Hello Al -
As I can't find your name or email address in our database, I wonder whether you could tell me the name of the company that has purchased this copy of Radiator? Please reply to me directly.
I understand what you are trying to do, but your configuration file is not correct.
The Auth-Type = CheckLDAP check item in your SQL database will cause Radiator to send the authentication to LDAP. Therefore you only need the AuthBy SQL clause in the Realm (you can think of it like a subroutine call).
<Realm DEFAULT>
# the AuthBy LDAP2 clause will be called from the AuthBy SQL clause
<AuthBy SQL>
.....
</AuthBy>
.....
</Realm>

regards
Hugh
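As an added check (not code from this thread or from Radiator itself): a small Python script that parses item lists in the users-file / SUBSCRIBERS syntax and the packet dumps in a trace 4 log, then reports which reply items the static user's row asked for but the Access-Accept never carried. The sample trace and REPLYATTR string are constructed from the values quoted in this thread.

```python
import re

# Constructed sample, modelled on the Access-Accept packet dump quoted in this thread.
SAMPLE_TRACE = """\
Fri Aug 29 14:08:30 2003: DEBUG: Packet dump:
*** Sending to 64.91.105.5 port 1812 ....
Code:       Access-Accept
Attributes:
\tService-Type = Framed-User
\tFramed-Protocol = PPP

"""
# Constructed REPLYATTR column for the static user, in users-file item syntax.
SAMPLE_REPLYATTR = ("Service-Type = Framed-User, Framed-Protocol = PPP, "
                    "Framed-IP-Address = 1.2.3.4, Framed-IP-Netmask = 255.255.255.255, "
                    "Idle-Timeout = 0, Session-Timeout = 0")

def parse_items(spec):
    """Split a users-file style item list ('A = x, B = y') into {attr: value}."""
    items = {}
    for part in re.split(r",\s*", spec.strip()):
        if "=" in part:
            name, value = part.split("=", 1)
            items[name.strip()] = value.strip().strip('"')
    return items

def parse_packet_dumps(trace):
    """Yield (code, {attr: value}) for every packet dump in a trace 4 log."""
    code, attrs, in_attrs = None, {}, False
    for line in trace.splitlines():
        m = re.match(r"Code:\s+(\S+)", line)
        if m:
            code, attrs, in_attrs = m.group(1), {}, False
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs and (m := re.match(r"\s+([\w-]+)\s*=\s*(.*)", line)):
            attrs[m.group(1)] = m.group(2).strip().strip('"')
        elif in_attrs:  # a blank or ordinary log line ends the attribute list
            yield code, attrs
            code, in_attrs = None, False
    if code is not None:  # dump ran to the end of the input
        yield code, attrs

def missing_reply_attrs(replyattr, trace):
    """Reply items the row asked for that the first Access-Accept did not carry."""
    wanted = parse_items(replyattr)
    for code, attrs in parse_packet_dumps(trace):
        if code == "Access-Accept":
            return {k: v for k, v in wanted.items() if k not in attrs}
    raise ValueError("no Access-Accept packet dump in trace")
```

Run against the thread's trace, the result names the four items (Framed-IP-Address, Framed-IP-Netmask, Idle-Timeout, Session-Timeout) that never reached the NAS, which is exactly why the Redback could not assign the static address.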
On Wednesday, Sep 3, 2003, at 22:59 Australia/Melbourne, Charles Alexander McCain wrote:
Hugh,
We store our static IP customers in the users file, dynamic customers auth by LDAP. The static customers also auth by LDAP, but get their appropriate attributes from the users file. Currently, we are using the users file to store static information, but I am trying to put it all in MySQL (hoping for easier automation). Our current setup works perfectly this way, but it doesn't seem to work with the MySQL database. It appears as if the configuration from the old to the new is somewhat similar.
So basically, I want a customer to dial in, if he is dynamic, authenticate
him by ldap, if he is static, get his attributes from the database and
auth him with ldap.
Am I making any sense?
Thanks, Al
On Wed, 3 Sep 2003, Hugh Irvine wrote:
Hello AL -
Thanks for the information.
I must confess I am a bit confused about exactly how you want your setup to operate. I can see the Auth-Type = LDAP below, and I can see multiple AuthBy clauses in your Realm clause. Can you explain to me in detail your requirements?
regards
Hugh
On Tuesday, Sep 2, 2003, at 23:02 Australia/Melbourne, Charles Alexander McCain wrote:
Hugh,
The users file entry looks something like this. I know I'm using MySQL to house the users file, but I just took this entry from the file. It looks like this in the database. If you need my actual database entry, please let me know.
user	Auth-Type = LDAP, NAS-IP-Address = 1.2.3.5
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 1.2.3.4,
	Framed-IP-Netmask = 255.255.255.255,
	Idle-Timeout = 0,
	Session-Timeout = 0
And I was wondering why I'm only seeing Service-Type and Framed-Protocol?
Thanks, AL
On Sat, 30 Aug 2003, Hugh Irvine wrote:
Hello AL -
This is what your configuration file is set up to return to the NAS:
*** Sending to 64.91.105.5 port 1812 ....
Code:       Access-Accept
Identifier: 107
Authentic:  mp}<198><236><229><167>/<153><179>m<189><149>z<31>d
Attributes:
	Service-Type = Framed-User
	Framed-Protocol = PPP
What other attributes do you want to send? And how do you want to manage those attributes?
regards
Hugh
On Saturday, Aug 30, 2003, at 06:06 Australia/Melbourne, Charles Alexander McCain wrote:
Hello,
I'm having an issue with my Redbacks. They cannot allocate IP addresses. In my trace 4, I notice that the user is not getting the attributes they need. How can this be fixed?
Here is my config and trace 4.
Thanks, AL
---------
Fri Aug 29 14:08:30 2003: DEBUG: Packet dump:
*** Received from 1.2.3.4 port 1812 ....
Code:       Access-Request
Identifier: 107
Authentic:  mp}<198><236><229><167>/<153><179>m<189><149>z<31>d
Attributes:
	User-Name = "user"
	User-Password = "~~1<223><156><248><145><196><250><0>W<219><246><204><21>:"
	NAS-Identifier = "rb"
	NAS-IP-Address = 1.2.3.4
	RB-NAS-Real-Port = 402850582
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 3892318919
	Connect-Info = "ubrc"

Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: ERR: Error while rewriting username user: syntax error at (eval 1787) line 2, at EOF
Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: ERR: Error in PreHandlerHook(): Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Client.pm line 338.
Fri Aug 29 14:08:30 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 29 14:08:30 2003: DEBUG: Rewrote user name to user
Fri Aug 29 14:08:30 2003: DEBUG: SQLS Deleting session for user, 1.2.3.4, 3892318919
Fri Aug 29 14:08:30 2003: DEBUG: do query is: delete from RADONLINE where USERNAME = 'user' and NASIDENTIFIER='1.2.3.4' and NASPORT='3892318919'
Fri Aug 29 14:08:30 2003: DEBUG: Handling with Radius::AuthLDAP2
Fri Aug 29 14:08:30 2003: DEBUG: Attempting to bind with uid=searchuser,dc=domain,dc=net, password
Fri Aug 29 14:08:30 2003: DEBUG: LDAP got result for uid=user,ou=People,dc=domain,dc=net
Fri Aug 29 14:08:30 2003: DEBUG: LDAP got userPassword: {crypt}cgoHd/FmCIXh.
Fri Aug 29 14:08:30 2003: DEBUG: LDAP got gidNumber: 3010
Fri Aug 29 14:08:30 2003: DEBUG: Radius::AuthLDAP2 looks for match with user
Fri Aug 29 14:08:30 2003: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='user'
Fri Aug 29 14:08:30 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Fri Aug 29 14:08:30 2003: DEBUG: Access accepted for user
Fri Aug 29 14:08:30 2003: DEBUG: Packet dump:
*** Sending to 64.91.105.5 port 1812 ....
Code:       Access-Accept
Identifier: 107
Authentic:  mp}<198><236><229><167>/<153><179>m<189><149>z<31>d
Attributes:
	Service-Type = Framed-User
	Framed-Protocol = PPP
#Foreground
#LogStdout
LogDir /var/adm/radacct
DbDir /etc/raddb
PreHandlerHook file:"%D/prehook"
SnmpgetProg /usr/local/bin/snmpget
Trace 4
RewriteUsername s/^([EMAIL PROTECTED])[EMAIL PROTECTED]/$1/
RewriteUsername s/^([EMAIL PROTECTED])[EMAIL PROTECTED]/$1/
RewriteUsername s/\s+//g
RewriteUsername tr/A-Z/a-z/

<Client DEFAULT>
	Secret ******
	DupInterval 0
</Client>

<SessionDatabase SQL>
	DBSource dbi:mysql:radius:host
	DBUsername radtest
	DBAuth ******
	Identifier SQLS
	AddQuery insert into RADONLINE (USERNAME,\
		NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
		FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,DNIS) \
		values ('%n', '%N',\
		'%{NAS-Port}', '%{Acct-Session-Id}', '%o',\
		'%{Framed-IP-Address}', '%{NAS-Port-Type}',\
		'%{Service-Type}','%{Called-Station-Id}')
	DeleteQuery delete from RADONLINE where \
		USERNAME = '%n' and NASIDENTIFIER='%N' \
		and NASPORT='%{NAS-Port}'
	ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
	CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE \
		where ACCTSESSIONID = '%{Acct-Session-Id}'
</SessionDatabase>

<ClientListSQL>
	DBSource dbi:mysql:radius
	DBUsername radtest
	DBAuth ******
	select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL, \
		DEFAULTREALM,NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS, \
		LIVINGSTONHOLE,FRAMEDGROUPBASEADDRESS, \
		FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME, \
		NOIGNOREDUPLICATES from RADCLIENTLIST
</ClientListSQL>

<AuthBy UNIX>
	DefaultSimultaneousUse 1
	Identifier System
	Filename /etc/shadow
</AuthBy>

<AuthBy LDAP2>
	DefaultSimultaneousUse 1
	Identifier LDAP
	Host 127.0.0.1
	Port 389
	AuthDN uid=searchuser,dc=domain,dc=net
	AuthPassword *****
	BaseDN %0=%1,ou=people,dc=domain,dc=net
	Scope base
	UsernameAttr uid
	PasswordAttr userPassword
	HoldServerConnection
	SearchFilter (&(gecos=active)(uid=%1))
	AuthAttrDef gidNumber, gid-attr, request
	DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
</AuthBy>

<AuthBy SQL>
	NoDefault
	DefaultSimultaneousUse 1
	Identifier CheckSQL
	DBSource dbi:mysql:radius:domain
	DBUsername radtest
	DBAuth *******
	AccountingTable ACCOUNTING
	AcctColumnDef USERNAME,User-Name
	AcctColumnDef TIME_STAMP,Timestamp,integer
	AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
	AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
	AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
	AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
	AcctColumnDef ACCTSESSIONID,Acct-Session-Id
	AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
	AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
	AcctColumnDef NASIDENTIFIER,NAS-Identifier
	AcctColumnDef NASPORT,NAS-Port,integer
	AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
	AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
		from SUBSCRIBERS \
		where USERNAME=%0
	AuthColumnDef 0, User-Password, check
	AuthColumnDef 1, GENERIC, check
	AuthColumnDef 2, GENERIC, reply
	DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
</AuthBy>

<Realm DEFAULT>
	RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
	PostAuthHook file:"%D/postHook"
	AcctLogFileName %L/%N/detail
	#AuthByPolicy ContinueWhileReject
	AuthByPolicy ContinueUntilAccept
	AuthBy LDAP
	AuthBy CheckSQL
	AuthBy System
</Realm>
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.