Re: (RADIATOR) suitable accounting package

1999-10-28 Thread Mike McCauley

Hi John.

Radiator is not tested here against any of those packages. However, a
billing package that uses mSQL should be amenable to interfacing with AuthBy
SQL.

There is a list of ISP billing packages that Radiator works with available on
the Radiator web site.

Cheers.


---
Mike McCauley [EMAIL PROTECTED]
Open System Consultants +61 3 9598 0985

Mike is travelling right now, and there may be delays
in our correspondence.
-Original Message-
From: John Gray [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, October 28, 1999 7:10 AM
Subject: (RADIATOR) suitable accounting package


Hi,

I am trying to select a suitable accounting package to use with Radiator.
Three I am considering are Optigold Plus, ISP Easy and NT Paymaster.  The
first two use Filemaker Pro as the database and the last one uses mSQL.

Does anyone know if they will work with Radiator and/or which one works
well?

Thanks,

John Gray

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.






Re: (RADIATOR) TimeLeft

1999-10-28 Thread John Vorstermans

Hi Hugh.

Yes, thanks for that, the TimeBanking option helps and I can confirm that 
the customer now does get cut off when their time goes into the negative.

However they can then dial-in again and get connected without a problem and 
stay on-line for as long as they like.  That is, if the Timeleft is a 
negative number.

Is this the correct action for Radiator?  That is, to accept authentication 
when Timeleft is a negative number or are you not concerned with this and 
only use this as a method of when to disconnect a user?

It seems to me that it would be useful to not allow authentication when the 
number is a minus/negative and return an error message to that effect but 
perhaps I have missed a point?

I'd be keen to hear your point of view Hugh?

Cheers and thanks for your help so far.

John



At 14:00 28/10/99 +1000, you wrote:

Hi John -

On Tue, 26 Oct 1999, John Vorstermans wrote:
  We have "Block User" set to Y in Platypus and the time gets subtracted just
  fine from the users total after a disconnect.  However we are using AuthBy
  EMERALD rather than AuthBy Platypus which may be the problem?
 

A - of course, that changes things.

  AuthBy Emerald is what Platypus recommend when running Radiator as this
  allows us to manage the User Attributes easily from within Platypus.  Does
  this mean I should look at a change in Emerald.pm?
 

I've checked the code, and as you say, AuthEMERALD decrements the time left
correctly. The code also respects the "TimeBanking" parameter to restrict user
time limits - have you tried that?

<Handler ...>
 <AuthBy EMERALD>
 TimeBanking
 
 </AuthBy>
</Handler>

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

--
John Vorstermans||We are what we repeatedly do.
Technical Manager   || - Aristotle
Actrix Networks




Re: (RADIATOR) HOW-TO ??

1999-10-28 Thread Gary

No joy Hugh...
Our setup is basic... can you see the problem ?

I test ring in from the office with a proper setup in the normal users
file, and it does not act on the rejectusers, and continues to
authenticate on the normal users file.


--
Trace 3

DbDir   /usr/local/raddb/

LogFile /var/log/radius/%Y%mradiator.log

AuthPort 1645

AcctPort 1646

include /usr/local/raddb/clients

# You will probably want to change this to suit your site.
<Realm DEFAULT>
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        AcceptIfMissing
        Filename /usr/local/raddb/rejectusers
        Nocache
    </AuthBy>
    <AuthBy FILE>
        Filename /usr/local/raddb/users
        Nocache
    </AuthBy>
    AcctLogFileName /var/log/radius/%Y%mdetail.log
    PasswordLogFileName /var/log/radius/%Y%mpassword.log
</Realm>

--



On Wed, 27 Oct 1999 08:40:05 +1000, Hugh Irvine wrote:


Hello Gary -

On Tue, 26 Oct 1999, Gary wrote:
 Is there some way to put users in the user file which only has a
 Caller-Id as a check item ... No username, no password etc
 
 Basically we want to trap certain numbers, assign them to a
 non-connected partition, give them 10 minute timers (or even just ten
 seconds) and basically just cost them money for their telephone calls 
 never provide any type of service to them.
 

Yes, you could do this with chained AuthBy's:

# Configure an AuthBy FILE to reject calling-station-id's

<Handler>
   AuthByPolicy ContinueWhileAccept
   <AuthBy FILE>
   AcceptIfMissing
   Filename %D/reject-calling-station-id
   </AuthBy>
   <AuthBy ...>
   
   </AuthBy>
   
</Handler>

And then in the file "reject-calling-station-id":

# Users file to reject calling-station-id's

DEFAULT Calling-Station-Id = 12345..., Auth-Type = Reject

DEFAULT Calling-Station-Id = 7890..., Auth-Type = Reject




Of course, instead of Auth-Type = Reject, you could return anything you like
including an IP address from a locked-in pool such as you describe.

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody


---
Ausmail 
Your virtual home on the net.
Email, News  Home pages.
---
Coming soon !!





Re: (RADIATOR) HOW-TO ??

1999-10-28 Thread Hugh Irvine


Hi Gary -

On Thu, 28 Oct 1999, Gary wrote:
 No joy Hugh...
 Our setup is basic... can you see the problem ?
 
 I test ring in from the office with a proper setup in the normal users
 file, and it does not act on the rejectusers, and continues to
 authenticate on the normal users file.
 
 
 --
 Trace 3
 
 DbDir   /usr/local/raddb/
 
 LogFile /var/log/radius/%Y%mradiator.log
 
 AuthPort 1645
 
 AcctPort 1646
 
 include /usr/local/raddb/clients
 
 # You will probably want to change this to suit your site.
 <Realm DEFAULT>
     AuthByPolicy ContinueWhileAccept
     <AuthBy FILE>
         AcceptIfMissing
         Filename /usr/local/raddb/rejectusers
         Nocache
     </AuthBy>
     <AuthBy FILE>
         Filename /usr/local/raddb/users
         Nocache
     </AuthBy>
     AcctLogFileName /var/log/radius/%Y%mdetail.log
     PasswordLogFileName /var/log/radius/%Y%mpassword.log
 </Realm>
 

Try running Radiator at Trace level 4 and have a look at the Access-Request
packets coming in. Do they have Calling-Station-Id present in the packet? And
if so, is your rejectusers file set up to match correctly? If you send me both
the debug trace and the rejectusers file, I'll have a look.

cheers

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
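
Added example (not from the thread and not Radiator's own code): a simplified Python model of the chained AuthBy FILE setup above, showing why a block list behind AcceptIfMissing falls through to the normal users file when the Access-Request carries no Calling-Station-Id or carries it in another format. The exact-match comparison, the lookup order (named entries, then DEFAULT entries) and all sample numbers, names and passwords are assumptions made for the illustration.

```python
ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed sample files; the numbers, user name and password are made up.
REJECT_USERS = """\
# Users file to reject calling-station-id's
DEFAULT Calling-Station-Id = 0355501234, Auth-Type = Reject

DEFAULT Calling-Station-Id = 0355509876, Auth-Type = Reject
"""

USERS = """\
gary User-Password = example-pass
    Service-Type = Framed-User
"""


def _items(text):
    """Split 'A = 1, B = 2' into {'A': '1', 'B': '2'}."""
    pairs = {}
    for item in text.split(","):
        if "=" in item:
            attr, value = item.split("=", 1)
            pairs[attr.strip()] = value.strip()
    return pairs


def parse_users(text):
    """Parse a users file: check items on the entry's first line,
    reply items on the indented lines that follow."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                      # indented: reply items
            if entries:
                entries[-1]["reply"].update(_items(line))
        else:                                     # new entry: name + check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0], "check": _items(rest), "reply": {}})
    return entries


def auth_by_file(entries, request, accept_if_missing=False):
    """One AuthBy FILE step. Returns (result, reason)."""
    user = request.get("User-Name")
    candidates = [e for e in entries if e["name"] == user]
    candidates += [e for e in entries if e["name"] == "DEFAULT"]
    for entry in candidates:
        check = dict(entry["check"])
        auth_type = check.pop("Auth-Type", None)
        # Assumption: each check item must equal the request attribute exactly,
        # so an attribute the NAS did not send can never match.
        if all(request.get(attr) == value for attr, value in check.items()):
            if auth_type == "Reject":
                return REJECT, "matched %s entry, Auth-Type = Reject" % entry["name"]
            return ACCEPT, "matched %s entry" % entry["name"]
    if accept_if_missing:
        return ACCEPT, "no entry matched, AcceptIfMissing"
    return REJECT, "no entry matched"


def continue_while_accept(steps, request):
    """AuthByPolicy ContinueWhileAccept: run each AuthBy in order and
    stop at the first one that does not accept."""
    result, trace = REJECT, []
    for label, entries, accept_if_missing in steps:
        result, reason = auth_by_file(entries, request, accept_if_missing)
        trace.append("%s: %s (%s)" % (label, result, reason))
        if result != ACCEPT:
            break
    return result, trace


def decide(request):
    """The two-step chain from the posted configuration."""
    steps = [("rejectusers", parse_users(REJECT_USERS), True),
             ("users", parse_users(USERS), False)]
    return continue_while_accept(steps, request)


def missing_check_attributes(entries, request):
    """Check attributes the file relies on that the request does not carry."""
    wanted = {a for e in entries for a in e["check"] if a != "Auth-Type"}
    return sorted(wanted - set(request))


if __name__ == "__main__":
    base = {"User-Name": "gary", "User-Password": "example-pass"}
    cases = {
        "blocked number": dict(base, **{"Calling-Station-Id": "0355501234"}),
        "other number": dict(base, **{"Calling-Station-Id": "0355500000"}),
        "blocked number, other format": dict(base, **{"Calling-Station-Id": "+61355501234"}),
        "no Calling-Station-Id sent": dict(base),
    }
    for name, req in cases.items():
        result, trace = decide(req)
        print("%-30s -> %s" % (name, result))
        for line in trace:
            print("    " + line)
        absent = missing_check_attributes(parse_users(REJECT_USERS), req)
        if absent:
            print("    request lacks: " + ", ".join(absent))
```

In this model the last two cases are accepted by the normal users file, which is the symptom reported in the thread and the reason to inspect the Access-Request at Trace level 4.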




(RADIATOR) radiator and mysql high availability config

1999-10-28 Thread Jay West

Greetings!

Just wanted to confirm my line of thinking on this with others. We want to
set up redundant radiator servers for our domain. We want to have a primary
and secondary, and NAS's will be told to check aaa in that order. If the
primary machine goes down, the secondary will still answer. We will be using
mySQL for the user database.

My thought was to have two machines, with each machine running both radiator
and mySQL. The radiator on the primary will use mySQL on the primary, the
radiator on the secondary will use mySQL on the secondary. This should
accomplish the above. Then we could set up radiator on the first machine to
use mySQL on the second machine (in addition) in case its own mySQL process
fails and vice-versa on the secondary.

Several questions:

1) Is this a good recommended configuration or is there something I'm
missing or a better way to accomplish high availability? Do we need more
machines?
2) In the above config, the primary takes the full load and the secondary
only comes into play if the primary is down. In general terms, what changes
would need to be made to implement load balancing between the two instead
(with one machine taking the full load if the other fails)?

Thanks!

Jay West





Re: (RADIATOR) radiator and mysql high availability config

1999-10-28 Thread Hugh Irvine


Hi Jay -

On Thu, 28 Oct 1999, Jay West wrote:
 Greetings!
 
 Just wanted to confirm my line of thinking on this with others. We want to
 set up redundant radiator servers for our domain. We want to have a primary
 and secondary, and NAS's will be told to check aaa in that order. If the
 primary machine goes down, the secondary will still answer. We will be using
 mySQL for the user database.
 
 My thought was to have two machines, with each machine running both radiator
 and mySQL. The radiator on the primary will use mySQL on the primary, the
 radiator on the secondary will use mySQL on the secondary. This should
 accomplish the above. Then we could set up radiator on the first machine to
 use mySQL on the second machine (in addition) in case its own mySQL process
 fails and vice-versa on the secondary.
 
 Several questions:
 
 1) Is this a good recommended configuration or is there something I'm
 missing or a better way to accomplish high availability? Do we need more
 machines?
 2) In the above config, the primary takes the full load and the secondary
 only comes into play if the primary is down. In general terms, what changes
 would need to be made to implement load balancing between the two instead
 (with one machine taking the full load if the other fails)?
 

I think my preference would be for four (4) machines. Two Radiator hosts,
configured as you describe for fallback by the NAS's, and two SQL hosts with
Radiator configured to switch from one to the other in case of failure. You
could even run a multi-port RAID box on the back end between the SQL hosts to
mirror all of your SQL data. From a performance point of view it is a good idea
to split the Radiator packet processing away from anything else.

Isn't it amazing how much horsepower you can buy these days for not much money?!

And don't forget your network infrastructure - you would ideally like to have
multiple ethernet switches and two NIC's per host.

Just my 2 bob's worth.

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody




Re: (RADIATOR) mysql requirements...

1999-10-28 Thread Jay West

I want to install mySQL for use with Radiator on FreeBSD 3.3Release.

The instructions say I'll need to install DBI and DBD. I can find DBI easily
and have installed it. However, where exactly do I find DBD for mySQL??

Thanks!

Jay West





Re: (RADIATOR) mysql requirements...

1999-10-28 Thread tom minchin

On Thu, Oct 28, 1999 at 06:37:34AM -0500, Jay West wrote:
 I want to install mySQL for use with Radiator on FreeBSD 3.3Release.
 
 The instructions say I'll need to install DBI and DBD. I can find DBI easily
 and have installed it. However, where exactly do I find DBD for mySQL??
 

You can find all those goodies in CPAN (http://www.cpan.org/) or on the
mysql web site (http://www.mysql.com/download_perl.html). CPAN tends to
have the newer versions (eg v1.2209).

[EMAIL PROTECTED]




(RADIATOR) Platypus Pitfalls?

1999-10-28 Thread Dean Brandt


Hi,

I've just got hold of Radiator and I already run Platypus. Over
the next few days I intend to attempt to get them to work in unison.

Can anyone shed any light on the possible pitfalls and the things 
I should be looking at before I start?

Thanks in advance

Dean Brandt

+-+
Cain Internet Services
Melbourne - Adelaide - Sydney - Brisbane - Bendigo
Australia
Ph/Fax: 61-3-93810595
Mobile: 0413247188
www.cain.net.au
+-+







(RADIATOR) Ye olde perenial ?

1999-10-28 Thread Gary

Before switching over to sql authentication I am cleaning up the users
file and adding DefaultReply to the various bits .

Now the old question...

is Service-Type = Framed-User a check or reply item... ??

Page 39 of the manual (hi Hugh :-) indicates its reply item, but I
thought it was a check item ?

Also I am wondering is there an equivalent DefaultCheck for check items
? (if there is I probably missed it in the manual :-) or should this be
a feature request ?

Gary



Re: (RADIATOR) Ye olde perenial ?

1999-10-28 Thread tom minchin

On Fri, Oct 29, 1999 at 12:13:45AM +1000, Gary wrote:
 Before switching over to sql authentication I am cleaning up the users
 file and adding DefaultReply to the various bits .
 
 Now the old question...
 
 is Service-Type = Framed-User a check or reply item... ??
 
 Page 39 of the manual (hi Hugh :-) indicates its reply item, but I
 thought it was a check item ?

I always had it as a reply item.

 
 Also I am wondering is there an equivalent DefaultCheck for check items
 ? (if there is I probably missed it in the manual :-) or should this be
 a feature request ?

Don't think so, just chuck a AuthBy FILE in front of the AuthBy SQL which
contains a DEFAULT line with the check items you want. Another method is
to use a handler which only matches the check items you want. Make sure
you have a default handler or realm that'll look at people who don't
check out properly and reject them (some NAS's get bitter and twisted if
you selectively ignore users - they start trying to use fall back RADIUS
servers and you can end up with no RADIUS service at all on that NAS for
all users).

[EMAIL PROTECTED]




Re: (RADIATOR) radiator and mysql high availability config

1999-10-28 Thread David Lloyd

On Thu, 28 Oct 1999, Hugh Irvine wrote:

On Thu, 28 Oct 1999, Jay West wrote:
 Greetings!
 
 Just wanted to confirm my line of thinking on this with others. We want to
 set up redundant radiator servers for our domain. We want to have a primary
 and secondary, and NAS's will be told to check aaa in that order. If the
 primary machine goes down, the secondary will still answer. We will be using
 mySQL for the user database.
 
 My thought was to have two machines, with each machine running both radiator
 and mySQL. The radiator on the primary will use mySQL on the primary, the
 radiator on the secondary will use mySQL on the secondary. This should
 accomplish the above. Then we could set up radiator on the first machine to
 use mySQL on the second machine (in addition) in case its own mySQL process
 fails and vice-versa on the secondary.
 
 Several questions:
 
 1) Is this a good recommended configuration or is there something I'm
 missing or a better way to accomplish high availability? Do we need more
 machines?
 2) In the above config, the primary takes the full load and the secondary
 only comes into play if the primary is down. In general terms, what changes
 would need to be made to implement load balancing between the two instead
 (with one machine taking the full load if the other fails)?

I think my preference would be for four (4) machines. Two Radiator hosts,
configured as you describe for fallback by the NAS's, and two SQL hosts with
Radiator configured to switch from one to the other in case of failure. You
could even run a multi-port RAID box on the back end between the SQL hosts to
mirror all of your SQL data. From a performance point of view it is a good idea
to split the Radiator packet processing away from anything else.

Isn't it amazing how much horsepower you can buy these days for not much money?!

If it helps, we are converting our setup to use 2 RADIUS machines, and one
SQL server on a RAID system.  This system will hold our session database
as well as our user database.  The RADIUS machines are arranged as one
primary, one backup.

I can't think of a good way to load-balance between two machines like
that, that is cheap and easy to do.  Most NASes I would think would not be
able to share between two different addresses.  The only way you could do
it, is to somehow set the machines up, and have something in between that
intelligently (cleverly in fact) routes the packets, like maybe a Radiator
acting as a proxy. But then you are adding many potential points of
failure, and it's probably not worth the work.  After all, the point would
be to have a backup if the primary failed, and the primary in this case
would be your proxy middleman.

Of course you could set up four machines, two proxies (configured
identically) and two real servers.  Then the proxies could load balance
somehow, and if one went down you'd have another.

But now we're talking about 4 machines instead of 2

===
David M. Lloyd  mailto:[EMAIL PROTECTED]

Administrator
Internet Express, Inc.
802 W. Broadway, Suite 0101
Madison, WI. 53713-1866
Voice: (608) 663-   http://www.inxpress.net
Fax: (608) 663-5595 mailto:[EMAIL PROTECTED]
Data: (608) 663-5551mailto:[EMAIL PROTECTED]

===





(RADIATOR) LDAP Request

1999-10-28 Thread Steven Ames


Would it be possible to modify the AuthLDAP modules so that instead
of (or in addition to to maintain backward compatibility) having
a single attribute that holds all of the reply items we can instead
set things up more like the SQL modules?

What I mean is under SQL you can do things like:

AuthColumnDef 2, Session-Timeout, reply

saying that the column 2 attribute is a reply item and should be
combined with 'Session-Timeout' to create 'Session-Timeout = X'.

Under LDAP the same thing could apply:

LDAPAttribute,  netmask, Framed-IP-Netmask, reply

stating that there is an LDAP attribute called 'netmask' which should
be used as the value for the reply string 'Framed-IP-Netmask'.

That'd make things so much cleaner in my LDAP databases ditto with
check items :)

-Steve





(RADIATOR) LDAP Request

1999-10-28 Thread Steven E. Ames

Would it be possible to modify the way that AuthLDAP handles reply
attributes? Right now they are all listed in a single replyattr
attribute. This is unwieldy for a lot of our tools and increases the
complexity of the parsing.

A better mechanism would be to handle them the same way as SQL is
handled. Under SQL you can put up a statement such as:

AuthColumnDef 2, Session-Timeout, reply

which tells the AuthBy module that the second column of results from the
SQL query will contain the value for the "Session-Timeout" reply
attribute. This lets you name things properly inside your SQL tables.
The "Session-Timeout" attribute can reside in a field named
"session-timeout". The same should apply to LDAP. I should be able to
put a statement into my config file that looks like:

LDAPAttribute, Session-Timeout, session-timeout, reply

which would put the value of 'session-timeout' from the LDAP database
into the reply attribute 'Session-Timeout'.

The same methodology should apply to check items. It only makes sense to
use the same mechanism for SQL and LDAP. Being different is
non-intuitive... having all of the return codes in one LDAP attribute is
very confusing.

The current method:

ReplyAttr replyitems

should be syntactically equivalent to:

LDAPAttribute, GENERIC, replyitems, reply

I really, really hope this makes sense... and that it gets implemented
:)

I already have everything in separate fields and have to run a separate
script to look them up and munge them into a single replyitems field.
BLECH!

Thanks,

-Steve





(RADIATOR) Radiator OVERHEATING

1999-10-28 Thread Andrew Kaplan

I am running Radiator on a Debian Box. It has stopped running about once
every 60 days. It stopped running yesterday and then again today. The
restart wrapper is installed. However, when problems arise "ps aux | grep
rad" verifies that radius is not running. I was told to send my config file
and a trace log. I have enclosed the log. But don't know what is meant by a
trace log.

Thanks in advance,

Andrew P. Kaplan, CNE, MCSE+Internet, MCT, CCNA, CCDA
CyberShore, Inc. -- Premium Internet Services --

CyberShore is now offering free Internet Seminars. On Tuesday, November 9th,
Ken Richters  will show you how to create a great looking Web site in about
15 minutes using Microsoft Frontpage 2000. To register or for more info
visit www.cshore.com/seminars

 radius.cfg


(RADIATOR) Intercepting Passwords

1999-10-28 Thread Kevin

We have a set of users who are currently authenticating from a system, in 
which the password is encrypted twice.  So, copying the encrypted values 
and inserting them into a normal password file, won't work for us.  We've 
set up a proxy in front of this auth server with Radiator, so that we can 
watch the cleartext passwords go by as the users authenticate, and compile 
a list of uids and passwords.  We are doing this now by uncommenting the 
lines in Radius.pm to watch the decoded passwords and dumping them into a 
separate log:

 # Uncomment this if you really want to see whats really
 # in the password. Useful for finding obscure bugs
 my $pwdump = Radius::AttrVal::pclean($pwdout);

 main::log($main::LOG_DEBUG, "Decoded password is $pwdump");
 # Append user:password to the separate log
 open(PWFILE, ">>/raddb/pwlog");
 print PWFILE "$userid:$pwdump\n";
 close(PWFILE);


This works fine, except we need to intercept just the ones that pass.
I have walked through some of the code and I think that the only time that 
our proxy calls the decode function is from AuthRADIUS.pm, in order to 
reencode it with the new secret.

What I'd like to do is this:

 my $pwtest = $p->decode_password($p->{Client}->{Secret});
 open(PWFILE, ">>/raddb/pwlog1");
 print PWFILE "$result:$user:$pwtest\n";
 close(PWFILE);


But, where would the best place to do this be?  My guess would be in the
function handle_request in AuthRADIUS.pm, but I kind of lose track around:
$self->forwardToNextHost($fp, $p, $rp, $port);
Where does the result come back?

Any ideas or explanations are welcome.

Thanks,


Kevin Haldeman
Systems Administrator
Midwest Internet
A OneMain.com Company, Your Hometown Internet





Re: (RADIATOR) Ye olde perenial ?

1999-10-28 Thread Hugh Irvine


Hello Gary -

On Fri, 29 Oct 1999, Gary wrote:
 Before switching over to sql authentication I am cleaning up the users
 file and adding DefaultReply to the various bits .
 
 Now the old question...
 
 is Service-Type = Framed-User a check or reply item... ??
 
 Page 39 of the manual (hi Hugh :-) indicates its reply item, but I
 thought it was a check item ?
 

Actually, Service-Type is both a check item and a reply item, although
different NAS's do different things. Some NAS's send it as a check item and
some don't, and some NAS's require it as a reply (notably Cisco) and others are
less fussy.

As Tom pointed out in his post, if the Service-Type = Framed-User (or
Login-User or whatever) is present in the Access-Request packets you can build
Handlers to deal with your different types of users (customers, admin staff,
network engineers, etc.).

 Also I am wondering is there an equivalent DefaultCheck for check items
 ? (if there is I probably missed it in the manual :-) or should this be
 a feature request ?
 

Don't forget that the format of a users file entry (including DEFAULT) is to
list *all* of the check items on the first line, then all of the reply items on
the following lines (remember the white space in the first column).

Again, your Handlers can match on multiple check items as well.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody




Re: (RADIATOR) LDAP Request

1999-10-28 Thread Steven E. Ames

Thanks for the quick reply Hugh. That works but (IMHO) it defeats the
purpose of having a database if you have to put the complete attribute
pair into it.

I actually just spent an hour or so migrating some code from AuthSQL.pm
to AuthLDAP.pm to do exactly what I want. Works great.

Is there some reason not to handle LDAP in the same manner as SQL? It
seems a bit cleaner. I'll send the new AuthLDAP.pm along to you shortly.
Any chance of getting you (or someone...) to look it over and maybe
make the changes a permanent feature of RADIATOR? I don't care if the
tag names change as long as I can keep the functionality... Otherwise
I'm looking at having to redo this every time AuthLDAP.pm gets updated by
you all.

-Steve

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Steven Ames [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, October 28, 1999 5:52 PM
Subject: Re: (RADIATOR) LDAP Request



> Hello Steven -
>
> On Fri, 29 Oct 1999, Steven Ames wrote:
> > Would it be possible to modify the AuthLDAP modules so that instead
> > of (or in addition to to maintain backward compatibility) having
> > a single attribute that holds all of the reply items we can instead
> > set things up more like the SQL modules?
> >
> > What I mean is under SQL you can do things like:
> >
> > AuthColumnDef 2, Session-Timeout, reply
> >
> > saying that the column 2 attribute is a reply item and should be
> > combined with 'Session-Timeout' to create 'Session-Timeout = X'.
> >
> > Under LDAP the same thing could apply:
> >
> > LDAPAttribute, netmask, Framed-IP-Netmask, reply
> >
> > stating that there is an LDAP attribute called 'netmask' which should
> > be used as the value for the reply string 'Framed-IP-Netmask'.
> >
> > That'd make things so much cleaner in my LDAP databases ditto with
> > check items :)
>
> You can already do this simply by putting multiple CheckAttr and ReplyAttr
> lines in your configuration file. The only caveat is that each LDAP field must
> contain the complete attribute=value pair.
>
> <Handler>
> <AuthBy LDAP>
>
> CheckAttr ServiceType # contains Service-Type = Framed-User
> CheckAttr
> ReplyAttr ServiceType # contains Service-Type = Framed-User
> ReplyAttr FramedIPAddress # Framed-IP-Address = x.x.x.x
> ReplyAttr FramedIPNetmask # Framed-IP-Netmask = y.y.y.y
> ReplyAttr
>
> </AuthBy>
> </Handler>
>
> See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.
>
> hth
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody






(RADIATOR) PreAuthHook - Adding Attribute?

1999-10-28 Thread Janet N del Mundo

Hi!

I'm trying to add an attribute to my accounting table in MS SQL, with a
PreAuthHook clause, but it's not working right.  Am I using the wrong
'Hook' clause?

When a user logs in with a "+ppp", then his session will be billable
(Class = "0").  Somehow the attribute Class = "0" is not being added to
his accounting record.

PreAuthHook sub { \
   if (${$_[0]}->get_attr('User-Name') =~ /^+ppp/ ) { \
   ${$_[1]}->add_attr('Class','"0"'); \
   } \
   }

TIA,
Janet






Re: (RADIATOR) Fw: LDAP Request

1999-10-28 Thread Steven E. Ames



> Would it be possible to modify the way that AuthLDAP handles reply
> attributes? Right now they are all listed in a single replyattr
> attribute. This is unwieldy for a lot of our tools and increases the
> complexity of the parsing.
>
> A better mechanism would be to handle them the same way as SQL is
> handled. Under SQL you can put up a statement such as:
>
> AuthColumnDef 2, Session-Timeout, reply

Following right behind on this topic... What's the best way to set
default values for reply attributes and then let a matching user record
override these defaults?

-Steve






Re: (RADIATOR) Fw: LDAP Request

1999-10-28 Thread Aaron Holtz

Are you authing' by SQL?  If so, setup a field in your db that is for
reply attributes.  Only fill in that field for the users who get something
special.  Then in your auth clause setup something like:

DefaultReply Service-Type=Framed-User,Framed-IP-Address=255.255.255.254,\
 Framed-IP-Netmask=255.255.255.255,Framed-MTU=1500,\
 Framed-Compression=Van-Jacobson-TCP-IP


Change your select statement and column definitions to:


AuthSelect select PW, REPLYATTRS from PASSWD where USERNAME='%n'
AuthColumnDef 0,Encrypted-Password,check
AuthColumnDef 1,GENERIC,reply



Now any user with no reply attributes (an empty field in your sql table)
will get the DefaultReply items.  However, anyone with something in the
REPLYATTRS field will get those instead. Sure beats using flat text
files as everything is read on the fly. There is an example of what
that REPLYATTRS field should look like in the radiator docs.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Oct 28, Steven E. Ames molded the electrons to say



> > Would it be possible to modify the way that AuthLDAP handles reply
> > attributes? Right now they are all listed in a single replyattr
> > attribute. This is unwieldy for a lot of our tools and increases the
> > complexity of the parsing.
> >
> > A better mechanism would be to handle them the same way as SQL is
> > handled. Under SQL you can put up a statement such as:
> >
> > AuthColumnDef 2, Session-Timeout, reply
>
> Following right behind on this topic... What's the best way to set
> default values for reply attributes and then let a matching user record
> override these defaults?
>
> -Steve






Re: (RADIATOR) Client-Id matching in Handler's not working

1999-10-28 Thread Hugh Irvine


Hello Aaron -

On Thu, 28 Oct 1999, Aaron Holtz wrote:
> After making changes to match on Client-Id instead of Nas-IP-Address, I
> don't seem to be able to make any matches whether I do exact matches or a
> regex.  Trace 4 dump:

I have just tested this here with no problems. Note that the Client-Id check
item was added to Radiator 2.14.1. From the revision history:

Added support for NasType and Client-Id check items 

(http://www.open.com.au/radiator/history.html)

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody




Re: (RADIATOR) mysql requirements...

1999-10-28 Thread Hugh Irvine


Hello Jay -

On Thu, 28 Oct 1999, Jay West wrote:
> I want to install mySQL for use with Radiator on FreeBSD 3.3Release.
>
> The instructions say I'll need to install DBI and DBD. I can find DBI easily
> and have installed it. However, where exactly do I find DBD for mySQL??

The latest one I could find:

http://www.perl.com/CPAN-local/modules/by-module/DBD/Msql-Mysql-modules-1.2209.tar.gz

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody




Re: (RADIATOR) Fw: LDAP Request

1999-10-28 Thread Gary

On Fri, 29 Oct 1999 12:37:55 +1000, Hugh Irvine wrote:


> Hello Steve -
>
> On Fri, 29 Oct 1999, Steven E. Ames wrote:
> > > Would it be possible to modify the way that AuthLDAP handles reply
> > > attributes? Right now they are all listed in a single replyattr
> > > attribute. This is unwieldy for a lot of our tools and increases the
> > > complexity of the parsing.
> > >
> > > A better mechanism would be to handle them the same way as SQL is
> > > handled. Under SQL you can put up a statement such as:
> > >
> > > AuthColumnDef 2, Session-Timeout, reply
> >
> > Following right behind on this topic... What's the best way to set
> > default values for reply attributes and then let a matching user record
> > override these defaults?
>
> Mike will have a look at your contribution next week - many thanks!
>
> Probably the best way to do this is with the following patch
> (http://www.open.com.au/radiator/downloads/patches-2.14.1/patches.README)
>
> 6/9/99 Rolled the AddToReplyIfNotExist.patch into the base code. This code
> was contributed by Vincent Gillet [EMAIL PROTECTED], and implements
> the AddToReplyIfNotExist parameter, which will append an attribute
> to a reply if and only if the attribute is not already present.
> Download AuthGeneric.pm and AttrVal.pm from here.


Clarification Please ?? 

I am trying to strip down the reply items in the user file ...

IF instead of using DefaultReply I use AddToReplyIfNotExist, will this
mean that the reply attributes individually are checked against the
users file ??
eg:
If say I have one of the AddToReplyIfNotExist items as Idle-Timeout =
900, but in the users there is an Idle-Timeout = 0 the user file
attribute will override ?

I am trying to have in the users file ONLY those reply attributes which
are different from the defaults, rather than have to put ALL the reply
attributes if any are different from the default.

Gary
---
Ausmail 
Your virtual home on the net.
Email, News  Home pages.
---
Coming soon !!

