Re: (RADIATOR) static ip customers
In message [EMAIL PROTECTED], "Mike McCauley" [EMAIL PROTECTED] writes: | Yes, its pretty easy, but the way to do it depends on what type of databse yo |u | have. Basically what you need to do is set up a reply item for the user with | eg: | Framed-IP-Address=192.168.1.1 While we're on this, perhaps I could ask something relivant to me. I have a MySQL db with 4,000 users in it and Radiator is happily authing and accounting to it. However, as one of the table fields I have a misc_reply_items and I get a copy Radius Reply packet for each user. However, each user has exactly the same details (with the exception of about 5 records - for people with static IPs). Is it possible to set a default Radius Reply list and have the db add to this default list or to replace entries which may be there? Paul. -- Email pgregg at tibus.net | CLUB24 | Email pgregg at nyx.net| Technical Director| INTERNET | System Administrator | The Internet Business Ltd |Free Access| Nyx Public Access Internet | http://www.tibus.net | www.club24.co.uk | http://www.nyx.net | === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) static ip customers
Hi Paul, Yes, AuthBy SQL (like all AuthBy clauses takes an AddToReply parameter, which is a comma separated list of attribute-value pairs. It will add those attributes to _every_ reply. So if you have a common set of attributes, use AddToReply. There is also DefaultReply, which adds attributes to the reply if and only if there arent some there already. So if you have some attributues that are common to _most_ users, but not all, use DefaultReply. One or the other should allow you to remove all those identical columns. Hope that helps. Cheers. On Jun 7, 10:28am, Paul Gregg wrote: Subject: Re: (RADIATOR) static ip customers In message [EMAIL PROTECTED], "Mike McCauley" [EMAIL PROTECTED] writes: | Yes, its pretty easy, but the way to do it depends on what type of databse yo |u | have. Basically what you need to do is set up a reply item for the user with | eg: | Framed-IP-Address=192.168.1.1 While we're on this, perhaps I could ask something relivant to me. I have a MySQL db with 4,000 users in it and Radiator is happily authing and accounting to it. However, as one of the table fields I have a misc_reply_items and I get a copy Radius Reply packet for each user. However, each user has exactly the same details (with the exception of about 5 records - for people with static IPs). Is it possible to set a default Radius Reply list and have the db add to this default list or to replace entries which may be there? Paul. -- Email pgregg at tibus.net | CLUB24 | Email pgregg at nyx.net| Technical Director| INTERNET | System Administrator | The Internet Business Ltd |Free Access| Nyx Public Access Internet | http://www.tibus.net | www.club24.co.uk | http://www.nyx.net | === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- End of excerpt from Paul Gregg -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Time check item in Authby UNIX
Does anybody knows if there is a way to configure time based restriction
("Time" check item) for users authenticated via Authby UNIX ou SYSTEM?
Using Radiator v.2.13.1 with latest patches, OS platform is IBM AIX
v.4.1.5.
The user in question has it group set to "admfin". By looking at the log
(debug level of 5) Radiator seems to ignore "Time" check item,
authenticating and authorizing the user any time of day.
TIA,
Here is our radius.cfg file (no secrets and renamed some files, paths):
# radius.cfg
#
# Configuration file for radius server
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: radius2.cfg,v 1.4 1998/03/06 04:43:37 mikem Exp $
#
#Foreground
#LogStdout
#Trace 9
AuthPort1645
AcctPort1646
LogDir **OMITTED**
DbDir **OMITTED**
LogFile %L/**OMITTED**
DictionaryFile %D/dictionary
SessionDatabase DBM
Filename%L/**OMITTED**
/SessionDatabase
Client **OMITTED_NAS_NAME**
Secret **OMITTED**
DefaultRealm **MYREALM**
/Client
Realm DEFAULT
RewriteUsername s/^([^@]+).*/$1/
AuthByPolicy ContinueWhileAccept
AuthBy FILE
Filename %D/MYUSERSFILE
/AuthBy
MaxSessions 1
AcctLogFileName %L/%Y%m/detail-%d
/Realm
Realm SoparatratarUNIXPW
AuthBy UNIX
Identifier System
Filename %D/MYPASSWDFILE
GroupFilename %D/MYGROUPFILE
/AuthBy
/Realm
# EOF radius.cfg
And here the relevant part of MYUSERSFILE:
# BOF MYUSERSFILE
DEFAULT Auth-Type = System, Group = poponly, Auth-Type = "Reject:Essa conta eh somente
para E-mail"
DEFAULT Auth-Type = System, Group = fwdonly, Auth-Type = Reject
Reply-Message = Esse eh POP
DEFAULT Auth-Type = System, Group = ftponly, Auth-Type = Reject
Reply-Message = Esse eh POP
DEFAULT Auth-Type = System, Group = hponly, Auth-Type = Reject
Reply-Message = "Acesso Proibido"
#
# Here is the clase in question
#
DEFAULT Auth-Type = System, Group = admfin, Time = "Al1200-1800"
Service-Type = Login-User,
Reply-Message = "Conectado!"
