Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-09-07 Thread Hugh Irvine

Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of device 
they are, then use those identifiers in your Handlers.

Something like this:

……


Identifier Firewall
…..



Identifier Firewall
…..



Identifier Switch
…..



Identifier Switch
…..


…..


AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForFirewall
AuthBy CheckFullAccessForFirewall



AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForSwitch
AuthBy CheckFullAccessForSwitch



hope that helps

regards

Hugh



> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
> 
> Hi all,
> 
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
> including command level authorization. Based on some posts on this list I got 
> both the active directory and the TACACS server module up and running, but 
> struggle with the configuration of both.
> 
> If I understand correctly, the TACACS module simply converts the TACACS 
> authentication requests to radius requests and passes them to Radiator for 
> ordinary execution. Authorization requests are handled within the TACACS 
> module.
> 
> My configuration currently looks as follows:
> 
> --- begin ---
> 
> # Define DC to connect to 
> Host dc-b.ad.x.com
> 
> # Identifier to use this AuthBy Clause later
> Identifier AuthByAD
> 
> # Administrative user used to perform LDAP queries
> AuthDN  
> cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
> AuthPassword
> 
> # Where to search for users
> BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
> ServerChecksPassword
> 
> # Add Check for group membership
> AuthAttrDef memberOf, ADGroup, check
> 
> # Reply should include the group names for further processing
> AuthAttrDef memberOf, ADGroups, reply
> 
> # There will be no default User
> NoDefault
> 
> # LDAP attribute to check the UserName on
> UsernameAttr sAMAccountName
> 
> 
> 
>Port 49
>AddToRequest NAS-Identifier=TACACS
>GroupMemberAttr tacacsgroup
> 
>AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
>AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>AuthorizeGroup network_ro deny .*
> 
># This is for authorized users for full access. Place in lvl 15 
> immediately, no restrictions apply
>AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>AuthorizeGroup full_access permit .*
> 
># Default deny to prevent accidents when something is misconfigured
>AuthorizeGroup DEFAULT deny .*
> 
> 
> 
> # Include client definition
> include %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include %D/tacacs.cfg
> 
> # TACACS Handler
> 
>AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>AuthBy AuthByAD
> 
># Try read-only access
># AddToRequest 
> ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
># AuthBy AuthByAD
> 
> --- end ---
> 
> My problem now is how to tie both clauses together in the handler. Ideally I 
> would also like to distinguish based on the TACACS client which is asking. If 
> it is a firewall (IPs known), then use command sets full_access_fw and 
> firewall_ro based on AD groups.
> 
> Basically I need something like this:
> 
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security, return request with tacacsgroup=full_access_fw
> - Switch is TACACS client, and the user is member of group netadmin, 
> return request with tacacsgroup=full_access
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security-ro, return request with tacacsgroup=firewall_ro
> - Switch is TACACS client, and the user is member of group netadmin-ro, 
> return request with tacacsgroup=network_ro
> 
> How would I do this mapping?
> 
> Many thanks and best regards
> Daniel
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM

Re: [RADIATOR] Migrate Cisco CAR MCD database to Radiator

2016-08-23 Thread Hugh Irvine

Hello Rohan -

Yes I am fairly sure we know how to do this.

I’ll let someone from the office confirm - I think it's a pay-for service.

regards

Hugh

> On 24 Aug 2016, at 07:07, rohan.henry cwjamaica.com 
>  wrote:
> 
> Hello,
> 
> Has anyone ever migrated from Cisco CAR radius to Radiator
> 
> I need to dump userlist tables from Cisco CAR database for migration to 
> Radiator but cannot find any documentation even from Cisco website.
> 
> Thanks.
> 
> Rohan
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Duplicate packets

2016-07-18 Thread Hugh Irvine

Hello Mahmoud -

Alan is correct, you at least need to acknowledge the requests, else you will 
get retries.

Check the RADIUS RFCs for a description of how the RADIUS protocol is designed.

You will find the RFCs in the “doc” directory of the Radiator distribution, as 
well as online.

BTW - your configuration file is no longer available on Pastebin.

regards

Hugh


> On 18 Jul 2016, at 20:34, Mahmoud Abdelsalam  wrote:
> 
> Hi Alan,
> 
> Thanks for your reply, it works without duplicates for almost 97% of the 
> accounts, could you please point me to documentation of this.
> 
> Regards,
> 
> Mahmoud Abdelsalam.
> 
> 
> 
> On 07/18/16 12:25, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>> 
>>> I am not handling start packets so they are ignored, as you may have noticed
>> At least acknowledge them. If you don't handle them and ignore them then any 
>> decent NAS will resend
>> them and/or mark your server as down/dead  :(
>> 
>> alan
> 


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
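
As an added illustration of the point in this thread (not Radiator code and not part of the original exchange), here is a small Python model of the receiving side: it builds an RFC 2866 Accounting-Request, verifies the Request Authenticator, writes the record once, and answers a retransmit (same source, Identifier and Request Authenticator inside a window, the role Radiator's DupInterval plays) from a reply cache instead of writing it again. The packet contents, the shared secret and the 10 s window are constructed values for the demonstration.

```python
"""Added example (not Radiator code): RFC 2866 accounting retransmits and
server-side duplicate detection.

A NAS that receives no Accounting-Response retransmits the identical packet,
with the same Identifier and the same Request Authenticator. The receiver below
verifies the authenticator, writes the record once, and answers a retransmit
from a short reply cache so that it is acknowledged without a second record.
Radiator's DupInterval is the analogous setting; the 10 s window and the
secret are constructed values for this demonstration, not Radiator defaults.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44      # RFC 2866 attribute numbers
ACCT_START = 1


def radius_attr(atype, data):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(data) + 2) + data


def accounting_request(ident, attrs, secret):
    """RFC 2866 s.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def accounting_response(request, secret):
    """RFC 2866 s.3: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


class AccountingServer:
    """Minimal receiver: authenticate, record once, cache and replay the ack."""

    def __init__(self, secret, dup_interval=10.0):
        self.secret = secret
        self.dup_interval = dup_interval
        self.records = []    # stands in for the accounting database
        self.cache = {}      # (src, identifier, request_auth) -> (reply, time)

    def handle(self, src, packet, now):
        """Return the Accounting-Response to send, or None to drop silently."""
        if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
            return None
        if struct.unpack("!H", packet[2:4])[0] != len(packet):
            return None                                # length mismatch
        expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return None                                # bad secret or tampered: discard
        # Expire entries older than the window so the cache stays bounded.
        self.cache = {k: v for k, v in self.cache.items()
                      if now - v[1] < self.dup_interval}
        key = (src, packet[1], packet[4:20])
        if key in self.cache:
            return self.cache[key][0]                  # retransmit: ack again, no new record
        self.records.append((src, packet[20:]))
        reply = accounting_response(packet, self.secret)
        self.cache[key] = (reply, now)
        return reply


def simulate_lost_reply(secret=b"constructed-secret"):
    """A NAS sends Accounting Start, the reply is lost, and the NAS retransmits
    3 s later. Returns (records written, both replies identical)."""
    server = AccountingServer(secret)
    attrs = (radius_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + radius_attr(ACCT_SESSION_ID, b"sess-0001"))
    start = accounting_request(7, attrs, secret)
    first = server.handle("192.0.2.10", start, 100.0)    # reply lost in transit
    second = server.handle("192.0.2.10", start, 103.0)   # identical retransmit
    return len(server.records), first == second


if __name__ == "__main__":
    print(simulate_lost_reply())   # (1, True)
```

A server that simply ignores the request never populates the cache, so every retransmit looks like a fresh packet; answering promptly is the fix, and the cache only covers the case where the answer itself is lost.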


Re: [RADIATOR] Duplicate packets

2016-07-17 Thread Hugh Irvine

Hello Mahmoud -

The origin of all RADIUS requests is your network equipment.

The only way duplicates happen is if the RADIUS server does not respond within 
the RADIUS timeout period or if the response does not arrive at the 
originating device.

In this particular case however, the Radiator debug log shows that the Radiator 
configuration file does not properly handle these accounting requests, so they 
are ignored.

I would need to see a copy of your Radiator configuration file to be able to 
say any more.

regards

Hugh


> On 18 Jul 2016, at 16:12, Mahmoud Abdelsalam  wrote:
> 
> Hello,
> 
> I have a weird situation here where our network team suspects Radiator 
> as the cause, I am getting duplicate packets(Start,Stop) on Radiator, 
> here is a sample:
> 
> http://pastebin.com/M3D5P9wK
> 
> We use both Cisco ISG and Mikrotik for PPPoE.
> 
> I know Radiator is working fine and it has been for more than two years 
> but I need advice, could Radiator in any case be the cause of such 
> duplicating?
> 
> Please advise.
> 
> Best Regards,
> 
> Mahmoud Abdelsalam.
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Redback BRAS _ Radiator _ GPON network

2016-06-10 Thread Hugh Irvine

Hello Thomas -

If the Redback Smartedge BRAS can be configured to send RADIUS interim 
accounting updates, then yes you can configure Radiator to handle them.

Note that this is totally dependent on the Redback device, so you will need to 
check their documentation.

regards

Hugh


> On 11 Jun 2016, at 01:52, Thomas Kurian  wrote:
> 
> Dear Support,
> 
> We have a client who is basically an ISP with a GPON network connected to 
> the Ministry of Communication, a Redback Smartedge BRAS and a Radiator RADIUS server. 
> Currently their Radiator is handling their customers' authentication. Kindly 
> advise whether it is possible to send interim accounting updates from the Redback 
> BRAS NAS to a new Radiator RADIUS server in order to identify the top 
> bandwidth abuser customer company sharing the GPON leased line on an hourly 
> basis.
> 
> For example: let's say the ISP has leased a 10Mbps connection from the 
> Ministry of Communication for a set of 10 various customer companies.
> 
> Let's assume the average bandwidth consumption per company is 1Mbps. Let's say 
> from 1-2pm the 2nd company fully uses the 10Mbps bandwidth and therefore 
> during this hour the rest of the 9 companies cannot use this connection; 
> hence we need to identify these leased line abuser companies on an hourly 
> basis and put them under a separate tariff plan in order to provide them a 
> dedicated line to fulfill their bandwidth needs as per their consumption 
> rates. Currently, since the ISP GPON network terminates at the Ministry of 
> Communication from where it is distributed to the customer companies, the ISP 
> does not have visibility of the top bandwidth abuser company as a lump sum.
> 
> Please advise whether we should have a new Radiator installation instance which 
> receives interim accounting updates from the Redback BRAS NAS server with a 
> customized GUI to review top abuser companies on an hourly basis, or whether we should 
> consider going for some additional product integration such as Solarwinds NPM 
> to achieve the above mentioned objective.
> 
> -- 
> Best Regards,
> 
> Thomas Kurian
> IT Security Consultant
> Kuwaiti Canadian Consulting Group (www.kccg.com)
> T: +965 22435566
> F: +965 22415149
> E:tho...@kccg.com
> 
> 


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Hopefully a simple question regarding accounting

2016-05-16 Thread Hugh Irvine

Hello Martin -

Instead of IgnoreAccounting, you should use NoForwardAccounting, otherwise the 
original request will not be acknowledged.

See the following section in the Radiator 4.16 reference manual (“doc/ref.pdf”).


• 5.31.17  NoForwardAccounting

Stops AuthBy RADIUS forwarding Accounting-Requests. They are ACCEPTED, but no 
further action is taken with them. This is different in meaning to 
IgnoreAccounting, which IGNOREs them.

# Just ACCEPT Accounting-Requests, don’t forward them 

NoForwardAccounting


regards

Hugh


> On 16 May 2016, at 20:19, Martin Burton  wrote:
> 
> Hi Folks,
> 
> The Eduroam Federation is on the verge of implementing a
> "no-accounting" border between Organisational and National Proxies and
> participants are being asked to stop sending accounting packets upstream.
> 
> Currently, I have the following config that forwards to the NRPS:
> 
> 
> 
>Identifier NRPS
>FailureBackoffTime 10
>RetryTimeout 5
>Retries 1
>UseExtendedIds
>AllowInRequest  User-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID
> 
>AllowInReplyUser-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID, Operator-Name
> 
> 
> 
>AddToRequest Operator-Name="1sanger.ac.uk"
> #
> # Include the radius server specific NRPS host configuration
> #
>include %D/%h.nrps
> 
>AutoMPPEKeys
> 
> 
> 
>Identifier OUT-NRPS
>AcctLogFileName %L/default.acct.log
>AuthByPolicy ContinueWhileIgnore
>AuthLog EduroamLog
>AuthBy AuthLOG
>AuthBy NRPS
> 
> 
> 
> where %D/%h.nrps  simply contains the  declarations for the upstreams.
> 
> 
> If I want to ensure that no accounting packets are sent upstream, is it
> as simple as adding "IgnoreAccounting" to the AuthBy:
> 
> 
>   Identifier NRPS
> 
>   IgnoreAccounting
>   
>   FailureBackoffTime 10
>   RetryTimeout 5
>   Retries 1
> 
> .
> .
> .
> 
> 
> Just seems too simple!
> 
> 
> Thanks,
> 
> Martin.
> 
> -- 
> Martin Burton
> Principal Systems Administrator\\\|||///
> Infrastructure Team   \\  ^ ^  //
> Wellcome Trust Sanger Institute(  6 6  )
> -oOOo-(_)-oOOo---
> t: +44 (0)1223 496945 http://www.sanger.ac.uk
> Extreme Networks Specialist:  a178003uG1BAAU
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Example of AuthSelect MySQL stored procedure/function

2016-05-12 Thread Hugh Irvine

Hello Mike -

I don’t have a complete example, however the MySQL documentation is here:

http://dev.mysql.com/doc/refman/5.7/en/call.html

So your AuthSelect would look like this:

AuthSelect CALL ……

Perhaps someone else on the list has an example?

BTW - there are a couple of Oracle examples in the “goodies” directory that 
might give you some ideas.

regards

Hugh


> On 12 May 2016, at 20:40, Mike Puchol  wrote:
> 
> Greetings,
> 
> I've found a few posts on the mailing lists regarding use of stored 
> procedures or functions on MySQL against an AuthSelect, but none show the 
> actual MySQL declaration, and how it can return multiple AuthColumnDef 
> parameters - for example, I would like to do an select on username and MAC 
> address, and return Idle-Timeout and Session-Timeout parameters, plus some 
> NAS-specific attributes.
> 
> Does anyone have a full example of both AuthSelect clause + MySQL procedure 
> code they can share?
> 
> Thanks,
> 
> Mike
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Dynamic Address Allocation

2016-05-08 Thread Hugh Irvine

Hello Thomas -

You will find a complete example in “goodies/addressallocator.cfg” and the 
RADPOOL database structure in “goodies/sybase.sql”.

regards

Hugh


> On 8 May 2016, at 23:57, Thomas Kurian  wrote:
> 
> 
> Hi Support,
> 
> For dynamic address allocation, could you please help me by advising the steps
> to implement addressallocator.cfg, as we have decided to use SQL as the address
> backend. Please advise the SQL database structure for the radpool and radonline
> tables. We want to assign IP addresses to client machines based on their
> username, password and hostname. Our requirement is to map Username/Hostname to
> its respective assigned client IP address.
> 
> Following is our radius.cfg for your kind review :-
> 
> #Foreground
> #LogStdout
> 
> AcctPort 1813
> AuthPort 1812
> 
> BindAddress 0.0.0.0
> 
> LogDir /var/log/radius
> DbDir /etc/radiator
> DictionaryFile /etc/radiator/dictionary
> 
> # Use a lower trace level in production systems:
> Trace 4
> 
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> 
>Secret archies
>DupInterval 0
> 
> 
> 
> 
>Secret  archies
>Identifier FW1
>DupInterval 0
> 
> 
> 
> 
>Identifier myauthlogger
>Filename %L/authlog
>LogSuccess 1
>LogFailure 1
> 
> 
> 
>
>Filename %D/users
>
># Log accounting to a detail file
>AcctLogFileName %L/detail
> 
> PostAuthHook file:"/etc/radiator/wgetmagic.pl"
> 
> 
> 
> # This is where we authenticate a PEAP inner request, which will be an
> # EAP request. The username of the inner request will anonymous by
> # default, although the identity of the EAP request will be the real
> # username we are trying to authenticate.
> <Handler Request-Type=Access-Request,Client-Identifier=NETGENIE,TunnelledByPEAP=1>
>Identifier EAP-MSCHAP-V2
>
>Filename %D/users
> 
># This tells the PEAP client what types of inner EAP requests
># we will honour
>EAPType MSCHAP-V2
>
> 
># Log authentication success and failure to a file
>AuthLog myauthlogger
> 
>PostAuthHook
> file:"/root/Desktop/Radiator-installer20-3-2016/Radiator-Locked-4.16/goodies/eap_anon_hook.pl"
> 
> 
> 
>Identifier EAP-PEAP
>
>Filename %D/users
> 
>EAPType PEAP
> 
>EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> 
>EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>EAPTLS_CertificateType PEM
> 
>EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>EAPTLS_PrivateKeyPassword whatever
> 
>EAPTLS_MaxFragmentSize 1000
> 
>AutoMPPEKeys
> 
>EAPTLS_PEAPVersion 0
> 
>
> 
># Log authentication success and failure to a file
>AuthLog myauthlogger
> 
> PreProcessingHook
> file:"/root/Desktop/Radiator-installer20-3-2016/Radiator-Locked-4.16/goodies/eap_anon_hook.pl"
>AcctLogFileName %D/detail
> 
> 
> 
> 
> -- 
> Best Regards,
> 
> Thomas Kurian
> 
> 
> 
> 
> 
> 


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Hugh Irvine

Hello Roberto -

Welcome to the wonderful world of EAP.

Note that EAP is essentially a stateful encrypted TCP tunnel, over RADIUS, over 
UDP, hence the large number of packets back and forth for a single 
authentication.

I wonder what substance they were abusing?

regards

Hugh


> On 12 Apr 2016, at 23:58, a.l.m.bu...@lboro.ac.uk wrote:
> 
> Hi,
>>   Are all the challenges independent of each other? I can't find anything in
>>   the debug log that ties the incoming packets together.
> 
> all separate UDP packets - but with a known state - the RADIUS
> server recognises the conversation (up to 256 from each NAS usually)
> 
> with latest patchset for 4.16 you can see more details to help track
> a conversation in debug
> 
> alan
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Performance logging

2016-03-30 Thread Hugh Irvine

Hello Alex -

It depends on what you are looking at.

EAP involves multiple RADIUS messages to and from the end user device and 
Radiator.

If you are looking at the overall response time from the initial RADIUS 
Access-Request, through all of the EAP back and forth, to the ultimate 
Access-Accept, there really is nothing you can do.

If on the other hand you are looking only at the inner EAP request and the 
associated authentication process, as Tuure says, any delays are likely to be 
backend lookups.

regards

Hugh



> On 30 Mar 2016, at 20:57, Tuure Vartiainen  wrote:
> 
> Hi,
> 
>> On 29 Mar 2016, at 11:53, Hartmaier Alexander 
>>  wrote:
>> 
>> I've copied the calculation code to my LogFormatHook code:
>> 
>> $message->{response_time} = Radius::Util::timeInterval( \
>>$p->{RecvTime}, \
>>$p->{RecvTimeMicros}, Radius::Util::getTimeHires()); \
>> 
>> I'd still prefer if that float was available with a placeholder variable.
>> 
>> It shows what I was expecting, EAP authentication is slow.
>> Any pointers where I can start optimizing the EAP auth performance?
>> 
> 
> hard to say without seeing your configuration and Trace 4 (DEBUG) log 
> of a single request including microseconds (LogMicroseconds).
> 
> I assume that those timings are for the last Access-Request of 
> EAP authentication which produces either Access-Accept or Access-Reject.
> 
> Usually most of the time goes to a user lookup from a backend.
> 
> 
> BR
> -- 
> Tuure Vartiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Performance logging

2016-03-23 Thread Hugh Irvine

Hi Alex -

I may have misunderstood your original question - %s is only the offset in the 
current second.

For what you want to do you should probably be using the “LogMicroseconds” global 
parameter (requires “Time::HiRes” from CPAN).

Otherwise you can add your own custom time attributes in the current request 
packet and post-process the logs to derive the deltas.

The AuthBy INTERNAL clause is very handy for this sort of thing if you add them 
into your processing sequence at the relevant places.

regards

Hugh


> On 23 Mar 2016, at 21:03, Hartmaier Alexander 
>  wrote:
> 
> Hi Hugh,
> is that a microsecond counter starting when the request is received?
> Imho the wording is confusing, will it wrap around when the request takes 
> more than one second?
> How would I log the microseconds as integer for requests that take longer 
> than one second?
> 
> Thanks, Alex
> 
> On 2016-03-23 10:33, Hugh Irvine wrote:
>> Hello Alex -
>> 
>> %s is the number of microseconds in the current second.
>> 
>> From section 5.2 of the Radiator 4.16 reference manual (“doc/ref.pdf”):
>> 
>>  %s  Microseconds in the current second
>> 
>> Note that the RADIUS protocol only defines times in seconds.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> On 23 Mar 2016, at 19:44, Hartmaier Alexander 
>>>  wrote:
>>> 
>>> Hi,
>>> I'd like to add the time it took to craft a response for each request to
>>> the logs.
>>> In the reference manual I only found %E which is 'The elapsed time in
>>> seconds since the packet was received. Can be used to log
>>> processing time for proxied packets etc.'.
>>> For this logging I'd need at least milli- or better microseconds.
>>> Did I overlook a placeholder for those or do they currently not exist?
>>> 
>>> How do you guys monitor response time to prevent clients marking a
>>> server as unresponsive because it takes it too long to send a response,
>>> most of the time because of a backend like LDAP, SQL database or proxied
>>> radius server being slow?
>>> 
>>> Thanks, Alex
>>> 
>>> 
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> Notice: This e-mail contains information that is confidential and may be 
>>> privileged.
>>> If you are not the intended recipient, please notify the sender and then
>>> delete this e-mail immediately.
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> --
>> 
>> Hugh Irvine
>> h...@open.com.au
>> 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER, SIM, etc.
>> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> 
> 


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
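
Hugh's suggestion of post-processing the log to derive the deltas, worked through as an added example (not part of the thread and not Radiator code): it pairs "received" and "sent" lines by client address and RADIUS Identifier, takes the delta from full timestamps rather than from the microseconds-in-current-second field alone (which goes negative whenever a request straddles a second boundary, the wraparound Alex asked about), and flags replies slower than the NAS timeout. The log line format, the sample lines and the 3 s threshold are constructed for the example.

```python
"""Added example (not Radiator code): derive per-request response times from a
microsecond-stamped log and flag replies slow enough to trigger NAS retries.

The log format below is constructed for this example; adapt the regex to the
real LogMicroseconds output. Deltas are computed from full timestamps, because
the microseconds-in-current-second field (%s) on its own goes negative whenever
a request straddles a second boundary.
"""
import re
from datetime import datetime

# Constructed sample: one fast request, one spanning a second boundary, one slow
# enough that a NAS with a 3 s timeout will already have retransmitted, and one
# that is never answered at all.
SAMPLE_LOG = """\
2016-03-23 10:33:00.950211 DEBUG: Packet received from 192.0.2.10 id 17 Access-Request
2016-03-23 10:33:00.962904 DEBUG: Packet sent to 192.0.2.10 id 17 Access-Challenge
2016-03-23 10:33:01.980500 DEBUG: Packet received from 192.0.2.10 id 18 Access-Request
2016-03-23 10:33:02.120700 DEBUG: Packet sent to 192.0.2.10 id 18 Access-Accept
2016-03-23 10:33:05.000000 DEBUG: Packet received from 192.0.2.11 id 4 Access-Request
2016-03-23 10:33:08.400000 DEBUG: Packet sent to 192.0.2.11 id 4 Access-Reject
2016-03-23 10:33:09.000000 DEBUG: Packet received from 192.0.2.12 id 9 Accounting-Request
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) DEBUG: Packet "
    r"(?P<dir>received from|sent to) (?P<client>\S+) id (?P<id>\d+) (?P<code>\S+)$")


def parse_line(line):
    """Return (timestamp, is_receive, client, identifier, code) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return (ts, m.group("dir") == "received from", m.group("client"),
            int(m.group("id")), m.group("code"))


def response_times(log_text):
    """Return ([(client, id, reply code, milliseconds)], [(client, id) unanswered])."""
    pending = {}     # (client, id) -> time the request was received
    done = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, received, client, ident, code = parsed
        key = (client, ident)
        if received:
            pending[key] = ts    # a retransmit overwrites: we time the attempt we answer
        elif key in pending:
            delta_ms = (ts - pending.pop(key)).total_seconds() * 1000.0
            done.append((client, ident, code, round(delta_ms, 3)))
    return done, sorted(pending)


def slow_replies(log_text, nas_timeout_s=3.0):
    """Replies later than the NAS timeout: by then the NAS has already resent
    the request or marked the server dead, so these are the ones to alert on."""
    done, _ = response_times(log_text)
    return [r for r in done if r[3] > nas_timeout_s * 1000.0]


def naive_fraction_delta_us(recv_line, sent_line):
    """What subtracting only the %s-style microsecond fields gives, for contrast:
    negative as soon as the reply lands in a later second."""
    recv_ts, sent_ts = parse_line(recv_line)[0], parse_line(sent_line)[0]
    return sent_ts.microsecond - recv_ts.microsecond
```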

Re: [RADIATOR] Performance logging

2016-03-23 Thread Hugh Irvine

Hello Alex -

%s is the number of microseconds in the current second.

From section 5.2 of the Radiator 4.16 reference manual (“doc/ref.pdf”):

%s  Microseconds in the current second

Note that the RADIUS protocol only defines times in seconds.

regards

Hugh


> On 23 Mar 2016, at 19:44, Hartmaier Alexander 
>  wrote:
> 
> Hi,
> I'd like to add the time it took to craft a response for each request to
> the logs.
> In the reference manual I only found %E which is 'The elapsed time in
> seconds since the packet was received. Can be used to log
> processing time for proxied packets etc.'.
> For this logging I'd need at least milli- or better microseconds.
> Did I overlook a placeholder for those or do they currently not exist?
> 
> How do you guys monitor response time to prevent clients marking a
> server as unresponsive because it takes it too long to send a response,
> most of the time because of a backend like LDAP, SQL database or proxied
> radius server being slow?
> 
> Thanks, Alex
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Macros in dictionary

2016-03-08 Thread Hugh Irvine

Hello Manish -

Radiator does not support “MACRO” definitions in the dictionary.

However these definitions would look something like this in the Radiator 
dictionary:


# VSAs for OMS

VENDOR      OMS   1751

VENDORATTR  1751  OMS-User-Role-Profile  1  string
VENDORATTR  1751  OMS-User-Domain        2  integer

VALUE       OMS-User-Domain  Global      14
VALUE       OMS-User-Domain  Restricted  15


Please test and let us know the results so we can add these definitions to the 
standard Radiator dictionary.

Note however that there is already the following in the Radiator dictionary, 
and you should replace it with the above.


#
# VSA's for Lucent
#
VENDOR      Lucent-Old  1751
VENDORATTR  1751  Lucent-Vendor-Specific  1  string

#


regards

Hugh


> On 8 Mar 2016, at 17:31, Arya, Manish Kumar  wrote:
> 
> Hi,
> 
> I have received a dictionary for OMS NMS and it has a macro definition. 
> When I add it to the dictionary file and reload radius I get an error on the macro line 
> number.
> 
> MACRO      OMS-Attr(t,s)  26[vid=1751 type1=%t% len1=+2 data=%s%]
> 
> ATTRIBUTE  OMS-User-Role-Profile  OMS-Attr(1, string)   R
> 
> ATTRIBUTE  OMS-User-Domain        OMS-Attr(2, integer)  R
> VALUE      OMS-User-Domain        Global      14
> VALUE      OMS-User-Domain        Restricted  15
> 
> Error log:
> 
> Tue Mar  8 05:50:34 2016: DEBUG: Reading dictionary file 
> '/etc/radiator/db/dictionary'
> Tue Mar  8 05:50:38 2016: ERR: Bad format in dictionary 
> '/etc/radiator/db/dictionary' at line 5270: MACRO 
>  OMS-Attr(t,s)26[vid=1751 
> type1=%t% len1=+2 data=%s%]
> 
> How can I make it work with Radiator?
> 
> Regards,
> -Manish
> 
> _______
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
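
To show what the MACRO line in the question actually specifies on the wire, here is an added example (not Radiator code and not part of the thread) that parses the VENDOR/VENDORATTR/VALUE lines from the reply and encodes or decodes the corresponding RFC 2865 Vendor-Specific attribute; `type1=%t% len1=+2 data=%s%` is the usual one-octet vendor type, one-octet vendor length (data length + 2) layout that the VENDORATTR form implies. The dictionary text embedded in the block is a constructed copy of the fragment above.

```python
"""Added example (not Radiator code): encode and decode the OMS vendor
attributes defined by the dictionary fragment in this thread.

The MACRO in the question, 26[vid=1751 type1=%t% len1=+2 data=%s%], spells out
the ordinary RFC 2865 Vendor-Specific layout: attribute type 26, a 4-octet
Vendor-Id, then a 1-octet vendor type, a 1-octet vendor length equal to the
data length + 2, and the data. That is exactly what VENDORATTR lines imply.
"""
import struct

VENDOR_SPECIFIC = 26

# Constructed copy of the dictionary fragment given in the reply above.
DICTIONARY = """
# VSAs for OMS
VENDOR      OMS   1751
VENDORATTR  1751  OMS-User-Role-Profile  1  string
VENDORATTR  1751  OMS-User-Domain        2  integer
VALUE       OMS-User-Domain  Global      14
VALUE       OMS-User-Domain  Restricted  15
"""


def parse_dictionary(text):
    """Return (attrs, values): attrs maps name -> (vendor_id, vendor_type,
    datatype); values maps attribute name -> {symbolic value: integer}.
    VENDOR lines only name the id, so they are not needed for encoding."""
    attrs, values = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDORATTR":
            attrs[fields[2]] = (int(fields[1]), int(fields[3]), fields[4])
        elif fields[0] == "VALUE":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attrs, values


def encode_vsa(attrs, values, name, value):
    """Encode one vendor attribute as a complete RADIUS attribute 26."""
    vendor_id, vendor_type, datatype = attrs[name]
    if datatype == "integer":
        number = values.get(name, {}).get(value, value)   # symbolic or numeric
        data = struct.pack("!I", int(number))
    elif datatype == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError("unsupported datatype %s" % datatype)
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data   # len1=+2
    if 6 + len(sub) > 255:            # the Length octet bounds the whole attribute
        raise ValueError("vendor data too long for a single VSA")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_vsa(attrs, values, blob):
    """Decode one attribute-26 blob into [(name, value)]. Malformed lengths
    raise ValueError instead of being guessed at, as a receiver should."""
    if len(blob) < 8 or blob[0] != VENDOR_SPECIFIC or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", blob[2:6])[0]
    by_type = {(vid, vt): (n, dt) for n, (vid, vt, dt) in attrs.items()}
    out, pos = [], 6
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = blob[pos], blob[pos + 1]
        if vlen < 2 or pos + vlen > len(blob):
            raise ValueError("bad vendor length")
        data = blob[pos + 2:pos + vlen]
        name, datatype = by_type.get((vendor_id, vtype), (None, None))
        if name is None:                       # unknown vendor/type: keep raw
            out.append(("Vendor-%d-Attr-%d" % (vendor_id, vtype), data))
        elif datatype == "integer":
            if len(data) != 4:
                raise ValueError("integer VSA must carry 4 octets")
            number = struct.unpack("!I", data)[0]
            names = {v: k for k, v in values.get(name, {}).items()}
            out.append((name, names.get(number, number)))
        else:
            out.append((name, data.decode("utf-8", "replace")))
        pos += vlen
    return out


def vsa_is_well_formed(attrs, values, blob):
    """Boolean wrapper for filtering attributes from untrusted peers."""
    try:
        decode_vsa(attrs, values, blob)
        return True
    except ValueError:
        return False
```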

Re: [RADIATOR] Reply-Message

2016-02-19 Thread Hugh Irvine
ing to use a 
> Reply-Message to reply with a group name from one of the mysql tables. I'm not 
> having any luck getting the Reply-Message to work the way I want. I know the 
> mysql statement returns the right value, as I have it tested in phpmyadmin. 
> 
> Below is the query, and a level 4 trace, and my config. 
> 
> Table Structure:
> 
> Username  Password Groupname Notes Commonname
> 
> 
> 
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 



Re: [RADIATOR] Reading from multiple SQL tables

2016-02-18 Thread Hugh Irvine

Hi Gabe -

Please send me a copy of your configuration file (not copied to the mailing 
list) and I will take a look.

I’m guessing you probably want “ContinueUntilAccept”, but give me a bit more 
detail about what you are trying to accomplish.

regards

Hugh


> On 19 Feb 2016, at 06:54, Gabe Carmichael  wrote:
> 
> Good morning, 
> I have two tables that I am trying to read from as I have two different 
> clients talking to my radiator box. I can get it to read from the first 
> Authby SQL but not the second. I have my AuthbyPolicy as  
> ContinueUntilReject. Please let me know if I have something goofed as I have 
> not had to touch this in a long time. Thanks for you time.
> 



Re: [RADIATOR] Replay attributes

2016-02-12 Thread Hugh Irvine

Hello Gabe -

You need to know what RADIUS attribute to use for this purpose, then configure 
the  clause to return it with the group(s) as the value.

See sections 5.30.8 and 5.30.10 in the Radiator 4.16 reference manual 
(“doc/ref.pdf”).

See also the example configuration file in “goodies/sql.cfg”.

regards

Hugh


> On 13 Feb 2016, at 04:17, Gabe Carmichael  wrote:
> 
> Good morning,
> I have my instance running extremely well. I have added a group column to my 
> mysql table and have populated it with the all the groups that we want. We 
> are trying to pass the group attribute back to our Cisco 5508 wireless 
> controller. This would then be forwarded to our ISP's Palo Alto firewall for 
> group based access rules via snmp traps from the wireless controller. How can 
> I reply to the wireless controller with group attributes? Thanks
> 



[RADIATOR] custom logging configuration

2016-02-06 Thread Hugh Irvine

Hello All -

I have recently built some custom logging for a customer and I thought it might 
be interesting to post an overview here.

This will also be included in “goodies/hooks.txt” in future releases.

The requested feature was to forward for each session the username and 
associated IP address, together with a timestamp to a firewall and a security 
device using SYSLOG.

This example shows logging to SYSLOG, but any other  target(s) will 
work equally well.

Here is the configuration file that I used for testing:


# log.cfg

Foreground
LogStdout
LogDir  .
DbDir   .
# Use a lower trace level in production systems:
Trace   4


Secret  mysecret



# define Log clauses here so they aren’t global loggers

Identifier SyslogToFirewall
# add syslog specific details here
Trace 3


Identifier SyslogToSecurityDevice
# add syslog specific details here
Trace 3




PreAuthHook file:"%D/sysloglogger.pl"

AuthResult REJECT
AcctResult ACCEPT

# Log accounting to a detail file
AcctLogFileName %L/detail




Filename %D/users




and here is the hook code:


# sysloglogger.pl
# Radiator hook to send SYSLOG messages
# to firewall and security device with
# Timestamp, User-Name and Framed-IP-Address
#
# Hugh Irvine, OSC, 20160206

sub
{
    my $p = ${$_[0]};

    # Only accounting Start records carry a new username/address binding;
    # authentication requests and other accounting types are ignored
    # (the defined check avoids an uninitialized-value warning on requests
    # that have no Acct-Status-Type at all).
    my $acctstatus = $p->get_attr('Acct-Status-Type');
    return unless defined $acctstatus && $acctstatus eq 'Start';

    my $user = $p->get_attr('User-Name');
    my $ipaddress = $p->get_attr('Framed-IP-Address');
    my $message = "user = $user, ip = $ipaddress";

    # Find the Log clauses by their Identifier so they are only
    # written to from here, not as global loggers
    my $syslogtofw = Radius::Configurable::find('Log', 'SyslogToFirewall');

    if ($syslogtofw)
    {
        $syslogtofw->log($main::LOG_INFO, $message, $p);
    }

    my $syslogtosd = Radius::Configurable::find('Log', 'SyslogToSecurityDevice');

    if ($syslogtosd)
    {
        $syslogtosd->log($main::LOG_INFO, $message, $p);
    }

    return;
}


Hopefully someone finds this useful.

regards

Hugh


Re: [RADIATOR] 100% load 1 cpu core

2016-02-02 Thread Hugh Irvine

Hello -

What are you using to test?

And you should note that a single instance of Radiator is single-threaded and 
will only use 1 CPU core.

At the very least you should run separate instances for authentication and 
accounting.

regards

Hugh


> On 2 Feb 2016, at 20:00, SinTeZ Wh1te  wrote:
> 
> Hello List!
> 
> After installing Radiator on the test server, I got a problem with the 100% 
> load 1 CPU core but the others are unused.
> 
> Screenshot
> http://i.imgur.com/eQjK5k8.png
> 
> radius.cfg
> 
> 
> # Listen for addresses using default ports
> BindAddress ::,0.0.0.0
> #BindV6Only
> 
> AuthPort 1645,1820
> AcctPort 1646,1821
> 
> # Uncomment these for foreground debugging
> #Foreground
> #LogStdout
> 
> User radiator
> Group radiator
> 
> DbDir /etc/radiator
> DictionaryFile /etc/radiator/dictionary
> LogDir /var/log/radiator
> LogFile %L/radiator-log-%Y-%m
> PidFile /var/run/radiator/radiusd.pid
> 
> # Dont turn this up too high, since all log messages are logged
> # to the RADMESSAGES table in the database. 3 will give you everything
> # except debugging messages
> Trace 2
> 
> # You will probably want to change this to suit your site.
> # You should list all the clients you have, and their secrets
> # If you are using the Radmin Clients table, you will probably
> # want to disable this.
> 
>   Identifier Client-DEFAULT
>   Secret 12345
>   DupInterval 0
> 
> 
> 
> 
> RejectHasReason
> 
> Host 192.168.144.3
> Secret 12345
> AuthPort 1820
> AcctPort 1821
> RejectHasReason
> 
> 
> 
> 
> 
> -- 
> With regards,
> Alexander Yakunin




Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugh Irvine

Indeed - the old adage is very true:

“Just because a packet can get somewhere does not mean that the reply 
can get back….”

regards

Hugh


> On 1 Feb 2016, at 20:39, Hugo Veiga  wrote:
> 
> Hi,
> 
> Heikki I bow to you. :)
> 
> So the problem was this:
> (Topology)
> Radiator Machine/ IP: 10.253.1.12/24 
> --Router--wireless switch/IP:10.240.1.1/24 
> - The radiator machine receives requests from wireless switch.
> - Wireless switch never receives the answer.
> :: So Radiator machine is a virtual machine and installed by a colleague of 
> mine (system admin) that inserted the mask 255.0.0.0 in the network mask. 
> Radiator machine with the supplied mask will try to contact 10.240.1.1 
> through arp discovery and will never find it because it's on a different 
> broadcast domain. The solution was obvious, insert the correct netmask and it 
> started to work perfectly.
> 
> Problem solved.
> Many thanks Heikki,
> Hugo Veiga
> 
> 
> 
> > Code:   Access-Request
> > Identifier: 180
> > Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O
> 
> Radiator notices this and retransmits its previous reply
> 
> > Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from
> > 10.240.1.1(20004): retransmit reply
> > Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
> > *** Sending to 10.240.1.1 port 20004 
> 
> There are multiple retransmits back and forth and the authentication
> does not proceed.
> 
> I would check the Wi-Fi controller logs and make sure it is receiving
> the responses from Radiator.



Re: [RADIATOR] Request for enhancement: Log Handler InfluxDB or at least UDP

2016-01-29 Thread Hugh Irvine

Hi Heikki, Hi Karl -

Two thoughts on this:

1. you can use the “|” pipe character in the “Filename …” parameter of the  clause to pipe the log messages to another program directly, together 
with LogFormat

2. one can easily imagine a new  clause with a hook as a parameter 
to do whatever one might wish, being mindful to limit overhead of course

regards

Hugh


> On 30 Jan 2016, at 04:31, Heikki Vatiainen  wrote:
> 
> On 26.1.2016 17.31, Karl Gaissmaier wrote:
> 
>> I'm in the process to feed an InfluxDB from RADIATOR logfiles. Much
>> nicer would it be if RADIATOR team would implement:
>> 
>>  with the very simple but effective line protocol over
>> HTTP or at least an generic
>>  with a proper logformat hook done by the users and shipped as
>> goodies.
> 
> How about starting with a logformat hook to generate the datapoints in 
> the line protocol format and then using, for example, curl to send the 
> files to InfluxDB? I'm thinking about this:
> 
> https://docs.influxdata.com/influxdb/v0.9/guides/writing_data/
> 
> and 'Writing points from a file' described therein.
> 
>> Interested? Have a look at https://blog.haschek.at/post/fc060
> 
> Yes, this is very interesting. I looked at the line protocol 
> specification and it should be easy to implement with a formatting hook 
> for authentication. Accounting should be fairly easy too.
> 
> It might be worth considering a separate log agent to forward the logs to 
> InfluxDB (or in general to other logging, graphing, etc. systems). This 
> would separate the duties: radiator would create formatted logs and the 
> agent could handle the actual log forwarding.
> 
> This would also make it easier to add accounting and debug log 
> forwarding too since they can already be formatted when written to files.
> 
> If you need help with logformat hook, just let me know. I am interested 
> in helping you with this.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen 
> 


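An added example for the InfluxDB discussion above; it is not from the thread and is not Radiator code. Whether the line protocol is produced by a LogFormat hook or by the separate forwarding agent Heikki suggests, the formatter has to escape correctly: User-Name and Reply-Message are supplied by the NAS or the supplicant, and the line protocol uses commas, spaces, equals signs, double quotes and newlines as delimiters, so an unescaped value can add tags or fields, or a newline can inject a whole extra point. The escaping rules are shown here in Python rather than in Perl hook form; the measurement name radius_auth and the tag/field layout are my assumptions.

```python
import time

# Delimiters that must be backslash-escaped in measurement names (comma, space)
# and in tag keys, tag values and field keys (comma, equals, space).
_MEASUREMENT_SPECIALS = ', '
_KEY_SPECIALS = ',= '


def _clean(value):
    """Newlines terminate a line-protocol point, so a newline inside a value
    would let a supplicant inject a second point; replace them before escaping."""
    return str(value).replace('\r', ' ').replace('\n', ' ')


def _escape(value, specials):
    out = _clean(value)
    for ch in specials:
        out = out.replace(ch, '\\' + ch)
    return out


def format_field_value(value):
    """Render a field value: boolean, integer (i suffix), float, or a quoted
    string with backslashes and double quotes escaped."""
    if isinstance(value, bool):
        return 'true' if value else 'false'
    if isinstance(value, int):
        return '%di' % value
    if isinstance(value, float):
        return repr(value)
    s = _clean(value).replace('\\', '\\\\').replace('"', '\\"')
    return '"' + s + '"'


def line_protocol(measurement, tags, fields, timestamp_ns):
    """Build one line-protocol point: measurement,tags fields timestamp.
    Tags are sorted by key, which InfluxDB recommends for write performance."""
    if not fields:
        raise ValueError('a point needs at least one field')
    tag_part = ''.join(',%s=%s' % (_escape(k, _KEY_SPECIALS), _escape(v, _KEY_SPECIALS))
                       for k, v in sorted(tags.items()))
    field_part = ','.join('%s=%s' % (_escape(k, _KEY_SPECIALS), format_field_value(v))
                          for k, v in fields.items())
    return '%s%s %s %d' % (_escape(measurement, _MEASUREMENT_SPECIALS),
                           tag_part, field_part, timestamp_ns)


def radius_auth_point(request, result, reply_message, timestamp_ns=None):
    """One point per authentication result.  'request' is a dict of RADIUS
    attributes as a hook would see them; measurement and layout are assumptions."""
    if timestamp_ns is None:
        timestamp_ns = int(time.time() * 1e9)
    tags = {'nas': request.get('NAS-IP-Address', 'unknown'),
            'result': result,
            'user': request.get('User-Name', '')}    # NAS/supplicant controlled
    fields = {'count': 1, 'reply_message': reply_message}
    return line_protocol('radius_auth', tags, fields, timestamp_ns)


if __name__ == '__main__':
    # Constructed request with a hostile User-Name that would otherwise add a tag.
    print(radius_auth_point({'User-Name': 'bob,result=accept', 'NAS-IP-Address': '10.0.0.1'},
                            'reject', 'Request Denied'))
```

Keep User-Name as a tag only if the cardinality is acceptable for your InfluxDB; otherwise move it into a string field, as the code does for Reply-Message.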

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-19 Thread Hugh Irvine

Hello -

Thanks for letting me know.

regards

Hugh


> On 19 Jan 2016, at 22:10, SinTeZ Wh1te  wrote:
> 
> Hello Hugh.
> 
> I found your script in mailing list.
> http://www.open.com.au/pipermail/radiator/2010-March/016160.html
> 
> It works for me.
> 
> Thanks for the help!
> 
> 
> 2016-01-18 16:33 GMT+03:00 SinTeZ Wh1te :
> Hello Hugh.
> 
> The second AuthBy clause does not send a reply to the NAS.
> 
> radius.cfg
> ---
> 
>   Identifier Primary
>   Host 10.0.6.151
>   Secret 123456
>   AuthPort 1812
>   AcctPort 1813
>   ReplyHook file:"/etc/radiator/AccessReject"
> 
> 
> 
>   Identifier Secondary
>   Host 10.0.6.152
>   Secret 123456
>   AuthPort 1812
>   AcctPort 1813
> 
> 
> 
>   AuthBy Primary
> 
> ---
> 
> /etc/radiator/AccessReject
> 
> sub 
> {
> my $p = ${$_[0]}; # proxy reply packet
> my $rp = ${$_[1]};# reply packet to NAS
> my $op = ${$_[2]};# original request packet
> my $sp = ${$_[3]};# packet sent to proxy 
>   
>   my $code = $p->code;
>   return unless $code eq 'Access-Reject';
>   
>   if($code eq 'Access-Reject'){
>   my $authby = Radius::AuthGeneric::find('Secondary');
>   if (defined $authby)
>   {
>   my ($rc, $reason) = $authby->handle_request($op, $rp);
>   if ($rc == 2)
>   {
>   $op->{RadiusResult} = $main::IGNORE;
>   }
>   }
>   return;
>   }
> }
> -
> 
> 
> #tshark -i eth0 port 1812 -w /opt/radius.pcap
> 
> Screenshot Wireshark
> 
> http://i.imgur.com/StKAJ18.png
> 
> 10.0.6.13 - NAS
> 10.0.6.150 - Radiator
> 10.0.6.151 - Primary RADIUS
> 10.0.6.152 - Secondary RADIUS
> 
> After 10.0.6.152 send Access-Accept - Radiator does nothing.
> 
> 
> 2016-01-18 13:29 GMT+03:00 Hugh Irvine :
> 
> Hello -
> 
> You don’t have to do anything - the second AuthBy RADIUS clause will send the 
> reply to the NAS.
> 
> If you want to do more than that you will also need a ReplyHook in the second 
> AuthBy RADIUS clause.
> 
> regards
> 
> Hugh
> 
> 
> > On 18 Jan 2016, at 18:15, SinTeZ Wh1te  wrote:
> >
> > Hello Hugh!
> >
> > > Again note that your hook code will not see the result of the second 
> > > AuthBy RADIUS clause.
> >
> > If the hook code does not see the result, how can I check what I received in 
> > the reply from the second RADIUS server?
> >
> > What my boss requires:
> > 1) NAS sends Access-Request to Radiator
> > 2) Radiator re-sends Access-Request to primary RADIUS server
> > 3) If primary server replies Access-Reject with attribute Reply-Message = 1, 
> > Radiator re-sends Access-Request to secondary RADIUS server. If 
> > Reply-Message > 1 - send Access-Reject to NAS.
> > 4) After secondary server replies - Radiator sends reply to NAS
> >
> > Does a reply hook do this?
> >
> > 2016-01-15 1:42 GMT+03:00 Hugh Irvine :
> >
> > Hello -
> >
> > The first thing to understand is that the AuthBy RADIUS clause(s) operate 
> > asynchronously.
> >
> > The hook code in your first AuthBy RADIUS clause will only execute when the 
> > response is received for that clause.
> >
> > When the hook code calls the second AuthBy RADIUS clause it will exit 
> > without waiting.
> >
> > As shown in the example, your hook code needs to alter the response.
> >
> > In this case you would change the response to IGNORE which will allow the 
> > second AuthBy RADIUS clause to execute and return its result.
> >
> >
> > …..
> >
> > $op->{RadiusResult} = $main::IGNORE;
> >
> > …..
> >
> > Again note that your hook code will not see the result of the second AuthBy 
> > RADIUS clause.
> >
> > hope that helps
> >
> > regards
> >
> > Hugh
> >
> >
> > > On 14 Jan 2016, at 23:34, SinTeZ Wh1te  wrote:
> > >
> > > Thanks Hugh and Heikki!!!
> > >
> > > How can I get the RADIUS reply packet from the secondary server in the hook script?
> > > Radiator sends Access-Reject before the secondary server replies.
> > >
> > >
> > > radius.cfg
> > > ...
> > > 
> > >   Identifier Primary
> > >   Host 10.0.6.151
> > >   Secret

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-18 Thread Hugh Irvine

Hello -

You don’t have to do anything - the second AuthBy RADIUS clause will send the 
reply to the NAS.

If you want to do more than that you will also need a ReplyHook in the second 
AuthBy RADIUS clause.

regards

Hugh


> On 18 Jan 2016, at 18:15, SinTeZ Wh1te  wrote:
> 
> Hello Hugh!
> 
> > Again note that your hook code will not see the result of the second AuthBy 
> > RADIUS clause.
> 
> If the hook code does not see the result, how can I check what I received in 
> the reply from the second RADIUS server?
> 
> What my boss requires:
> 1) NAS sends Access-Request to Radiator
> 2) Radiator re-sends Access-Request to primary RADIUS server
> 3) If primary server replies Access-Reject with attribute Reply-Message = 1, 
> Radiator re-sends Access-Request to secondary RADIUS server. If Reply-Message 
> > 1 - send Access-Reject to NAS. 
> 4) After secondary server replies - Radiator sends reply to NAS
> 
> Does a reply hook do this?
> 
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine :
> 
> Hello -
> 
> The first thing to understand is that the AuthBy RADIUS clause(s) operate 
> asynchronously.
> 
> The hook code in your first AuthBy RADIUS clause will only execute when the 
> response is received for that clause.
> 
> When the hook code calls the second AuthBy RADIUS clause it will exit without 
> waiting.
> 
> As shown in the example, your hook code needs to alter the response.
> 
> In this case you would change the response to IGNORE which will allow the 
> second AuthBy RADIUS clause to execute and return its result.
> 
> 
> …..
> 
> $op->{RadiusResult} = $main::IGNORE;
> 
> …..
> 
> Again note that your hook code will not see the result of the second AuthBy 
> RADIUS clause.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te  wrote:
> >
> > Thanks Hugh and Heikki!!!
> >
> > How can I get the RADIUS reply packet from the secondary server in the hook script?
> > Radiator sends Access-Reject before the secondary server replies.
> >
> >
> > radius.cfg
> > ...
> > 
> >   Identifier Primary
> >   Host 10.0.6.151
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> >   ReplyHook file:"/etc/radiator/AccessReject"
> > 
> >
> > 
> >   Identifier Secondary
> >   Host 10.0.6.152
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> > 
> >
> > 
> >   AuthBy Primary
> > 
> > ...
> >
> >
> > /etc/radiator/AccessReject
> > ...
> > sub
> > {
> > my $p = ${$_[0]}; # proxy reply packet
> > my $rp = ${$_[1]};# reply packet to NAS
> > my $op = ${$_[2]};# original request packet
> > my $sp = ${$_[3]};# packet sent to proxy
> >
> >   my $code = $p->code;
> >   &main::log($main::LOG_DEBUG, "Code = $code");
> >   return unless $code eq 'Access-Reject';
> >
> >   if($code eq 'Access-Reject'){
> >   my $authby = Radius::AuthGeneric::find('Secondary');
> >   if (defined $authby)
> >   {
> >   &main::log($main::LOG_DEBUG, "= 
> > HANDLE_REQUEST===");
> >   my ($rc, $reason) = $authby->handle_request($op, $rp);
> >   &main::log($main::LOG_DEBUG, "= RC 
> > === $rc");
> >   &main::log($main::LOG_DEBUG, "= REASON 
> > === $reason");
> >   if ($rc == 2)
> >   {
> >   &main::log($main::LOG_DEBUG, "= 
> > ACCEPT ===");
> >   }
> >   else
> >   {
> >   &main::log($main::LOG_DEBUG, "= 
> > REJECT ===");
> >   }
> >   }
> >   return;
> >   }
> > }
> > ...
> >
> > radiator log
> > ---
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 
> > Code:   Access-Request
> > Identifier: 0
> > Authentic:1452774130
> > Attributes:
> >   User-Name = "testcoa10"
> &

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-14 Thread Hugh Irvine
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.151 port 1812 
> Code:   Access-Reject
> Identifier: 1
> Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> Attributes:
>   Reply-Message = "1"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> Thu Jan 14 15:22:09 2016: DEBUG: = HANDLE_REQUEST===
> Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.152 port 1812 
> Code:   Access-Request
> Identifier: 1
> Authentic:1452774130
> Attributes:
>   User-Name = "testcoa10"
>   User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>   NAS-IP-Address = 10.0.6.13
>   NAS-Port = 1
>   NAS-Port-Id = "123"
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Acct-Session-Id = "1"
>   Calling-Station-Id = "0800.2727.0575"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: = RC === 2
> Thu Jan 14 15:22:09 2016: DEBUG: = REASON === 
> Thu Jan 14 15:22:09 2016: DEBUG: = ACCEPT ===
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 
> Code:   Access-Reject
> Identifier: 0
> Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> Attributes:
>   Reply-Message = "Request Denied"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 
> 10.0.6.152:1812
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.152 port 1812 
> Code:   Access-Accept
> Identifier: 1
> Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> Attributes:
>   Acct-Interim-Interval = 300
>   Framed-IP-Address = 192.168.0.203
> 
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 
> Code:   Access-Reject
> Identifier: 0
> Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> Attributes:
>   Reply-Message = "Request Denied"
>   Acct-Interim-Interval = 300
>   Framed-IP-Address = 192.168.0.203
> -
> 
> 
> 2016-01-13 1:18 GMT+03:00 Hugh Irvine :
> 
> Hello -
> 
> See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> 
> regards
> 
> Hugh
> 
> 
> > On 12 Jan 2016, at 18:52, SinTeZ Wh1te  wrote:
> >
> > Hello!
> >
> > I want to know if it's possible to proxy auth requests in a
> > redundant fashion.
> >
> > For each request, I want to proxy it to a primary server; if it
> > succeeds then move on.
> > If the auth fails (Access-Reject), I need to proxy the Access-Request to a 
> > secondary server.
> >
> > Is it possible?
> >
> > Thanks!
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> 
> 
> 
> 
> -- 
> Kind regards,
> Alexander Yakunin


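An added example, not from the thread: a small checker for Radiator trace 4 logs that catches the two symptoms visible in the log quoted above, namely a second reply sent to the NAS for a request identifier that has already been answered, and an Access-Reject carrying attributes that the RFC 2865 and RFC 2869 attribute tables only allow in an Access-Accept (here Framed-IP-Address and Acct-Interim-Interval, which leaked in from the secondary server's Access-Accept). The sample log is a constructed, trimmed copy of the posted trace; the Python is mine, not part of Radiator, and the list of disallowed attributes is limited to ones whose table entry for Access-Reject is 0.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the trace 4 log posted in the thread
# (Authentic values and most request attributes left out).
SAMPLE_LOG = """\
Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
*** Received from 10.0.6.13 port 57565 ....
Code:       Access-Request
Identifier: 0
Attributes:
    User-Name = "testcoa10"
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.151 port 1812 ....
Code:       Access-Request
Identifier: 1
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.151 port 1812 ....
Code:       Access-Reject
Identifier: 1
Attributes:
    Reply-Message = "1"
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.152 port 1812 ....
Code:       Access-Request
Identifier: 1
Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Attributes:
    Reply-Message = "Request Denied"
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Received from 10.0.6.152 port 1812 ....
Code:       Access-Accept
Identifier: 1
Attributes:
    Acct-Interim-Interval = 300
    Framed-IP-Address = 192.168.0.203
Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
*** Sending to 10.0.6.13 port 57565 ....
Code:       Access-Reject
Identifier: 0
Attributes:
    Reply-Message = "Request Denied"
    Acct-Interim-Interval = 300
    Framed-IP-Address = 192.168.0.203
"""

PACKET_RE = re.compile(r'^\*\*\* (Sending to|Received from) (\S+) port (\d+)')
CODE_RE = re.compile(r'^Code:\s+(\S+)')
ID_RE = re.compile(r'^Identifier:\s+(\d+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')

REPLY_CODES = {'Access-Accept', 'Access-Reject', 'Access-Challenge', 'Accounting-Response'}

# Attributes whose RFC 2865 / RFC 2869 tables give a count of 0 for Access-Reject.
NOT_IN_REJECT = {'Service-Type', 'Framed-Protocol', 'Framed-IP-Address',
                 'Framed-IP-Netmask', 'Session-Timeout', 'Idle-Timeout',
                 'Acct-Interim-Interval'}


def parse_packets(log_text):
    """Turn Radiator packet dumps into dicts: direction, peer, port, code, id, attrs."""
    packets = []
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({'dir': 'sent' if m.group(1) == 'Sending to' else 'received',
                            'peer': m.group(2), 'port': int(m.group(3)),
                            'code': None, 'id': None, 'attrs': {}})
            continue
        if not packets:
            continue                      # header lines before the first dump
        pkt = packets[-1]
        m = CODE_RE.match(line)
        if m:
            pkt['code'] = m.group(1)
            continue
        m = ID_RE.match(line)
        if m:
            pkt['id'] = int(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            pkt['attrs'][m.group(1)] = m.group(2)
    return packets


def find_problems(packets):
    """Return (kind, (peer, port, id), detail) tuples for suspicious replies."""
    problems = []
    replies = defaultdict(list)
    for pkt in packets:
        if pkt['dir'] != 'sent' or pkt['code'] not in REPLY_CODES:
            continue                      # only replies Radiator sent to a NAS
        key = (pkt['peer'], pkt['port'], pkt['id'])
        replies[key].append(pkt)
        if pkt['code'] == 'Access-Reject':
            bad = sorted(a for a in pkt['attrs'] if a in NOT_IN_REJECT)
            if bad:
                problems.append(('reject-with-accept-attrs', key, bad))
    for key, pkts in replies.items():
        if len(pkts) > 1:                 # same NAS, port and identifier answered twice
            problems.append(('multiple-replies', key, [p['code'] for p in pkts]))
    return problems


if __name__ == '__main__':
    for kind, key, detail in find_problems(parse_packets(SAMPLE_LOG)):
        print(kind, key, detail)
```

Run it over a full trace 4 log from the proxy before and after changing the hook; a clean run reports nothing, which is the check that the first AuthBy's result really was suppressed rather than sent alongside the second one.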

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-12 Thread Hugh Irvine

Hello -

See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.

regards

Hugh


> On 12 Jan 2016, at 18:52, SinTeZ Wh1te  wrote:
> 
> Hello!
> 
> I want to know if it's possible to proxy auth requests in a 
> redundant fashion.
> 
> For each request, I want to proxy it to a primary server; if it 
> succeeds then move on.
> If the auth fails (Access-Reject), I need to proxy the Access-Request to a 
> secondary server.
> 
> Is it possible?
> 
> Thanks!



Re: [RADIATOR] IgnoreAccountingResponse

2015-12-21 Thread Hugh Irvine

Hello Ronald -

IgnoreAccountingResponse does not affect the retries and timeouts, it is 
typically used in conjunction with AccountingHandled in the Realm or Handler.

See section 5.31.30 in the Radiator manual (“doc/ref.pdf”):


5.31.30 IgnoreAccountingResponse

This optional flag causes AuthBy RADIUS to ignore replies to accounting 
requests, instead of forwarding them back to the originating host. 
This can be used in conjunction with the AccountingHandled flag in a Handler or 
Realm (see Section 5.20.10 on page 75) 
to ensure that every proxied accounting request is replied to immediately, and 
the eventual reply from the remote RADIUS server is dropped.


regards

Hugh


> On 21 Dec 2015, at 22:03, Ronald Pérez  wrote:
> 
> Hi all,
> 
> I just want to know what happens in the case that we have 
> IgnoreAccountingResponse in our AuthBy and the remote server doesn't reply or 
> doesn't receive the request: will there be a retry to other servers within 
> this AuthBy, or does the request just get lost? How will we identify a remote 
> failing server?
> 
> 
> Kind regards and thanks for your help.
> 
> Ronald



Re: [RADIATOR] Authlog FILE - file location

2015-11-03 Thread Hugh Irvine

Hello Michael -

Yes - set the LogDir parameter to whatever you wish:

…..

# set LogDir 

LogDir /var/log/radius

…..


   Identifier myauthlogger3
   Filename %L/authlog_dsl_cust_a
 
 …..

You can also use any of the special characters listed in section 5.2 of the 
Radiator 4.15 reference manual (“doc/ref.pdf”).

regards

Hugh


> On 4 Nov 2015, at 17:18, Michael Bellears  wrote:
> 
> Hi,
>  
> Hopefully a quick question. I've had a read of the manual, but can't seem to 
> find if it is possible to set a path for each logfile?
>  
> i.e. 
>  
> 
>Identifier myauthlogger3
>Filename authlog_dsl_cust_a
>  
>  
> Will log to file authlog_dsl_cust_a in the dir that radiator was started from 
> – Is there any way to add a “path” to where the file will be located?
>  
>  
> Cheers.



Re: [RADIATOR] Multithreading Radiator in Windows Server 2008/2012

2015-10-17 Thread Hugh Irvine

Hello Alan -

Yes absolutely - you typically want authentication to operate as quickly as 
possible, and it's usually a fairly lightweight lookup operation.

Accounting on the other hand is less time-critical and usually involves more 
processing to store the records.

Therefore it makes sense to have these operations running in separate processes.

Ie.

….

# Authentication Instance Configuration
# Listen for authentication requests only

AuthPort 1645, 1812

AcctPort

…..

….

# Accounting Instance Configuration
# Listen for accounting requests only

AuthPort

AcctPort 1646, 1813

…..

regards

Hugh


> On 17 Oct 2015, at 23:39, Alan Buxey  wrote:
> 
> > BTW - it is generally a good idea to have separate authentication and 
> > accounting instances as well (ie. one Windows service for authentication 
> > on 1645 and/or 1812, and another Windows service for accounting on 1646 
> > and/or 1813).
> 
> I'm guessing this is also true for Unix/linux/solaris installs too?
> 
> alan



Re: [RADIATOR] Multithreading Radiator in Windows Server 2008/2012

2015-10-16 Thread Hugh Irvine

Hello Nadav -

Each instance of Radiator would be configured as a separate Windows service, 
with the “frontend” listening on the standard RADIUS ports (1645/1646 and/or 
1812/1813).

The “backend” Radiator instances would listen on whatever ports you want (ie. 
11812/11813, and 12812/12813, and 13812/13813, whatever…).

The “frontend” instance would then use AuthBy PROXY clauses to proxy to the 
corresponding “backends”.

BTW - it is generally a good idea to have separate authentication and 
accounting instances as well (ie. one Windows service for authentication on 
1645 and/or 1812, and another Windows service for accounting on 1646 and/or 
1813).

regards

Hugh


> On 16 Oct 2015, at 17:47, Nadav Hod  wrote:
> 
> Hi Hugh,
> 
> I came across your post on the matter from a few years back:
> http://www.open.com.au/pipermail/radiator/2012-August/018488.html
> 
> I was wondering if you could explain how this is performed on the same 
> Windows Server. For example, assuming I wanted to have a front-end server as 
> one process and three other Radiator processes for authenticating different 
> kinds of traffic. How would this be configured so that the backend could 
> communicate with the frontend and vice versa?
> 
> Would I need to install a different Windows service for each of these 
> processes? How would I ensure that each process would run under a different 
> core? Could one process which is CPU-intensive also use up a different core 
> if necessary so that this doesn't cause a bottleneck?



Re: [RADIATOR] Use FarmSize parameter

2015-09-24 Thread Hugh Irvine

Hi Antonio -

I would need to see your configuration file(s) before making suggestions.

If you send copies to me directly I will take a look.

regards

Hugh


> On 24 Sep 2015, at 18:10, António Mendes  
> wrote:
> 
> Hi Hugh, thanks for your answer.
> 
> The "father" process is consuming too much CPU due to the amount of requests, 
> it's perfectly normal because we have a huge amount of clients. The 
> Radiator's performance it's not a problem.
> We need to move forward because we see that the hardware it's underused(one 
> CPU core reaches several time 100% of use but the others are unused).  To 
> avoid this problem and make use of all cores available we take a look of 
> "Farmsize" feature, but like I said we are a bit worried about problems that 
> could arise, like concurrency problems. So my question is if there are known 
> problems in use the  Farmsize, or do you advise to upgrade the configuration 
> in another way.
> 
> Please note that we are thinking to use the Farmsize in accounting process, 
> so the known authentication problems will not be a problem for us.
> 
> Best regards,
> António Mendes
> 
> WIT Software | Software Engineer
> 
> This email was sent under WIT Software's Confidentiality Policy
> 
> Às 07:38 de 24-09-2015, Hugh Irvine escreveu:
>> Hello Antonio -
>> 
>> I am curious to know why your “father” process is taking so much time?
>> 
>> Have you checked a trace 4 debug with LogMicroseconds enabled to see what 
>> exactly is taking the time?
>> 
>> If you send me a copy of your configuration file(s) directly, I will take a 
>> look and try to make some suggestions.
>> 
>> FarmSize can be used in some situations, but it can cause problems in other 
>> situations.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> 
>>> On 24 Sep 2015, at 00:40, António Mendes 
>>>  wrote:
>>> 
>>> Hello all,
>>> 
>>> We are running a scenario with an instance acting as a father and 
>>> forwarding the traffic to children processes according to some parameters 
>>> in the request. We did that by changing the init script and starting several 
>>> instances of Radiator (each one on a different port).
>>> 
>>> We are noticing that the father process is consuming too much processing 
>>> resources and is only using one core. We would like to change this 
>>> configuration to allow the distribution of load across all CPU cores available 
>>> in the server, and to do that we are thinking of using "FarmSize" to create 
>>> several instances of the father process.
>>> 
>>> Do you see any problem with this new approach (I'm a little bit worried 
>>> about the write concurrency of log files)? Do you have any concerns or 
>>> recommendations?
>>> 
>>> 
>>> Thanks
>>> -- 
>>> António Mendes
>>> 
>>> WIT Software | Software Engineer
>>> 
>>> This email was sent under WIT Software's Confidentiality Policy
>>> 
>> 
> 



Re: [RADIATOR] Use FarmSize parameter

2015-09-23 Thread Hugh Irvine

Hello Antonio -

I am curious to know why your “father” process is taking so much time?

Have you checked a trace 4 debug with LogMicroseconds enabled to see what 
exactly is taking the time?

If you send me a copy of your configuration file(s) directly, I will take a 
look and try to make some suggestions.

FarmSize can be used in some situations, but it can cause problems in other 
situations.

regards

Hugh


> On 24 Sep 2015, at 00:40, António Mendes  
> wrote:
> 
> Hello all,
> 
> We are running a scenario with an instance acting as a father and forwarding 
> the traffic to children processes according to some parameters in the request. 
> We did that by changing the init script and starting several instances of 
> Radiator (each one on a different port).
> 
> We are noticing that the father process is consuming too much processing 
> resources and is only using one core. We would like to change this 
> configuration to allow the distribution of load across all CPU cores available 
> in the server, and to do that we are thinking of using "FarmSize" to create 
> several instances of the father process.
> 
> Do you see any problem with this new approach (I'm a little bit worried about 
> the write concurrency of log files)? Do you have any concerns or 
> recommendations?
> 
> 
> Thanks
> -- 
> António Mendes
> 
> WIT Software | Software Engineer
> 
> This email was sent under WIT Software's Confidentiality Policy
> 



Re: [RADIATOR] Auth for another mysql table

2015-09-12 Thread Hugh Irvine

Hello Gabe -

If you send me a copy of your configuration file (not to the list), I’ll take a 
look and make some suggestions.

Also, what form are the usernames going to have?

regards

Hugh


> On 12 Sep 2015, at 08:45, Gabe Carmichael  wrote:
> 
> I have our wireless locked down to just machine mac addresses. Now the upper 
> folks want to use the same mysql db to have a un/pw field with a group id. 
> Would I add another realm that would look to the other table, and if it does 
> how can I reply with the group id attribute. Thanks. 
> 
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 



Re: [RADIATOR] Hourly Authentication-Count Downward Spikes

2015-08-24 Thread Hugh Irvine

Hello Roberto -

This is almost always a problem with the backend authentication resource.

A trace 4 debug with LogMicroseconds (requires Time::HiRes from CPAN) will show 
you how long each processing step is taking.

What I generally see is Radiator waiting for an external resource and at some 
critical number of requests per second the UDP queue starts to fill up leading 
to timeouts and retransmissions.

Ie. if the external resource takes say 50 ms to respond, then it follows that 
at most you can process 20 requests per second - anything over that will lead 
to the problem I describe.

This is just one theory, but as I say, a trace 4 debug with LogMicroseconds 
will tell you where to look.

regards

Hugh


> On 25 Aug 2015, at 03:41, Ullfig, Roberto Alfredo  wrote:
> 
> Hello all,
> 
>  
> 
> It’s the first day of classes here and we’re seeing hourly successful 
> authentication-count downward spikes starting around 5-10 minutes before the 
> hour – was wondering if any other people here see the same thing in their 
> environments and
> 
>  
> 
> We’re looking at the number of successful authentications per 5 minutes. 
> During the summer we would max out at 5K but there were no downward spikes. 
> We are now hitting 30K (shortly before noon) and this span of perhaps 20 
> minutes.
> 
>  
> 
> ---
> 
> Roberto Ullfig – rull...@uic.edu
> 
> ACCC Research Programmer
> 
>  
> 


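Hugh's advice above (and in the FarmSize thread) is to read a trace 4 debug with LogMicroseconds and see which step the time goes into. The following Python script is an added example, not code from this thread or from Radiator: it pairs each "Handling request with Handler" line with the "Packet dump:" line that precedes the next "*** Sending to" marker (Radiator processes requests in a single thread, so the timestamped lines in between belong to that request), reports the step during which the longest gap occurred, and turns the mean per-request time into the ceiling on requests per second that Hugh describes (a 50 ms lookup gives at most 20 per second). The log excerpt is constructed; the ".nnnnnn" microsecond suffix on the seconds field is an assumption about the LogMicroseconds layout, and the handler and AuthBy names are made up.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Constructed trace 4 excerpt. Timestamped lines follow the layout quoted in this
# thread; the ".nnnnnn" suffix is what LogMicroseconds is assumed to add. The
# packet-dump detail lines carry no timestamp. Names are made up for the example.
SAMPLE_LOG = """\
Mon Aug 24 11:55:00.000100 2015: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 49152 ....
Code:       Access-Request
Mon Aug 24 11:55:00.000250 2015: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Aug 24 11:55:00.001000 2015: DEBUG: Handling with Radius::AuthLDAP2: ad
Mon Aug 24 11:55:00.052100 2015: DEBUG: AuthBy LDAP2 result: ACCEPT,
Mon Aug 24 11:55:00.052200 2015: INFO: Access accepted for alice
Mon Aug 24 11:55:00.052300 2015: DEBUG: Packet dump:
*** Sending to 10.0.0.5 port 49152 ....
Code:       Access-Accept
Mon Aug 24 11:55:00.060000 2015: DEBUG: Packet dump:
*** Received from 10.0.0.5 port 49153 ....
Mon Aug 24 11:55:00.060200 2015: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Aug 24 11:55:00.060500 2015: DEBUG: Handling with Radius::AuthFILE: local
Mon Aug 24 11:55:00.061500 2015: DEBUG: AuthBy FILE result: ACCEPT,
Mon Aug 24 11:55:00.062000 2015: DEBUG: Packet dump:
*** Sending to 10.0.0.5 port 49153 ....
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.(?P<usec>\d{6}) "
    r"(?P<year>\d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)


@dataclass
class RequestTiming:
    handler: str
    total: timedelta             # 'Handling request' to the 'Packet dump:' before Sending
    slowest_step: str            # line that was current during the longest gap
    slowest_step_time: timedelta


def parse_stamp(m) -> datetime:
    base = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return base.replace(microsecond=int(m["usec"]))


def request_timings(lines: Iterable[str]) -> List[RequestTiming]:
    """One RequestTiming per request. The longest gap between consecutive
    timestamped lines identifies the step that blocked (usually a backend)."""
    timings: List[RequestTiming] = []
    handler = ""
    start: Optional[datetime] = None
    prev_ts: Optional[datetime] = None
    prev_msg = ""
    worst: Tuple[timedelta, str] = (timedelta(0), "")
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            # Untimestamped dump line: the Sending marker closes the request at
            # the timestamp of the 'Packet dump:' line just seen.
            if start is not None and prev_ts is not None and raw.lstrip().startswith("*** Sending to"):
                timings.append(RequestTiming(handler, prev_ts - start, worst[1], worst[0]))
                start = None
            continue
        ts, msg = parse_stamp(m), m["msg"]
        if msg.startswith("Handling request with Handler"):
            handler = msg.split("Handler", 1)[1].strip()
            start, prev_ts, prev_msg = ts, ts, msg
            worst = (timedelta(0), "")
            continue
        if start is None or prev_ts is None:
            continue
        gap = ts - prev_ts
        if gap > worst[0]:
            worst = (gap, prev_msg)
        prev_ts, prev_msg = ts, msg
    return timings


def max_sustainable_rate(timings: List[RequestTiming]) -> float:
    """Requests/second one single-threaded instance can sustain: the reciprocal
    of the mean per-request time (a 50 ms backend lookup caps it at 20/s)."""
    if not timings:
        return 0.0
    mean = sum((t.total for t in timings), timedelta(0)) / len(timings)
    return 1.0 / mean.total_seconds()


def offered_load_exceeds_capacity(offered_rps: float, timings: List[RequestTiming]) -> bool:
    """True when NASes send faster than the instance answers; beyond this point
    the UDP queue grows and clients time out and retransmit."""
    return offered_rps > max_sustainable_rate(timings)


if __name__ == "__main__":
    result = request_timings(SAMPLE_LOG.splitlines())
    for t in result:
        print(f"{t.handler}: {t.total.total_seconds() * 1000:.2f} ms, slowest step "
              f"{t.slowest_step_time.total_seconds() * 1000:.2f} ms during '{t.slowest_step}'")
    print(f"ceiling for this instance: {max_sustainable_rate(result):.1f} requests/s")
```

Run it against a real trace 4 file with `request_timings(open(path))`. The ceiling is for one process; the remedies discussed in the threads above (separate authentication and accounting instances, or a frontend proxying to several backends) raise it by adding processes, while a slow backend step shows up directly as the slowest_step of each request.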

Re: [RADIATOR] MySQL accounting gets entered but not deleted

2015-08-14 Thread Hugh Irvine

Hello Gabe -

The RADONLINE table is used to maintain a list of “who is connected now”, ie. 
records are entered when a user connects (an accounting start message) and 
removed when the user disconnects (an accounting stop message).

The ACCOUNTING table is an historical record of all connections over time and 
is usually kept for some period of time for audit and/or billing purposes.

If you don’t want any records in the ACCOUNTING table, just disable the inserts.

If you need more help send me a copy of your configuration file and I will be 
happy to assist.

regards

Hugh


> On 15 Aug 2015, at 05:38, Gabe Carmichael  wrote:
> 
> Good morning,
> I am not good with mysql at all, but the example strings got me up and 
> running. I seem to have the radonline table auto purging after a user logs 
> off but the entry still exists in the accounting table. Is there a way to 
> have it flush those entries after a certain amount of time?
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 


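Hugh's description of the two tables can be tried out offline. The following Python example is added here; it is not Radiator's code, and its table layout is a simplified stand-in for the schemas shipped in Radiator's goodies directory (column and attribute names are assumptions for the example). It keeps one RADONLINE row per live session, inserting it on Acct-Status-Type Start, refreshing it on Alive (Interim-Update), and deleting it on Stop, while appending every accounting packet to ACCOUNTING. A separate purge removes ACCOUNTING rows older than a retention period, which is the part Radiator does not do for you. The sample records are constructed.

```python
import sqlite3
from typing import Dict

# Simplified stand-in for Radiator's RADONLINE / ACCOUNTING tables (assumption:
# these column names are chosen for the example, not taken from goodies/*.sql).
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME        TEXT NOT NULL,
    NASIDENTIFIER   TEXT NOT NULL,
    NASPORT         INTEGER NOT NULL,
    ACCTSESSIONID   TEXT NOT NULL,
    TIME_STAMP      INTEGER NOT NULL,
    FRAMEDIPADDRESS TEXT,
    PRIMARY KEY (NASIDENTIFIER, NASPORT)
);
CREATE TABLE ACCOUNTING (
    USERNAME        TEXT NOT NULL,
    ACCTSTATUSTYPE  TEXT NOT NULL,
    ACCTSESSIONID   TEXT NOT NULL,
    NASIDENTIFIER   TEXT NOT NULL,
    NASPORT         INTEGER NOT NULL,
    ACCTSESSIONTIME INTEGER,
    TIME_STAMP      INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def apply_accounting(conn: sqlite3.Connection, rec: Dict[str, object]) -> None:
    """Mirror what an accounting clause does with one packet: every packet is
    appended to ACCOUNTING (the audit trail), while RADONLINE only tracks
    sessions that are up right now. 'Timestamp' is the Radiator-added
    attribute, UNIX seconds since the epoch."""
    status = rec["Acct-Status-Type"]
    key = (rec["NAS-Identifier"], rec["NAS-Port"])
    conn.execute(
        "INSERT INTO ACCOUNTING VALUES (?, ?, ?, ?, ?, ?, ?)",
        (rec["User-Name"], status, rec["Acct-Session-Id"], key[0], key[1],
         rec.get("Acct-Session-Time"), rec["Timestamp"]),
    )
    if status in ("Start", "Alive"):
        # One row per NAS port: a replayed Start or an Interim-Update (Alive)
        # refreshes the row instead of duplicating it.
        conn.execute(
            "INSERT OR REPLACE INTO RADONLINE VALUES (?, ?, ?, ?, ?, ?)",
            (rec["User-Name"], key[0], key[1], rec["Acct-Session-Id"],
             rec["Timestamp"], rec.get("Framed-IP-Address")),
        )
    elif status == "Stop":
        # Delete by NAS and port, like the 'Deleting session for ...' debug line;
        # a Stop whose Start was lost deletes nothing but is still recorded above.
        conn.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?", key)
    conn.commit()


def online_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM RADONLINE").fetchone()[0]


def accounting_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM ACCOUNTING").fetchone()[0]


def purge_accounting(conn: sqlite3.Connection, now: int, retention_days: int) -> int:
    """Drop historical rows older than the retention window and return how many
    went. Radiator does not age ACCOUNTING out by itself; run this from cron."""
    cutoff = now - retention_days * 86400
    cur = conn.execute("DELETE FROM ACCOUNTING WHERE TIME_STAMP < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


# Constructed sample: two sessions on one NAS. alice has Start, Alive and Stop;
# bob has only a Start and is therefore still online. Timestamps are UNIX seconds.
T0 = 1_439_600_000
SAMPLE_RECORDS = [
    {"User-Name": "alice", "Acct-Status-Type": "Start", "Acct-Session-Id": "A1",
     "NAS-Identifier": "wlc-1", "NAS-Port": 1, "Framed-IP-Address": "10.1.0.5",
     "Timestamp": T0},
    {"User-Name": "alice", "Acct-Status-Type": "Alive", "Acct-Session-Id": "A1",
     "NAS-Identifier": "wlc-1", "NAS-Port": 1, "Acct-Session-Time": 600,
     "Timestamp": T0 + 600},
    {"User-Name": "bob", "Acct-Status-Type": "Start", "Acct-Session-Id": "B7",
     "NAS-Identifier": "wlc-1", "NAS-Port": 2, "Timestamp": T0 + 900},
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Id": "A1",
     "NAS-Identifier": "wlc-1", "NAS-Port": 1, "Acct-Session-Time": 1200,
     "Timestamp": T0 + 1200},
]


def run_sample() -> sqlite3.Connection:
    conn = open_db()
    for rec in SAMPLE_RECORDS:
        apply_accounting(conn, rec)
    return conn


if __name__ == "__main__":
    db = run_sample()
    print(f"online now: {online_count(db)}, historical rows: {accounting_count(db)}")
    print(f"purged after 90 days: {purge_accounting(db, T0 + 1200 + 90 * 86400, 90)}")
```

After the four sample packets, RADONLINE holds only bob while ACCOUNTING holds all four rows; the purge then removes everything older than the cutoff. If the goal is simply never to keep history, Hugh's advice stands: disable the ACCOUNTING inserts rather than purging.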

Re: [RADIATOR] Restricting login access by source device

2015-06-25 Thread Hugh Irvine

Hello Rob -

The usual way to do this is with Identifiers in the Client clauses to group the 
devices, then use the Identifier either as an authentication check item, or for 
separate Handlers.

regards

Hugh


> On 26 Jun 2015, at 07:34, Patrick, Robert (CONTR)  
> wrote:
> 
> How best to restrict RADIUS and TACACS auth to a specific source device (NAS) 
> for a specific user?
> 
>  
> 
> What is the best method to allow all users access all the time from any 
> source, except user X that is only to permitted access when authenticating 
> from device Y?
> 
>  
> 
> Customer is looking to permit the humans to login with 2-factor tokens from 
> anywhere, and scripts with username/password to login from a specific source.
> 
>  
> 
> Thanks!
> 
>  
> 
> -Rob Patrick
> 




Re: [RADIATOR] Insert Accounting to DB Table.

2015-05-31 Thread Hugh Irvine

Hello again -

I’m not sure I understand what you are trying to do.

The AcctColumnDef that you show below is only for RADIUS accounting requests, 
not an access request, which is what you show in the debug.

I see that your AuthSelect is looking for a column called “EXPIRATION” which 
again from the debug appears to contain a date prior to “now”, so it is failing.

Note that “Timestamp” is the UNIX integer number of seconds since the epoch 
(start of time at January 1, 1970).

regards

Hugh


> On 1 Jun 2015, at 14:12, Mohammed Alhaj Ali  wrote:
> 
> Hi Hugh
> 
> I'm using the same line in my configuration
> 
> "AcctColumnDef   TIME_STAMP,Timestamp,integer", below is trace 4 output for 
> account named testhua...@2048.itc.net.sa,
> 
> 
> 
> 
> Code:   Access-Request
> Identifier: 114
> Authentic:  <197><189>Qv<215>#<10><184><140><192><249>g<218><210><217><165>
> Attributes:
>User-Name = "testhua...@2048.itc.net.sa"
>CHAP-Password = <1>w<233><9>r<144><169>tI<15><29><14>+w<206><162><139>
>CHAP-Challenge = 
> <197><189>Qv<215>#<10><184><140><192><249>g<218><210><217><165>
>NAS-Port = 33554442
>NAS-IP-Address = 87.101.255.184
>Service-Type = Framed-User
>Framed-Protocol = PPP
>Calling-Station-Id = "c4:6e:1f:a5:72:3e"
>NAS-Identifier = "Jeddah-ME60"
>NAS-Port-Type = Ethernet
>NAS-Port-Id = "Jeddah-ME60 eth 0/2/0/0:10"
>Acct-Session-Id = "Jeddah-012020010042f0f7184912"
>Connect-Info = "10"
>Huawei-Startup-Stamp = 1422959894
>Huawei-IPHost-Addr = "255.255.255.255 c4:6e:1f:a5:72:3e"
>Huawei-Connect-ID = 184912
>Huawei-Version = "Huawei ME60"
>Huawei-Product-ID = "ME60"
>Huawei-Domain-Name = "2048.itc.net.sa"
>Huawei-User-Mac = "c4:6e:1f:a5:72:3e"
> 
> Sun May 31 08:57:47 2015: DEBUG: Handling request with Handler 
> 'Realm=/^(512|1024|2048)\.itc\.net\.sa$/'
> Sun May 31 08:57:47 2015: DEBUG:  Deleting session for 
> testhua...@2048.itc.net.sa, 87.101.255.184, 33554442
> Sun May 31 08:57:47 2015: DEBUG: Handling with Radius::AuthSQL: dpool_H
> Sun May 31 08:57:47 2015: DEBUG: Handling with Radius::AuthSQL: dpool_H
> Sun May 31 08:57:47 2015: DEBUG: Query is: 'select PASSWORD, 
> to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS, 
> EXPIRATION_D "Huawei-Domain-Name" , Session_Timeout "Session-Timeout" from 
> ITC_ACCOUNTS_H where upper(USERNAME)=upper('testhua...@2048.itc.net.sa')':
> Sun May 31 08:57:47 2015: ERR: Bad attribute=value pair: 3600
> Sun May 31 08:57:47 2015: DEBUG: Radius::AuthSQL looks for match with 
> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Sun May 31 08:57:47 2015: DEBUG: Expiration date converted to: 1427835600
> Sun May 31 08:57:47 2015: DEBUG: Radius::AuthSQL REJECT: Expiration date has 
> passed: testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Sun May 31 08:57:47 2015: DEBUG: Query is: 'select PASSWORD, 
> to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS, 
> EXPIRATION_D "Huawei-Domain-Name" , Session_Timeout "Session-Timeout" from 
> ITC_ACCOUNTS_H where upper(USERNAME)=upper('DEFAULT')':
> Sun May 31 08:57:47 2015: DEBUG: AuthBy SQL result: REJECT, Expiration date 
> has passed
> Sun May 31 08:57:47 2015: DEBUG: Handling with Radius::AuthFILE: flat
> Sun May 31 08:57:47 2015: DEBUG: Radius::AuthFILE looks for match with 
> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Sun May 31 08:57:47 2015: DEBUG: Radius::AuthFILE REJECT: No such user: 
> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
> Sun May 31 08:57:47 2015: DEBUG: AuthBy FILE result: REJECT, No such user
> Sun May 31 08:57:47 2015: INFO: Access rejected for 
> testhua...@2048.itc.net.sa: No such user
> Sun May 31 08:57:47 2015: DEBUG: Packet dump:
> *** Sending to 87.101.255.184 port 1812 
> 
> Packet length = 36
> 03 72 00 24 2f f5 e8 46 d5 1d 46 78 62 5e a1 1c
> 04 0f 93 b2 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:   Access-Reject
> Identifier: 114
> Authentic:  <197><189>Qv<215>#<10><184><140><192><249>g<218><210><217><165>
> Attributes:
>Reply-Message = "Request Denied"
> 
> Sun

Re: [RADIATOR] Insert Accounting to DB Table.

2015-05-30 Thread Hugh Irvine

Hello -

The Radiator timestamp is an attribute called “Timestamp” which is added to the 
accounting requests.

See “goodies/sql.cfg” in the Radiator distribution.

regards

Hugh


> On 31 May 2015, at 15:00, Mohammed Alhaj Ali  wrote:
> 
> Hi Hugh,
> 
> Actually as you said I was trying to use Radiator server timestamp, but I'm 
> not sure about syntax and where to pass it, can you help please
> 
> 
> Regards,
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Friday, May 29, 2015 9:54 AM
> To: Mohammed Alhaj Ali
> Cc: Sami Keski-Kasari; radiator@open.com.au
> Subject: Re: [RADIATOR] Insert Accounting to BD Table.
> 
> 
> Hello -
> 
> You should check your accounting requests to see if Event-Timestamp is 
> present (I suspect it is not).
> 
> A trace 4 debug will show you what you are receiving in the accounting 
> requests.
> 
> You may need additional configuration on your Huawei equipment, or you may 
> need to use something else like the Radiator Timestamp.
> 
> regards
> 
> Hugh
> 
> 
> 
>> On 28 May 2015, at 22:09, Mohammed Alhaj Ali  wrote:
>> 
>> Hi Sami,
>> 
>> The system calculates the Session-Timeout based on the account's first login,
>> which relies on the Event-Timestamp. When it is inserted into the TIME_STAMP
>> column of the DB table, it then checks the account's number of days
>> to calculate the account expiry and returns this value as
>> Session-Timeout.
>> 
>> Note that there's no problem for accounts that are already active and have 
>> Session-Timeout configured, but for new subscriptions we did not get an 
>> Event-Timestamp to insert into the DB table.
>> 
>> Please let me know if you need any other information.
>> 
>> Thank you!
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> -Original Message-
>> From: radiator-boun...@open.com.au
>> [mailto:radiator-boun...@open.com.au] On Behalf Of Sami Keski-Kasari
>> Sent: Thursday, May 28, 2015 1:54 PM
>> To: radiator@open.com.au
>> Subject: Re: [RADIATOR] Insert Accounting to BD Table.
>> 
>> Hello Mohammed,
>> 
>> I think that the error message is due to your SQL query not returning anything 
>> for the Expiration check item while you have AddToReply Session-Timeout = "until 
>> Expiration" in the configuration.
>> 
>> Could you tell us more how the system should work?
>> Who should/will update EXPIRATION field in database?
>> 
>> Best Regards,
>> Sami
>> 
>> On 05/27/2015 11:32 AM, Mohammed Alhaj Ali wrote:
>>> Dears,
>>> 
>>> 
>>> 
>>> Recently we had some changes on our network, as we replaced the Cisco
>>> platform with a Huawei BRAS. Now we're unable to get proper accounting,
>>> especially when a customer account is newly created, so we can't get the
>>> account activation on the first login in order to calculate
>>> Session-Timeout. Below are the error logs plus part of the
>>> configuration:
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>   AccountingTable DSL_ACCOUNTING
>>> 
>>>   AcctColumnDef USERNAME,User-Name,%A
>>> 
>>>   AcctColumnDef TIME_STAMP,Timestamp,integer
>>> 
>>>   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> 
>>>   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> 
>>>   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> 
>>>   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> 
>>>   AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> 
>>>   AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> 
>>>   AcctColumnDef acctterminatecause, Acct-Terminate-Cause
>>> 
>>>   AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> 
>>>   AcctColumnDef NASPORT,NAS-Port,integer
>>> 
>>>   AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>>> 
>>>   #AcctInsertQuery insert into %0 (%1) values (%2)
>>> 
>>>   AuthColumnDef 0,User-Password, check
>>> 
>>>   AuthColumnDef 1,Expiration, check
>>> 
>>>   AuthColumnDef 2,Simultaneous-Use, check
>>> 
>>>   Au

Re: [RADIATOR] Insert Accounting to BD Table.

2015-05-28 Thread Hugh Irvine
;EAPFAST_PAC_Reprovision 2592000
>> 
>>EAPTLS_MaxFragmentSize 2048
>> 
>>EAPTLS_PEAPVersion 1
>> 
>>EAPTLS_SessionResumption 1
>> 
>>EAPTLS_SessionResumptionLimit 43200
>> 
>>EAPTLS_VerifyDepth 1
>> 
>>FailureBackoffTime 600
>> 
>>Identifier HUW_POOL
>> 
>>  NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR,
>> "Could not connect to any SQL database. Request is ignored. Backing
>> off for $self->{FailureBackoffTime} seconds");}
>> 
>>NullPasswordMatchesAny 1
>> 
>>PasswordPrompt password
>> 
>>SIPDigestRealm DefaultSipRealm
>> 
>>Timeout 60
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> LOG:
>> 
>> 
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Handling request with Handler
>> 'Realm=/^(512|1024|2048)\.itc\.net\.sa$/'
>> 
>> Wed May 27 09:09:39 2015: DEBUG:  Deleting session for
>> testhua...@2048.itc.net.sa, 87.101.255.184, 33554442
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL:
>> HUW_POOL
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Handling with Radius::AuthSQL:
>> HUW_POOL
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Query is: 'select PASSWORD,
>> to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS,
>> EXPIRATION_D "Huawei-Domain-Name" , Session_Timeout "Session-Timeout"
>> from ITC_ACCOUNTS_H where
>> upper(USERNAME)=upper('testhua...@2048.itc.net.sa')':
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL looks for match with
>> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL ACCEPT: :
>> testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Session-Timeout="until ValidTo" was
>> specified, but there was no ValidTo or Expiration check item for this
>> user. Ignored.
>> 
>> Wed May 27 09:09:39 2015: DEBUG: AuthBy SQL result: ACCEPT,
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Access accepted for
>> testhua...@2048.itc.net.sa
>> 
>> 
>> 
>> Wed May 27 09:09:39 2015: ERR: There is no value named until
>> Expiration for attribute Session-Timeout. Using 0.
>> 
>> 
>> 
>> Wed May 27 09:09:39 2015: DEBUG: Packet dump:
>> 
>> *** Sending to 87.101.255.184 port 1812 
>> 
>> 
>> 
>> Mohammed Alhaj Ali
>> Integrated Telecom Co. Ltd.
>> Tel: +966(11) 406-  Ext.2384
>> Fax   : +966(11) 406-2221
>> GSM  :
>> m.al...@itc.sa
>> 
>> www.itc.sa
>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> --
> Sami Keski-Kasari 
> 




Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-24 Thread Hugh Irvine

Hi again -

You could also use an AuthBy MULTICAST clause instead of multiple AuthBy RADIUS 
clauses.

regards

Hugh


> On 25 Apr 2015, at 09:41, Hugh Irvine  wrote:
> 
> 
> Hi Jose -
> 
> Right - understood.
> 
> In this case I would probably use separate Radiator processes as 
> intermediates between your main server and the targets that require special 
> AVpair processing.
> 
> You would forward the original request unchanged and then deal with whatever 
> changes are required on the intermediate Radiator instances.
> 
> I tend to use this architecture quite often as it makes each individual piece 
> much simpler and cleaner.
> 
> Something like this:
> 
> …..
> 
> 
> 
>   Identifier  PGW_START
>   AccountingHandled
> 
>   
>   AuthByPolicy ContinueAlways
> 
>   
>   # Forward to intermediate instance
>   Hostlocalhost
>   AcctPort  11812
>   Secret  secret2
>   IgnoreAccountingResponse
>   
> 
>   
>   # Forward to intermediate instance
>   Hostlocalhost
>   AcctPort  11813
>   Secret  secret3
>   IgnoreAccountingResponse
>   
> 
>   
>   # Forward to intermediate instance
>   Hostlocalhost
>   AcctPort  11814
>   Secret  secret4
>   IgnoreAccountingResponse
>   
> 
>   
>   Host192.168.1.5
>   Secret  secret5
>   IgnoreAccountingResponse
>   
> 
>   
>   Host192.168.1.6
>   Secret  secret6
>   IgnoreAccountingResponse
>   
> 
> 
> 
>   MaxSessions 0
> 
> 
> 
> BTW - I agree with you that a RequestHook would be a useful addition in any 
> case.
> 
> regards
> 
> Hugh
> 
> 
>> On 25 Apr 2015, at 00:35, Jose Borges Ferreira  wrote:
>> 
>> Hi,
>> 
>> 
>> I have something similar to this:
>> 
>> 
>>   Identifier  PGW_START
>>   AccountingHandled
>> 
>>   
>>   AuthByPolicy ContinueUntilReject
>>   
>>   Host192.168.1.2
>>   Secret  secret2
>>   StripFromRequestAVP1__2,AVP2__2
>>   AllowInRequest  3GPP-IMSI,
>> Acct-Session-Id, NAS-Port-Type\
>>   Acct-Status-Type,
>> Called-Station-Id, Calling-Station-Id, Event-Timestamp,
>> Framed-IP-Address, User-Name
>>   
>>   
>>   Host192.168.1.3
>>   Secret  secret3
>> 
>>   RequestHook sub {\
>>   my $p   = ${$_[0]};\
>>   my $fp  = ${$_[1]};\
>>   my $imsi = $p->get_attr('3GPP-IMSI');\
>>   if ($imsi =~ /^1234/) { \
>> 
>> $fp->change_attr('3GPP-RAT-Type', 'UMTS');\
>> 
>>   }\
>>   }
>> 
>>   AllowInRequest  3GPP-IMSI,
>> 3GPP-PDP-Type, 3GPP-RAT-Type, 3GPP-User-Location-Info,
>> Acct-Session-Id,NAS-Port-Type \
>>   Acct-Status-Type,
>> Called-Station-Id, Calling-Station-Id, Event-Timestamp,
>> Framed-IP-Address, User-Name
>> 
>>   
>>   
>>   Host192.168.1.4
>>   Secret  secret3
>>   AllowInRequest  3GPP-RAT-Type,
>> 3GPP-User-Location-Info, Acct-Session-Id, NAS-Port-Type\
>>   Acct-Status-Type,
>> Called-Station-Id, Calling-Station-Id, Event-Timestamp,
>> Framed-IP-Address, User-Name
>>   
>> 
>>   
>>   

Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-24 Thread Hugh Irvine
er setups I found that changing AVPs on one clause will send the
> AVP changes to the following servers, which was not intended.
> 
> I achieved the intended behaviour by enclosing an AuthBy RADIUS in a
> GROUP between a couple of INTERNALs. The first one to change the AVP
> and a final one to restore from the original packet.
> 
> I found a RequestHook a very useful and cleaner approach. It is the
> counterpart of the Reply/NoReplyHook.
> I thought it could be useful for others and, eventually, included in
> the next versions.
> 
> Thanks anyway,
> 
> Best regards,
> 
> José Borges Ferreira
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On Wed, Apr 22, 2015 at 7:21 AM, Hugh Irvine  wrote:
>> 
>> Hello Jose -
>> 
>> One way to do this is with multiple Handler clauses and an AuthBy HANDLER 
>> clause in the first one.
>> 
>> See the example in “goodies/authhandler.cfg”.
>> 
>> See also section 5.76 AuthBy HANDLER in the manual (“doc/ref.pdf”).
>> 
>> You can have a different PreAuthHook in each target Handler clause, and the 
>> overall configuration will be much simpler.
>> 
>> I would also have separate configuration files for authentication and 
>> accounting (each listening only on the corresponding ports).
>> 
>> hope that helps
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> 
>>> On 22 Apr 2015, at 01:26, Jose Borges Ferreira  wrote:
>>> 
>>> Hi all,
>>> 
>>> I have a setup that forwards some accounting to several servers. I
>>> need to mangle some attributes before forwarding to the remote
>>> server. One requirement is to have different mangling per host.
>>> I couldn't find a way to hook some code into AuthBy RADIUS, so I
>>> implemented the attached patch.
>>> 
>>> So, my question is:
>>> 
>>> Is there a way to achieve what I want?
>>> 
>>> Does the patch make sense?
>>> 
>>> Thanks in advance,
>>> 
>>> José Borges Ferreira



Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-21 Thread Hugh Irvine

Hello Jose -

One way to do this is with multiple Handler clauses and an AuthBy HANDLER 
clause in the first one.

See the example in “goodies/authhandler.cfg”.

See also section 5.76 AuthBy HANDLER in the manual (“doc/ref.pdf”).

You can have a different PreAuthHook in each target Handler clause, and the 
overall configuration will be much simpler.

I would also have separate configuration files for authentication and 
accounting (each listening only on the corresponding ports).

hope that helps

regards

Hugh



> On 22 Apr 2015, at 01:26, Jose Borges Ferreira  wrote:
> 
> Hi all,
> 
> I have a setup that forwards some accounting to several servers. I
> need to mangle some attributes before forwarding to the remote
> server. One requirement is to have different mangling per host.
> I couldn't find a way to hook some code into AuthBy RADIUS, so I
> implemented the attached patch.
> 
> So, my question is:
> 
> Is there a way to achieve what I want?
> 
> Does the patch make sense?
> 
> Thanks in advance,
> 
> José Borges Ferreira


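
A model of the per-destination mangling that Hugh's layout puts in each target Handler's PreAuthHook, as an added example that is not from the thread and not Radiator code. Radiator hooks are Perl and work on request objects; this is plain Python over a list of (attribute, value) pairs so the policy itself can be read and tested on its own. The two destination hosts, their policies and the sample Accounting-Request are constructed. The practitioner's concern it encodes: when accounting is forwarded to a third party, strip what the remote side has no need for (Calling-Station-Id, Framed-IP-Address, Class and similar), rewrite what must be rewritten, and fail closed for a destination that has no policy at all.

```python
"""Per-destination attribute mangling before an Accounting-Request is proxied.

Added example, not from the thread and not Radiator code. It models, in plain
Python over (attribute, value) pairs, the policy that Hugh's layout would put
in the Perl PreAuthHook of each target Handler. Host names, policies and the
sample request are constructed.
"""
from typing import Dict, List, Tuple

Attrs = List[Tuple[str, str]]

# Attributes that identify the subscriber or their device; forward them only
# to a destination that has a stated need for them.
PRIVATE_ATTRS = {"Calling-Station-Id", "Framed-IP-Address", "Framed-IPv6-Prefix",
                 "Class", "Chargeable-User-Identity"}


def strip_realm(value: str) -> str:
    """user@realm -> user, for a partner that bills per account, not per realm."""
    return value.split("@", 1)[0]


# One policy per destination (hypothetical hosts): attributes to drop,
# per-attribute rewrites, and attributes to append on the way out.
POLICIES: Dict[str, dict] = {
    "acct-partner.example.net": {
        "drop": PRIVATE_ATTRS,
        "rewrite": {"User-Name": strip_realm},
        "add": [("NAS-Identifier", "radiator-proxy-1")],
    },
    "acct-internal.example.net": {
        "drop": set(),            # the in-house collector gets the full record
        "rewrite": {},
        "add": [],
    },
}

# Fail closed: a destination with no policy gets the restrictive treatment.
DEFAULT_POLICY = {"drop": PRIVATE_ATTRS, "rewrite": {}, "add": []}


def mangle_for_host(attrs: Attrs, host: str) -> Attrs:
    """Return the attribute list to forward to `host`, preserving attribute
    order and multi-valued attributes (every Class instance is handled)."""
    policy = POLICIES.get(host, DEFAULT_POLICY)
    out: Attrs = []
    for name, value in attrs:
        if name in policy["drop"]:
            continue
        rewrite = policy["rewrite"].get(name)
        out.append((name, rewrite(value) if rewrite else value))
    out.extend(policy["add"])
    return out


# Constructed Accounting-Request as the hook would see it.
SAMPLE_REQUEST: Attrs = [
    ("User-Name", "alice@example.org"),
    ("Acct-Status-Type", "Stop"),
    ("Acct-Session-Id", "8d2f1c00"),
    ("Calling-Station-Id", "c8:2a:14:50:13:22"),
    ("Framed-IP-Address", "10.20.30.40"),
    ("Class", "0x1234"),
    ("Class", "0x5678"),
    ("Acct-Input-Octets", "12345"),
]

if __name__ == "__main__":
    for host in list(POLICIES) + ["unknown.example.net"]:
        print(host)
        for name, value in mangle_for_host(SAMPLE_REQUEST, host):
            print(f"    {name} = {value}")
```

In Radiator the same decisions would be made with the request object's attribute accessors inside the PreAuthHook of the Handler that owns the AuthBy RADIUS for that host, which is why one Handler per destination, as Hugh suggests, keeps each policy small and separately reviewable.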

Re: [RADIATOR] Processing delay in Diameter

2015-03-27 Thread Hugh Irvine

Hello Arthur -

The best way to see what is happening is to run Radiator at trace 4 with 
LogMicroseconds enabled.

This will show you exactly how long each processing step is taking and how long 
Radiator is waiting for external resources.

As Heikki says, this sort of problem is almost always due to slow responses 
from SQL and/or LDAP databases (or sometimes slow DNS lookups).

regards

Hugh


> On 27 Mar 2015, at 19:56, Heikki Vatiainen  wrote:
> 
> On 26.3.2015 14.45, Kaspar Jasper wrote:
> 
>> My Diameter peer sometimes complains about Diameter timeouts (the timeout is 5
>> seconds). Debugging leads me to the interesting detail that Diameter
>> messages are sometimes processed with delays in Radiator.
>> 
>> For instance, a Wireshark capture on the Radiator server:
>> No.     Time                Source         Destination    Protocol  Length  Info
>> 231521  09:00:58.997242000  xxx.xxx.xx.xx  xxx.xxx.xx.xx  DIAMETER  1622
>> cmd=Accounting Request(271) flags=RP-- appl=Diameter Base Accounting(3)
>> h2h=253e8654 e2e=253e8654
>> 
>> But in the Radiator this request appears 5.2 second later:
>> Thu Mar 26 09:01:04 2015 029052: DEBUG: StateMachine::event event
> 
> Most likely you see this request as delayed because there is already a 
> queue in the OS receive buffer. That is, the previous messages have 
> taken longer than usual.
> 
> I would take a look at the request processing flow and consider what 
> external lookups radiusd is doing. For example, DNS lookups, SQL DB 
> queries and so on. Some functions in Radius/Util.pm may do DNS lookups. 
> This can happen if they are given a name instead of IP address.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
> NetWare etc.


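
To put numbers on Hugh's and Heikki's advice, here is an added example (not from the thread and not Radiator code) that reads a trace 4 log written with LogMicroseconds and reports the gaps between consecutive timestamped lines. Each gap is the time that step took, including any wait on SQL, LDAP or DNS, so the slow external call shows up as a large gap right after the line that announced it. The lines in SAMPLE_LOG are constructed around the 5.2-second gap Kaspar saw; the message texts are illustrative, not a real Radiator transcript.

```python
"""Find slow processing steps in a Radiator trace 4 log written with LogMicroseconds.

Added example, not from the thread and not part of Radiator. With
LogMicroseconds each log line starts with the ctime timestamp followed by a
six-digit microsecond count, e.g. "Thu Mar 26 09:01:04 2015 029052: DEBUG: ...".
The gap between consecutive timestamped lines is how long that step took.
SAMPLE_LOG is constructed for illustration.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<usec>\d{6}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp with microseconds, message), or None for continuation
    lines such as indented packet dumps, which carry no timestamp of their own."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts.replace(microsecond=int(m.group("usec"))), m.group("msg")


def slow_steps(log: str, threshold: float = 1.0) -> List[Tuple[float, str, str]]:
    """Return (seconds, message_before, message_after) for every pair of
    consecutive timestamped lines that are more than `threshold` seconds apart."""
    stamped = [p for p in (parse_line(l) for l in log.splitlines()) if p]
    found = []
    for (t0, m0), (t1, m1) in zip(stamped, stamped[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > threshold:
            found.append((gap, m0, m1))
    return found


# Constructed log: the request arrives at 09:00:58.997242 and the SQL query
# issued at 09:00:58.998300 does not return until 09:01:04.029052.
SAMPLE_LOG = """\
Thu Mar 26 09:00:58 2015 997242: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 3868 ....
Thu Mar 26 09:00:58 2015 998100: DEBUG: Handling with Radius::AuthSQL
Thu Mar 26 09:00:58 2015 998300: DEBUG: Query is: select ... from SUBSCRIBERS where ...
Thu Mar 26 09:01:04 2015 029052: DEBUG: StateMachine::event event
Thu Mar 26 09:01:04 2015 029900: DEBUG: Packet dump:
*** Sending to 192.0.2.10 port 3868 ....
"""

if __name__ == "__main__":
    for gap, before, after in slow_steps(SAMPLE_LOG):
        print(f"{gap:.6f}s between {before!r} and {after!r}")
```

Run it on a real log with `slow_steps(open(path).read(), threshold=0.5)`. Because Radiator is single-threaded, a gap attributed to one request is also the queueing delay every request behind it experiences, which is exactly why the peer sees its 5-second timeout expire on a message that arrived on time.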


Re: [RADIATOR] ODBC Connection Error

2015-03-15 Thread Hugh Irvine

Hello -

I am guessing there is something in your terminal session environment that is 
not available to your script.

regards

Hugh


> On 15 Mar 2015, at 19:38, Mohammed Alhaj Ali  wrote:
> 
> Hi Hugh,
> 
> 
> Issue fixed!!
> Actually I ran the command below and there was no error. Before that, when I 
> used the Radiator startup script, I got the error, but when I run radiusd 
> directly it works fine. I don't know what the problem is with the startup 
> command in the startup script?!
> 
> I added option -I to the startup script:
> 
> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-I -pid_file $RADIUSD_PIDFILE 
> -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS".
> 
> Any idea?!
> 
> 
> Thank you,
> Regards,
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au] 
> Sent: Friday, March 13, 2015 1:27 AM
> To: Mohammed Alhaj Ali
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] ODBC Connection Error
> 
> 
> Hello again -
> 
> If you run “radiusd” from the command line you will see any Perl error 
> messages:
> 
>   cd /your/Radiator/distribution/directory
> 
>   perl radiusd -foreground -log_stdout -trace 4 -config_file …..
> 
> regards
> 
> Hugh
> 
> 
>> On 12 Mar 2015, at 20:18, Mohammed Alhaj Ali  wrote:
>> 
>> Hi Hugh, but this lib file actually is there, and when I try to connect with 
>> another DBD, i.e. Oracle, it also fails. How can I check if there is anything 
>> wrong with Perl and the Perl modules?
>> 
>> Thank you!
>> 
>> 
>> 
>> -Original Message-
>> From: Hugh Irvine [mailto:h...@open.com.au]
>> Sent: Thursday, March 12, 2015 11:17 AM
>> To: Mohammed Alhaj Ali
>> Cc: radiator@open.com.au
>> Subject: Re: [RADIATOR] ODBC Connection Error
>> 
>> 
>> Hello -
>> 
>> As the error message says, this shared library is not found:  
>> '/usr/lib/libsqora.so.11.1’ 
>> 
>> A quick Google search on "Can't open lib '/usr/lib/libsqora.so.11.1’” brings 
>> up lots of useful hits.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> On 12 Mar 2015, at 18:46, Mohammed Alhaj Ali  wrote:
>>> 
>>> Hi
>>> Need help; I'm getting this error in the log when trying to connect to a remote DB:
>>> 
>>> ERR: Could not connect to SQL database with DBI->connect 
>>> dbi:ODBC:DSLDB, zoouser, zoopass2009: [unixODBC][Driver Manager]Can't 
>>> open lib '/usr/lib/libsqora.so.11.1' : file not found (SQL-01000
>>> 
>>> However, the ODBC connection itself seems to be fine, please check below:
>>> 
>>> 
>>> [root@radiator03 ~]# isql -v DSLDB
>>> +---------------------------------------+
>>> | Connected!                            |
>>> |                                       |
>>> | sql-statement                         |
>>> | help [tablename]                      |
>>> | quit                                  |
>>> |                                       |
>>> +---------------------------------------+
>>> SQL>
>>> 
>>> 
>>> Looking forward to your help.
>>> 
>>> Thank you!
>>> Regards.
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 
> 



Re: [RADIATOR] ODBC Connection Error

2015-03-12 Thread Hugh Irvine

Hello again -

If you run “radiusd” from the command line you will see any Perl error messages:

cd /your/Radiator/distribution/directory

perl radiusd -foreground -log_stdout -trace 4 -config_file …..

regards

Hugh


> On 12 Mar 2015, at 20:18, Mohammed Alhaj Ali  wrote:
> 
> Hi Hugh, but this lib file actually is there, and when I try to connect with 
> another DBD, i.e. Oracle, it also fails. How can I check if there is anything 
> wrong with Perl and the Perl modules?
> 
> Thank you!
> 
> 
> 
> -----Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au] 
> Sent: Thursday, March 12, 2015 11:17 AM
> To: Mohammed Alhaj Ali
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] ODBC Connection Error
> 
> 
> Hello -
> 
> As the error message says, this shared library is not found:  
> '/usr/lib/libsqora.so.11.1’ 
> 
> A quick Google search on "Can't open lib '/usr/lib/libsqora.so.11.1’” brings 
> up lots of useful hits.
> 
> regards
> 
> Hugh
> 
> 
>> On 12 Mar 2015, at 18:46, Mohammed Alhaj Ali  wrote:
>> 
>> Hi
>> Need help; I'm getting this error in the log when trying to connect to a remote DB:
>> 
>> ERR: Could not connect to SQL database with DBI->connect 
>> dbi:ODBC:DSLDB, zoouser, zoopass2009: [unixODBC][Driver Manager]Can't 
>> open lib '/usr/lib/libsqora.so.11.1' : file not found (SQL-01000
>> 
>> However, the ODBC connection itself seems to be fine, please check below:
>> 
>> 
>> [root@radiator03 ~]# isql -v DSLDB
>> +---------------------------------------+
>> | Connected!                            |
>> |                                       |
>> | sql-statement                         |
>> | help [tablename]                      |
>> | quit                                  |
>> |                                       |
>> +---------------------------------------+
>> SQL>
>> 
>> 
>> Looking forward to your help.
>> 
>> Thank you!
>> Regards.
>> 
>> 
>> 
>> 
> 
> 
> 



Re: [RADIATOR] ODBC Connection Error

2015-03-12 Thread Hugh Irvine

Hello -

As the error message says, this shared library is not found:  
'/usr/lib/libsqora.so.11.1’ 

A quick Google search on "Can't open lib '/usr/lib/libsqora.so.11.1’” brings up 
lots of useful hits.

regards

Hugh


> On 12 Mar 2015, at 18:46, Mohammed Alhaj Ali  wrote:
> 
> Hi
> Need help; I'm getting this error in the log when trying to connect to a remote DB:
> 
> ERR: Could not connect to SQL database with DBI->connect dbi:ODBC:DSLDB, 
> zoouser, zoopass2009: [unixODBC][Driver Manager]Can't open lib 
> '/usr/lib/libsqora.so.11.1' : file not found (SQL-01000
> 
> However, the ODBC connection itself seems to be fine, please check below:
> 
> 
> [root@radiator03 ~]# isql -v DSLDB
> +---------------------------------------+
> | Connected!                            |
> |                                       |
> | sql-statement                         |
> | help [tablename]                      |
> | quit                                  |
> |                                       |
> +---------------------------------------+
> SQL>
> 
> 
> Looking forward to your help.
> 
> Thank you!
> Regards.
> 
> 
> 
> 


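
An added example for the two things this thread turned on, not from the thread and not Radiator code: which library the unixODBC driver manager will dlopen for a DSN, and whether the process environment has what that library needs. It resolves a DSN the way the driver manager does (odbc.ini DSN, its Driver= name, then the Driver= path in odbcinst.ini) and reports required environment variables that are missing. The odbc.ini and odbcinst.ini contents, the host name and the list of variables the Oracle client needs (ORACLE_HOME, LD_LIBRARY_PATH) are constructed or assumed here; the driver path is the one from the error message.

```python
"""Resolve a unixODBC DSN to its driver library and check the daemon's environment.

Added example, not from the thread and not Radiator code. The ini contents are
constructed; the driver path is the one from the error in the thread. The
variables in ORACLE_ENV are an assumption about what the Oracle client
library needs when it is loaded.
"""
import configparser
import os
from typing import Callable, Dict, Iterable, List

# Constructed sample files (normally /etc/odbc.ini and /etc/odbcinst.ini).
ODBC_INI = """\
[DSLDB]
Driver      = Oracle
ServerName  = //dbhost.example.net:1521/DSL
"""

ODBCINST_INI = """\
[Oracle]
Description = Oracle ODBC driver
Driver      = /usr/lib/libsqora.so.11.1
"""

# Assumed: what an Oracle client library needs at load time.
ORACLE_ENV = ("ORACLE_HOME", "LD_LIBRARY_PATH")


def _parse(text: str) -> configparser.ConfigParser:
    # '=' only: a ':' inside a value (host:port) must not be taken as a delimiter
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def resolve_driver(odbc_ini: str, odbcinst_ini: str, dsn: str) -> str:
    """Return the library path the driver manager will dlopen for `dsn`.
    Driver= in odbc.ini may name an odbcinst.ini section or be a path itself."""
    dsns = _parse(odbc_ini)
    if not dsns.has_section(dsn):
        raise KeyError(f"DSN {dsn!r} is not defined in odbc.ini")
    driver = dsns.get(dsn, "Driver")
    if driver.startswith("/"):
        return driver
    drivers = _parse(odbcinst_ini)
    if not drivers.has_section(driver):
        raise KeyError(f"driver {driver!r} (DSN {dsn!r}) is not defined in odbcinst.ini")
    return drivers.get(driver, "Driver")


def missing_env(required: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Names from `required` that are unset or empty in `env`."""
    return [v for v in required if not env.get(v)]


def check_dsn(dsn: str, odbc_ini: str = ODBC_INI, odbcinst_ini: str = ODBCINST_INI,
              env: Dict[str, str] = None, required: Iterable[str] = ORACLE_ENV,
              exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Summarise why DBI->connect('dbi:ODBC:<dsn>') may fail before reaching the database."""
    env = dict(os.environ) if env is None else env
    lib = resolve_driver(odbc_ini, odbcinst_ini, dsn)
    return {
        "driver_lib": lib,
        "driver_lib_exists": exists(lib),
        "missing_env": missing_env(required, env),
    }


if __name__ == "__main__":
    # Pass the daemon's environment (see the note below) rather than this shell's.
    print(check_dsn("DSLDB"))
```

Run it with the real files from /etc (or wherever ODBCSYSINI points) and with the environment the daemon actually gets, not your login shell's: add `env > /tmp/radiusd.env` to the startup script for one run, or read /proc/<pid>/environ of the running radiusd, and pass that as `env`. A DSN that works from isql in a terminal but not from the init script almost always shows up here as a non-empty missing_env, which is the situation Hugh is describing.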

Re: [RADIATOR] Cisco 5508 passing mac for mac auth

2015-02-17 Thread Hugh Irvine

Hello Gabe -

I would probably use the third mode with MAC address for both username and 
password.

If you are doing simple authentication (ie. not EAP), a simple AuthBy FILE 
clause will suffice.

Something like this:


…..



Filename %D/macaddresses.txt
AddToReply …..



…..


macaddresses.txt would look something like this:

# macaddresses.txt
# file containing MAC addresses for both username and password

c8:2a:14:50:13:22  Password = c8:2a:14:50:13:22

c8:2a:14:50:13:33  Password = c8:2a:14:50:13:33

c8:2a:14:50:13:44  Password = c8:2a:14:50:13:44

…..


If you have further questions please include a trace 4 debug showing what is 
happening.

regards

Hugh


> On 18 Feb 2015, at 12:34, Gabe Carmichael  wrote:
> 
> All,
> When using a Cisco Wireless controller I have mac delimiters and 3 modes of 
> operation:
> 
> - Other - (In the Radius Access Request with Mac Authentication Password is 
> NOT sent.)
> 
> - Free Radius - (In the Radius Access Request with Mac Authentication 
> Password is controller's shared secret with radius server.)
> 
>  - Cisco ACS - (In the Radius Access Request with Mac Authentication password 
> is client's MAC address.)
> 
> My question is: I am trying to get Radiator to authenticate by MAC addresses in a 
> flat file. Which mode do I need to use, and how would I need to modify my config 
> file? Attached is a copy of my config. 
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 


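
An added example, not Hugh's and not Radiator's, that generates the users file from a device inventory. In the "Cisco ACS" mode Hugh recommends, the controller sends the client MAC as both User-Name and User-Password in whatever MAC delimiter style the controller is configured for, so the file must use exactly that notation or nothing matches. The inventory and the reply attributes are constructed; the style names are my reading of the controller's MAC Delimiter options (colon, hyphen, single-hyphen, none) and should be checked against your controller. Keep in mind what this authenticates: a MAC address is observable on the air and trivially spoofed, so a MAC-only accept identifies a device class, not a user. The reply items here drop such clients into a restricted VLAN for that reason, and the Handler that uses this file should be limited to the controller's Client clause.

```python
"""Generate a Radiator users file for MAC authentication from a WLC.

Added example, not from Hugh's reply and not part of Radiator. DEVICES and
RESTRICTED_VLAN are constructed; the delimiter style names are an assumption
about the controller's MAC Delimiter setting.
"""
import re
from typing import Dict, Iterable

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits. Accepts aa:bb:cc:dd:ee:ff,
    aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff (Cisco dotted), aabbcc-ddeeff and bare hex."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(digits: str, style: str = "colon") -> str:
    """Render 12 hex digits in the controller's delimiter style."""
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "hyphen":
        return "-".join(pairs)
    if style == "single-hyphen":
        return f"{digits[:6]}-{digits[6:]}"
    if style == "none":
        return digits
    raise ValueError(f"unknown delimiter style {style!r}")


def build_users_file(macs: Iterable[str], style: str = "colon",
                     reply: Dict[str, str] = None) -> str:
    """Emit users-file entries "<mac>\\tPassword = <mac>", each followed by
    indented, comma-separated reply items (the last one without a comma).
    Duplicates in the inventory collapse to one entry."""
    reply = reply or {}
    entries = sorted({normalize_mac(m) for m in macs})
    lines = ["# generated MAC list: User-Name and Password are both the MAC", ""]
    for digits in entries:
        mac = format_mac(digits, style)
        lines.append(f"{mac}\tPassword = {mac}")
        items = [f"\t{k} = {v}" for k, v in reply.items()]
        lines.extend(f"{item}," for item in items[:-1])
        lines.extend(items[-1:])
        lines.append("")
    return "\n".join(lines)


# Constructed inventory, deliberately in mixed notations, with one duplicate.
DEVICES = ["C8:2A:14:50:13:22", "c8-2a-14-50-13-33", "c82a.1450.1344", "c8:2a:14:50:13:22"]

# Constructed reply items: put MAC-only clients in a restricted VLAN.
RESTRICTED_VLAN = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                   "Tunnel-Private-Group-ID": "99"}

if __name__ == "__main__":
    print(build_users_file(DEVICES, "colon", RESTRICTED_VLAN))
```

Write the output to the path named by the Filename parameter of the AuthBy FILE clause; when the controller's delimiter setting changes, regenerate with the matching style instead of editing entries by hand.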

Re: [RADIATOR] COA log

2015-02-04 Thread Hugh Irvine
VALUE   OSC-TACACS-Authen-Method   None         1
VALUE   OSC-TACACS-Authen-Method   KRB5         2
VALUE   OSC-TACACS-Authen-Method   Line         3
VALUE   OSC-TACACS-Authen-Method   Enable       4
VALUE   OSC-TACACS-Authen-Method   Local        5
VALUE   OSC-TACACS-Authen-Method   TACACSPLUS   6
VALUE   OSC-TACACS-Authen-Method   Guest        8
VALUE   OSC-TACACS-Authen-Method   RADIUS       16
VALUE   OSC-TACACS-Authen-Method   KRB4         17
VALUE   OSC-TACACS-Authen-Method   RCMD         32

…..

Of course you can use OSC-AVPAIR for anything at all, and you can use the 
others as you see fit.

regards

Hugh


> On 5 Feb 2015, at 10:20, Michael  wrote:
> 
> 
> 
> I personally log COA/POD requests using a very custom method.  This may 
> not be desirable for others.  I do this by, after processing the COA/POD 
> normally, passing it to an AuthBy config that essentially changes it to an 
> Accounting-Request packet, populates a few extra values, then passes it 
> to my normal accounting log AuthBy.  This also requires adding custom 
> values to the dictionary file.
> 
> 
> 
>  Identifier convert2accounting
> 
> 
> OtherHook sub {\
>   # some fancy code here.
> }
> 
> 
> # now that this packet has been converted to an accounting 
> # packet, it is ready to be logged.  pass it to the accounting log AuthBy
> AuthBy accounting_log
> 
> 
> 
> an example result is something like this:
> 
> +----------+---------------------+--------+-----------+--------------+
> | username | timestamp           | type   | sess_time | term_cause   |
> +----------+---------------------+--------+-----------+--------------+
> | username | 2015-01-05 15:04:09 | login  |      NULL | NULL         |
> | username | 2015-01-05 16:46:03 | info   |      NULL | rate-change  |
> | username | 2015-01-05 16:47:02 | info   |      NULL | kick-request |
> | username | 2015-01-05 16:47:02 | logout |      6173 | Admin-Reset  |
> +----------+---------------------+--------+-----------+--------------+
> 
> 
> 
> 
> 
> On 04/02/15 05:57 PM, Hugh Irvine wrote:
>> Hello -
>> 
>> As COA is not an authentication, it therefore follows that it will not be 
>> logged by an AuthLog clause.
>> 
>> To see what happens with a COA you will need to look at the log file (not 
>> the authlog file).
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) 
>>>  wrote:
>>> 
>>> Dear all,
>>> 
>>> 
>>> 
>>> I have the following problem:
>>> 
>>> 
>>> 
>>> I can log authentication with the configuration below; it works 
>>> correctly.
>>> 
>>> But if I use the event_log identifier to log a COA (and not a normal 
>>> Access-Request with Accept or Reject), nothing happens.
>>> 
>>> 
>>> 
>>> Can you tell me how to log a COA with the answer (ACK or NACK)?
>>> 
>>> 
>>> 
>>> Thanks in advance,
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> >> 
>>> AuthBy  toto
>>> 
>>> AuthLog event_log
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Identifier  event_log
>>> 
>>> Filename%L/event_auth.log
>>> 
>>> SuccessFormat   %v %d 
>>> %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
>>> 
>>> FailureFormat   %v %d 
>>> %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
>>> 
>>> LogSuccess  1
>>> 
>>>LogFailure  1
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 

Re: [RADIATOR] COA log

2015-02-04 Thread Hugh Irvine

Hello -

As COA is not an authentication, it therefore follows that it will not be 
logged by an AuthLog clause.

To see what happens with a COA you will need to look at the log file (not the 
authlog file).

regards

Hugh


> On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) 
>  wrote:
> 
> Dear all,
> 
>  
> 
> I have the following problem:
> 
>  
> 
> I can log authentication with the configuration below; it works 
> correctly.
> 
> But if I use the event_log identifier to log a COA (and not a normal 
> Access-Request with Accept or Reject), nothing happens.
> 
>  
> 
> Can you tell me how to log a COA with the answer (ACK or NACK)?
> 
>  
> 
> Thanks in advance,
> 
>  
> 
>  
> 
>  
> 
>  
> AuthBy  toto
> 
> AuthLog event_log
> 
> 
> 
>  
> 
> 
> 
> Identifier  event_log
> 
> Filename%L/event_auth.log
> 
> SuccessFormat   %v %d 
> %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
> 
> FailureFormat   %v %d 
> %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
> 
> LogSuccess  1
> 
>LogFailure  1
> 
> 
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
> 




Re: [RADIATOR] Account log to MySQL

2015-02-03 Thread Hugh Irvine

Hello Chad -

From what you show below, you have two “” lines - if this is not a 
typo it will certainly confuse the configuration file parser.

The best way to debug is to set the Trace level to 4 (DEBUG) so you can see 
exactly what is happening.

You set the Trace level in the configuration file:


…..

Trace 4

…..


regards

Hugh


> On 4 Feb 2015, at 08:39, Chad Roseburg  wrote:
> 
> Goal:
> Capture successful logins as well as failures for stats purposes.
> 
> I am setting up logging to a local MySQL instance. Here's what I've done:
> 
> * Following instructions in the 'mysqlcreate.sql' file, I created the radius 
> table and user(s). 
> * Created the Mysql tables using the provided 'mysqlCreate.sql' in goodies.
> * Added the following stanza to my Handler just below the SIP Authby stanza:
> 
> -- conf -
> 
> 
>
> Port   6001
> Host  siphost.com
>  
> Delimiter |
>  
> LoginUserID sipuser
> LoginPassword supersecret
> LocationCode Radiator
>  
>  SendChecksum no
>  VerifyChecksum no
>  
> NoDefault
> EAPType GTC
> 
> 
> DBSource        dbi:mysql:radius:localhost
> DBUsername      radius
> DBAuth          secrets
> LogSuccess
> # three columns, three values: the original listed REASON but supplied no value for it
> SuccessQuery    insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
> LogFailure
> FailureQuery    insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> 
> 
> -- /conf ---
> 
> I'm not seeing anything with:
> SELECT * FROM RADAUTHLOG;
> 
> Is it just a quiet day or am I missing something?
> 
> Last question is: does USERNAME refer to the client?
> 
> Thank you!
> 
> -- 
> Chad Roseburg
> Automation Dept.
> North Central Regional Library



Re: [RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!

2015-01-29 Thread Hugh Irvine

Hi -

In that case I would use a separate AuthBy FILE something like this:

…..


Identifier prefixforciscoavpair
   Filename %D/PrefixForCiscoAVPair



   
  AuthByPolicy ContinueWhileAccept
  
 AuthByPolicy ContinueWhileReject
 AuthBy dpool
 AuthBy flat
 PostAuthHook file:"%D/FixedIP"
 PacketTrace
  
  AuthBy prefixforciscoavpair
   


…..


The contents of the file PrefixForCiscoAVPair would look something like this:


# PrefixForCiscoAVPair
# Add reply attributes only for certain usernames

# reply items follow the entry line directly; AddToReply is a configuration
# file parameter, not a users file keyword
DEFAULT User-Name = /^pizza/
        cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream,
        cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream,
        cisco-avpair = "lcp:interface-config=description ***> PizzaHut <***",
        cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut",
        cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99"

DEFAULT Auth-Type = Accept


hope that helps

regards

Hugh




> On 29 Jan 2015, at 23:42, Mohammed Alhaj Ali  wrote:
> 
> Hi Hugh,
> 
> Thank you for your reply,
> 
> Please note that this user shares one realm with other subscribers, and 
> other realms may also have user names starting the same way. What I need to do 
> is to configure this parameter under the corresponding realm. Kindly check the 
> realm configuration below and tell me how we can add additional attributes for 
> some subscribers whose accounts start with specific characters.
> 
> 
> I need to include this configuration under the below handler:
> 
> 
>AuthByPolicy ContinueWhileReject
>AuthBy dpool
>AuthBy flat
>PostAuthHook file:"%D/FixedIP"
>PacketTrace
> 
> 
> 
> Suppose that the user name is 'pizzahu...@1024.itc.net.sa', which shares the same 
> realm; whenever you find 'pizza*' in the user name, just add the additional 
> attributes to the reply.
> 
> AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream, 
> cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream, cisco-avpair = 
> "lcp:interface-config=description ***> PizzaHut <***", cisco-avpair = 
> "lcp:interface-config=ip vrf forwarding PizzaHut", cisco-avpair = 
> "lcp:interface-config=ip unnumbered loopback 99"
> 
> 
> 
> Thank you!
> 
> 
> Regards,
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Thursday, January 29, 2015 1:25 AM
> To: Mohammed Alhaj Ali
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] Additional radius attributes for particular users on 
> shared realm :: how to?!!
> 
> 
> Hello -
> 
> The answer to this depends on what else you are doing in your configuration 
> file.
> 
> The simplest way to do it is with Handlers (not Realms) like this:
> 
> 
> …….
> 
> 
>
>…..
>        AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream, \
>                   cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream, \
>                   cisco-avpair = "lcp:interface-config=description ***> XYZ <***", \
>                   cisco-avpair = "lcp:interface-config=ip vrf forwarding xyz", \
>                   cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99", \
>                   Framed-MTU = 1492, \
>                   Framed-Protocol = PPP, \
>                   Service-Type = Framed-User
>
> 
> 
> 
>
>…..
>
> 
> 
> …..
> 
> 
> There are many other possibilities depending on your exact requirements.
> 
> regards
> 
> Hugh
> 
> 
>> On 29 Jan 2015, at 00:32, Mohammed Alhaj Ali  wrote:
>> 
>> Hi,
>> 
>> I'm asking how to use AddToReply to add additional RADIUS attributes
>> for particular users on a shared realm. For example, if I have a user name starting 
>> with 'xyz', then reply with the additional RADIUS attributes to the requesting NAS. We 
>> already have this configuration on Cisco AAA (CAR), and now we are trying to migrate 
>> to Radiator. The script below was applied on CAR; please let me know how to 
>> translate this to a Radiator configuration file.
>> 
>> 
>> (tcl script)...
>> if { [ string match "xyz*" $userName ] } {
>>$response addProfile "PPPoEProfile-XYZ-$realm"
>> 
>> } else {
>>$response addProfile &quo
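
An added example, not from the thread and not Radiator code: a small evaluator for the users-file format in Hugh's reply (an entry line carrying comma-separated check items, followed by indented, comma-terminated reply items) with the lookup rule AuthBy FILE applies, namely the entry named for the user, otherwise the DEFAULT entries in file order, first one whose check items all pass. It assumes the User-Name still carries its realm when AuthBy FILE sees it, which depends on the Handler; the usernames are constructed and the realm is the one in the thread. The point it shows: /^pizza/ is a prefix test, so any account whose name happens to start with "pizza" collects the PizzaHut VRF and QoS attributes. In Hugh's layout the first AuthBy group must already have accepted the credentials (ContinueWhileAccept), so this decides which authenticated accounts get the attributes; an anchored regex built from the real account names, as in ALLOWLIST_FILE, keeps that to the intended ones.

```python
"""Evaluate Radiator users-file entries against a request.

Added example, not from the thread and not part of Radiator. HUGH_FILE is a
cut-down copy of the file in Hugh's reply; the usernames are constructed and
the realm is the one quoted in the thread. Assumes User-Name reaches AuthBy
FILE with the realm still attached.
"""
import re
from typing import Dict, List, Optional, Tuple

Items = List[Tuple[str, str]]
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|/[^/]*/|[^,]+)')


def parse_items(text: str) -> Items:
    """Split 'a = 1, b = "x y", c = /re/' into (attribute, value) pairs."""
    return [(k, v.strip().strip('"')) for k, v in ITEM_RE.findall(text)]


def parse_users_file(text: str) -> List[Tuple[str, Items, Items]]:
    """Return [(name, check_items, reply_items)] in file order. A line that
    starts with whitespace continues the previous entry's reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line.rstrip().rstrip(",")))
        else:
            parts = line.split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            entries.append((name, parse_items(rest), []))
    return entries


def check_passes(value: str, wanted: str) -> bool:
    """A check item written /.../ is a regex; anything else is an exact match."""
    if wanted.startswith("/") and wanted.endswith("/") and len(wanted) >= 2:
        return re.search(wanted[1:-1], value) is not None
    return value == wanted


def lookup(users_file: str, request: Dict[str, str]) -> Optional[Items]:
    """Reply items of the first matching entry, or None when no entry matches.
    Auth-Type = Accept is a directive to the server, not a request attribute,
    so it is not compared against the request."""
    user = request.get("User-Name", "")
    for name, checks, reply in parse_users_file(users_file):
        if name not in (user, "DEFAULT"):
            continue
        if all(check_passes(request.get(attr, ""), want)
               for attr, want in checks if attr != "Auth-Type"):
            return reply
    return None


HUGH_FILE = """\
# PrefixForCiscoAVPair (cut down)
DEFAULT User-Name = /^pizza/
        cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream,
        cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream,
        cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut"

DEFAULT Auth-Type = Accept
"""

# Same file with the prefix test replaced by an anchored allow-list of the
# (constructed) account names that should receive the PizzaHut attributes.
ALLOWLIST_FILE = HUGH_FILE.replace(
    "/^pizza/", r"/^(pizzahut1|pizzahut2)@1024\.itc\.net\.sa$/")

if __name__ == "__main__":
    for user in ("pizzahut1@1024.itc.net.sa", "pizzaattacker@1024.itc.net.sa"):
        print(user, "prefix:", lookup(HUGH_FILE, {"User-Name": user}))
        print(user, "allow-list:", lookup(ALLOWLIST_FILE, {"User-Name": user}))
```

Since the reply attributes select a VRF, which accounts match the check item is an authorisation decision, and it should be as tight as the naming scheme allows.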

Re: [RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!

2015-01-28 Thread Hugh Irvine

Hello -

The answer to this depends on what else you are doing in your configuration 
file.

The simplest way to do it is with Handlers (not Realms) like this:


…….



…..
        AddToReply cisco-avpair = ip:sub-qos-policy-in=ISP_1024_UpStream, \
                   cisco-avpair = ip:sub-qos-policy-out=ISP_1024_DownStream, \
                   cisco-avpair = "lcp:interface-config=description ***> XYZ <***", \
                   cisco-avpair = "lcp:interface-config=ip vrf forwarding xyz", \
                   cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99", \
                   Framed-MTU = 1492, \
                   Framed-Protocol = PPP, \
                   Service-Type = Framed-User





…..



…..


There are many other possibilities depending on your exact requirements.

regards

Hugh


> On 29 Jan 2015, at 00:32, Mohammed Alhaj Ali  wrote:
> 
> Hi,
> 
> I'm asking how to use AddToReply to add additional RADIUS attributes for 
> particular users on a shared realm. For example, if I have a user name starting with 
> 'xyz', then reply with the additional RADIUS attributes to the requesting NAS.
> We already have this configuration on Cisco AAA (CAR), and now we are trying to 
> migrate to Radiator. The script below was applied on CAR; please let me know how 
> to translate this to a Radiator configuration file.
> 
> 
> (tcl script)...
> if { [ string match "xyz*" $userName ] } {
> $response addProfile "PPPoEProfile-XYZ-$realm"
> 
> } else {
> $response addProfile "PPPoEProfile-$realm"
> }
> 
> 
> Attribute profile for any user start with 'xyz'
> 
> --> ls
> 
> [ //localhost/Radius/Profiles/PPPoEProfile-XYZ-1024.example.com/Attributes ]
>Cisco-AVPair = ip:sub-qos-policy-in=ISP_1024_UpStream
>Cisco-AVPair = ip:sub-qos-policy-out=ISP_1024_DownStream
>Cisco-AVPair = "lcp:interface-config=description ***> XYZ <***"
>Cisco-AVPair = "lcp:interface-config=ip vrf forwarding xyz"
>Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 99"
>Framed-MTU = 1492
>    Framed-Protocol = PPP
>Service-Type = Framed
> 
> 
> 
> 



Re: [RADIATOR] Simple update of Radiator

2015-01-22 Thread Hugh Irvine

Hi again -

Of course you must make sure you have backups of your configuration files and 
so on before changing anything.

I personally prefer to keep all of my Radiator source distributions in 
individual directories so I can easily change between them.

This also makes it very simple to go back to the previous version if there is a 
problem with the newer version.

You should also test fully on a test machine before running new versions in 
production.

regards

Hugh


> On 23 Jan 2015, at 14:55, Hugh Irvine  wrote:
> 
> 
> Hello Bernhard -
> 
> You just need to install the new version Radiator-4.14 over the top of your 
> existing installation.
> 
> regards
> 
> Hugh
> 
> 
>> On 23 Jan 2015, at 01:14, it.netzwerk_firew...@bawagpsk.com wrote:
>> 
>> Hi everyone, 
>> sorry for the basic question, but I can't find a manual for upgrading an 
>> existing installation of Radiator (just the normal installation). 
>> Can you tell me the easiest way to do that, please? My current installation 
>> is 4.12.1 on Windows in directory e:\Radiator with Perl 5.16.3 
>> 
>> Locally applied patches: 
>>   ActivePerl Build 1603 [296746] 
>> Built under MSWin32 
>> Compiled at Mar 13 2013 11:29:21 
>> @INC: 
>>   E:/software32p/perl/site/lib 
>>   E:/software32p/perl/lib 
>>   . 
>> Regards, 
>> Bernhard
>> 
>> 
>> 
>> 
>> 
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc. 
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator




Re: [RADIATOR] Simple update of Radiator

2015-01-22 Thread Hugh Irvine

Hello Bernhard -

You just need to install the new version Radiator-4.14 over the top of your 
existing installation.

regards

Hugh


> On 23 Jan 2015, at 01:14, it.netzwerk_firew...@bawagpsk.com wrote:
> 
> Hi everyone, 
> sorry for the basic question, but I can't find a manual for upgrading an 
> existing installation of Radiator (just the normal installation). 
> Can you tell me the easiest way to do that, please? My current installation is 
> a 4.12.1 on Windows in directory e:\Radiator with Perl 5.16.3 
> 
>  Locally applied patches: 
>ActivePerl Build 1603 [296746] 
>  Built under MSWin32 
>  Compiled at Mar 13 2013 11:29:21 
>  @INC: 
>E:/software32p/perl/site/lib 
>E:/software32p/perl/lib 
>. 
> Regards, 
> Bernhard
> 
> 
> 
> 
> 




Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread Hugh Irvine

Hello Sergio -

Yes - have a look at the current packages in the “Radius/Nas/…” directory of 
the Radiator-4.14 distribution.

regards

Hugh


> On 23 Jan 2015, at 13:41, sergio  wrote:
> 
> hello
> 
> Is it possible to create a package for the Mikrotik? MikrotikSessionMIB.pm
> 
> 
>> -Original Message-
>> From: nath...@fsr.com
>> Sent: Mon, 8 Dec 2014 05:30:26 -0800
>> To: m.abdelsa...@wimd.com.kw, radiator@open.com.au
>> Subject: Re: [RADIATOR] Radiator+Mikrotik
>> 
>> On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote:
>> 
>>> Hello all,
>>> 
>>> As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request,
>>> the hook script will send Disconnect-Request to Mikrotik once the
>>> session
>>> exceeds the quota, here is how i send Disconnect-Request:
>> 
>> [snip]
>> 
>>> This works fine but the problem is that user can't re-authenticate again
>>> because it reaches Maxsessions although I have this in my config file:
>> 
>> [snip]
>> 
>>> The user would successfully authenticate again when I manually remove
>>> the
>>> session from RADONLINE by executing the DeleteQuery.
>> 
>> It has been a while since I have had to look at/think about this, but as
>> I recall, this is how it works:
>> 
>> DeleteQuery doesn't get executed unless the Radiator server receives
>> Accounting-Stop from the MikroTik.
>> 
>> PoD/Disconnect-Request may or may not cause Accounting-Stop to be issued
>> by MikroTik RouterOS; I can't remember and I will have to simulate this
>> later and run a packet capture to see what happens.  (Maybe if you are
>> running an older version of RouterOS, try upgrading?  It could be a bug
>> that got fixed later, and they have definitely had their share of RADIUS
>> client bugs in the past.)
>> 
>> In any case, you can work around a problem where Radiator does not
>> receive Accounting-Stop by having Radiator verify that any active
>> sessions for the user that are recorded in the RADONLINE table are valid
>> at the moment that the user tries to authenticate again.  Radiator does
>> this by executing an SNMP query to the NAS that is on record for each
>> session to see if the Session-ID for that row in the table is still
>> valid.  If the NAS does not return anything for the OID, then Radiator
>> assumes the session is dead and purges that entry from RADONLINE,
>> reducing MaxSessions count by 1.
>> 
>> To enable this functionality, you need to make sure that SNMP is enabled
>> and configured on each MikroTik NAS, you need to make sure that Net-SNMP
>> is installed and configured on the Radiator server, and you need to add
>> these options to your Client clause in your Radiator config file:
>> 
>> 
>>[...]
>># MikroTik supports this MIB
>>NasType CiscoSessionMIB
>>SNMPCommunity public
>> 
>> 
>> Replace 'public' with the SNMP community string that you have configured
>> on the MikroTik.
>> 
>> We also made a slight change to the Radiator code, because by default, if
>> Radiator does not get a response back from its SNMP "get" to the
>> MikroTik, it gives the benefit of the doubt to RADONLINE.  We have found
>> that more often than not, it is better to give the benefit of the doubt
>> to the user.  That way, a user is not unfairly punished by problems with
>> our NAS or problems on our network that might make it impossible for
>> Radiator to communicate with our NAS.  Here is the patch to make that
>> change in behavior:
>> 
>> diff -r -d -u -N Radius/Nas/CiscoSessionMIB.pm
>> Radius-patched/Nas/CiscoSessionMIB.pm
>> --- Radius/Nas/CiscoSessionMIB.pm2009-10-26 15:23:55.0 -0700
>> +++ Radius-patched/Nas/CiscoSessionMIB.pm2014-12-08 05:20:02.0
>> -0800
>> @@ -39,7 +39,7 @@
>>   $client->{SNMPCommunity},
>>   "$Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id");
>> 
>> -return 1 if (!$result || $result =~ /no response/i); # Could not
>> SNMP. Assume still there
>> +return 0 if (!$result || $result =~ /no response/i); # Could not
>> SNMP. Give benefit of doubt to user.
>> return 0 if $result =~ /no such variable/i;  # Not in the MIB means
>> no such session
>> return uc($1) eq uc($name)
>>  if ($result =~ /^.*\"([^"]+)".*$/);
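Review bot: the `-`/`+` pair turns the no-response case from fail-closed into fail-open, so whenever the NAS does not answer SNMP (or the Radiator host cannot reach it) every RADONLINE row for the user is treated as gone and the simultaneous-use limit is effectively switched off, yet nothing in the hunk records that this path was taken. Keep the policy if it is the one you want, but put a warning-level log call in front of the changed `return 0` (Radiator modules use `&main::log($main::LOG_WARNING, ...)` for this) that names the NAS and `$session_id`, so an SNMP outage shows up in the trace and can be alerted on instead of surfacing only as users exceeding their session count; as written, the `no response` and `no such variable` branches are indistinguishable to an operator. Note also that the edit only touches Radius/Nas/CiscoSessionMIB.pm, the module the `NasType CiscoSessionMIB` line above selects, so the original fail-closed behaviour still applies to any other NasType in use.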
>> 
>> Hope this helps,
>> 
>> --
>> Nathan Anderson
>> First Step Internet, LL

Re: [RADIATOR] AVP with ipv4 or ipv6 values

2014-11-25 Thread Hugh Irvine
Hello Arthur -

This will need some special code in Radiator to deal with this properly.

Look for a patch soon.

regards

Hugh


> On 25 Nov 2014, at 22:22, Arthur Konovalov  wrote:
> 
> Hello,
> 
> Asking for a little suggestion on how to solve a problem I have run into.
> My system stores Diameter offline charging events in MySQL.
> Usually the Served-Party-IP-Address AVP has an IPv4 value and all 
> works fine (printout from Wireshark):
> AVP: Served-Party-IP-Address(848) l=18 f=VM- vnd=TGPP val=194.106.126.181
> AVP Code: 848 Served-Party-IP-Address
> AVP Flags: 0xc0
> AVP Length: 18
> AVP Vendor Id: 3GPP (10415)
> Served-Party-IP-Address: 0001c26a7eb1
>Served-Party-IP-Address Address Family: IPv4 (1)
>Served-Party-IP-Address Address: 194.106.126.181
> 
> But some equipment sends an IPv6 address:
> AVP: Served-Party-IP-Address(848) l=30 f=VM- vnd=TGPP 
> val=2a00:16e0:20:2:924d:7fc:ff47:7c4c
> AVP Code: 848 Served-Party-IP-Address
> AVP Flags: 0xc0
> AVP Length: 30
> AVP Vendor Id: 3GPP (10415)
> Served-Party-IP-Address: 00022a0016e00022924d07fcff477c4c
>Served-Party-IP-Address Address Family: IPv6 (2)
>Served-Party-IP-Address Address: 2a00:16e0:20:2:924d:7fc:ff47:7c4c
> 
> and there a problem arises: the address is not properly converted.
> Trace level 4 output for this AVP shows:
> Served-Party-IP-Address: VM., 
> <0><2>*<0><22><224><0>0<0><1><4><190>T/<30><17><238>s
> 
> The Diameter dictionary entry for this AVP:
> VANDORATTR 10415 Server-Party-IP-Address 848 Address
> For RADIUS, converted:
> VANDORATTR 10415 Server-Party-IP-Address 80 string
> 
> Radiator version 4.9 in use.
> 
> Is there any suggestion on how to store both IP address variants in SQL?
> Might upgrading Radiator help there?
> 
> br,
> Arthur
> 
> 




Re: [RADIATOR] Duplicate request issues

2014-11-24 Thread Hugh Irvine
Hello Patrick -

This sounds to me like the internal servers are not processing requests quickly 
enough and don’t respond to the external servers before the external servers 
time out and resend.

When the resent request arrives at the internal server(s) they are indeed 
marked as duplicates because the previous request is still in process.

We often see this sort of problem with slow responses from authentication 
resources like SQL and/or LDAP databases.

A trace 4 debug with LogMicroseconds will show you exactly where the time is 
being spent waiting.

Of course it may not be the external servers that are timing out - it may be 
the upstream devices and/or proxies that are resending.

In any case, trace 4 debug with LogMicroseconds will show what Radiator is 
doing (or not doing), and the corresponding Wireshark trace will show you what 
packets are actually on the wire.

regards

Hugh


> On 25 Nov 2014, at 02:39, Patrik Forsberg  wrote:
> 
> Hello,
> 
> I have a problem where we have two external and two internal RADIUS servers. 
> The external RADIUS servers proxy almost all requests on to the internal 
> RADIUS servers, but the internal servers seem to think that the requests are 
> duplicates?
> 
> I've done all I can think of to disable the duplicate filtering but I seem 
> to be unable to stop the behaviour.
> I've tried setting DupInterval 0, NoIgnoreDuplicates 
> Access-Request,Accounting-Request and UseContentsForDuplicateDetection, all 
> of them by themselves and in various combinations, but none of them seems to 
> remedy the problem?
> When the external RADIUS servers get too many requests on them, the internal 
> ones start ignoring the requests as duplicates?
> 
> Is there some other directive I can put in Clients, or other parts of the 
> configuration, to stop this from happening?
> 
> 
> Best Regards,
> Patrik Forsberg
> 

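To make the timing argument concrete, here is a small added model in Python (not Radiator's code; Radiator's own detection and its DupInterval and NoIgnoreDuplicates options are described in its reference manual). It keys requests on source, Identifier and Request Authenticator, which a proxy repeats verbatim when it retransmits, and shows that with a slow backend every retransmission arrives while the original is still in progress, so flagging it as a duplicate is correct, and that setting the interval to zero only makes the same request be processed several times. The request fields and timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The fields that identify one request on the wire. A proxy that
    retransmits reuses the same Identifier and Request Authenticator."""
    client: str           # source address of the proxy or NAS
    identifier: int       # RADIUS Identifier byte
    authenticator: bytes  # 16-byte Request Authenticator


class DuplicateCache:
    """Simplified duplicate detection in the spirit of RFC 2865 section 5
    and RFC 5080 section 2.2.2. Each key is either in progress (no reply
    yet) or answered (reply cached) until dup_interval seconds have passed."""

    def __init__(self, dup_interval: float):
        self.dup_interval = dup_interval
        self._seen = {}   # key -> [first_seen, cached_reply_or_None]

    @staticmethod
    def _key(req: Request):
        return (req.client, req.identifier, req.authenticator)

    def _expire(self, now: float) -> None:
        for key, (first_seen, _reply) in list(self._seen.items()):
            if now - first_seen > self.dup_interval:
                del self._seen[key]

    def receive(self, req: Request, now: float) -> str:
        """Classify an arriving request: 'new', 'duplicate-in-progress'
        (original still waiting on the backend) or 'duplicate-replied'
        (cached reply can be resent without touching the backend)."""
        self._expire(now)
        key = self._key(req)
        if key not in self._seen:
            self._seen[key] = [now, None]
            return "new"
        if self._seen[key][1] is None:
            return "duplicate-in-progress"
        return "duplicate-replied"

    def reply_sent(self, req: Request, reply: bytes) -> None:
        """Record the backend's reply; first_seen is kept so the entry
        still expires dup_interval seconds after the original arrived."""
        key = self._key(req)
        if key in self._seen:
            self._seen[key][1] = reply


def simulate(backend_delay: float, retransmit_timeout: float,
             dup_interval: float = 10.0) -> list:
    """Replay one request whose upstream proxy retransmits twice, every
    retransmit_timeout seconds, while the backend (SQL, LDAP, ...) takes
    backend_delay seconds to answer. Returns (time, classification)."""
    cache = DuplicateCache(dup_interval)
    req = Request("192.0.2.1", 17, bytes(range(16)))   # constructed sample
    timeline, replied = [], False
    for t in (0.0, retransmit_timeout, 2 * retransmit_timeout):
        if not replied and backend_delay <= t:
            cache.reply_sent(req, b"Access-Accept")
            replied = True
        timeline.append((t, cache.receive(req, t)))
    return timeline


if __name__ == "__main__":
    print("slow backend: ", simulate(backend_delay=8.0, retransmit_timeout=3.0))
    print("fast backend: ", simulate(backend_delay=2.0, retransmit_timeout=3.0))
    print("DupInterval 0:", simulate(backend_delay=8.0, retransmit_timeout=3.0,
                                     dup_interval=0.0))
```

The slow-backend run is the situation described above: the internal server is right to call the second and third arrivals duplicates, because the first is still outstanding. The fix is on the latency side (faster backend, or a longer retransmit timer on the proxies), which the trace 4 log with LogMicroseconds will point to.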


Re: [RADIATOR] Using Radiator and Net-SNMP on the same server?

2014-11-20 Thread Hugh Irvine

Hello Eivind -

You will need to use different port numbers.

regards

Hugh


> On 21 Nov 2014, at 08:13, Eivind Olsen  wrote:
> 
> What's an easy way of running both Net-SNMP and Radiator (with its
> SNMPAgent)? Is there some nice and fancy way of using both at the same
> time, or is the best / only way to tell them to listen on different ports,
> such as UDP 161 for Net-SNMP and some other UDP port for Radiator?
> 
> Regards
> Eivind Olsen
> 
> 




Re: [RADIATOR] CoA-Request vs Change-Filter-Request in radpwtst

2014-11-12 Thread Hugh Irvine

Hello Heikki -

These could be added as synonyms as is done for some RADIUS attribute 
definitions.


# Radius.pm
# Implements Radius message packet object
#
# Contains the following additional attributes
#  SendTo
#  StatsTrail, array or refs to statistics hashes
#
# Handles multiple instances of the same attribute
# Handles accounting packets, and authentication of same
# Handles EAP
#
# Author: Mike McCauley (mi...@open.com.au),
# Copyright (C) Open System Consultants
# $Id: Radius.pm,v 1.175 2014/04/02 20:44:24 hvn Exp $

package Radius::Radius;
@ISA = qw(Radius::AttrVal);
use Radius::AttrVal;
use Radius::BigInt;
use Socket;
use Digest::MD5;
use Radius::Util;
use strict;

# RCS version number of this module
$Radius::Radius::VERSION = '$Revision: 1.175 $';

# These map request names into request types. 
# Some are from RFC 2882. Add synonyms from RFC 5176.
my %codes  = ( 
'Access-Request' => 1,
'Access-Accept'  => 2,
'Access-Reject'  => 3,
'Accounting-Request' => 4,
'Accounting-Response'=> 5,
'Accounting-Status'  => 6,
'Access-Password-Request'=> 7,
'Access-Password-Ack'=> 8,
'Access-Password-Reject' => 9,
'Accounting-Message' => 10,
'Access-Challenge'   => 11,
'Status-Server'  => 12,
'Status-Client'  => 13,
'Resource-Free-Request'  => 21,
'Resource-Free-Response' => 22,
'Resource-Query-Request' => 23,
'Resource-Query-Response'=> 24,
'Alternate-Resource-Reclaim-Request' => 25,
'NAS-Reboot-Request' => 26,
'NAS-Reboot-Response'=> 27,
'Ascend-Access-Next-Code'=> 29,
'Ascend-Access-New-Pin'  => 30,
'Ascend-Terminate-Session'   => 31,
'Ascend-Password-Expired'=> 32,
'Ascend-Access-Event-Request'=> 33,
'Ascend-Access-Event-Response'   => 34,
'Disconnect-Request' => 40,
'Disconnect-Request-ACKed'   => 41,
'Disconnect-Request-NAKed'   => 42,
'Change-Filter-Request'  => 43,
'CoA-Request' => 43,
'Change-Filter-Request-ACKed'=> 44,
'CoA-ACKed'   => 44,
'Change-Filter-Request-NAKed'=> 45,
'CoA-NAKed'   => 45,
'IP-Address-Allocate'=> 50,
'IP-Address-Release' => 51,
);


The decode can use the new definitions.

Thoughts?

regards

Hugh


> On 13 Nov 2014, at 08:08, Heikki Vatiainen  wrote:
> 
> On 11/11/2014 02:14 PM, Vangelis Kyriakakis wrote:
> 
>>  The radpwtst client uses the code name Change-Filter-Request for message 43,
>> which is based on the old RFC 2882. Message 43 has been renamed to
>> CoA-Request in the later RFC 5176. The same stands for messages 44 and 45. It
>> would be nice to change the names to the new ones since the old names
>> cause some misunderstandings, especially when talking to vendor support
>> teams in order to solve CoA problems.
> 
> Good point. We have discussed updating the names too because of the
> confusion the old names create. The drawback is that doing this requires
> changes to existing scripts that use radpwtst and any existing Radiator
> modules or hooks that do not come with Radiator (own custom code).
> 
> The change could be applied to just radpwtst, but likely it would be
> less confusing to change them both.
> 
> I'll see when to get this in the patches.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.

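The synonym idea from the snippet above, as an added example written in Python for this thread (it is not code from Radiator or radpwtst): the RFC 5176 names are canonical, the RFC 2882 spellings are accepted on encode, and decode always yields the canonical name, with header and attribute validation per RFC 2865 so that a bad Length field is rejected instead of read past the datagram. The canonical spellings here follow RFC 5176 (CoA-ACK, CoA-NAK), which differ slightly from the CoA-ACKed / CoA-NAKed spelling used in the snippet above; the sample CoA-Request, its attributes and its authenticator are constructed.

```python
import struct

# Canonical RFC 5176 packet names and their codes. The older RFC 2882 names
# (the ones radpwtst historically printed) are kept as synonyms so both
# spellings resolve to the same code byte.
CANONICAL_CODES = {
    "Access-Request": 1,
    "Access-Accept": 2,
    "Access-Reject": 3,
    "Accounting-Request": 4,
    "Accounting-Response": 5,
    "Access-Challenge": 11,
    "Status-Server": 12,
    "Disconnect-Request": 40,
    "Disconnect-ACK": 41,
    "Disconnect-NAK": 42,
    "CoA-Request": 43,
    "CoA-ACK": 44,
    "CoA-NAK": 45,
}
SYNONYMS = {
    "Disconnect-Request-ACKed": "Disconnect-ACK",
    "Disconnect-Request-NAKed": "Disconnect-NAK",
    "Change-Filter-Request": "CoA-Request",
    "Change-Filter-Request-ACKed": "CoA-ACK",
    "Change-Filter-Request-NAKed": "CoA-NAK",
}
CODE_NAMES = {code: name for name, code in CANONICAL_CODES.items()}

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
MAX_LENGTH = 4096                   # RFC 2865 section 3


def code_for(name: str) -> int:
    """Resolve either spelling of a packet name to its code byte."""
    return CANONICAL_CODES[SYNONYMS.get(name, name)]


def name_for(code: int) -> str:
    """Decoding always yields the canonical RFC 5176 name."""
    return CODE_NAMES.get(code, f"Unknown-{code}")


def pack_attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type, Length (including this 2-byte header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def unpack_attributes(data: bytes) -> list:
    """Walk the TLV list; a Length below 2 or past the end is malformed."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_packet(name: str, identifier: int, authenticator: bytes,
                 attributes: bytes = b"") -> bytes:
    """Assemble a packet; the caller supplies the (already computed) authenticator."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    length = HEADER.size + len(attributes)
    if length > MAX_LENGTH:
        raise ValueError("packet too long")
    return HEADER.pack(code_for(name), identifier, length, authenticator) + attributes


def parse_packet(data: bytes) -> dict:
    """Validate the header per RFC 2865 section 3 and decode the fields.
    Octets beyond Length are padding and ignored; a Length that runs past
    the end of the datagram is an error."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the 20-byte header")
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    if length < HEADER.size or length > MAX_LENGTH or length > len(data):
        raise ValueError(f"invalid Length field {length}")
    return {
        "code": code,
        "name": name_for(code),
        "identifier": identifier,
        "authenticator": authenticator,
        "attributes": unpack_attributes(data[HEADER.size:length]),
    }


# Constructed sample: a CoA-Request that names the session to change by
# NAS-Identifier (32) and Acct-Session-Id (44); the authenticator is a dummy.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_COA = build_packet(
    "Change-Filter-Request", 7, SAMPLE_AUTHENTICATOR,
    pack_attribute(32, b"nas01") + pack_attribute(44, b"0000ABCD"),
)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_COA))
```

Keeping the old names only as encode-side synonyms is what lets existing scripts keep working while logs and vendor conversations use the RFC 5176 terms.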


Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::

2014-11-04 Thread Hugh Irvine
Hello -

Quite right - I didn’t notice you already had one.

regards

Hugh


> On 4 Nov 2014, at 23:22, Mohammed Alhaj Ali  wrote:
> 
> Hi..
> Thank you Sir, I'll try to use the existing identifier on  clause.
> 
> 
> Regards,
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Monday, November 03, 2014 2:08 AM
> To: Mohammed Alhaj Ali
> Cc: Heikki Vatiainen; radiator@open.com.au
> Subject: Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::
> 
> 
> Hello -
> 
> You need to reference both AuthBy clauses in your Handler:
> 
> 
> 
> 
>   # Add Identifier for reference in accounting Handler
>   Identifier SQLAccounting
>   AccountingTable zooomonline.ZOOOM_ACCOUNTING
>   AcctColumnDef USERNAME,User-Name,%A
>   AcctColumnDef TIME_STAMP,Timestamp,integer
>   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>   AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>   AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>   AcctColumnDef acctterminatecause, Acct-Terminate-Cause
>   AcctColumnDef NASIDENTIFIER,NAS-Identifier
>   AcctColumnDef NASPORT,NAS-Port,integer
>   AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>   AcctInsertQuery insert into %0 (ACCOUNT_ID, DATE_TIME, %1) values 
> (zooomonline.ZOOOM_ACCOUNTING_SEQ.nextval, SYSDATE, %2)
> #   AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, 
> Framed-MTU=1492, Session-Timeout = "until Expiration"
>   AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, 
> Framed-MTU=1492
>   AuthColumnDef 0,User-Password, check
> #   AuthColumnDef 1,Expiration, check
>   AuthColumnDef 1,Session-Timeout, reply
>   AuthColumnDef 2,Simultaneous-Use, check
>   AuthColumnDef 3,GENERIC, reply
> #   AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd 
> HH24:MI:SS') EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout 
> "Session-Timeout" from zooomonline.view_zooom_user_auth where 
> upper(USERNAME)=upper('%n')
>   AuthSelect select PASSWORD, (Session_Timeout) EXPIRATION, MAXSESSIONS, 
> REPLYATTR, Session_Timeout "Session-Timeout" from 
> zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
>   CachePasswordExpiry 86400
>   ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource = 
> shift;my $dbusername = shift;my $dbauth = shift;$self->log($main::LOG_ERR, 
> "Could not connect to SQL database with DBI->connect $dbsource, $dbusername, 
> $dbauth: $@ $DBI::errstr");}
>   DBAuth zooomonline2009
>   DBSource dbi:ODBC:DSLPROD
>   DBUsername zooomonline
>   DateFormat %b %e, %Y %H:%M
>   EAPAnonymous anonymous
>   EAPContextTimeout 1000
>   EAPFAST_PAC_Lifetime 7776000
>   EAPFAST_PAC_Reprovision 2592000
>   EAPTLS_MaxFragmentSize 2048
>   EAPTLS_PEAPVersion 1
>   EAPTLS_SessionResumption 1
>   EAPTLS_SessionResumptionLimit 43200
>   EAPTLS_VerifyDepth 1
>   FailureBackoffTime 600
>   Identifier ZooomAuth
>   NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR, 
> "Could not connect to any SQL database. Request is ignored. Backing off for 
> $self->{FailureBackoffTime} seconds");}
>   NullPasswordMatchesAny 1
>   PasswordPrompt password
>   SIPDigestRealm DefaultSipRealm
>   Timeout 60
> 
> 
> 
> <Handler Request-Type=Accounting-Request>
>   AuthByPolicy ContinueAlways
>   
>  Secret 123456
>  Host 1.2.3.1
>  Host 1.2.3.2
>  AuthPort 1812
>  AcctPort 1813
>  IgnoreAccountingResponse
>
>   # store accounting in SQL
>   # use the Identifier to reference the AuthBy SQL clause
>   AuthBy SQLAccounting
> 
> 
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
>> On 2 Nov 2014, at 20:24, Mohammed Alhaj Ali  wrote:
>> 
>> Hi,
>> 
>> I'm trying to set up accounting request proxying only for remote OSS systems, 
>> as well as to keep accounting messages written to the SQL database with the 
>> original  . I applied the below configuration, and I 
>> received the accounting on the remote system, but I lose accounting updates 
>> in the SQL database table...
>&

Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::

2014-11-02 Thread Hugh Irvine
ING_SEQ.nextval, SYSDATE, %2)
> #   AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, 
> Framed-MTU=1492, Session-Timeout = "until Expiration"
>AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, 
> Framed-MTU=1492
>AuthColumnDef 0,User-Password, check
> #   AuthColumnDef 1,Expiration, check
>AuthColumnDef 1,Session-Timeout, reply
>AuthColumnDef 2,Simultaneous-Use, check
>AuthColumnDef 3,GENERIC, reply
> #   AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd 
> HH24:MI:SS') EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout 
> "Session-Timeout" from zooomonline.view_zooom_user_auth where 
> upper(USERNAME)=upper('%n')
>AuthSelect select PASSWORD, (Session_Timeout) EXPIRATION, MAXSESSIONS, 
> REPLYATTR, Session_Timeout "Session-Timeout" from 
> zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
>CachePasswordExpiry 86400
>ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource = 
> shift;my $dbusername = shift;my $dbauth = shift;$self->log($main::LOG_ERR, 
> "Could not connect to SQL database with DBI->connect $dbsource, $dbusername, 
> $dbauth: $@ $DBI::errstr");}
>DBAuth zooomonline2009
>DBSource dbi:ODBC:DSLPROD
>DBUsername zooomonline
>DateFormat %b %e, %Y %H:%M
>EAPAnonymous anonymous
>EAPContextTimeout 1000
>EAPFAST_PAC_Lifetime 7776000
>EAPFAST_PAC_Reprovision 2592000
>EAPTLS_MaxFragmentSize 2048
>EAPTLS_PEAPVersion 1
>EAPTLS_SessionResumption 1
>EAPTLS_SessionResumptionLimit 43200
>EAPTLS_VerifyDepth 1
>FailureBackoffTime 600
>Identifier ZooomAuth
>NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR, 
> "Could not connect to any SQL database. Request is ignored. Backing off for 
> $self->{FailureBackoffTime} seconds");}
>NullPasswordMatchesAny 1
>PasswordPrompt password
>SIPDigestRealm DefaultSipRealm
>Timeout 60
> 
> 
> 
> <Handler Request-Type=Accounting-Request>
> 
>  AuthByPolicy ContinueAlways
>  AccountingHandled
> 
> Secret 123456
> Host 1.2.3.1
> Host 1.2.3.2
> AuthPort 1812
> AcctPort 1813
> IgnoreAccountingResponse
>   
> 
> 
> Is there's any additional required configuration.
> 
> 
> 
> Thank you!
> Regards,
> 
> 
> 
> 
> 
> 




Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]

2014-10-12 Thread Hugh Irvine

Hi all -

We discussed this at length many times over the years and our decision was 
always that “DEBUG” meant show everything that is going on, otherwise debugging 
is very hard.

I suppose we could consider two levels: “DEBUG” as it is now, and 
“DEBUGWITHOUTPASSWORDS” with passwords obscured.

Thoughts?

regards

Hugh


On 13 Oct 2014, at 08:57, Keith Morrell  wrote:

> UNCLASSIFIED
> 
> We use debug level 4 on all our subprocesses (we use radiator proxies for 
> front ends) to gather detailed data about what’s going on – it’s just the way 
> we like it.
>  
> Personally, I think showing any passwords in clear text in logs is generally 
> not a good idea…
>  
> -Keith
>  
>  
> From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] 
> Sent: Monday, 13 October 2014 8:49 AM
> To: Keith Morrell; Vangelis Kyriakakis; Radiator
> Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 
> [SEC=UNCLASSIFIED]
>  
> Why would you be running in this mode? Surely only a debug level that high for 
> debugging? And how could you be sure that the issue wasn't due to an incorrect 
> password? ;)
> 
> alan

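As an added illustration of the "DEBUGWITHOUTPASSWORDS" idea (example code in Python written for this thread, not a Radiator feature): a filter applied to trace output before it reaches disk, which masks the values of password-bearing RADIUS attributes and of LDAP userPassword results while leaving the rest of each line intact for debugging. The attribute names are illustrative and the sample trace lines are constructed.

```python
import io
import re

# Attribute names whose values must not reach a log file: RADIUS names as
# they appear in attribute dumps plus the LDAP attribute the thread is about.
# Illustrative list; it should track your own dictionary.
SENSITIVE_NAMES = (
    "User-Password", "CHAP-Password", "Tunnel-Password",
    "MS-CHAP-Response", "MS-CHAP2-Response", "userPassword", "AuthPassword",
)
_NAMES = "|".join(re.escape(n) for n in SENSITIVE_NAMES)
# Name = "value"   (attribute dump style)
_QUOTED = re.compile(
    rf'^(?P<lead>.*?\b(?:{_NAMES})\s*=\s*)"(?P<value>[^"]*)"(?P<tail>.*)$',
    re.IGNORECASE)
# Name: value  /  Name = value  /  Name value   (LDAP result or config dump)
_BARE = re.compile(
    rf'^(?P<lead>.*?\b(?:{_NAMES})\s*[:=]?\s+)(?P<value>\S+)(?P<tail>.*)$',
    re.IGNORECASE)


def redact_line(line: str, mask: str = "[REDACTED]") -> str:
    """Replace only the secret value; everything else on the line survives."""
    m = _QUOTED.match(line)
    if m:
        return f'{m["lead"]}"{mask}"{m["tail"]}'
    m = _BARE.match(line)
    if m:
        return f'{m["lead"]}{mask}{m["tail"]}'
    return line


def redact(text: str) -> str:
    """Redact a block of trace output line by line, keeping line structure."""
    out = "\n".join(redact_line(line) for line in text.splitlines())
    return out + ("\n" if text.endswith("\n") else "")


def leaked(text: str, secrets) -> list:
    """Which of the given secrets still appear verbatim in the text."""
    return [s for s in secrets if s in text]


class RedactingSink:
    """Wrap a file-like log destination; with hide_passwords set this is
    the 'debug without passwords' mode, otherwise plain DEBUG."""

    def __init__(self, inner, hide_passwords: bool = True):
        self.inner = inner
        self.hide_passwords = hide_passwords

    def write(self, text: str) -> None:
        self.inner.write(redact(text) if self.hide_passwords else text)


def write_through_sink(text: str, hide_passwords: bool = True) -> str:
    """Helper: push text through a RedactingSink into memory and return it."""
    buf = io.StringIO()
    RedactingSink(buf, hide_passwords).write(text)
    return buf.getvalue()


# Constructed trace excerpt in the style of a level 4 log; not real data.
SAMPLE_TRACE = """\
Mon Oct 13 08:57:01 2014: DEBUG: Packet dump:
Code:       Access-Request
Attributes:
        User-Name = "alice"
        User-Password = "hunter2"
        NAS-IP-Address = 192.0.2.10
Mon Oct 13 08:57:01 2014: DEBUG: LDAP got userPassword: {SSHA}c2FsdHNhbHRzYWx0c2FsdA==
Mon Oct 13 08:57:01 2014: DEBUG: Radius::AuthLDAP2 looks for match with alice [alice]
"""

if __name__ == "__main__":
    print(write_through_sink(SAMPLE_TRACE))
```

The `leaked` check is the useful self-test: run it with the credentials you know were used in a test session against the log file that was actually written, since a redaction rule that misses one attribute spelling is invisible otherwise.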



Re: [RADIATOR] Combining AuthSQLTOTP with other authication sources

2014-08-03 Thread Hugh Irvine

Hello Tom -

There is an example of how to do this sort of thing in:

goodies/digipassStatic.txt and goodies/digipassStatic.cfg

regards

Hugh


On 3 Aug 2014, at 22:19, Thomas Neumann  wrote:

> I'd like to use AuthSQLTOTP (or maybe also AuthSQLHOTP for that matter)
> in a way where the static password (PIN) is not stored in AuthSQLTOTP's
> SQL table but is verified against another auth source, such as existing
> Active Directory accounts checked by AuthLDAP2.
> 
> Any idea if/how that might work?
> 
>> From looking at the source I think it's currently not possible, even if
> I were to chain Authby LDAP2 and Authby SQLTOTP in one handler and use
> ContinueUntilReject or something like that, because Authby LDAP2 would
> need to know that it must strip the OTP part of the password (say the
> last six chars) before it checks the password against LDAP, and later on
> Authby SQLTOTP would insist on having the user in its own SQL user table.
> 
> To solve this in the most flexible way would require a method of
> stripping the OTP part (last N chars) from the password before it gets
> handled by some other auth method (LDAP2 or anything else that can check
> static passwords) and SQLTOTP would need to be modified to use its SQL
> table for bookkeeping (per-user num of failed logins, brute-force
> defense, ...) only, not as a primary source of usernames and static
> passwords.
> 
> Any idea on how to solve this?
> 
> 
> --Tom

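The mechanics Tom describes, as an added example in Python rather than Radiator's AuthBy SQLTOTP (the goodies files Hugh points to are the supported way to do this): split the combined credential into static PIN and trailing OTP, verify the OTP locally against RFC 6238 TOTP with a small clock window and replay protection, and only then hand the static part to an external checker standing in for AuthBy LDAP2. The user store, the static_check callback and the failure counter are assumptions of this example; the secret is the RFC 4226 / RFC 6238 test-vector key and the user record is constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def split_password(combined: str, otp_digits: int = 6):
    """Split 'static PIN + OTP'. The OTP is the trailing otp_digits
    characters and must be numeric; the static part must be non-empty, so
    a bare OTP cannot pass as a PIN-plus-OTP credential."""
    if len(combined) <= otp_digits:
        raise ValueError("credential too short to contain PIN and OTP")
    static, otp = combined[:-otp_digits], combined[-otp_digits:]
    if not otp.isdigit():
        raise ValueError("OTP part is not numeric")
    return static, otp


def verify_totp(secret: bytes, otp: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, last_counter=None):
    """Return the matching counter, or None. Accepts +/-window steps of
    clock drift, compares in constant time, and refuses any counter at or
    below last_counter so a captured code cannot be replayed."""
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), otp):
            return counter
    return None


def authenticate(username: str, combined: str, at: int, static_check,
                 user_store: dict, max_failures: int = 5) -> bool:
    """Two-stage check. The OTP is verified locally first, so guessed
    codes never reach the directory; only a valid OTP lets the static part
    go to static_check(username, pin), the stand-in for the external
    source (AuthBy LDAP2 in the question). The local record holds only the
    secret, a failure counter and the last accepted counter."""
    rec = user_store[username]
    if rec.get("failures", 0) >= max_failures:
        return False                      # locked: too many bad attempts
    try:
        static, otp = split_password(combined)
    except ValueError:
        rec["failures"] = rec.get("failures", 0) + 1
        return False
    counter = verify_totp(rec["secret"], otp, at,
                          last_counter=rec.get("last_counter"))
    if counter is None or not static_check(username, static):
        rec["failures"] = rec.get("failures", 0) + 1
        return False
    rec["last_counter"] = counter         # consume the code only on full success
    rec["failures"] = 0
    return True


# RFC 4226 / RFC 6238 test-vector key; the user record below is constructed.
TEST_SECRET = b"12345678901234567890"


def demo_store() -> dict:
    return {"alice": {"secret": TEST_SECRET}}


def demo_static_check(username: str, pin: str) -> bool:
    # Stand-in for the external password source; constructed credential.
    return username == "alice" and pin == "hunter2"


if __name__ == "__main__":
    store = demo_store()
    code = totp(TEST_SECRET, 59)
    print(authenticate("alice", "hunter2" + code, 59, demo_static_check, store))
```

Checking the OTP before the directory is deliberate: it means an attacker guessing codes cannot drive the account into an Active Directory lockout, and the local failure counter gives the brute-force defence Tom mentions without the SQL table having to be the primary source of usernames or static passwords.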



Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Hugh Irvine

Hello Chris -

Thanks for letting us know.

regards

Hugh


On 26 Jul 2014, at 03:50, Christopher Chance  wrote:

> Removing the synchronous did in fact fix the problem for some reason! Thanks!
> 
> Best regards,
>  
> Chris Chance
> Network Engineer - CaribServe
> 
> Phone: +1 721 542-4233
> Email:   ccha...@newtechgrp.com
> 
> 

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-24 Thread Hugh Irvine

Hello Chris -

The other difference between what I sent and what you are doing is your use of 
Synchronous in the AuthBy RADIUS clause.

In my suggestion I have removed it, and we think it is this that is causing the 
problem for some reason.

> 
> # this proxies to the machine that can then proxy to OTHERSITE NPS
> # strongly suggest you don't use Synchronous
> 
> 
>
>StripFromRequest ConvertedFromEAPMSCHAPV2
>Host 192.168.125.236
>Secret x
>AuthPort 1812
>AcctPort 1813
>Retries 2
>AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  
> Tunnel-Private-Group-ID=nn
>
> 



You might also want to upgrade to the latest Radiator 4.13.

FYI - we had another site that was having problems with NTLM and it was 
resolved by my suggestion to have Radiator proxy to NPS.

hope that helps

regards

Hugh



On 25 Jul 2014, at 04:23, Christopher Chance  wrote:

> Got to work and was looking at it and basically you're doing the same thing I 
> am, though the MYSITE radius isn't needed as there's nothing wrong with the 
> MYSITE NTLM it works fine..
> 
> As for the OTHERSITE ... that's exactly how it is now, except instead of 
> Microsoft NPS the other side is a radiator that authenticates via NTLM on the 
> secondary domain...
> 
> The problem is when that second radiator responds this radiator with the 
> Access-Accept, this radiator as you can see in the logs does a bunch of eap 
> challenges but never builds the final access-accept from what I can see for 
> the client wifi device... and the client device hangs.
> 
> The logs I included the good one was Local NTLM auth that authenticates and 
> sends the client an access-accept 
> 
> The Bad one that hangs was Radiator sending the Radius-MSCHAPv2 inner request 
> to the second radiator and getting the access accept from that radiator and 
> then it does some eap challenges and just hangs.
> 
> Don't really want to switch from linux-radiator to NPS as the ESX we're 
> running this on is tight on resources currently for another windows vm, 
> especially since its only basically standing in as a Radius-MSCHAPv2->NTLM 
> proxy.
> 

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

OK - this is what I had imagined.

What I would suggest is running Microsoft NPS on each domain, then just proxy 
the inner requests to the corresponding NPS.

In this case the inner requests are just straight MSCHAP-V2.

Something like this:


Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813


Secret xxx
Identifier Ruckus




StripFromRequest ConvertedFromEAPMSCHAPV2
Host ….
Secret ….
AuthPort …..
AcctPort …..
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  
Tunnel-Private-Group-ID=52





StripFromRequest ConvertedFromEAPMSCHAPV2
Host …..
Secret ….
AuthPort …..
AcctPort …..
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  
Tunnel-Private-Group-ID=52



# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don’t use Synchronous



StripFromRequest ConvertedFromEAPMSCHAPV2
Host 192.168.125.236
Secret x
AuthPort 1812
AcctPort 1813
Retries 2
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802,  
Tunnel-Private-Group-ID=nn





EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1





  CachePasswordExpiry 3600
  Filename %D/users_anon
  EAPType PEAP,TLS,TTLS
  EAPTLS_PrivateKeyPassword whatever
  EAPTLS_CAFile /etc/radiator/certs/ca.pem
  EAPTLS_CertificateFile /etc/radiator/certs/server.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
  EAPTLS_PEAPVersion 0
  EAPTTLS_NoAckRequired
  UsernameMatchesWithoutRealm
  AutoMPPEKeys




regards

Hugh


On 24 Jul 2014, at 11:08, Christopher Chance  wrote:

> 2 domains are on 2 separate vlans... for authentication i'm filtering it by 
> the handler Domain1\myuser Domain2\myuser if domain1 then process it via NTLM 
> locally, if the second domain forward to secondary radius that has an 
> interface on domain2 and is part of domain2's domain.
> 
> This is being done so that my wireless in my office can accept both logins 
> and sort users to the correct vlan based on their credentials, if a user logs 
> in with Domain1\user then they get sent to Vlan 2 if they get on as 
> domain2\user they login to vlan3 for instance.
> 
> we have an office with different companies but want to simplify our wireless 
> (at least at the user level) so that it is 1 wireless network via wpa2 
> enterprise (802.1x eaps)... hence how what i'm trying to do above.
> 
> Originally i was going to have the main radius server just filter by domains 
> and send an ldap2 request to domain1 or domain2's DC but since ldap2 doesn't 
> work with mschapv2 i had to go the ntlm way. 
> 
> And yes the linux version is what we're using as we plan to use the radius 
> for some other things too but windows was giving us some headaches, but thats 
> a different story for a different day.
> 
> hope i've explained :S
> 
> Chris
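The routing that Hugh's per-domain Handler and AuthBy RADIUS pairs perform, modelled in Python as an added example (not Radiator's code and not from this thread): the Handler match condition is not visible in the archived config, so matching on the domain part of User-Name as Chris describes it is assumed, and the NPS addresses and VLAN numbers are constructed placeholders.

```python
"""Model of the two-domain PEAP design discussed in the thread (added example,
not Radiator's code). Once Radiator has converted the inner MSCHAP-V2 exchange
into a plain RADIUS request (EAP_PEAP_MSCHAP_Convert), that request is routed
to the NPS of the user's domain, the conversion marker is stripped before
proxying (Hugh's StripFromRequest), and the reply carries the domain's VLAN.
Assumed: Handlers are selected on the domain part of User-Name; hosts and
VLAN numbers are constructed placeholders."""

import re
from dataclasses import dataclass

# Pseudo attribute Radiator attaches to a request it converted out of PEAP.
CONVERT_MARKER = "ConvertedFromEAPMSCHAPV2"


@dataclass(frozen=True)
class ProxyTarget:
    host: str   # the domain's NPS (constructed address)
    vlan: str   # Tunnel-Private-Group-ID handed back for this domain


# One entry per domain, standing in for one Handler + AuthBy RADIUS pair each.
PROXY_TABLE = {
    "domain1": ProxyTarget("192.0.2.10", "2"),
    "domain2": ProxyTarget("192.0.2.20", "3"),
}

_PREFIXED = re.compile(r"([^\\@]+)\\([^\\@]+)")   # DOMAIN\user
_SUFFIXED = re.compile(r"([^\\@]+)@([^\\@]+)")    # user@domain


def split_domain(user_name):
    """Return (domain, user); domain is lower-cased, None for a bare name."""
    m = _PREFIXED.fullmatch(user_name)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _SUFFIXED.fullmatch(user_name)
    if m:
        return m.group(2).lower(), m.group(1)
    return None, user_name


def route_inner_request(request):
    """Route one request as the per-domain Handlers would.

    request is a dict of RADIUS attributes. Returns
    ("proxy", host, outgoing_attrs, reply_attrs) when a domain Handler
    matches, ("skip", reason) for the outer EAP leg, which this model does
    not cover, and ("reject", reason) for a domain nobody proxies for.
    """
    if CONVERT_MARKER not in request:
        return ("skip", "outer EAP leg, not a converted inner request")
    domain, _user = split_domain(request.get("User-Name", ""))
    if domain not in PROXY_TABLE:
        # No Handler for this domain: deny rather than fall through to a
        # catch-all that would forward the credentials to the wrong NPS.
        return ("reject", "no handler for domain %r" % domain)
    target = PROXY_TABLE[domain]
    # StripFromRequest: the marker must not leave this server.
    outgoing = {k: v for k, v in request.items() if k != CONVERT_MARKER}
    # AddToReply: VLAN assignment for this domain, as in Hugh's config.
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "802",
        "Tunnel-Private-Group-ID": target.vlan,
    }
    return ("proxy", target.host, outgoing, reply)
```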

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

Could you please explain in detail what exactly you are trying to accomplish?

It sounds like you are authenticating against Active Directory but you are 
running Radiator on Linux?

Can you tell us how you differentiate between the 2 domains?

We can make better suggestions if we clearly understand the problem.

regards

Hugh


On 24 Jul 2014, at 03:30, Christopher Chance  wrote:

> Let me just say I got 802.1x working with PEAP/MSCHAPv2 -> NTLM 
> authentication….
>  
> The issue is we have 2 domains on our network and want to be able to have the 
> single 802.1x authentication, sorted by domain authenticate and return the 
> correct vlan for the user... I couldn’t figure a way out to do it with LDAP2 
> as apparently LDAP2 doesn’t like MSCHAPv2/PEAP only PAP for whatever reason… 
> So NTLM I went to, and it works but that meant I had to join the linux server 
> to the domain, and only 1 domain per server.
>  
> To solve this I followed someone’s recommendation to have a second radius 
> server (vm), that’s on the other domain that just checks domains and the 
> first server will proxy the request to it… simple enough…
>  
> The issue is it doesn’t work, the secondary radius sends the access-accept 
> but for some reason the main server doesn’t seem to handle the 
> challenge/accept process correctly anymore and the signin process just hangs 
> on the wireless…
>  
> So now I’m 110% lost and don’t know what else could be the issue…
>  
> If you can take a look at this and help me out it would be greatly 
> appreciated, as to where I’m going wrong.
>  
> Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
> Login that’s hanging being processed from remote Radius: 
> http://pastebin.com/Lj3MCset
>  
> Config is http://pastebin.com/UCr2vMdk
>  
> Thanks,
> Chris


Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine

Hello Craig -

There are several steps:

1. define the AuthorizeGroups you require

2. specify the return attributes you need for each AuthorizeGroup (syntax will 
depend on the specific device)

3. perform the authentication and set which AuthorizeGroup the user belongs to

…..

See the examples in section 5.96.10 in the Radiator 4.13 reference manual 
(“doc/ref.pdf”).

See also the examples in “goodies/tacacsplusserver.cfg” and 
“goodies/tacplus.txt”.

regards

Hugh


On 25 Jun 2014, at 10:51, Craig Ayliffe  wrote:

> Hi Hugh,
> 
> Actually I was looking for a way to set the vsys/privilege to restrict what a 
> user can do.
> 
> i.e. wanted to do something like this:
>   AuthorizeGroup READ permit service=netscreen {vsys=root 
> privilege=read-only}
>   AuthorizeGroup WRITE permit service=netscreen {vsys=root privilege=root}
> 
> Or do I need to use something like AuthorizeAdd/AuthorizeReplace to pass back 
> attribute-value pairs?
> 
> Regards,
> 
> Craig
> 


Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine

Hello Craig -

The usual way to do this is with Identifiers in the Client clauses and Handlers 
to match.

Something like this:


…..


Identifier JuniperNetscreen
Secret …..
…..



Identifier JuniperNetscreen
Secret …..
…..



Identifier JuniperNetscreen
Secret …..
…..


…..




…..




…..

hope that helps

regards

Hugh


On 24 Jun 2014, at 23:24, Craig Ayliffe  wrote:

> Hi,
>  
> I am looking for examples of Radiator configuration to restrict users logging 
> into Juniper Netscreens running ScreenOS 6.3 and higher.
>  
> Need to be able to specify the vsys to be Root and the privilege to be either 
> ‘root’ or ‘read-only’ depending on their AuthorizeGroup configuration.
>  
> Haven’t been able to find any examples anywhere.
> Would appreciate any assistance.
>  
> Regards,
> 
> Craig
> 
> Craig Ayliffe | Brennan IT | Infrastructure Engineer
> 
> T: 02 8235 3515 | M: 0410 400 546 | craig.ayli...@brennanit.com.au | 
> www.brennanit.com.au
> 
> 
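The three TACACS+ authorization steps Hugh lists in his later reply, together with the AuthorizeGroup lines Craig proposed and the Identifier-per-device-class Handlers above, modelled in Python as an added example (not Radiator's own authorization code): the AD group DNs, device identifiers, first-match evaluation and implicit deny are assumptions of this model.

```python
"""Model of TACACS+ authorization by group (added example, not Radiator code):
(1) define the AuthorizeGroups, (2) give each group its device-specific reply
attributes, selected by the Client Identifier, (3) derive the group from
authentication data, here AD group membership. Rule text follows the
AuthorizeGroup form Craig posted; the pattern is treated as a regex against
the request's space-joined args, the first matching rule wins and anything
unmatched is denied. All names and DNs are constructed."""

import re
from collections import namedtuple

Rule = namedtuple("Rule", "group action pattern attrs")

_RULE_RE = re.compile(
    r"^AuthorizeGroup\s+(\S+)\s+(permit|deny)\s+(.*?)\s*(?:\{([^}]*)\})?$")


def parse_rule(line):
    """Parse 'AuthorizeGroup GROUP permit|deny PATTERN {k=v ...}'."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable AuthorizeGroup line: %r" % line)
    group, action, pattern, attrs = m.groups()
    attr_dict = {}
    for tok in (attrs or "").split():
        key, _, value = tok.partition("=")
        attr_dict[key] = value
    return Rule(group, action, re.compile(pattern), attr_dict)


# Steps 1 and 2: groups and their per-device reply attributes, keyed by the
# Client Identifier that selects the Handler (constructed rule sets).
DEVICE_RULES = {
    "JuniperNetscreen": [parse_rule(l) for l in (
        "AuthorizeGroup READ  permit service=netscreen {vsys=root privilege=read-only}",
        "AuthorizeGroup WRITE permit service=netscreen {vsys=root privilege=root}",
    )],
    "CiscoSwitch": [parse_rule(l) for l in (
        "AuthorizeGroup READ  permit service=shell cmd=show",
        "AuthorizeGroup READ  deny   service=shell",
        "AuthorizeGroup WRITE permit service=shell {priv-lvl=15}",
    )],
}

# Step 3: map AD memberships (the memberOf values) to a TACACS group.
# First match wins, so the least privileged group is listed first: a user
# who is in both gets READ (constructed DNs).
AD_GROUP_MAP = [
    ("CN=NetOps-ReadOnly,OU=Groups,DC=example,DC=test", "READ"),
    ("CN=NetOps-Admins,OU=Groups,DC=example,DC=test", "WRITE"),
]


def tacacs_group(member_of):
    """Return the TACACS group for a user's memberOf values, or None."""
    wanted = {dn.lower() for dn in member_of}
    for dn, group in AD_GROUP_MAP:
        if dn.lower() in wanted:
            return group
    return None   # no default group: unmapped users get nothing


def authorize(client_identifier, member_of, args):
    """Evaluate one authorization request from device class client_identifier.

    Returns (True, reply_attrs) on permit and (False, {}) on deny, including
    the implicit deny when no rule for the user's group matches.
    """
    group = tacacs_group(member_of)
    rules = DEVICE_RULES.get(client_identifier, [])
    if group is None or not rules:
        return False, {}
    joined = " ".join(args)
    for rule in rules:
        if rule.group == group and rule.pattern.search(joined):
            if rule.action == "deny":
                return False, {}
            return True, dict(rule.attrs)
    return False, {}
```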


Re: [RADIATOR] Radius proxying to Microsoft NAP/NPS server

2014-06-19 Thread Hugh Irvine

Hello Markus -

Yes this is possible and yes it has been done successfully.

You just need separate Handlers with the corresponding AuthBy RADIUS clauses.

regards

Hugh


On 20 Jun 2014, at 07:43, Markus Moeller  wrote:

> Hi,
>  
>   has anybody used Radiator as a proxy Radius server for Microsoft NAP. I 
> have WLAN setup with multiple SSIDs and would like to send the radius 
> requests for SSID COMPANY1 to NPS server 1 and for SSID COMPANY2 to server 2 
> ( e.g. company 1 has a set of NPS rules different to company 2). One reason 
> to do this would be to check on machine through a NPS policy/certificate and 
> user via smartcard at the same time so I can correlate the two (e.g. allow 
> company 1 user smartcard login only from COMPANY1 machines). 
>  
> Does that make sense ( assuming a Windows laptop environment ) ? Is there a 
> better way to do this ?
>  
> Thank you
> Markus


Re: [RADIATOR] Radiator / Radmin - bulk add users

2014-06-11 Thread Hugh Irvine

Hello Michael -

See buildsql in the main Radiator distribution directory.

See also section 10.0 in the Radiator 4.13 reference manual (“doc/ref.pdf”).

Here is the help for buildsql:


Radiator-4.13 hugh$ perl buildsql -h

usage: buildsql [-h] -dbsource dbi:drivername:option
[-dbusername dbusername] [-dbauth auth] [-password | -dbm | -flat]
[-z] [-u] [-f] [-d username] [-l username] [-t dbmtype]
[-tablename name] [-v]
[-username_column columnname]
[-password_column columnname]
[-encryptedpassword]
[-checkattr_column columnname]
[-replyattr_column columnname] filename ...



regards

Hugh


On 12 Jun 2014, at 12:45, Michael Bellears  wrote:

> Hi,
>  
> We have a need to add ~150 users to Radmin – Doing this via the (Radmin) web 
> interface would be tedious/error-prone – Is anyone aware of a script to bulk 
> add users?
>  
> Cheers.


Re: [RADIATOR] translate LDAP to radius

2014-06-10 Thread Hugh Irvine

Hello Kaiser -

You might also be interested in FreeSWITCH:

http://www.freeswitch.org

We have done a RADIUS integration for FreeSWITCH, and I am sure there are 
RADIUS implementations for Asterisk.

regards

Hugh


On 10 Jun 2014, at 17:16, kai...@gentrice.net wrote:

> I am surprised too, and I try to make it for asterisk.
> 
> br,
> kaiser cheng
> 



Re: [RADIATOR] translate LDAP to radius

2014-06-10 Thread Hugh Irvine

Hello Kaiser -

No, Radiator can “translate” from RADIUS or TACACS+ or Diameter, to LDAP, not 
the other way around.

I would be surprised if your SIP server did not support RADIUS and/or Diameter 
directly.

regards

Hugh


On 10 Jun 2014, at 12:03, kai...@gentrice.net wrote:

> Dear sir,
> 
> Can we use radiator as a proxy between LDAP and radius?
> We have a SIP server that supports LDAP, but the user DB is a radius server.
> If it is possible, we hope to put a radiator in as a translator; can we do it?
> 
> 
> 
> kaiser cheng

Re: [RADIATOR] SQL Server connection

2014-06-09 Thread Hugh Irvine

Hello -

You should start with the example SQL configuration file in “goodies/sql.cfg”.

On Windows you should use ODBC and DBD-ODBC.

To say any more we will need to see a copy of the configuration file together 
with a trace 4 debug showing what is happening.

regards

Hugh


On 9 Jun 2014, at 21:05, Vojislav Mihailovic  wrote:

> Hi,
> my company Antamedia has taken a Radiator Evaluation version.
> We installed the Strawberry Perl (64-bit) 5.18.2.2-64bit and DBI 1.631
> on Windows Server 2012.
> 
> We tested, but only work with auth file.
> We have created SQL server database, and all tables from sql file,
> but we have problem with connection on sql server.
> 
> On this link is our radius config file.
> www.antamedia.com/download/radius.cfg
> 
> We have a problem setting up auth SQL and checking accounts from the
> database.
> 
> 
> Please help us to solve the problem and correct the error in the radius
> config, in order to be able to continue testing.
> 
> 
> Thanks in advance
> 
> Antamedia
> 


Re: [RADIATOR] How to increase session time

2014-05-07 Thread Hugh Irvine

Hello Dennis -

If you want different values for your different user groups, you would put 
something like this in your AuthBy LSA clauses:

…..

# Session-Timeout = nnn 
# where nnn is the number of seconds

# netadmin

AddToReply Session-Timeout = nnn
…..


# users

AddToReply Session-Timeout = nnn
…..


…..

Otherwise if you want the same one for both groups you can do this instead:

…..


AddToReply Session-Timeout = nnn
…..


…..

BTW - I am located in Australia, so no need to send your email twice.

regards

Hugh


On 8 May 2014, at 06:35, Qiu, Dennis  wrote:

> Hugh,
> 
> Can you let me know where I can put Session-Timeout attribute in my 
> radius.cfg file?
> 
> Thank you
> 
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651   tel
> dennis@davispolk.com
> 
> 
> 
> 
> 
> -----Original Message-
> From: Qiu, Dennis 
> Sent: Tuesday, May 06, 2014 9:15 PM
> To: 'Hugh Irvine'
> Cc: radiator@open.com.au
> Subject: RE: [RADIATOR] How to increase session time
> 
> Hugh,
> 
> I only see sessiontime in my HTTP session. That session is not used by 
> network device.
> 
> I do not see such an attribute as "Session-Timeout". Do I need to add this 
> attribute into the radius.cfg file? If I need to add it, where should I add it?
> 
> Following is my radius.cfg. Can you advise?
> 
> Thank you
> 
> ###
> # windows.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system on Windows. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example is expected to be installed in 
> #   c:\Program Files\Radiator\radius.cfg
> # It will authenticate from a standard users file in
> #   c:\Program Files\Radiator\users
> # it will log debug and other messages to
> #   c:\Program Files\Radiator\logfile
> # and log accounting to a file in
> #   c:\Program Files\Radiator\detail
> # (of course you can change all these by editing this config file if you wish)
> #
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # And it will print out what its doing in great detail to the log file.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
> 
> AcctPort 1646,1813
> AuthPort 1645,1812
> BindAddress 144.211.2.97
> #BindAddress 0.0.0.0
> DbDir c:/Program Files/Radiator
> DictionaryFile %D/dictionary
> Foreground 1
> LogDir c:/Program Files/Radiator/Logs
> #LogFile logfile
> LogStdout 1
> 
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
> 
> 
>   DupInterval 0
>   FramedGroupMaxPortsPerClassC 255
>   LivingstonHole 2
>   LivingstonOffs 29
>   NasType unknown
>   SNMPCommunity 450dpw$
>   Secret mysecret
> 
> 
> 
>   AuthByPolicy ContinueWhileIgnore
> 
>   
>   AuthByPolicy ContinueUntilAccept
>   C

Re: [RADIATOR] How to increase session time

2014-05-06 Thread Hugh Irvine

Hello Dennis -

The attribute you want is “Session-Timeout”, although you will need to do some 
testing to verify that your network devices support it.

regards

Hugh


On 7 May 2014, at 08:02, Qiu, Dennis  wrote:

> Support,
>  
> Our networking devices use Radiator for authentication. Many times, guys are 
> working on the network devices and they are prompted to authenticate again. 
> It becomes very annoying.
>  
> I am wondering what is the value of variables I can adjust to increase the 
> session time.
>  
> Thank you
>  
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651   tel
> dennis@davispolk.com
> 
> 
>  
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Define a global array

2014-04-01 Thread Hugh Irvine

Hello Steve -

What you describe makes perfect sense - and this is exactly what globals are 
for.

See the hooks in “goodies/hooks.txt” for lots of examples.

regards

Hugh


On 2 Apr 2014, at 10:59, Steve Phillips  wrote:

> Hi there,
> 
> I am trying to setup a system that, on startup reads a DB table into a 
> hashed array and then makes this available to the rest of the hooks. A 
> later hook then takes this hashed array and parses it to add a value to 
> a custom attribute which is then used for later processing within a handler.
> 
> While I understand that globals are bad and should never be used, I 
> believe that making a DB request on every radius packet would have more 
> of an impact on performance for something that rarely changes (maybe 
> once a week or so) and so the positives outweigh the negatives.
> 
> What I had which doesn't seem to work was something along these lines.
> 
> 
> 
> # Hooks
> StartupHook file:"%D/hooks/StartupHook-SetupGlobals.pl"
> 
> .
> .
> 
>   Secret blah
>   PreHandlerHook file:"$D/hooks/AddAttribute.pl"
> 
> 
> 
> .
>  Do Stuff
> 
> 
> in the SetupGlobals file I have something like;
> 
> # Define a global (obviously, there is where I'd read in the DB table)
> our %global_steve = (
>   'message1' => 'Steve was here',
>   'message2' => 'woot'
> );
> 
> and then, when trying to reference it I have in the PreHandler hook
> 
> sub {
>   &main::log($main::LOG_INFO, "Test: $main::global_steve{'messsage1'}");
> }
> 
> Which ends up printing out a blank.
> 
> Does anyone know of either, a way to get this going, or a way to read in 
> a db table of data and cache it for use in later hooks without having 
> each radius request generate another database call?
> 
> Thanks in advance,
> 
> -- 
> Steve.
> 
> 




Re: [RADIATOR] max reauthentication

2014-03-21 Thread Hugh Irvine

Hello Judy -

There is no default.

You can set the Session-Timeout value to whatever you wish in the RADIUS 
Access-Accept.

Depending on what else you are doing, something like this:

…..

# whatever AuthBy you are using
# add the number of seconds you wish for Session-Timeout
# where “nn” below is the number of seconds



…..

AddToReply Session-Timeout = nn



…..

See section 13.2.8 in the Radiator 4.12.1 reference manual (“doc/ref.pdf”).

regards

Hugh



On 22 Mar 2014, at 09:21, Judy Angel  wrote:

> 
> Please see the reply from the wireless controller vendor.
> 
>> the re-auth timer can be set by the RADIUS server. It is the
>> Session-Timeout attribute. It would be good to see what the RADIUS is
>> presently configured for
> 
> What is the default setting
> Thanks
> Judy
> 
> --On 19 March 2014 23:22 + Alan Buxey  wrote:
> 
>> It's usually a function of your NAS (eg wireless controller). Check its
>> settings for session-timeout ... which is usually an attribute that you
>> can send back from your RADIATOR server in the access-accept packet too
>> (though you may need to change your controller setting so that it honours
>> that value)
>> 
>> Alan
> 
> 
> 
> 




Re: [RADIATOR] Delayed Stop Record and Active Sessions

2014-02-23 Thread Hugh Irvine

Hello Rohan -

Depending on the actual delay, you may be able to do something clever with the 
timestamps.

regards

Hugh


On 22 Feb 2014, at 08:21, rohan.henry @cwjamaica.com 
 wrote:

> Thanks for the feedback Heikki.
> 
> I am thinking that the suggestion would solve the problem but defeats the 
> state limit function. It means that a connection would now become unique 
> based on Acct-Session-Id which changes for every connection and would grant 
> access to the same user multiple times since the new Acct-Session-Id will not 
> allow a database match.
> 
> Rohan
> 
> 
> 
> On Wed, Feb 19, 2014 at 3:40 PM, Heikki Vatiainen  wrote:
> On 02/19/2014 09:22 PM, rohan.henry @cwjamaica.com wrote:
> 
> > How can I fix an issue where the DeleteQuery statement in my Sessions DB
> > config deletes the row for a new active session because of a delayed
> > Stop record?
> 
> A quick idea: Do you think the DeleteQuery could be changed to include
> Acct-Session-Id in the query. That is, the NAS-Port, etc, and
> Acct-Session-Id must match the existing entry.
> 
> If the session has been replaced, the delete will not match any rows
> because the new entry on the row it would otherwise match has a
> different session id that belongs to the new session.
> 
> Please let us know how this works.
> Thanks,
> Heikki
> 
> 
> > Scenario:
> >
> > 1. A session is up (and row entered in the database for active session)
> > 2. The session is dropped because of a premature disconnection (eg.
> > modem line cable unplugged) but Stop record is delayed.
> > 3. New session is created after modem line cable is restored (and after
> > DeleteQuery statement removes database row for previous session)
> > 4. The delayed Stop record finally comes in - the DeleteQuery statement
> > now removes the row for the active session (An unwanted behavior).
> >
> > How do I compensate for the delayed Stop record that is causing active
> > session database records to be deleted?
> 
> 
> --
> Heikki Vatiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.


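The delayed-Stop scenario from Rohan's message and Heikki's DeleteQuery suggestion, replayed against an in-memory sessions table. This is an added example, not Radiator code; the table and column names, the NAS/port values and the Start-side replacement are constructed assumptions.

```python
import sqlite3

# Added example, not Radiator code: a minimal model of the SQL session
# database from the thread. Table layout and column names are constructed.

NAS = "10.0.0.1"   # constructed NAS-IP-Address
PORT = 7           # constructed NAS-Port


def open_sessions_db():
    """Create an in-memory table holding one row per active session."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE RADONLINE ("
        " USERNAME TEXT, NASIDENTIFIER TEXT, NASPORT INTEGER,"
        " ACCTSESSIONID TEXT, TIME_STAMP INTEGER)"
    )
    return db


def accounting_start(db, nas, port, user, session_id, ts):
    """Model of the Start path: clear whatever row occupies the NAS/port,
    then insert the new session. Assumption: this replacement is keyed on
    NAS/port only, because the new Start does not carry the old session's
    Acct-Session-Id and so could not clear the stale row by id."""
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=?",
               (nas, port))
    db.execute("INSERT INTO RADONLINE VALUES (?,?,?,?,?)",
               (user, nas, port, session_id, ts))


def delete_by_port(db, nas, port):
    """Original DeleteQuery: any Stop for this NAS/port removes the row,
    whichever session the row now belongs to."""
    cur = db.execute(
        "DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=?",
        (nas, port))
    return cur.rowcount


def delete_by_port_and_session(db, nas, port, session_id):
    """Heikki's variant: the Stop must also carry the Acct-Session-Id of
    the row it is allowed to remove."""
    cur = db.execute(
        "DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=?"
        " AND ACCTSESSIONID=?", (nas, port, session_id))
    return cur.rowcount


def active_sessions(db, nas, port):
    """Rows still recorded for the port, as (username, session id)."""
    rows = db.execute(
        "SELECT USERNAME, ACCTSESSIONID FROM RADONLINE"
        " WHERE NASIDENTIFIER=? AND NASPORT=?", (nas, port)).fetchall()
    return [tuple(r) for r in rows]


def replay_delayed_stop(match_session_id):
    """Run Rohan's four steps and return (rows deleted by the late Stop,
    sessions still recorded for the port)."""
    db = open_sessions_db()
    # 1. first session comes up
    accounting_start(db, NAS, PORT, "alice", "S-0001", 100)
    # 2. line drops; the NAS's Stop for S-0001 is delayed
    # 3. line restored; new session S-0002 replaces the row for the port
    accounting_start(db, NAS, PORT, "alice", "S-0002", 160)
    # 4. the delayed Stop for S-0001 finally arrives
    if match_session_id:
        deleted = delete_by_port_and_session(db, NAS, PORT, "S-0001")
    else:
        deleted = delete_by_port(db, NAS, PORT)
    return deleted, active_sessions(db, NAS, PORT)


if __name__ == "__main__":
    print("port-only DeleteQuery:   ", replay_delayed_stop(False))
    print("port+session DeleteQuery:", replay_delayed_stop(True))
```

With the port-only query the late Stop removes the live S-0002 row; with the session-id match it removes nothing and the active session survives.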


Re: [RADIATOR] SIP2 + Fortigate setup

2014-02-19 Thread Hugh Irvine

Hello Chad -

You don’t need to do anything special - Radiator will process the password 
automatically.

If you are using a flat file for your user records you should add an entry like 
this:



# flat file user definitions

29030pretend  User-Password = gulash



hope that helps

regards

Hugh


On 20 Feb 2014, at 09:42, Chad Roseburg  wrote:

> Thanks Heikki ~ there is an option to change the authentication scheme. I 
> changed it to PAP as you suggest. 
> 
> Now it appears as though the fortigate is sending the password encrypted 
> ...Ex:
> 
> Test credentials:
> user: 29030pretend
> pass: gulash
> 
> Server output excerpt:
> DEBUG: SIP2 send '2300020140219141804AO|AA29030pretend|ACterminal 
> password|AD�$.%�6Է!H�'
> 
> In looking at the docs, I see several encryption/decrypt options ...what do I 
> include in my config to allow Radiator to decrypt
> this password?
> 
> Thank you!
> 
> Chad
> 
> 
> 
> 
> 
> On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen  wrote:
> On 02/15/2014 02:42 AM, Chad Roseburg wrote:
> > I have an evaluation version of Radiator 4.12.1. I need to set up a web
> > captive portal on a Fortigate 60D that uses SIP2 authentication.
> >
> > The SIP2 part works ...tests successful:
> 
> Hello Chad,
> 
> radpwtst uses PAP with the options you have specified and sends
> User-Password which can be then used with AuthBy SIP2.
> 
> However, it looks like the Fortigate is trying to do MS-CHAP instead of
> PAP. With MS-CHAP there is no password, only a challenge and response,
> and for this reason it does not work.
> 
> Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
> tried. There should be a MS-CHAP-Response too with the attributes, but
> maybe you have left that out. These two attributes are used by MS-CHAP.
> 
> See if there's 'Authentication Scheme', I think this is the option in
> Fortigate, or something similar that has been set to MS-CHAP or defaults
> to MS-CHAP. There should be an option to switch it to PAP.
> 
> Please let us know if the above helps.
> 
> Thanks,
> Heikki
> 
> 
> > Ex.
> > perl radpwtst -noacct -user 29030pretend -password secrets
> > sending Access-Request...
> > OK
> >
> > On RADIUS server I see:
> > -
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
> >  160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
> > Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24  00020140214
> >160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
> > [29030pretend]
> > Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
> >
> > But the second part is that I need to connect the fortigate to the
> > RADIUS server. I add the fortigate as a client in the config using IP
> > and a 'Secret'
> >
> > Here's some edited output when I test from the fortigate using the same
> > creds:
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
> >  162344AONCRL|AA29030pretend|ACterminal password|AD|'
> > Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24  00020140214
> >162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
> > Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
> > 29030002429839 [29030002429839]
> > Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
> >
> > It looks like it's not sending the password. Also, at the top of the
> > transmission there's mention of a MS-CHAP-Challenge:
> > Attributes:
> > NAS-Identifier = "Fortinet_RTR"
> > MS-CHAP-Challenge =
> > b<137><238><146>4<165><145>.9<229><163>j<129>"<220>M
> > Acct-Session-Id = "0021"
> > Connect-Info = "test"
> > Fortinet-Vdom-Name = "root"
> >
> > This is the Client config:
> > 
> > Secret  secretspass
> > DupInterval 0
> > 
> >
> > Thanks for any advice!
> >
> > --
> > Chad
> >
> >

Re: [RADIATOR] Radiator stop to respond to request : stuck in a script : I/O error Interrupted

2014-01-16 Thread Hugh Irvine

Hi Pascal -

Happy New Year 2014!

There are many examples of how to do this in the Radiator source code.

Here is an extract from “Radius/AuthLDAP2.pm”:


#
# Check a password for a DN, by attempting to bind with a
# supplied password. Careful: an empty password will always appear
# to match, so we reject that case
sub checkPassword
{
    my ($self, $dn, $password) = @_;

    my $result;
    return if $self->{LDAPRejectEmptyPassword} && $password eq '';
    &Radius::Util::exec_timeout($self->{Timeout},
                                sub {$result = $self->{ld}->bind(dn => $dn,
                                                                 password => $password);});
    if (!$result ||
        ($result->code()
         && $result->code() != Net::LDAP::Constant->LDAP_INAPPROPRIATE_AUTH
         && $result->code() != Net::LDAP::Constant->LDAP_INVALID_CREDENTIALS))
…….


regards

Hugh



On 17 Jan 2014, at 06:56, Pascal Beauregard  
wrote:

> Hi,
> yesterday we experienced twice a situation where Radiator stopped 
> responding to requests, apparently because the server was stuck in the 
> execution of a script.
>  
> Here is what we saw in the logfile :
>  
> Tue Jan 14 13:13:56 2014: DEBUG:  Deleting session for demk2801, 10.40.0.130, 
> 1
> Tue Jan 14 13:13:56 2014: DEBUG: Handling with Radius::AuthFILE:
> Tue Jan 14 13:13:56 2014: DEBUG: Handling with EAP: code 2, 11, 43, 25
> Tue Jan 14 13:13:56 2014: DEBUG: Response type 25
> Tue Jan 14 13:13:56 2014: DEBUG: EAP Success, elapsed time 0.267233
> Tue Jan 14 13:13:56 2014: DEBUG: EAP result: 0,
> Tue Jan 14 13:13:56 2014: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Jan 14 13:13:56 2014: DEBUG: Running aeriusSecurise_VLAN: for user 
> demk2801 (Jan 14, 2014 13:13) : Accept
> Tue Jan 14 13:13:56 2014: DEBUG: Running aeriusSecurise_VLAN: verify demk2801 
> is memberOf... for VLAN selection
> 13:47
> Tue Jan 14 13:24:23 2014: ERR: Error in PostAuthHook(): I/O Error Interrupted 
> system call at /etc/radiator/hooks/ADI.pm line 111,  line 16081.
>  
> Here is what we have at line 111 of ADI.pm
>  
> #print " Bind LDAP session with user $ldapuser \n";
>my $mesg = $ldap->bind($ldapuser,
>  password => pack('H*',$ldappass))
>  or die $@;
>  
> Is there a way to make sure that if a bind does not work we exit the script 
> after a period of time ?
>  
>  
> __
> Pascal Beauregard
> Telecommunications analyst
> Information Technology Services
> Université de Sherbrooke
>  
> Tel.: 819-821-7770
> Email: pascal.beaureg...@usherbrooke.ca
>  
>  


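A bounded bind in the spirit of the exec_timeout wrapper in Hugh's extract, applied to a hook like Pascal's. This is an added example, not Radiator code or Pascal's ADI.pm: the LDAP bind is simulated with a sleep, and the SIGALRM mechanism, function names and the single-threaded-server assumption are mine.

```python
import signal
import time

# Added example, not Radiator code: an alarm-based wrapper modelled on the
# idea of Radius::Util::exec_timeout. Assumption: the server processes
# requests on one thread, so a hook that blocks in $ldap->bind() stalls
# every other request until the bind returns or is interrupted.


class HookTimeout(Exception):
    """Raised inside the blocking call when the timer fires."""


def exec_timeout(seconds, func, *args):
    """Run func(*args) with a wall-clock limit.

    Returns (True, result) if func finished in time and (False, None) if
    the timer fired first. The timer is always cancelled and the previous
    SIGALRM handler restored, so a fast call never leaves a stray alarm
    behind to interrupt some later, unrelated system call."""
    def on_alarm(signum, frame):
        raise HookTimeout(f"hook call exceeded {seconds}s")

    previous = signal.signal(signal.SIGALRM, on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        return True, func(*args)
    except HookTimeout:
        return False, None
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)


def simulated_bind(delay, succeeds):
    """Stand-in for $ldap->bind(): blocks for `delay` seconds, then answers
    (constructed; a real bind would block on the directory server)."""
    time.sleep(delay)
    return succeeds


def post_auth_hook(bind_delay, bind_succeeds, timeout=0.2):
    """Hook body: bound the bind and turn a timeout into a definite outcome
    the caller can log, instead of a hung server or an unhandled die()."""
    finished, bound = exec_timeout(timeout, simulated_bind,
                                   bind_delay, bind_succeeds)
    if not finished:
        return "TIMEOUT"        # log it and leave the reply unchanged
    return "BOUND" if bound else "BIND_FAILED"


if __name__ == "__main__":
    print(post_auth_hook(0.0, True))    # BOUND
    print(post_auth_hook(5.0, True))    # TIMEOUT after 0.2s, not 5s
```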


Re: [RADIATOR] Alive\Update handlers with proxy

2013-12-23 Thread Hugh Irvine

Hello -

There is an example showing how to use the Class attribute in 
“goodies/hooks.txt”.

regards

Hugh


On 23 Dec 2013, at 20:33, Heikki Vatiainen  wrote:

> On 12/23/2013 09:25 AM, eliran shlomo wrote:
> 
>> How can I copy the attribute values that are sent in the Access-Accept to
>> the Accounting-Request?
> 
> If the attributes are fetched during the authentication, you could
> consider AuthenticateAccounting and creating a Handler for the
> accounting message which has an AuthBy with AuthenticateAccounting set
> and for example, NoCheckPassword set.
> 
> This would force Radiator to run SQL and LDAP lookups for accounting too
> allowing you to pull attribute values from the authentication backend.
> 
> Another alternative might be storing the values during authentication in
> the Class attribute which the client will return with
> Accounting-Requests. A hook could then process Class and push the
> attributes in the accounting request message.
> 
> Yet another alternative is to create a hook that does all the necessary
> lookups for the accounting messages. However, it might be possible to
> use the two alternatives described above instead of doing everything
> with a hook.
> 
> Thanks,
> Heikki
> 
> 
>> On Wed, Dec 18, 2013 at 5:33 PM, Heikki Vatiainen > <mailto:h...@open.com.au>> wrote:
>> 
>>On 12/18/2013 09:44 AM, eliran shlomo wrote:
>> 
>>> The attribute in the LDAP for RB-Context-Name has changed from
>>safe to ngn.
>>> 
>>> but in the accounting that is sent to the proxy the attribute value
>>> didn't change.
>>> RB-Context-Name = "safe"
>>> 
>>> the hook is acting as expected the problem is that some of attribute
>>> values stay the same and some of them changed.
>> 
>>Hello Eliran,
>> 
>>the Hook you sent only changes Class attribute. In other words, only
>>$p->change_attr('Class', ...) is called but values of other attributes
>>are not touched.
>> 
>>The log you sent earlier shows that authentication and accounting
>>requests are processed by different Handlers. This is very likely one
>>reason why they change the attributes differently.
>> 
>>Thanks,
>>Heikki
>> 
>> 
>> 
>> 
> 
> 




Re: [RADIATOR] Use of attribute in accounting file name

2013-12-22 Thread Hugh Irvine

Hello Markus -

Yes you can - see section 5.2 in the Radiator 4.12 reference manual 
(“doc/ref.pdf”).


%{attr}

The value of the named attribute in the current packet (if any).
For example, %{User-Name} is the same as %n.


regards

Hugh



On 23 Dec 2013, at 01:16, Markus Moeller  wrote:

> Hi
>  
>  
>   I know you can use special characters in the accounting file name (e.g. %c 
> or %C), but is it also possible to use an attribute value?
>  
>   When I read the client database I add an attribute e.g. host = Host1. Could 
> I use that instead of %C to avoid the reverse DNS lookup ?
>  
> Thank you
> Markus
>  




Re: [RADIATOR] Infinera with AuthBy SQL

2013-12-04 Thread Hugh Irvine

Hello -

I generally find it easiest to use Identifiers in the Client clauses with 
corresponding Handlers instead of Realm(s).

Something like this:


…..


Identifier Infinera
…..



Identifier Infinera
…..



Identifier Infinera
…..


…..



…..

AddToRequest NAS-Identifier=TACACS



# Deal with Infinera devices



…..



# Deal with TACACS



…..



…..


regards

Hugh


On 5 Dec 2013, at 14:33, nho...@gmail.com wrote:

> Hi
> 
> I have been tasked with getting our new Infinera infrastructure to
> authenticate against our radiator servers.
> 
> The catch here is that our current configuration is  TACACS+ for our
> Cisco equipment and the Infinera kit only supports Radius.
> 
> We wanted to use the same database (example below) so that our
> engineers would have the same credentials and access levels across
> both environments.
> 
> | test   | {SSHA} | tacacsgroup = admin  |
> | test2 | {SSHA} | tacacsgroup = readonly  |
> 
> I have a working solution but was wondering if there was a more
> elegant way keeping in mind that I probably can't touch the database.
> 
> 
> AuthByPolicy ContinueUntilAccept
> 
>
>   Identifier tacacsauth
>   DBSource dbi:mysql:tacacs
>   DBUsername radius
>   DBAuth *
> 
>   NoDefault
>   NoDefaultIfFound
>   IgnoreAccounting
>   FailureBackoffTime 10
> 
>   AuthSelect select password, checkattr, replyattr \
>   from tacacsUser \
>   where username=%0 \
>   and replyattr rlike "admin$"
>   AuthColumnDef 0, Encrypted-Password, check
> 
>   AddToReply Infinera-User-Priv-SA = SA-PRIVILEGED,\
>   Infinera-User-Priv-NE = NE-PRIVILEGED,\
>   Infinera-User-Priv-NA = NA-PRIVILEGED,\
>   Infinera-User-Priv-PR = PR-PRIVILEGED,\
>   Infinera-User-Priv-TT = TT-PRIVILEGED,\
>   Infinera-User-AdminDomain = "FX,LAB",\
>   Infinera-User-Max-Concurrent-Session =2,\
>   Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>   Infinera-User-TimeZone = "IST",\
>   Service-Type = Framed-User,\
>   Framed-Protocol = PPP,\
>   Framed-IP-Netmask = 255.255.255.255,\
>   Framed-Routing = None,\
>   Framed-MTU = 1500,\
>   Framed-Compression = Van-Jacobson-TCP-IP
>
> 
>
>   Identifier tacacsauth
>   DBSource dbi:mysql:tacacs
>   DBUsername radius
>   DBAuth iepu0oeC
> 
>   NoDefault
>   NoDefaultIfFound
>   IgnoreAccounting
>   FailureBackoffTime 10
> 
>   AuthSelect select password, checkattr, replyattr \
>   from tacacsUser \
>   where username=%0 \
>   and replyattr rlike "readonly$"
>   AuthColumnDef 0, Encrypted-Password, check
> 
>   AddToReply Infinera-User-Priv-SA = SA-NONPRIVILEGED,\
>   Infinera-User-Priv-NE = NE-NONPRIVILEGED,\
>   Infinera-User-Priv-NA = NA-NONPRIVILEGED,\
>   Infinera-User-Priv-PR = PR-NONPRIVILEGED,\
>   Infinera-User-Priv-TT = TT-NONPRIVILEGED,\
>   Infinera-User-Priv-MA = MA-PRIVILEGED,\
>   Infinera-User-AdminDomain = "FX,LAB",\
>   Infinera-User-Max-Concurrent-Session =2,\
>   Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
>   Infinera-User-TimeZone = "IST",\
>   Service-Type = Framed-User,\
>   Framed-Protocol = PPP,\
>   Framed-IP-Netmask = 255.255.255.255,\
>   Framed-Routing = None,\
>   Framed-MTU = 1500,\
>   Framed-Compression = Van-Jacobson-TCP-IP
>
> 
> 
> Any ideas would be appreciated.
> 
> Regards
> Derick




Re: [RADIATOR] Variables

2013-11-25 Thread Hugh Irvine

Hello Rohan -

Most if not all of these attributes should be included in the RADIUS accounting 
stop request, assuming RADIUS accounting is turned on in the NAS device.

Note that there is a difference between “Event-Timestamp” as shown below which 
may be sent by the NAS, and “Timestamp” which is internal to Radiator.

Have a look at a trace 4 debug to see exactly what you are receiving in the 
RADIUS accounting requests.

regards

Hugh


On 26 Nov 2013, at 08:26, rohan.henry @cwjamaica.com 
 wrote:

> Hello,
>  
> Are values for any of the foll. attributes automatically stored somewhere in 
> Radiator where they can be fetched anytime during or at the end of the 
> session? For example the Timestamp attribute.
>  
> If not, how can I store values for use later in or at the end of the session?
>  
> Attributes:
> Acct-Status-Type = Start
> User-Name = 
> Event-Timestamp = 
> Acct-Delay-Time = 
> NAS-Identifier = 
> Acct-Session-Id = 
> NAS-IP-Address = 
> Class = 
> Service-Type = 
> Framed-Protocol = 
> Framed-Compression = 
> Unisphere-Pppoe-Description = 
> Framed-IP-Address = 
> Framed-IP-Netmask = 
> Calling-Station-Id = 
> Connect-Info = 
> NAS-Port-Type = 
> NAS-Port = 
> NAS-Port-Id = 
> Acct-Authentic =
>  
> Thanks.
>  
> Regards,
> Rohan




Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-09 Thread Hugh Irvine

Hello again -

Actually, I think Heikki’s answer is correct, due to the AuthBy DUO returning 
IGNORE.

It's simpler too, although if the AuthBy DUO returns REJECT you’ll still call 
the AuthBy RADIUS.

regards

Hugh


On 9 Nov 2013, at 10:40, Hugh Irvine  wrote:

> 
> Hello Christopher -
> 
> What are the possible return values from your LDAP2 and DUO clauses?
> 
> If I understand what you describe correctly you should be able to do this:
> 
> 
>   
> 
>   AuthByPolicy ContinueWhileIgnore
> 
>   
> 
>   AuthByPolicy ContinueWhileAccept
> 
>   
>   …..
>   
> 
>   
> 
>   AuthByPolicy ContinueWhileReject
> 
>   
>   …..
>   
> 
>   
>   DefaultResult IGNORE
>   
> 
>   
> 
>   
> 
>   
>   …..
>   
> 
>   
> 
> 
> regards
> 
> Hugh
> 
> 
> 
> On 8 Nov 2013, at 05:31, Christopher Bongaarts  wrote:
> 
>> That would seem to yield the effective logic:
>> 
>> AuthBy LDAP2
>> if result = ACCEPT
>> then
>> AuthBy DUO
>> if result != ACCEPT
>> then
>>   AuthBy RADIUS
>> endif
>> endif
>> 
>> which is not what I want - either DUO or RADIUS should be invoked, never 
>> both; which one is invoked is determined by the result of LDAP2.
>> 
>> This is close:
>> 
>> 
>> AuthByPolicy ContinueUntilAccept
>> 
>>   AuthByPolicy ContinueWhileAccept
>>   AuthBy LDAP2
>>   AuthBy DUO
>> 
>> AuthBy RADIUS
>> 
>> 
>> but will invoke RADIUS unnecessarily if LDAP2 returns ACCEPT but DUO returns 
>> REJECT or IGNORE.  Security-wise this is OK (it is not possible for this 
>> RADIUS to succeed if LDAP2 succeeded) but does put an extra load on the 
>> proxied RADIUS service.
>> 
>> On 11/6/2013 4:24 PM, Hugh Irvine wrote:
>>> Hello Christopher -
>>> 
>>> Something like this:
>>> 
>>> 
>>> AuthByPolicy ContinueWhileAccept
>>> AuthBy LDAP2
>>> 
>>> AuthByPolicy ContinueUntilAccept
>>> AuthBy DUO
>>> AuthBy RADIUS
>>> 
>>> 
>>> 
>>> regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 7 Nov 2013, at 08:51, Christopher Bongaarts  wrote:
>>> 
>>>> I have a need to handle multiple authentication methods which returns
>>>> something like this:
>>>> 
>>>> AuthBy LDAP2
>>>> if result = ACCEPT
>>>> then
>>>>AuthBy DUO
>>>> else
>>>>AuthBy RADIUS
>>>> 
>>>> with the ultimate authentication result coming from either the DUO or
>>>> RADIUS module.  I tried to figure out a way to arrange some combination
>>>> of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to
>>>> figure out a way to make it work.  Any suggestions?
>>>> 
>>>> -- 
>>>> %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
>>>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>>>> %%  University of Minnesota%%  +1 (612) 625-1809%%
>>>> 
>>> 
>> 
>> 
>> -- 
>> %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>> %%  University of Minnesota%%  +
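The two AuthBy GROUP layouts in this thread (Hugh's first suggestion and Chris's "close" one), traced with a small evaluator to show which AuthBys actually run for each LDAP2/DUO outcome. This is an added example, not Radiator code; the policy semantics are assumed from the policy names (continue while/until the named result, with the group's result being that of the last AuthBy that ran).

```python
# Added example, not Radiator code: a model of AuthBy GROUP evaluation used
# to trace which AuthBys run under the configurations in the thread.
# Assumption: each AuthByPolicy continues while/until the named result,
# and a group's result is the result of the last member that ran.

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# AuthByPolicy name -> "keep going after this member's result?"
POLICIES = {
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueWhileReject": lambda r: r == REJECT,
}


class Leaf:
    """A single AuthBy (LDAP2, DUO, RADIUS); its outcome is scripted."""
    def __init__(self, name):
        self.name = name

    def run(self, outcomes, trace):
        trace.append(self.name)
        return outcomes[self.name]


class Group:
    """An AuthBy GROUP with an AuthByPolicy and ordered members."""
    def __init__(self, policy, members):
        self.keep_going = POLICIES[policy]
        self.members = members

    def run(self, outcomes, trace):
        result = IGNORE     # nothing has run yet
        for member in self.members:
            result = member.run(outcomes, trace)
            if not self.keep_going(result):
                break
        return result


def evaluate(root, outcomes):
    """Return (final result, list of AuthBys invoked, in order)."""
    trace = []
    return root.run(outcomes, trace), trace


# Hugh's first suggestion, as Chris reads it
HUGH_CONFIG = Group("ContinueWhileAccept", [
    Leaf("LDAP2"),
    Group("ContinueUntilAccept", [Leaf("DUO"), Leaf("RADIUS")]),
])

# Chris's "close" configuration
CHRIS_CONFIG = Group("ContinueUntilAccept", [
    Group("ContinueWhileAccept", [Leaf("LDAP2"), Leaf("DUO")]),
    Leaf("RADIUS"),
])


def wasted_radius_calls(root):
    """DUO outcomes for which the proxied RADIUS is still invoked even
    though LDAP2 accepted the user (Chris's point: not a security problem,
    since that RADIUS cannot succeed for such a user, but wasted load)."""
    wasted = []
    for duo in (ACCEPT, REJECT, IGNORE):
        outcomes = {"LDAP2": ACCEPT, "DUO": duo, "RADIUS": REJECT}
        _, trace = evaluate(root, outcomes)
        if "RADIUS" in trace:
            wasted.append(duo)
    return wasted


if __name__ == "__main__":
    for name, cfg in (("Hugh", HUGH_CONFIG), ("Chris", CHRIS_CONFIG)):
        print(name, "RADIUS also called when DUO returns:",
              wasted_radius_calls(cfg))
```

Note that in Hugh's layout an LDAP2 REJECT ends evaluation without ever reaching RADIUS, which is the other half of the branch Chris wants.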

Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-08 Thread Hugh Irvine

Hello Christopher -

What are the possible return values from your LDAP2 and DUO clauses?

If I understand what you describe correctly you should be able to do this:




AuthByPolicy ContinueWhileIgnore



AuthByPolicy ContinueWhileAccept


…..




AuthByPolicy ContinueWhileReject


…..



DefaultResult IGNORE







…..





regards

Hugh



On 8 Nov 2013, at 05:31, Christopher Bongaarts  wrote:

> That would seem to yield the effective logic:
> 
> AuthBy LDAP2
> if result = ACCEPT
> then
>  AuthBy DUO
>  if result != ACCEPT
>  then
>AuthBy RADIUS
>  endif
> endif
> 
> which is not what I want - either DUO or RADIUS should be invoked, never 
> both; which one is invoked is determined by the result of LDAP2.
> 
> This is close:
> 
> 
>  AuthByPolicy ContinueUntilAccept
>  
>AuthByPolicy ContinueWhileAccept
>AuthBy LDAP2
>AuthBy DUO
>  
>  AuthBy RADIUS
> 
> 
> but will invoke RADIUS unnecessarily if LDAP2 returns ACCEPT but DUO returns 
> REJECT or IGNORE.  Security-wise this is OK (it is not possible for this 
> RADIUS to succeed if LDAP2 succeeded) but does put an extra load on the 
> proxied RADIUS service.
> 
> On 11/6/2013 4:24 PM, Hugh Irvine wrote:
>> Hello Christopher -
>> 
>> Something like this:
>> 
>>  
>>  AuthByPolicy ContinueWhileAccept
>>  AuthBy LDAP2
>>  
>>  AuthByPolicy ContinueUntilAccept
>>  AuthBy DUO
>>  AuthBy RADIUS
>>  
>>  
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 7 Nov 2013, at 08:51, Christopher Bongaarts  wrote:
>> 
>>> I have a need to handle multiple authentication methods which returns
>>> something like this:
>>> 
>>> AuthBy LDAP2
>>> if result = ACCEPT
>>> then
>>> AuthBy DUO
>>>  else
>>> AuthBy RADIUS
>>> 
>>> with the ultimate authentication result coming from either the DUO or
>>> RADIUS module.  I tried to figure out a way to arrange some combination
>>> of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to
>>> figure out a way to make it work.  Any suggestions?
>>> 
>>> -- 
>>> %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
>>> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
>>> %%  University of Minnesota%%  +1 (612) 625-1809%%
>>> 
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> --
>> 
>> Hugh Irvine
>> h...@open.com.au
>> 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc.
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> 
> 
> 


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
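Added example, not from the thread and not Radiator code: a small Python model of AuthByPolicy evaluation that traces which AuthBy clauses run and what each AuthBy GROUP returns. It encodes the two configurations quoted above with their tags intact, Hugh's first suggestion and Christopher's "close" version, and compares each against the requested if-then-else logic for all 27 combinations of LDAP2, DUO and RADIUS results. The policy semantics are an assumption of the model, not taken from the Radiator source: ContinueWhile<X> moves on only while the previous clause returned X, ContinueUntil<X> moves on until a clause returns X, a group's result is that of the last clause run, and DefaultResult replaces a final IGNORE. Check the Radiator reference manual for your version before relying on them.

```python
"""Model of Radiator AuthByPolicy evaluation for the if-then-else thread.

Constructed example, not Radiator code. Assumed semantics (check the
Radiator reference manual for your version): ContinueWhile<X> runs the
next clause only while the previous one returned X, ContinueUntil<X>
runs the next clause until one returns X, the group's result is that of
the last clause run, and DefaultResult replaces a final IGNORE.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple, Union

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
RESULTS = (ACCEPT, REJECT, IGNORE)

# For each policy: does evaluation proceed to the next AuthBy after result r?
CONTINUE: Dict[str, Callable[[str], bool]] = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
    "ContinueAlways": lambda r: True,
}


@dataclass
class AuthBy:
    """A leaf clause (LDAP2, DUO, RADIUS) with a scripted result."""
    name: str
    result: str


@dataclass
class Group:
    """An <AuthBy GROUP> (or Handler) with an AuthByPolicy and members."""
    policy: str
    members: List[Union[AuthBy, "Group"]]
    default_result: Optional[str] = None


def evaluate(node: Union[AuthBy, Group], trace: List[str]) -> str:
    """Evaluate a node, recording the leaf clauses invoked in `trace`."""
    if isinstance(node, AuthBy):
        trace.append(node.name)
        return node.result
    result = IGNORE  # an empty group yields IGNORE
    for member in node.members:
        result = evaluate(member, trace)
        if not CONTINUE[node.policy](result):
            break
    if result == IGNORE and node.default_result is not None:
        result = node.default_result
    return result


def run(config: Group) -> Tuple[str, List[str]]:
    trace: List[str] = []
    return evaluate(config, trace), trace


def hugh_first(ldap: str, duo: str, radius: str) -> Group:
    """Hugh's first suggestion: ContinueWhileAccept over LDAP2 and a
    ContinueUntilAccept sub-group of DUO then RADIUS."""
    return Group("ContinueWhileAccept", [
        AuthBy("LDAP2", ldap),
        Group("ContinueUntilAccept", [AuthBy("DUO", duo), AuthBy("RADIUS", radius)]),
    ])


def christopher_close(ldap: str, duo: str, radius: str) -> Group:
    """Christopher's 'close' version: ContinueUntilAccept over a
    ContinueWhileAccept sub-group of LDAP2 then DUO, followed by RADIUS."""
    return Group("ContinueUntilAccept", [
        Group("ContinueWhileAccept", [AuthBy("LDAP2", ldap), AuthBy("DUO", duo)]),
        AuthBy("RADIUS", radius),
    ])


def desired(ldap: str, duo: str, radius: str) -> Tuple[str, List[str]]:
    """The logic asked for: DUO decides if LDAP2 accepts, else RADIUS decides."""
    if ldap == ACCEPT:
        return duo, ["LDAP2", "DUO"]
    return radius, ["LDAP2", "RADIUS"]


def mismatches(builder: Callable[[str, str, str], Group]):
    """All (LDAP2, DUO, RADIUS) result combinations where the configuration
    differs from the desired logic in its final result or in which clauses run."""
    out = []
    for combo in product(RESULTS, repeat=3):
        got = run(builder(*combo))
        if got != desired(*combo):
            out.append((combo, got[0], got[1]))
    return out


if __name__ == "__main__":
    for name, builder in (("hugh_first", hugh_first), ("christopher_close", christopher_close)):
        for (ldap, duo, radius), result, trace in mismatches(builder):
            print(f"{name}: LDAP2={ldap} DUO={duo} RADIUS={radius} -> {result} via {trace}")
```

Running it lists the six cases where Christopher's version still calls RADIUS after an LDAP2 ACCEPT and a DUO REJECT or IGNORE, which is the extra load he describes, and the cases where Hugh's first version never reaches RADIUS when LDAP2 does not accept.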


Re: [RADIATOR] Radius domain only auth, with password='cisco'

2013-11-06 Thread Hugh Irvine

Hello Michael -

This is configured on the Cisco box - you will need to ask your network people 
to turn it off.

regards

Hugh


On 7 Nov 2013, at 10:05, Michael  wrote:

> i'm looking to stop it. not set it up.  i'm not sure what had 
> enabled/configured it to start happening.  I guess this is probably the wrong 
> place to ask.
> 
> On 06/11/13 04:56 PM, Hugh Irvine wrote:
>> Hello Michael -
>> 
>> This sounds like Cisco VPDN tunnelling.
>> 
>> This example is from the standard “users” file in the Radiator distribution:
>> 
>> 
>> # This example shows how to configure a Cisco VPDN circuit:
>> open.com.au User-Password=cisco, Service-Type=Outbound-User
>> cisco-avpair = "vpdn:tunnel-id=cca-gw",
>> cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>> cisco-avpair = "vpdn:nas-password=pw",
>> cisco-avpair = "vpdn:gw-password=pw"
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 7 Nov 2013, at 04:56, Michael  wrote:
>> 
>>> Has anyone ever seen a situation where, for every authentication attempt
>>> to a radiator system from a cisco device, there is an authentication
>>> attempt right before it that appears to be:
>>> 
>>> - a domain (the username with the 'username@' part stripped off).
>>> - plain text password is always 'cisco'.
>>> - Service-Type = Outbound-User
>>> 
>>> if I remove this line from the cisco lns:
>>> aaa authorization network TEST group TEST
>>> ...the extra auth attempts stop, but then my radius network static
>>> profiles don't work, so it's not a solution but it narrows down the problem.
>>> 
>>> my auth requests for the radiator system are essentially doubled due to
>>> this.  This only started happening recently.  Network guys sometimes are
>>> like a ticking time bomb and asking them can cause an explosion so i
>>> thought i would ask here.
>>> 
>>> 
>>> Mike




Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-06 Thread Hugh Irvine

Hello Christopher -

Something like this:


AuthByPolicy ContinueWhileAccept
AuthBy LDAP2

AuthByPolicy ContinueUntilAccept
AuthBy DUO
AuthBy RADIUS



regards

Hugh


On 7 Nov 2013, at 08:51, Christopher Bongaarts  wrote:

> I have a need to handle multiple authentication methods which returns 
> something like this:
> 
> AuthBy LDAP2
> if result = ACCEPT
> then
> AuthBy DUO
>  else
> AuthBy RADIUS
> 
> with the ultimate authentication result coming from either the DUO or 
> RADIUS module.  I tried to figure out a way to arrange some combination 
> of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to 
> figure out a way to make it work.  Any suggestions?
> 
> -- 
> %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
> %%  University of Minnesota%%  +1 (612) 625-1809%%
> 




Re: [RADIATOR] Radius domain only auth, with password='cisco'

2013-11-06 Thread Hugh Irvine

Hello Michael -

This sounds like Cisco VPDN tunnelling.

This example is from the standard “users” file in the Radiator distribution:


# This example shows how to configure a Cisco VPDN circuit:
open.com.au User-Password=cisco, Service-Type=Outbound-User
cisco-avpair = "vpdn:tunnel-id=cca-gw",
cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
cisco-avpair = "vpdn:nas-password=pw",
cisco-avpair = "vpdn:gw-password=pw"


regards

Hugh   


On 7 Nov 2013, at 04:56, Michael  wrote:

> 
> Has anyone ever seen a situation where, for every authentication attempt 
> to a radiator system from a cisco device, there is an authentication 
> attempt right before it that appears to be:
> 
> - a domain (the username with the 'username@' part stripped off).
> - plain text password is always 'cisco'.
> - Service-Type = Outbound-User
> 
> if I remove this line from the cisco lns:
> aaa authorization network TEST group TEST
> ...the extra auth attempts stop, but then my radius network static 
> profiles don't work, so it's not a solution but it narrows down the problem.
> 
> my auth requests for the radiator system are essentially doubled due to 
> this.  This only started happening recently.  Network guys sometimes are 
> like a ticking time bomb and asking them can cause an explosion so i 
> thought i would ask here.
> 
> 
> Mike




Re: [RADIATOR] Migrate Cisco ACS to Radiator

2013-10-10 Thread Hugh Irvine

Hi Jim -

I believe we offer this as a custom service.

I've copied Heikki on this email and he can provide details and costs.

regards

Hugh


On 11 Oct 2013, at 06:25, Jim Tyrrell  wrote:

> Hi, we need to migrate a customers users from their own Cisco ACS RADIUS 
> server into our Radiator servers, but apparently its not possible to 
> export the users passwords in a format we can import.  I don't have 
> direct access to the ACS server but have been given a dump that includes 
> passwords in the following format
> 
> Password  :0x0020 8e 0c b4 cb 26 7b 20 10 fa 0f 80 77 ec c5 f5 
> 20 a5 4c ea ac f1 f9 dd ca 7b 8e 81 39 ca 21 d0 f4
> Chap password :0x0020 84 12 e3 bb 64 65 53 f9 61 7b 5d b4 f0 f4 9a 
> 1b a4 8c da 6e 52 fa fd 34 95 c2 fb 8a a8 a8 fa 16
> 
> Does anyone have experience importing usernames and passwords into 
> Radiator from ACS (textfile, or MySQL or LDAP)?  From what I understand 
> you can only export with the passwords encrypted using a Cisco algorithm 
> so you can only import into another ACS server.
> 
> Thanks.
> 
> Jim.




Re: [RADIATOR] Converting from using a plaintext users file, to using LDAP

2013-09-25 Thread Hugh Irvine

Hello Eivind -

Yes your approach will also work - I misunderstood your original question and 
thought you wanted to retain the AuthBy FILE component.

The AuthBy FILE part would only be to hold the "group" reply attributes, which 
as you say can also be done with AddToReply in the simple case.

regards

Hugh


On 25 Sep 2013, at 10:11, "Eivind Olsen"  wrote:

> Hugh Irvine wrote:
>> Yes this is fairly simple to do with multiple AuthBy clauses - in this
>> case with a trailing AuthBy FILE to set the required reply attributes.
> 
> My plan is to avoid the entire AuthBy FILE, if I can, so whoever is
> provisioning these users won't have to also edit a file, adding the users
> to the groups in LDAP should be sufficient. And if we need to make new
> levels of user access / giving special attributes to some, we'll add a new
> group and do a small change in radiusd.cfg
> 
> I'll add the attributes with AddToReply, in the specific AuthBy block, and
> won't need to use an AuthBy FILE then?
> 
> Regards
> Eivind Olsen
> 
> 




Re: [RADIATOR] Converting from using a plaintext users file, to using LDAP

2013-09-25 Thread Hugh Irvine

Hello Eivind -

Yes this is fairly simple to do with multiple AuthBy clauses - in this case 
with a trailing AuthBy FILE to set the required reply attributes.

Depending on how many groups you need, it may be preferable to have a group 
attribute in each user record rather than use memberOf.

In either case you would do something like this:


……

AuthByPolicy ContinueWhileAccept



# check users and determine group

AuthByPolicy ContinueUntilAccept


…..



…..


…..





# apply per-group reply attributes

…..



…..

hope that helps

regards

Hugh


On 24 Sep 2013, at 23:00, Eivind Olsen  wrote:

> Hello.
> 
> I've very recently been given the task of migrating an existing Radiator
> installation from having its users in a plaintext file (AuthBy FILE), to
> authenticating against LDAP.
> 
> This sounds straight forward enough, I'm somewhat familiar with AuthBy LDAP2.
> 
> Now, what gets me a bit confused is this: the current users textfile has
> entries with various attributes. Often it's the same attribute for many
> users, but not always. For example, some have Timetra-Cmd attribute
> listing read-only commands.
> 
> Oh, and if possible, I'd prefer to _not_ store these directly in the LDAP
> (if I can avoid extending the LDAP schema and avoid having to mess up the
> user provisioning tool, I'd prefer that). What I'd like to accomplish
> somehow is mapping the various userlevels to group-membership in LDAP. If
> someone are a member of for example the group "timetra-full-admin" they'll
> get a Timetra-Cmd set to one thing ,and if they're a member of
> "timetra-read-only" they'll have it set to something else. Makes sense?
> If I have to store the attribute values directly in LDAP, there's also a
> high chance that whoever is provisioning users might make a typo of some
> sorts. In other words: I don't want to "extract attribute X from LDAP, and
> returns its exact value". Oh, and if I can avoid using Perl hooks, that
> would also be a good thing for me :)
> 
> One way I've thought might work is having multiple AuthBy LDAP2-blocks
> chained together, with different searchfilters and replying with specific
> attributes, similar to this pseudo-code:
> 
> Auth-block1: if memberOf=timetra-full-admins" reply with attr
> Timetra-Cmd="abcd", otherwise continue to next block
> Auth-block2: if memberOf=timetra-read-only" reply with attr
> Timetra-Cmd="efgh", otherwise continue to next block
> ...
> no more blocks? Reject user.
> 
> Part of me thinks there's bound to be a better way than this, though. Can
> anyone lend me a clue? :)
> 
> Regards
> Eivind Olsen
> eiv...@aminor.no
> 
> 




Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine

Hi Heikki -

Actually I was meaning the attribute numbers.

According to what I looked at Served-MDN should be 100 and Charging-Type should 
be 101?

regards

Hugh


On 19 Sep 2013, at 19:14, Heikki Vatiainen  wrote:

> Thanks, Hugh. Looks like I should not trust my memory with dictionary
> format. This should be in correct format:
> 
> #
> # China Telecom-Guangzhou Research and Development Center (Huawei)
> #
> VENDORCNCTC   20942
> VENDORATTR20942   CNCTC-Charging-Type 100 integer
> VENDORATTR20942   CNCTC-Served-MDN101 string
> 
> VALUE CNCTC-Charging-Type Post-Paid   1
> VALUE CNCTC-Charging-Type Pre-Paid2
> VALUE CNCTC-Charging-Type Post-Paid-And-Pre-Paid  3
> 
> Heikki
> 
> 
> On 09/19/2013 12:00 PM, Hugh Irvine wrote:
>> 
>> Hello Heikki -
>> 
>> I think it should be this(?):
>> 
>> 
>> #
>> # China Telecom-Guangzhou Research and Development Center (Huawei)
>> #
>> VENDOR   CNCTC   20942
>> CNCTC-Served-MDN 100 string
>> CNCTC-Charging-Type  101 integer
>> 
>> VALUECNCTC-Charging-Type 1 Post-Paid
>> VALUECNCTC-Charging-Type 2 Pre-Paid
>> VALUECNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
>> 
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 19 Sep 2013, at 18:44, Heikki Vatiainen  wrote:
>> 
>>> On 09/19/2013 11:30 AM, Hugh Irvine wrote:
>>> 
>>>> So you could add the following to your dictionary:
>>>> 
>>>> #
>>>> # Vendor-specific attributes for China Telecom
>>>> #
>>>> 
>>>> VENDOR  China-Telecom 20942
>>>> 
>>>> VENDORATTR  20942   China-Telecom-Served-MDN  
>>>> 100   string
>>>> VENDORATTR  20942   China-Telecom-Charging-Type
>>>> 101   integer
>>>> 
>>>> VALUE   China-Telecom-Charging-Type Post-paid  
>>>>   1
>>>> VALUE   China-Telecom-Charging-Type Pre-paid
>>>>   2
>>>> VALUE   China-Telecom-Charging-Type
>>>> Both-post-and-pre-paid  3
>>>> 
>>>> 
>>>> When you do get the real attribute definitions please send us a copy.
>>> 
>>> Hello Mlungisi, Hello Hugh,
>>> 
>>> here's another doc I found:
>>> http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/feature/guide/pdsn5_0_fcs.pdf
>>> 
>>> 
>>> I propose this. It's the same as Hugh suggested but here the vendor name
>>> follows an existing example. I also changed the value names to follow
>>> the existing Dashes-And-Capitals notation the dictionary mostly uses.
>>> 
>>> Mlungisi, please let us know if you get reasonably looking attributes
>>> with these dictionary entries. Also, as Hugh mentions, if you have or
>>> find out more information about the attributes, please let us know.
>>> 
>>> #
>>> # China Telecom-Guangzhou Research and Development Center (Huawei)
>>> #
>>> VENDOR  CNCTC   20942
>>> CNCTC-Charging-Type 100 integer
>>> CNCTC-Served-MDN101 string
>>> 
>>> VALUE   CNCTC-Charging-Type 1 Post-Paid
>>> VALUE   CNCTC-Charging-Type 2 Pre-Paid
>>> VALUE   CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
>>> 
>>> Thanks,
>>> Heikki
>>> 
>>> -- 
>>> Heikki Vatiainen 
>>> 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>> NetWare etc.

Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine

Hello Heikki -

I think it should be this(?):


#
# China Telecom-Guangzhou Research and Development Center (Huawei)
#
VENDOR  CNCTC   20942
CNCTC-Served-MDN100 string
CNCTC-Charging-Type 101 integer

VALUE   CNCTC-Charging-Type 1 Post-Paid
VALUE   CNCTC-Charging-Type 2 Pre-Paid
VALUE   CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid



regards

Hugh


On 19 Sep 2013, at 18:44, Heikki Vatiainen  wrote:

> On 09/19/2013 11:30 AM, Hugh Irvine wrote:
> 
>> So you could add the following to your dictionary:
>> 
>> #
>> # Vendor-specific attributes for China Telecom
>> #
>> 
>> VENDOR  China-Telecom 20942
>> 
>> VENDORATTR  20942   China-Telecom-Served-MDN  
>> 100   string
>> VENDORATTR  20942   China-Telecom-Charging-Type
>> 101   integer
>> 
>> VALUE   China-Telecom-Charging-Type Post-paid  
>>1
>> VALUE   China-Telecom-Charging-Type Pre-paid
>>2
>> VALUE   China-Telecom-Charging-Type
>> Both-post-and-pre-paid  3
>> 
>> 
>> When you do get the real attribute definitions please send us a copy.
> 
> Hello Mlungisi, Hello Hugh,
> 
> here's another doc I found:
> http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/feature/guide/pdsn5_0_fcs.pdf
> 
> 
> I propose this. It's the same as Hugh suggested but here the vendor name
> follows an existing example. I also changed the value names to follow
> the existing Dashes-And-Capitals notation the dictionary mostly uses.
> 
> Mlungisi, please let us know if you get reasonably looking attributes
> with these dictionary entries. Also, as Hugh mentions, if you have or
> find out more information about the attributes, please let us know.
> 
> #
> # China Telecom-Guangzhou Research and Development Center (Huawei)
> #
> VENDORCNCTC   20942
> CNCTC-Charging-Type   100 integer
> CNCTC-Served-MDN  101 string
> 
> VALUE CNCTC-Charging-Type 1 Post-Paid
> VALUE CNCTC-Charging-Type 2 Pre-Paid
> VALUE CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
> 
> Thanks,
> Heikki
> 




Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine
Hello Mlungisi -

The IANA list shows vendor 20942 to be China Telecom:

20942  China Telecom-Guangzhou Research and Development Center    guomw      guomw&gsta.com;liuchenglong&huawei.com

see http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

Until you get the real attribute definitions, you can add something like this to your Radiator dictionary:

#
# Vendor-specific attributes for China Telecom
#
VENDOR          China-Telecom     20942
VENDORATTR      20942       China-Telecom-Attr-100                 100       string

I also found the following with a quick Google search on "China Telecom radius attributes" at:

http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22yd3/feature_guide/ha_othera_3.html#wp1079945

…..

Interaction with AAA

The HA will deal with the following attributes during the interaction with AAA for authentication and Accounting,

• Correlation-Id
  The received Correlation-Id in RRQ is sent in Accounting Start/Stop/Interim Messages to the AAA server. This attribute is not included during Authentication with AAA.

• Calling-Station-Id
  The received Calling-Station-Id in RRQ is sent in an Access-Request during Authentication with AAA for MN subscriber. This attribute is also sent in Accounting Start/Stop/Interim Messages to AAA server. The HA sends the Calling-Station-Id to AAA in the format of standard RADIUS Attribute [31], as defined in RFC 2865.

• Served-MDN
  The HA receives the Served MDN value in an Access-Accept after successful authentication with the AAA server. The received attribute is sent in Accounting Start/Stop Messages only to the AAA for accounting purposes.

• Charging-Type
  The HA receives the Charging-Type value in an Access-Accept after successful authentication with the AAA server. The received attribute is sent in Accounting Start/Stop messages only to the AAA for accounting purposes. Charging-Type values include the following:
  – 0x0001 - Post-paid accounting
  – 0x0002 - Pre-paid accounting
  – 0x0003 - both post-paid and pre-paid accounting

• HA-Service-Address
  The HA sends the user's HA service address to the AAA in an accounting-start message.

Table 16-1 illustrates how the HA incorporates the attribute values in various Radius messages (RFC 2865 and 2866) during interaction with AAA.

Table 16-1  HA Attributes in Radius Messages During …

Attribute            Attribute Value   Access-Request  Access-Accept  Accounting-Start  Accounting-Stop  Accounting-Interim-Update
Calling-Station-Id   31                0-1             0              0-1               0-1              0-1
Correlation-Id       26/5535/44        0               0              0-1               0-1              0-1
Served-MDN           26/ 20942/ 1-10-10-10   (cells not separable in the archived copy)
Charging-Type        26/20942/101      0               0-1            0-1               0-1              0
HA-Service-Address   26/5535/7         0               0              0-1               0-1              0

So you could add the following to your dictionary:

#
# Vendor-specific attributes for China Telecom
#
VENDOR          China-Telecom     20942

VENDORATTR      20942       China-Telecom-Served-MDN                    100       string
VENDORATTR      20942       China-Telecom-Charging-Type                 101       integer

VALUE           China-Telecom-Charging-Type         Post-paid               1
VALUE           China-Telecom-Charging-Type         Pre-paid                2
VALUE           China-Telecom-Charging-Type         Both-post-and-pre-paid  3

When you do get the real attribute definitions please send us a copy.

regards

Hugh


On 19 Sep 2013, at 17:17, Mlungisi Sibanda  wrote:

> Hello,
> 
> We are getting an attribute error below in our debug log.
> 
> ERR: Attribute number 100 (vendor 20942) is not defined in your dictionary
> 
> This is supposed to be an accounting attribute and the vendor belongs to China Telecom. We have been asked to forward attribute values so that they can be added to the default dictionary but we can't seem to find these values.
> 
> Does anyone have these attributes?
> 
> We are kinda desperate.
> 
> Regards
> Mlungisi
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
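Added example, not from the thread and not Radiator code: a Python parser for the dictionary entry formats discussed in this thread (VENDOR, VENDORATTR, VALUE and ATTRIBUTE lines) with a (vendor, number) lookup that produces the same ERR line Mlungisi saw when an attribute is undefined, plus checks that flag the two slips in the earlier draft: attribute lines without the VENDORATTR keyword, and VALUE lines with the number before the value name. Both sample dictionaries are constructed from the thread's text; the field order follows Heikki's corrected version, and the Calling-Station-Id ATTRIBUTE line is added only to show the non-vendor case.

```python
"""Parser and sanity checker for Radiator-style dictionary entries.

Constructed example for the vendor 20942 thread; not Radiator's own
dictionary loader. Field order follows the corrected proposal:
  VENDOR      <name> <number>
  ATTRIBUTE   <name> <number> <type>
  VENDORATTR  <vendor-number> <name> <number> <type>
  VALUE       <attr-name> <value-name> <number>
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the corrected proposal from the thread.
PROPOSED = """
#
# China Telecom-Guangzhou Research and Development Center (Huawei)
#
ATTRIBUTE   Calling-Station-Id  31  string
VENDOR      CNCTC   20942
VENDORATTR  20942   CNCTC-Charging-Type 100 integer
VENDORATTR  20942   CNCTC-Served-MDN    101 string

VALUE CNCTC-Charging-Type Post-Paid   1
VALUE CNCTC-Charging-Type Pre-Paid    2
VALUE CNCTC-Charging-Type Post-Paid-And-Pre-Paid  3
"""

# Constructed sample: the earlier draft, with attribute lines that lack the
# VENDORATTR keyword and VALUE lines with number and name swapped.
DRAFT = """
VENDOR  CNCTC   20942
CNCTC-Served-MDN    100 string
CNCTC-Charging-Type 101 integer

VALUE   CNCTC-Charging-Type 1 Post-Paid
VALUE   CNCTC-Charging-Type 2 Pre-Paid
"""


@dataclass
class Dictionary:
    vendors: Dict[int, str] = field(default_factory=dict)                      # vendor number -> name
    attrs: Dict[Tuple[int, int], Tuple[str, str]] = field(default_factory=dict)  # (vendor, number) -> (name, type)
    values: Dict[str, Dict[int, str]] = field(default_factory=dict)             # attr name -> number -> value name
    errors: List[str] = field(default_factory=list)


def parse_dictionary(text: str) -> Dictionary:
    """Parse dictionary text; vendor 0 is used for plain ATTRIBUTE entries."""
    d = Dictionary()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        f = line.split()
        kw = f[0]
        if kw == "VENDOR" and len(f) == 3 and f[2].isdigit():
            d.vendors[int(f[2])] = f[1]
        elif kw == "ATTRIBUTE" and len(f) == 4 and f[2].isdigit():
            d.attrs[(0, int(f[2]))] = (f[1], f[3])
        elif kw == "VENDORATTR" and len(f) == 5 and f[1].isdigit() and f[3].isdigit():
            vendor, number = int(f[1]), int(f[3])
            if vendor not in d.vendors:
                d.errors.append(f"line {lineno}: VENDORATTR refers to undefined vendor {vendor}")
            if (vendor, number) in d.attrs:
                d.errors.append(f"line {lineno}: duplicate attribute {number} for vendor {vendor}")
            d.attrs[(vendor, number)] = (f[2], f[4])
        elif kw == "VALUE" and len(f) == 4:
            if f[3].isdigit():
                d.values.setdefault(f[1], {})[int(f[3])] = f[2]
            elif f[2].isdigit():
                d.errors.append(f"line {lineno}: VALUE fields swapped, expected "
                                f"VALUE <attr> <name> <number>: {line}")
            else:
                d.errors.append(f"line {lineno}: VALUE without a numeric value: {line}")
        else:
            d.errors.append(f"line {lineno}: unrecognised entry "
                            f"(missing ATTRIBUTE/VENDORATTR keyword?): {line}")
    return d


def lookup(d: Dictionary, vendor: int, number: int) -> Optional[Tuple[str, str]]:
    """Resolve a received (vendor, attribute number) pair to (name, type)."""
    return d.attrs.get((vendor, number))


def describe(d: Dictionary, vendor: int, number: int, value=None) -> str:
    """Render an attribute as a dictionary-aware decoder would, or the ERR
    text from the thread when the dictionary does not define it."""
    found = lookup(d, vendor, number)
    if found is None:
        return f"ERR: Attribute number {number} (vendor {vendor}) is not defined in your dictionary"
    name, typ = found
    if value is None:
        return f"{name} ({typ})"
    if typ == "integer":
        value = d.values.get(name, {}).get(int(value), value)  # map enum to its VALUE name
    return f"{name} = {value}"


if __name__ == "__main__":
    good = parse_dictionary(PROPOSED)
    print(describe(good, 20942, 100, 2))
    for err in parse_dictionary(DRAFT).errors:
        print(err)
```

The draft produces four errors (two attribute lines without a keyword, two swapped VALUE lines) and leaves (20942, 100) unresolved, which is exactly the condition behind the ERR line in the debug log; the corrected proposal resolves it to CNCTC-Charging-Type and maps value 2 to Pre-Paid.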

Re: [RADIATOR] AddressAllocator DHCP and STOP Accounting packets

2013-09-18 Thread Hugh Irvine

Hello Vangelis -

An accounting stop should release the address.

I will need to see a copy of your configuration file together with a trace 4 
debug showing an accounting start and an accounting stop.

regards

Hugh


On 18 Sep 2013, at 23:44, Vangelis Kyriakakis  wrote:

> Hello,
> 
> I'm trying to use AuthBy DYNADDRESS combined with AddressAllocator
> DHCP in order to allocate IPv4 addresses from an DHCP server.
> IP allocation during authentication is working fine but there is no any
> de-allocation happening with the STOP accounting packet. Is this the
> expected behaviour?
> 
>  Regards
>  Vangelis




Re: [RADIATOR] MongoDB \ Accounting

2013-07-28 Thread Hugh Irvine

Hello Joe -

I would be inclined to use method d) so you get a copy of the accounting 
requests in a separate process where you can do whatever you need to without 
impacting your main process.

You would do something like this (assuming you are using Handlers):


…..



AuthByPolicy ContinueAlways



# forward a copy to a separate process

……

IgnoreAccountingResponse





# do normal accounting

…..






It's also a good idea to have separate Radiator processes for authentication and 
accounting in any case.

regards

Hugh



On 28 Jul 2013, at 18:21, Joe Hughes  wrote:

> Hi
> 
> Simple question really.
> 
> I want to introduce MongoDB as a "test" server for storing accounting and 
> session data.
> 
> We currently use MSSQL, it works well, but the large amount of data (and 
> related joins into other data islands) can become unwieldy over time - 
> especially for historic reporting. I have done some work with MongoDB and 
> other systems (with relatively straight forward schemas), and storing 
> accounting\session seems well suited for this.  Don't get me wrong, its not 
> that MSSQL\MySQL aren't up to the task, I just think this is well suited for 
> NoSQL and I am keen to satisfy my technical curiosity..
> 
> I am considering the best ways of getting the accounting data from our RADIUS 
> servers \ SQL databases into MongoDB.
> 
> Looking for some feedback\comments.
> 
> Some options;
> 
> a) Write a accounting hook to break apart the accounting message, construct a 
> JSON request and send it off to a remote application server. * Downside is 
> the risk of blocking\disrupting the main process.
> 
> b) Spool the messages to disk, have an out-of-process script parse the files, 
> construct a JSON (or MongoDB request) , send it to a remote server and delete 
> the file. Downside is some disk\write IO, nothing too taxing. * Out of 
> process = good.
> 
> c) At the DB level, clone the accounting messages into another table. Script 
> reads the rows, processes as above, then deletes the rows. * Some extra DB 
> load.
> 
> d) Possibly silently forwarding (or replicating) the accounting message to 
> another server and doing one of the above
> 
> Anything I have missed. I am leaning towards b) or c)
> 
> Is anybody else using NoSQL for this type of application? Any feedback?
> 
> Regards
> 
> Joe
> 
> 
> 
> 
> 
> 




Re: [RADIATOR] logging EAP method

2013-07-11 Thread Hugh Irvine

Hello Stuart -

Have a look at the code in "Radius/EAP.pm".

The EAPType is added to the current request as 

$p->{EAPType}

and the name is added as

$p->{EAPTypeName}

You can easily write a little hook to use one or the other or both.

regards

Hugh


On 12 Jul 2013, at 04:32, Stuart Kendrick  wrote:

> Is there a way to log the EAP method employed?
> 
> I'm doing this currently:
> LogSuccess 1
> SuccessFormat%l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: 
> %{Calling-Station-Id}: %{Called-Station-Id}
> LogFailure 1
> FailureFormat%l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: 
> %{Calling-Station-Id}: %{Called-Station-Id}
> 
> I was imagining something like %{EAP Method} ... but I don't see such a 
> token defined in "Section 5.2 Special characters" of the manual (pp. 
> 20-24) ...
> 
> [I'm trying to figure out which clients are still using LEAP ... ergo my 
> desire to log the EAP method ...]
> 
> --sk
> 
> Stuart Kendrick
> FHCRC




Re: [RADIATOR] Redirect Clients when Capped

2013-07-03 Thread Hugh Irvine

Hello Robert -

You will probably need a hook to do this sort of thing.

See the example hooks in "goodies/hooks.txt".

regards

Hugh


On 3 Jul 2013, at 19:17, Robert kennedy  wrote:

> 
> Hi All
>  
> I’m running an older version of radiator. 3.6 to be exact.
>  
> I would like to redirect users when they are capped. I do see the Ascend 
> client DNS attributes, but I cannot seem to figure out how to use them only 
> when a user is capped.
>  
> I did read the FAQ and saw how they used the Ascend DNS attribute, but it 
> doesn’t seem to help me for capped users only.
>  
> I’ve tried this, which has failed badly: I get "WARNING: No such attribute 
> Ascend-Client-Primary-DNS". From my radius.cfg:
>  
> 
> Identifier AuthLocal
>  
> DBSource dbi:Pg:dbname=visp;host=127.0.0.1
> DBUsername radiator
> DBAuth  xx
> Timeout 2
> RejectEmptyPassword
>  
> AuthSelect select CAST(CASE WHEN adsl.token = 'test_online' THEN \
> 'x.x.x.x' ELSE 'x.x.y.y' END AS varchar) as \
> dns, adsl.pass_word, adsl.adsl_class_id, \
> adsl_disconnect_time_bw_cap (%0) as session_timeout, \
> login_limit, adsl.token \
> from adsl_accounts adsl, services s where \
> adsl.bw_allowed <> 0 and adsl.username=%0 and adsl.enabled='1' \
> and adsl.account_id=s.account_id and adsl.bw_allowed > adsl.bw_used
>  
> AuthColumnDef 0, Ascend-Client-Primary-DNS, reply
> AuthColumnDef 1, Password, check
> AuthColumnDef 2, Class, reply
> AuthColumnDef 3, Session-Timeout, reply
> AuthColumnDef 4, Simultaneous-Use, check
> AuthColumnDef 5, Configuration-Token, reply
>  
> 
>  
>  
> Any help would be greatly appreciated.
>  
> Warm Regards
>  
> Robert
> 
> Technical HOD
> tel. 011 317 1800 fax. 0866 467 737 cell. email. 
> rob...@onlinedirect.co.za
> 
> 
> This email and any files transmitted with it is confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. If 
> you have received this email in error please notify the system manager. 
> Please note that any views or opinions presented in this email are solely 
> those of the author and do not necessarily represent those of the company. 
> The company accepts no liability for any damage caused by any virus 
> transmitted by this email.


Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-06-26 Thread Hugh Irvine

Hello Jason -

According to section 5.5 in the Radiator 4.11 reference manual ("doc/ref.pdf") 
you need to specify both ipv6 and ipv4 like this:


BindAddress  ipv6:::, 0.0.0.0


5.5 Address binding

One of the main functions of Radiator is to listen for UDP packets and TCP 
connections from other systems according to the Radiator configuration. The 
various Radiator clauses that can accept packets or connections from other 
systems all support the BindAddress parameter, which controls which IP 
addresses Radiator will listen on. IP packets sent to an IP address which is on 
the Radiator host, but which Radiator has not bound with BindAddress will not 
be received by Radiator.

The driver for this is that a single host may have multiple IP addresses, and 
those addresses may be IPV4, IPV6 and/or IPV4-over-IPV6. You may require 
Radiator to only honour requests directed to one of or a subset of the IP 
addresses for the host.

With BindAddress you can control which destination IP addresses Radiator will 
accept. You can specify one or more IPV4 or IPV6 addresses, including wildcard 
addresses. You can specify one or more comma separated bind addresses in the 
BindAddress parameter. The following forms may be used:

• 0.0.0.0 (the default) Any IPV4 address on the host

• 1.2.3.4 A specific IPV4 address on the host

• ipv6::: Any IPV6 address on the host (and this may include any 
IPV4-over-IPV6 address, depending on how the host is configured)

• ipv6:2001:610:148:100::31 A specific IPV6 address on the host

They may be combined in one BindAddress parameter like so:

BindAddress 0.0.0.0
BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31 
BindAddress ipv6:::, 0.0.0.0

Hint: Linux also has a special file to control the system wide behaviour: 
/proc/sys/net/ipv6/bindv6only

By default this seems to be 0. When it is 0, this will not work as expected: 

BindAddress ipv6:::, 0.0.0.0

But if it is set to 1, the IPV6 bind will not include the IPV4 bind and will 
work as expected.

Hint: In order to support IPV6 addresses, you must install the Perl Socket6 
module.


regards

Hugh



On 27 Jun 2013, at 08:56, "Mueller, Jason C"  wrote:

> Hello,
> 
> I am using Radiator 4.11.
> 
> I will show relevant portions of my config and then comment on them (IP 
> addresses changed and Secret ***'d out to protect the guilty):
> --
> BindAddress ipv6:::
> AuthPort  1812
> AcctPort  1813
> # ipv6 client
> 
>   Secret  ***
>   DupInterval 0
>   AddToReply Session-Timeout=0,cisco-avpair=shell:roles="network-admin"
> 
> # ipv4 client
> 
>   Secret  ***
>   DupInterval 0
>   AddToReply Session-Timeout=0,Filter-Id=15
> 
> # ipv4 subnet
> 
>   Secret  ***
>   DupInterval 0
>   AddToReply Session-Timeout=0,Filter-Id=10
> 
> --
> 
> When I use the "BindAddress ipv6:::" configuration parameter, neither of the 
> IPv4 client definitions work. Radiator will give the following log message:
> Wed Jun 26 16:56:38 2013: NOTICE: Request from unknown client 128.255.90.90: ignored
> 
> In the above configuration, the IPv6 client works just fine.
> 
> If I add a "<Client DEFAULT>" clause when I still have the "BindAddress 
> ipv6:::" parameter configured, the IPv4 clients that I want to match more 
> specifically will match on the DEFAULT client stanza. I cannot have a DEFAULT 
> client stanza in my config.
> 
> Additionally, if I remove the "BindAddress ipv6:::" parameter from the config 
> (or comment it out), then the IPv4 clients work as expected.
> 
> It appears that when I enable IPv6 like above, that I lose my ability to 
> match on more specific IPv4 client clauses, and I have to use the DEFAULT 
> client stanza, which is not an option for me.
> 
> Thoughts? Any help is appreciated.
> 
> -Jason
> 
> 

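The manual excerpt Hugh quotes says that ipv6::: may also pick up IPv4-over-IPv6 traffic, depending on how the host (bindv6only) is configured. The following is an added example (mine, not Radiator's code) of the client lookup any dual-stack listener has to perform in that situation: a peer that arrives on the IPv6 socket as an IPv4-mapped address (::ffff:a.b.c.d) is unmapped before it is compared with IPv4 Client entries, so IPv4 hosts and subnets keep hitting their own clause instead of falling through to DEFAULT. The client table and all addresses are constructed placeholders; the page does not say how Radiator 4.11's own lookup behaves, so this shows only the general mechanism.

```python
"""Match a RADIUS peer address against Client entries behind an ipv6::: listener.

Added example, not Radiator code. A socket bound to the IPv6 wildcard with
bindv6only=0 also receives IPv4 datagrams, reporting the sender as an
IPv4-mapped address such as ::ffff:192.0.2.10.
"""
import ipaddress

# Constructed client table with the shape of the poster's config: one IPv6 host,
# one IPv4 host and one IPv4 subnet (documentation addresses, not real devices).
CLIENTS = {
    "2001:db8::10": "ipv6-switch",
    "192.0.2.10": "ipv4-switch",
    "192.0.2.64/26": "ipv4-subnet",
}


def normalize_peer(addr):
    """Turn a peer address as reported by a dual-stack socket into the form Client
    entries use: ::ffff:a.b.c.d becomes a.b.c.d, anything else is returned as-is.
    A link-local zone id (fe80::1%eth0) is stripped before parsing."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def find_client(clients, peer):
    """Return the name of the most specific client entry covering peer, or None.
    Longer prefixes win (a host entry beats a subnet); there is no DEFAULT fallback,
    which is the behaviour the poster wants."""
    ip = normalize_peer(peer)
    best = None
    for spec, name in clients.items():
        net = ipaddress.ip_network(spec, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, name)
    return best[1] if best else None


if __name__ == "__main__":
    for peer in ("::ffff:192.0.2.10", "::ffff:192.0.2.70", "2001:db8::10", "198.51.100.1"):
        print("%-22s -> %s" % (peer, find_client(CLIENTS, peer)))
```

Without the unmapping step, an IPv4 peer seen through the IPv6 socket compares as an IPv6 address and matches none of the IPv4 entries. With bindv6only=1 (or IPV6_V6ONLY on the socket) no mapped addresses arrive at all, and the two binds Hugh recommends, ipv6::: and 0.0.0.0, each see only their own address family.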

Re: [RADIATOR] Error: Attribute number 1 (vendor 3561) is not defined in your dictionary

2013-06-26 Thread Hugh Irvine

Hello -

These attributes are defined in the Radiator 4.11 dictionary:


VENDOR      ADSL-Forum  3561
VENDORATTR  3561  DSLForum-Agent-Circuit-Id                        1    string
VENDORATTR  3561  DSLForum-Agent-Remote-Id                         2    string
VENDORATTR  3561  DSLForum-Actual-Data-Rate-Upstream               129  integer
VENDORATTR  3561  DSLForum-Actual-Data-Rate-Downstream             130  integer
VENDORATTR  3561  DSLForum-Minimum-Data-Rate-Upstream              131  integer
VENDORATTR  3561  DSLForum-Minimum-Data-Rate-Downstream            132  integer
VENDORATTR  3561  DSLForum-Attainable-Data-Rate-Upstream           133  integer
VENDORATTR  3561  DSLForum-Attainable-Data-Rate-Downstream         134  integer
VENDORATTR  3561  DSLForum-Maximum-Data-Rate-Upstream              135  integer
VENDORATTR  3561  DSLForum-Maximum-Data-Rate-Downstream            136  integer
VENDORATTR  3561  DSLForum-Minimum-Data-Rate-Upstream-Low-Power    137  integer
VENDORATTR  3561  DSLForum-Minimum-Data-Rate-Downstream-Low-Power  138  integer
VENDORATTR  3561  DSLForum-Maximum-Interleaving-Delay-Upstream     139  integer
VENDORATTR  3561  DSLForum-Actual-Interleaving-Delay-Upstream      140  integer
VENDORATTR  3561  DSLForum-Maximum-Interleaving-Delay-Downstream   141  integer
VENDORATTR  3561  DSLForum-Actual-Interleaving-Delay-Downstream    142  integer
VENDORATTR  3561  DSLForum-Access-Loop-Encapsulation               144  string
VENDORATTR  3561  DSLForum-IWF-Session                             254  integer


regards

Hugh


On 26 Jun 2013, at 20:22, Muni Raj  wrote:

> 
> Hi, I am getting the following error in my radiator. Could someone help with 
> investigating this?
> -- 
> Regards
> 
> P.Muniraj
> 
> 
> 

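The listing above shows the VENDOR / VENDORATTR line format Radiator's dictionary uses. The following is an added example (mine, not Radiator's dictionary code) that parses that line format into a lookup table and uses it to decode the sub-attributes inside a RADIUS Vendor-Specific attribute, flagging the same condition the subject line describes when a (vendor, number) pair is absent. The dictionary fragment, the circuit id and the sub-attribute contents are constructed for the demonstration; the VSA layout is the one RFC 2865 section 5.26 defines.

```python
"""Decode a RADIUS Vendor-Specific attribute using Radiator-style dictionary lines.

Added example, not Radiator code. Undefined (vendor, number) pairs are reported
instead of silently dropped, which is what the error in the subject line is about.
"""
import struct

# Constructed dictionary fragment in Radiator's VENDOR / VENDORATTR line format
# (attribute 3 is deliberately left out to trigger the "not defined" path).
DICTIONARY_TEXT = """
# ADSL Forum attributes (RFC 4679)
VENDOR      ADSL-Forum  3561
VENDORATTR  3561  DSLForum-Agent-Circuit-Id           1    string
VENDORATTR  3561  DSLForum-Agent-Remote-Id            2    string
VENDORATTR  3561  DSLForum-Actual-Data-Rate-Upstream  129  integer
"""

ATTR_VENDOR_SPECIFIC = 26


def parse_dictionary(text):
    """Return ({vendor_id: vendor_name}, {(vendor_id, number): (attr_name, type)}).
    Other keywords (ATTRIBUTE, VALUE, ...) and '#' comments are ignored."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "VENDOR" and len(fields) >= 3:
            vendors[int(fields[2])] = fields[1]
        elif fields[0] == "VENDORATTR" and len(fields) >= 5:
            attrs[(int(fields[1]), int(fields[3]))] = (fields[2], fields[4])
    return vendors, attrs


def decode_vsa(value, attrs):
    """Decode the value of one Vendor-Specific attribute: a 4-byte vendor id followed
    by (vendor-type, vendor-length, data) sub-attributes. Returns [(name, decoded)];
    an undefined number yields name None with (vendor, number, raw) so it can be logged."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its 4-byte vendor id")
    vendor = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated sub-attribute header at offset %d" % pos)
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad sub-attribute length %d at offset %d" % (vlen, pos))
        data = value[pos + 2:pos + vlen]
        entry = attrs.get((vendor, vtype))
        if entry is None:
            out.append((None, (vendor, vtype, data)))
        else:
            name, typ = entry
            if typ == "integer" and len(data) == 4:
                out.append((name, struct.unpack("!I", data)[0]))
            else:
                out.append((name, data.decode("utf-8", "replace")))
        pos += vlen
    return out


def undefined_numbers(decoded):
    """(vendor, number) pairs the dictionary lacked, for the 'not defined' report."""
    return [(v, n) for name, payload in decoded if name is None for v, n, _ in [payload]]


def encode_vsa(vendor, subattrs):
    """Build a VSA value from (vendor-type, bytes) pairs; used for the constructed sample."""
    body = b"".join(bytes([t, len(d) + 2]) + d for t, d in subattrs)
    return struct.pack("!I", vendor) + body


# Constructed sample: a circuit id, an upstream rate, and sub-attribute 3 which the
# dictionary fragment above does not define.
SAMPLE_VSA = encode_vsa(3561, [(1, b"eth 0/1:100"), (129, struct.pack("!I", 1024)), (3, b"x")])

if __name__ == "__main__":
    vendors, attrs = parse_dictionary(DICTIONARY_TEXT)
    decoded = decode_vsa(SAMPLE_VSA, attrs)
    for name, val in decoded:
        print(name or "UNDEFINED", val)
    for vendor, number in undefined_numbers(decoded):
        print("Attribute number %d (vendor %d, %s) is not defined in your dictionary"
              % (number, vendor, vendors.get(vendor, "unknown vendor")))
```

Running the check against a copy of the live dictionary, rather than the fragment above, tells you directly whether the (3561, 1) pair from the subject line is present in the file Radiator actually loads.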
