Re: (RADIATOR) altiga radius profile
Hello Edoardo,

Have you seen this URL? http://www.cisco.com/warp/public/471/VSAs_rev22.html

I think this is what you are looking for.

Thanks,
Matt

At 05:34 PM 28/12/2000 +0100, Edoardo Martelli wrote:
> hi all
>
> does anybody know the radius attributes that an altiga/cisco vpn3005 needs to receive to authenticate groups and users?
>
> thank you
> Edoardo
> --
> [EMAIL PROTECTED]
> phone: +39 051 6139242
> fax: +39 051 6114455
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

--
Matthew Nichols - Customer Support Engineer, Asia Pacific TAC
cisco Systems, Building B, Level 10, 821-843 Pacific Hwy, Chatswood NSW 2067, Australia
Ph: +61 2 8448 7038 Fx: +61 2 8448 7971
Email: [EMAIL PROTECTED]
Re: (RADIATOR) multiple cisco-avpair attributes
Christian,

cisco avpairs can be issued multiple times from radiator.. we are doing it here. The only restriction we found is that you can only issue one avpair of one type... eg.

    AddToReply cisco-avpair="ip:addr-pool=setup_pool\ndns-servers=212.117.64.86 212.117.67.2\nidletime=89"

Note the \n telling the router the end of the command. I am not sure if this works for IP but it certainly does work for any interface-config options, eg

    cisco-avpair = "lcp:interface-config=ip policy route-map Route\nip access-group 100 in\nip access-group 101 out"

This will allow you to define per-user configs via radius of different types.

Hope this helps

Regards,
Matt

At 08:22 AM 26/05/2000 +1000, you wrote:
> Hello Christian -
>
> On Thu, 25 May 2000, Christian Hammers wrote:
> > Hello
> >
> > As radiator is not able to fetch multiple attributes with the same name
> > via ReplaceIfNotExistence I'm looking for another way to supply them.
> >
> > Does anybody know a strange mixture of any Reply mechanisms that would
> > allow me to do what I want? Maybe using profiles, realms, default replies
> > and LDAP fetched replies together etc?
> >
> > bye,
> >
> > -christian-
> >
> > [now we need some more tacacs attributes for VPNs, too and don't want to
> > setup a tacacs server, too]
> > > cisco-avpair=ip:addr-pool=setup_pool
> > > cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
> > > cisco-avpair=ip:idletime=89
> > > Sadly radiator only takes one of them.
>
> There are a number of ways to do this. You can simply use an AddToReply if the
> attributes are always the same for a particular AuthBy, or you can define
> the relevant reply attributes as normal parts of individual user records, or
> you can set up DEFAULT/Auth-Type pairs to add the attributes that way. Perhaps
> if you describe your requirements in more detail I can assist in finding the
> best mechanism to use.
>
> regards
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

---
Matthew Nichols - Network/Systems Engineer CCNA
HunterLink Pty Ltd, Newcastle NSW Australia
Phone: +61 2 4969 0122 Fax: +61 2 4969 0133
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au
Re: (RADIATOR) advice requested on high availability configuration
Hello Jay,

If you have the resources, ie flash and memory (and are game enough!!) IOS 12.1(1)T supports AAA Broadcast Accounting. In the past a cisco router would allow you to configure multiple radius/tacacs(+) servers to use in the order they were configured, and in the event of a timeout the next server would be used. Broadcast accounting allows you to send the accounting records to multiple radius servers simultaneously.

There is also the ability to use different AAA server groups based on DNIS in 12.0(7)T and later. This feature has also been enhanced in 12.1(1)T to provide broadcast functionality.

The other feature that is available is configuring the same host multiple times for multiple processes on different ports without binding to different addresses, eg:

    radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
    radius-server host 1.1.1.1 auth-port 1812 acct-port 1813

This will allow you to run multiple radius processes on different ports on the same machine.

Check out the docs at:

For AAA Accounting Broadcast - http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/dt_aaaba.htm

And IOS 12.1 AAA - http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/index.htm

Just remember that 12.1(1) + mainline is based on 12.0(7)T. 12.1(1)T + is the "bleeding edge".

I know this will only solve part of your problem, but I thought it was worth mentioning on the list. You could set up different timeout values on the server for authentication requests and accounting, but this would require you to specify multiple groups, one for authentication and one for accounting.

Regards,
Matt

At 07:39 AM 6/04/2000 -0500, Jay West wrote:
> I'm not sure if this went out to the list, so pardon me if I'm reposting...
>
> > Current setup:
> > Two FreeBSD machines, each one running radiator (radius1 and radius2)
> > Two FreeBSD machines, each one running MySQL for the radiator database (mysql1 and mysql2)
> > Cisco 3640 router (NAS) terminating L2F sessions for each dialup user
> >
> > The cisco 3640 is set to try authenticating via radius first on radius1, and if that times out to authenticate on radius2. Radius1 uses the SQL database on mysql1 and radius2 uses the SQL database on mysql2. There are some high availability problems with this setup - if mysql1 goes down, the cisco won't know it and will keep querying radius1. The cisco does support (at the latest IOS release) rotating between multiple radius servers, but that would only let half the folks in.
> >
> > Changes I want to make:
> > What's the best way to set up high availability so that any host (except the router) can fail and things will still work? I'm not currently using maxlogins (or simultaneous-logins or maxsessions or whatever) but do plan to in the very near future. I see many possibilities - but the first one I'm thinking of is to set each of the two radius servers to query sql1 and if that fails query sql2 (this done via specifying multiple sql servers in the radius config file). But then the question becomes how to keep the databases in sync between sql1 and sql2. I could set up some batch process to copy the databases nightly, but doesn't this get in the way of trying to enforce multiple logon limits?
> >
> > On a directly related note - is there any problems with having two copies of radiator - one on each machine - working on the same database?
> >
> > Any hints from those who've done this before?? Net result should be two radiator machines and two sql machines and any one can fail.
> >
> > Thanks in advance!
> >
> > Jay West

---
Matthew Nichols - Network/Systems Engineer CCNA
HunterLink Pty Ltd, Newcastle NSW Australia
Phone: +61 2 4969 0122 Fax: +61 2 4969 0133
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au
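The two IOS features in the reply above combined into one configuration, as an added example that is not text from the thread: two server groups point at the same host on the two port pairs quoted in the reply, authentication still fails over between them in order, and accounting is broadcast to both so a record reaches the second radiator process even when the first never sees it. The group names and the shared-secret placeholder are assumptions, and the syntax should be checked against the 12.1(1)T documents linked in the reply.

```cisco
! Added example, not from the thread; assumes IOS 12.1(1)T or later and PPP dialup users
aaa new-model
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key SHARED-SECRET-PLACEHOLDER
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
!
! Two named groups (names are assumptions), one per radiator process on the same host
aaa group server radius RAD-A
 server 1.1.1.1 auth-port 1645 acct-port 1646
aaa group server radius RAD-B
 server 1.1.1.1 auth-port 1812 acct-port 1813
!
! Authentication is still tried in order: RAD-A first, RAD-B only after a timeout
aaa authentication ppp default group RAD-A group RAD-B
!
! Accounting is broadcast: every start/stop record is sent to both groups at once
aaa accounting network default start-stop broadcast group RAD-A group RAD-B
```

A distinct shared secret per process is preferable in practice; the single placeholder here only keeps the example short.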
Re: (RADIATOR) Cisco As5300 and VOIP and Debit card
Mark,

Make sure these are in your dictionary:

    VENDORATTR 9 cisco-h323-remote-address 23 string
    VENDORATTR 9 cisco-h323-conf-id 24 string
    VENDORATTR 9 cisco-h323-setup-time 25 string
    VENDORATTR 9 cisco-h323-call-origin 26 string
    VENDORATTR 9 cisco-h323-call-type 27 string
    VENDORATTR 9 cisco-h323-connect-time 28 string
    VENDORATTR 9 cisco-h323-disconnect-time 29 string
    VENDORATTR 9 cisco-h323-disconnect-cause 30 string
    VENDORATTR 9 cisco-h323-voice-quality 31 string
    VENDORATTR 9 cisco-h323-ivr-out 32 string
    VENDORATTR 9 cisco-h323-gw-id 33 string
    VENDORATTR 9 cisco-h323-call-treatment 34 string
    VENDORATTR 9 cisco-h323-ivr-in 100 string
    VENDORATTR 9 cisco-h323-credit-amount 101 string
    VENDORATTR 9 cisco-h323-credit-time 102 string
    VENDORATTR 9 cisco-h323-return-code 103 string
    VENDORATTR 9 cisco-h323-prompt-id 104 string
    VENDORATTR 9 cisco-h323-time-and-day 105 string
    VENDORATTR 9 cisco-h323-redirect-number 106 string
    VENDORATTR 9 cisco-h323-preferred-lang 107 string
    VENDORATTR 9 cisco-h323-redirect-ip-addr 108 string
    VENDORATTR 9 cisco-h323-billing-model 109 string
    VENDORATTR 9 cisco-h323-currency-type 110 string

Regards,
Matt

At 03:43 PM 7/03/00 +1300, you wrote:
> Has anyone used Radiator to send back the credit amount and credit time and
> return code in vsa's for the Cisco debit card platform? We use an As5300
> and are currently authing using radiator 2.15. The Cisco radius debug says
> the pair is an invalid format for type 26, 26 referring to vendor specific
> attribute I presume.
>
> We send and have defined in our dictionary:
>
>     vendorattr 9 Credit_Amount 101 string
>
> Radius handles it OK, the AS5300 does not.
>
> Help

---
Matthew Nichols - Network/Systems Engineer CCNA
HunterLink Pty Ltd, Newcastle NSW Australia
Phone: +61 2 4969 0122 Fax: +61 2 4969 0133
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au
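Added example, not code from the thread or from Radiator, serving both the cisco-avpair reply earlier on this page and the H.323 dictionary above: it encodes and decodes Cisco (vendor 9) VSAs inside RADIUS attribute 26 using the dictionary numbers quoted above, splits a packed multi-command cisco-avpair at the \n separators the way the NAS applies it, and checks the 247-byte payload limit that such packed values can exceed. The dictionary subset, the cisco-avpair vendor type of 1, and the sample values are assumptions.

```python
import struct

CISCO_VENDOR_ID = 9
# Subset of the thread's VENDORATTR numbers, plus cisco-avpair (vendor type 1, assumed here)
CISCO_DICT = {
    "cisco-avpair": 1,
    "cisco-h323-credit-amount": 101,
    "cisco-h323-credit-time": 102,
    "cisco-h323-return-code": 103,
}
NAME_BY_TYPE = {num: name for name, num in CISCO_DICT.items()}

# A RADIUS attribute is at most 255 bytes including its 2-byte header; a VSA spends
# 4 bytes on Vendor-Id and 2 on vendor type/length, leaving 247 bytes of string.
MAX_VSA_VALUE = 255 - 2 - 4 - 2


def encode_vsa(name, value):
    """Wire bytes of one Cisco VSA carried in RADIUS attribute 26 (Vendor-Specific)."""
    data = value.encode("ascii")
    if len(data) > MAX_VSA_VALUE:
        raise ValueError(f"{name}: {len(data)} bytes exceeds the {MAX_VSA_VALUE}-byte limit")
    vendor_part = struct.pack("!BB", CISCO_DICT[name], len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", 26, len(body) + 2) + body


def decode_vsa(raw):
    """Parse one attribute-26 blob back into (dictionary name, string value)."""
    attr_type, attr_len = struct.unpack("!BB", raw[:2])
    if attr_type != 26 or attr_len != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vtype, vlen = struct.unpack("!IBB", raw[2:8])
    if vendor_id != CISCO_VENDOR_ID or vlen != len(raw) - 6:
        raise ValueError("unexpected vendor id or inconsistent vendor length")
    return NAME_BY_TYPE.get(vtype, f"cisco-vsa-{vtype}"), raw[8:].decode("ascii")


def split_avpair(value):
    """Commands the NAS applies from a packed 'proto:attr=cmd1\\ncmd2...' cisco-avpair."""
    return value.split("\n")


def avpair_fits(value):
    """True if a packed cisco-avpair still fits in a single attribute 26."""
    return len(value.encode("ascii")) <= MAX_VSA_VALUE
```

The "invalid format for type 26" debug message in the question above is exactly what a length or vendor-type mismatch in this framing produces on the NAS side, so checking the encoded bytes against this layout is a quick first diagnostic.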