>
#=================== HANDLERs ================================
<Handler Realm=myipass>
        AcctLogFileName %L/ipass/detail
        RewriteUsername s/^IPASS\/([^#]+)\#([^@]+)\@myipass$/IPASS\/$1\@$2/
        AuthBy ipassNetserver
</Handler>
<Handler Client-Identifier=viruse2>
        AuthByPolicy ContinueWhileAccept
#       remove @domain-name
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername tr/A-Z/a-z/
#       UsernameCharset a-zA-Z0-9\._@-
        MaxSessions 1
        AcctLogFileName %L/account.log
        PasswordLogFileName %L/password.log
        SessionDatabase SDB1
        AuthBy SQLClientauth
        AuthBy myIPADDRESSauth
</Handler>
<Handler Client-Identifier=ipassclient>
        AuthByPolicy ContinueWhileAccept
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername tr/A-Z/a-z/
        UsernameCharset a-zA-Z0-9\._@-#
        MaxSessions 1
        AcctLogFileName %L/account.log
        PasswordLogFileName %L/password.log
        SessionDatabase SDB1
        AuthBy SQLClientauth
        StripFromReply Framed-IP-Address
</Handler>
<Handler Client-Identifier=apache>
        AuthByPolicy ContinueWhileAccept
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername tr/A-Z/a-z/
        UsernameCharset a-zA-Z0-9\._@-
        MaxSessions 1
        AuthBy SQLStaffauth
</Handler>

# DEFAULT HANDLER => handles any requests not in above
<Handler>
# default handler => handles any requests not in above
        AuthBy ipassNetserver
</Handler>


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