DEFAULT Auth-Type = System, Service-Type = Framed-User
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Auth-Type = System
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP
# EOF MYUSERSFILE
--
Jose Roberto Bulcao - RioLink Internet
Tel: (021) 577-8899
e-mail : [EMAIL PROTECTED]
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Accounting dictionary for netserver card
IgnoreAcctSignature seems to have rectified the accting interference. Thanks, Oliver On Mon, 7 Jun 1999, Mike McCauley wrote: Hi Oliver, On Jun 4, 4:57pm, O Stockhammer wrote: Subject: Re: (RADIATOR) Accounting dictionary for netserver card These are from the logfile: Fri Jun 4 16:44:12 1999: ERR: Attribute number 0 (vendor ) is not defined in your dictionary That is quite bizarre, there is no such attribute Fri Jun 4 16:45:18 1999: ERR: Attribute number 73 (vendor ) is not defined in your dictionary So is that. Fri Jun 4 16:45:18 1999: ERR: Attribute number 116 (vendor ) is not defined in your dictionary That is supposedly Ascend-Appletalk-Route Fri Jun 4 16:46:24 1999: ERR: Attribute number 240 (vendor ) is not defined in your dictionary That is supposedly Ascend-Add-Seconds Thu Jun 3 20:31:37 1999: ERR: Attribute number 144 (vendor ) is not defined in your dictionary That is Ascend-Assign-IP-Client That all looks very strange, almost as if the incoming packet is corrupted in being incorrectly interpreted. Can you send a hex packet dump of one of these requests? You can get het packet dumps at trace level 5. These are the logs from the SQL log: 928528731 4 Rewrote user name to kaligula 928528731 4 Handling with Radius::AuthSQL 928528731 4Handling with Radius::AuthUNIX 928528731 4Radius::AuthUNIX looks for match with kaligula 928528731 4 Radius::AuthUNIX ACCEPT: 928528731 4 Access accepted for kaligula 928528736 1 Bad authenticator in request from 207.240.140.6 (207.240.140.6) This is what I get at trace level 5. I am logging both to a logfile and MySQL and accounting is going to both a detail file and MySQL. Accounting works for my other chassies using Hyperarc cards. It seems lime auth is working, but accounting is complaining about "Bad authenticator". This is usually an indication that you need IgnoreAcctSignature set for that NAS. But in the light of the very strange results above, it may be something else. The packet dump will help. Im sorry you are having this trouble. I hope we get you on the air soon. Cheers. Thanks, Oliver On Fri, 4 Jun 1999, Mike McCauley wrote: Hi Oliver, can you send us a fragment of your radiator log file at trace level 4, showing what happens when you receive accounting packets from your Netserver. I would exepct to see Radiator complaining about missing dictionary entries. That will help us track down the missing attributes. Cheers. On Jun 3, 8:49pm, O Stockhammer wrote: Subject: (RADIATOR) Accounting dictionary for netserver card Hello, We are using both Netserver and Hyperarc TotalControl Cards. Radiator is authenticating fine off of both but the Netserver Cards are missing entries for the dictionary file and therefore no accounting happens for them. For some reason I am missing entries in the dictionary file for the netserver card. I am using your dictionary.usr file that you provided. What entries do I need for accounting to work? I think it has to do with the vendor specific entries like USR-Chassis-Call-Slot = 0 rather than Chassis-Call-Slot = 0 which is in the dictionary file Thank you, Oliver Stockhammer Systems The Internet Channel === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- End of excerpt from O Stockhammer -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- End of excerpt from O Stockhammer -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,
(RADIATOR) Converting mysql to Platypus
In my ongoing struggle to setup radiator to authenticate off a SQL Server and Platypus, I have the following questions: I'm using the Authby EMERALD because we do have the Radius package add-on for platypus. However, I was looking at AuthbyEMERALD.pm. Can I not specify a custom select statement like the one used by AuthbySQL.pm? Must I use the default table structure that emerald uses? I tried setting the AuthSelect varilable but I am getting an error message in the logs. See below: BTW, I got the FreeTDS DBD to work. Thanks to Kevin Wormington for all the help. REALM blahblah AuthByPolicy ContinueWhileIgnore RewriteUsername s/^([^@]+).*/$1/ AuthBy EMERALD DBSource dbi:FreeTDS:database=somedb;host=somehostname;port=someport; DBUsernamesomeuser DBAuthsomepw AuthSelect select password, idletime, sessiontime, simuse, \ logontime, staticip from subscribers where username = '%n' \ and status = 'A' AuthColumnDef 0, User-Password, check AuthColumnDef 1, Idle-Timeout, reply AuthColumnDef 2, Session-Timeout, reply AuthColumnDef 3, Simultaneous-Use, check AuthColumnDef 4, Time, check AuthColumnDef 5, Framed-IP-Address, reply In the logs, I get this Mon Jun 7 16:01:55 1999: DEBUG: Query is: select DateAdd(Day, ma.extension, maE xpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft Select password, idletime, sessiont ime, simuse, logontime, staticip from subscribers where username = '%n' and stat us = 'A' from masteraccounts ma, subaccounts sa where (sa.login = 'rhawley' or sa.shell = 'rhawley') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0 Mon Jun 7 16:01:55 1999: ERR: Execute failed for 'select DateAdd(Day, ma.extens ion, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft Select password, idletime, sessiont ime, simuse, logontime, staticip from subscribers where username = '%n' and stat us = 'A' from masteraccounts ma, subaccounts sa where (sa.login = 'rhawley' or sa.shell = 'rhawley') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0': Error processing tds packet. Coulnd't g et column information This is what leads me to believe that I cannot use the AuthSelect config option. :( ..Rich -- Richard W. Hawley - Network Engineer CyberZone Internet Services [EMAIL PROTECTED] 942 Main Street http://www.cyberzone.net Hartford, CT. 06103 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AuthBy File Problems- Version Differences between 2.13 and 2.13.1
Hi Rich, I cant explain that at all. Could you send me a sanitized extract from your users file, so I can test it here? Cheers. On Jun 7, 1:38pm, Richard Cameron wrote: Subject: (RADIATOR) AuthBy File Problems- Version Differences between 2.13 Hello Radiator's: I have recently upgraded from version 2.13 to version 2.13.1, with patches for 2.13.1 applied from tar file dated 7 Jun 99. In version 2.13.1 I am now unable to authenticate using AuthBy File but I can authenticate using the same file using version 2.13. Version 2.13.1 seems to be unable to find the name in the file while version 2.13 can. Have I missed something? Can some perhaps explain? Following are to traces from the two versions showing a failed authentication for version 2.13.1 and a successful authentication for version 2.13 using the same file for authentication. Best regards Rich Cameron Network Manager RMC --Traces --- Version: 2.13.1 sultracs3# Mon Jun 7 13:07:25 1999: DEBUG: Packet dump: *** Received from 137.94.1.130 port 1645 Packet length = 75 01 64 00 4b 1e c1 34 bb 6e 62 c8 d5 83 0b 74 d5 fd c2 6f 23 04 06 89 5e 01 82 05 06 00 00 00 02 3d 06 00 00 00 05 01 06 72 69 63 68 1f 0d 31 33 37 2e 39 34 2e 35 2e 33 36 02 12 c2 86 aa 2a e5 15 71 d5 a6 44 cc 09 22 64 3a 3e Code: Access-Request Identifier: 100 Authentic: 301934187nb20021313111t213253194o# Attributes: NAS-IP-Address = 137.94.1.130 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = "rich" Calling-Station-Id = "137.94.5.36" User-Password = "194134170*22921q213166D2049"d:" Mon Jun 7 13:07:25 1999: DEBUG: Handling request with Handler 'Realm=ROUTER' Mon Jun 7 13:07:25 1999: DEBUG: Handling with Radius::AuthFILE Mon Jun 7 13:07:25 1999: DEBUG: Reading users file /export/home/Radiator/Radiator-2.13/router_users Mon Jun 7 13:07:25 1999: DEBUG: Radius::AuthFILE looks for match with rich Mon Jun 7 13:07:25 1999: DEBUG: Reading users file /export/home/Radiator/Radiator-2.13/router_users Mon Jun 7 13:07:25 1999: INFO: Access rejected for rich: No such user Mon Jun 7 13:07:25 1999: DEBUG: Packet dump: *** Sending to 137.94.1.130 port 1645 Code: Access-Reject Identifier: 100 Authentic: 301934187nb20021313111t213253194o# Attributes: Reply-Message = "Request Denied" ___ Version: 2.13 sultracs3# Mon Jun 7 13:10:33 1999: DEBUG: Packet dump: *** Received from 137.94.1.130 port 1645 Packet length = 75 01 65 00 4b 56 6b a6 6c b4 bb 59 4a 0e 0c e9 cd cf 27 ad 12 04 06 89 5e 01 82 05 06 00 00 00 02 3d 06 00 00 00 05 01 06 72 69 63 68 1f 0d 31 33 37 2e 39 34 2e 35 2e 33 36 02 12 b0 56 58 8d a6 89 c9 9b 55 99 46 da 5e 67 83 27 Code: Access-Request Identifier: 101 Authentic: Vk166l180187YJ1412233205207'17318 Attributes: NAS-IP-Address = 137.94.1.130 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = "rich" Calling-Station-Id = "137.94.5.36" User-Password = "176VX141166137201155U153F218^g131'" Mon Jun 7 13:10:33 1999: DEBUG: Handling request with Handler 'Realm=ROUTER' Mon Jun 7 13:10:33 1999: DEBUG: Handling with Radius::AuthFILE Mon Jun 7 13:10:33 1999: DEBUG: Reading users file /export/home/Radiator/Radiator-2.13/router_users Mon Jun 7 13:10:33 1999: DEBUG: Radius::AuthFILE looks for match with rich Mon Jun 7 13:10:33 1999: DEBUG: Radius::AuthFILE ACCEPT: Mon Jun 7 13:10:33 1999: DEBUG: Access accepted for rich Mon Jun 7 13:10:33 1999: DEBUG: Packet dump: *** Sending to 137.94.1.130 port 1645 Code: Access-Accept Identifier: 101 Authentic: Vk166l180187YJ1412233205207'17318 Attributes: Mon Jun 7 13:10:33 1999: DEBUG: Packet dump: *** Received from 137.94.1.130 port 1646 Packet length = 91 04 66 00 5b 32 40 b8 46 32 ca d2 48 06 f9 f5 08 aa 3f a7 a3 04 06 89 5e 01 82 05 06 00 00 00 02 3d 06 00 00 00 05 01 06 72 69 63 68 1f 0d 31 33 37 2e 39 34 2e 35 2e 33 36 28 06 00 00 00 01 2d 06 00 00 00 01 06 06 00 00 00 07 2c 0a 30 30 30 30 30 30 31 37 29 06 00 00 00 00 Code: Accounting-Request Identifier: 102 Authentic: 2@184F2202210H62492458170?167163 Attributes: NAS-IP-Address = 137.94.1.130 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = "rich" Calling-Station-Id = "137.94.5.36" Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = NAS-Prompt-User Acct-Session-Id = "0017" Acct-Delay-Time = 0 Mon Jun 7 13:10:33 1999: DEBUG: Handling request with Handler 'Realm=ROUTER' Mon Jun 7 13:10:33 1999: DEBUG: Handling with Radius::AuthFILE Mon Jun 7 13:10:33 1999: DEBUG: SDB1 Adding session for rich, 137.94.1.130, 2 Mon Jun 7 13:10:33 1999: DEBUG: Accounting accepted Mon Jun 7 13:10:33 1999: DEBUG: Packet dump: *** Sending to 137.94.1.130 port 1646 Code:
Re: (RADIATOR) Converting mysql to Platypus
Hi Richard, In both EMERALD and PLATYPUS, the select statment is mostly hard-wired, but you do get the chance to tweak it. The theory is that you can add extra columns to the Emerald or Platypus tables if you wish. In both of those modules, if you specify AuthSelect, its added to the select statment _after_ the list of column names. You can see that in your logfile. Your AuthSelect has been inserted after sa.TimeLeft: select DateAdd(Day, ma.extension, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft Select password, idletime, sessiontime, simuse, logontime, staticip from subscribers where username = '%n' and status = 'A' from masteraccounts ma, subaccounts sa where (sa.login = 'rhawley' or sa.shell = 'rhawley') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0 So, if you have some extra columns that you want to use as check or reply items, you can do this. Imagine you have a new reply item column called CLASS that you want to send back in the Class attribute: AuthSelect ,CLASS AuthColumnDef 0,Class,reply will make this happen in adition to all the usual stuff the EMERALD does. BTW, we also got FreeTDS to work here, but we had to use the latest snapshot. version 0.02 gave us core dumps. I hope you are able to get on the air soon. Cheers. On Jun 7, 4:50pm, Richard Hawley wrote: Subject: (RADIATOR) Converting mysql to Platypus In my ongoing struggle to setup radiator to authenticate off a SQL Server and Platypus, I have the following questions: I'm using the Authby EMERALD because we do have the Radius package add-on for platypus. However, I was looking at AuthbyEMERALD.pm. Can I not specify a custom select statement like the one used by AuthbySQL.pm? Must I use the default table structure that emerald uses? I tried setting the AuthSelect varilable but I am getting an error message in the logs. See below: BTW, I got the FreeTDS DBD to work. Thanks to Kevin Wormington for all the help. REALM blahblah AuthByPolicy ContinueWhileIgnore RewriteUsername s/^([^@]+).*/$1/ AuthBy EMERALD DBSource dbi:FreeTDS:database=somedb;host=somehostname;port=someport; DBUsernamesomeuser DBAuthsomepw AuthSelect select password, idletime, sessiontime, simuse, \ logontime, staticip from subscribers where username = '%n' \ and status = 'A' AuthColumnDef 0, User-Password, check AuthColumnDef 1, Idle-Timeout, reply AuthColumnDef 2, Session-Timeout, reply AuthColumnDef 3, Simultaneous-Use, check AuthColumnDef 4, Time, check AuthColumnDef 5, Framed-IP-Address, reply In the logs, I get this Mon Jun 7 16:01:55 1999: DEBUG: Query is: select DateAdd(Day, ma.extension, maE xpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft Select password, idletime, sessiont ime, simuse, logontime, staticip from subscribers where username = '%n' and stat us = 'A' from masteraccounts ma, subaccounts sa where (sa.login = 'rhawley' or sa.shell = 'rhawley') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0 Mon Jun 7 16:01:55 1999: ERR: Execute failed for 'select DateAdd(Day, ma.extens ion, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft Select password, idletime, sessiont ime, simuse, logontime, staticip from subscribers where username = '%n' and stat us = 'A' from masteraccounts ma, subaccounts sa where (sa.login = 'rhawley' or sa.shell = 'rhawley') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0': Error processing tds packet. Coulnd't g et column information This is what leads me to believe that I cannot use the AuthSelect config option. :( ..Rich -- Richard W. Hawley - Network Engineer CyberZone Internet Services [EMAIL PROTECTED] 942 Main Street http://www.cyberzone.net Hartford, CT. 06103 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- End of excerpt from Richard Hawley -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Re: (RADIATOR) Time check item in Authby UNIX
Hi Mike, It seems the the specific clause is working ok, but the auth packet is being catched by the last DEFAULT clause. Here you are (debug level 4): Tks, Mon Jun 7 20:57:11 1999: DEBUG: Packet dump: *** Received from 200.240.25.3 port 1645 Code: Access-Request Identifier: 160 Authentic: l22622118411U#229181~B2171467# Attributes: NAS-IP-Address = 200.240.25.3 NAS-Port = 18 NAS-Port-Type = Virtual User-Name = "carmem" Calling-Station-Id = "200.240.25.17" User-Password = "191D/|113b312719153211220P175135" Mon Jun 7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT' Mon Jun 7 20:57:11 1999: DEBUG: Rewrote user name to carmem Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE Mon Jun 7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT: Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT: Mon Jun 7 20:57:11 1999: DEBUG: Access accepted for carmem Mon Jun 7 20:57:12 1999: DEBUG: Packet dump: *** Sending to 200.240.25.3 port 1645 Code: Access-Accept Identifier: 160 Authentic: l22622118411U#229181~B2171467# Attributes: Framed-IP-Address = 255.255.255.254 Service-Type = Framed-User Framed-Protocol = PPP Framed-Routing = None Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP On Tue, 8 Jun 1999, Mike McCauley wrote: Date: Tue, 8 Jun 1999 08:53:24 -0500 From: Mike McCauley [EMAIL PROTECTED] To: Jose Roberto Bulcao [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: (RADIATOR) Time check item in Authby UNIX Hello Jose, I have just tested your configuration and Time check item. Your configuration and users file looks fine, and it worked OK for me, allowing access only betweeen the times given. Can you send your log file, showing what happens when it should be applying the Time restriction? Cheers. On Jun 7, 9:42am, Jose Roberto Bulcao wrote: Subject: (RADIATOR) Time check item in Authby UNIX Does anybody knows if there is a way to configure time
Re: (RADIATOR) Time check item in Authby UNIX
On Jun 7, 9:03pm, Jose Roberto Bulcao wrote: Subject: Re: (RADIATOR) Time check item in Authby UNIX Hi Mike, It seems the the specific clause is working ok, but the auth packet is being catched by the last DEFAULT clause. Here you are (debug level 4): Yes, its clear that your clause is correctly rejecting based on the Time, but they are being accepted by a more liberal DEFAULT that follows it. So this is not a problem with the Time check item, but rather with the design of the users file. What do you really want to have happen? If you want users in group admfin to be rejected unless they are within the time band, you should add this after your existing admfin DEFAULT user: DEFAULT Auth-Type = System, Group = admfin, Auth-Type=Reject Hope that helps. Cheers. Tks, Mon Jun 7 20:57:11 1999: DEBUG: Packet dump: *** Received from 200.240.25.3 port 1645 Code: Access-Request Identifier: 160 Authentic: l22622118411U#229181~B2171467# Attributes: NAS-IP-Address = 200.240.25.3 NAS-Port = 18 NAS-Port-Type = Virtual User-Name = "carmem" Calling-Station-Id = "200.240.25.17" User-Password = "191D/|113b312719153211220P175135" Mon Jun 7 20:57:11 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT' Mon Jun 7 20:57:11 1999: DEBUG: Rewrote user name to carmem Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthFILE Mon Jun 7 20:57:11 1999: DEBUG: Reading users file /etc/radiator/users Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group poponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group poponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group fwdonly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group fwdonly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT2 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group ftponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group ftponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT3 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: User carmem is not in Group hponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: User carmem is not in Group hponly Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT4 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Time: not within an allowable Time range Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Time: not within an allowable Time range Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT5 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX REJECT: Check item Service-Type value 'Framed-User' does not match '' in request Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE REJECT: Check item Service-Type value 'Framed-User' does not match '' in request Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT6 Mon Jun 7 20:57:11 1999: DEBUG: Handling with Radius::AuthUNIX Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX looks for match with carmem Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthUNIX ACCEPT: Mon Jun 7 20:57:11 1999: DEBUG: Radius::AuthFILE ACCEPT: Mon Jun 7 20:57:11 1999: DEBUG: Access accepted for carmem Mon Jun 7 20:57:12 1999: DEBUG: Packet dump: *** Sending to 200.240.25.3 port 1645 Code: Access-Accept Identifier: 160 Authentic: l22622118411U#229181~B2171467# Attributes: Framed-IP-Address = 255.255.255.254 Service-Type = Framed-User Framed-Protocol = PPP Framed-Routing = None Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP On Tue, 8 Jun 1999, Mike McCauley wrote: Date:
