(RADIATOR) Re: SessSQL errors, was: No Subject
Hi James, thanks for telling us about this, and the proposed fix. Trouble is that I'm not sure that fix will work for _all_ SQL servers. Does it work for yours? What type of SQL are you using?

Cheers.

On Jun 8, 8:24pm, James H. Thompson wrote:
> Subject:
> I just downloaded the latest Radiator and
> setup the session sql db with mysql.
> We have a Nortel Aptis terminal server.
> It all works great except for the admin user that is telnetting
> into the box has no port ID and I get the following errors in
> the radiator log whenever this user logs into the box:
>
> Tue Jun 8 01:10:02 1999: ERR: do failed for 'insert into RADONLINE
> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS,
> NASPORTTYPE, SERVICETYPE) values ('admin', '209.144.212.11', , '08002DEA', 928829402,
> '', '', 'Administrative-User')': parse error near ' '08002DEA', 928829402, '',
> '', 'Administrative-User')' at line 1
> DBD::mysql::db do failed: parse error near '' at line 1 at
> /usr/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 189.
> Tue Jun 8 01:10:02 1999: ERR: do failed for 'delete from RADONLINE where
> NASIDENTIFIER='209.144.212.11' and NASPORT=': parse error near '' at line 1
>
> I think these errors are caused because in:
>
> SessSQL.pm
>
> in sub initialize {
> The SQL statements that get defined do not have enclosing
> single quotes around: %{NAS-Port}
> i.e.
>
> %{NAS-Port} needs to be '%{NAS-Port}'
>
> in the insert and delete statements.
>
> While this is easily worked around by updating the source
> or definitions in the radius.cfg file, it seems like
> it should be fixed in the distribution.
>
> Thanks.
>
> Jim
> [EMAIL PROTECTED]
>-- End of excerpt from James H. Thompson

--
Mike McCauley                                [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985   Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AddToReply working?
Hi John,

On Jun 8, 8:40pm, [EMAIL PROTECTED] wrote:
> Subject: (RADIATOR) AddToReply working?
> Thanks Tom for the answer earlier, that did the trick.
>
> On another topic, I'm not sure if all my AddToReply messages are
> going out to the remote client. Here is what I have setup:
>
> AddToReply Idle-Timeout = "1200"
> AddToReply Session-Timeout = "28800"
> AddToReply Framed-Compression = "Van-Jacobson-TCP-IP"
> AddToReply Framed-MTU = 1500
> AddToReply Framed-Routing = None
> AddToReply Framed-Netmask = 255.255.255.255

If you do it that way, only the last one will get in (as you can see in your trace). You want to do this:

AddToReply Idle-Timeout = "1200",Session-Timeout = "28800",\
        Framed-Compression = "Van-Jacobson-TCP-IP",Framed-MTU = 1500,\
        Framed-Routing = None,Framed-Netmask = 255.255.255.255

So it's a bunch of comma-separated attribute-value pairs. You can put it all on one line, or spread it over several lines with line continuation characters as I have shown above.

Hope that helps.

Cheers.

> And here is what the trace output shows:
>
> *** Sending to xxx.xxx.xxx.xxx port 50218
> Code: Access-Accept
> Identifier: 143
> Authentic: <252><217>l]-<230><254><217><132><3>
> Attributes:
> User-Service = 2
> Framed-Protocol = 1
> Framed-Netmask = 255.255.255.255
>
> Do you think they are going out, but not showing up or are they not
> being sent? I can't see them on the remote end since that is not
> my server.
>
> The logins are working, but these are the attributes that were
> requested by the remote end. They run a managed modem pool
> for us.
>
> Thanks,
> John Kicklighter
> Internet 2xtreme
>
> Date sent: Wed, 9 Jun 1999 13:14:36 +1000
> From: tom minchin <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Copies to: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) RewriteUserName help needed
>
> > On Tue, Jun 08, 1999 at 07:37:36PM -0700, [EMAIL PROTECTED] wrote:
> > > Another issue with adding realm names at the end of each
> > > username with the clause, multiple logins cannot be
> > > enforced between POPs since each POP has its own realm name.
> > > If the same username attempts to login to the same POP
> > > twice, that should work though. If I could strip off the realm name
> > > before any clauses in the realm, this would solve both
> > > problems I believe. Since I'm not very good at regular expressions
> > > in perl, can someone show me how to truncate a username based
> > > on the '@' ?
> > >
> >
> > There's an example in the manual: RewriteUsername s/^([^@]+).*/$1/
> >
> > [EMAIL PROTECTED]
>-- End of excerpt from [EMAIL PROTECTED]
(RADIATOR) AddToReply working?
Thanks Tom for the answer earlier, that did the trick.

On another topic, I'm not sure if all my AddToReply messages are
going out to the remote client. Here is what I have setup:

AddToReply Idle-Timeout = "1200"
AddToReply Session-Timeout = "28800"
AddToReply Framed-Compression = "Van-Jacobson-TCP-IP"
AddToReply Framed-MTU = 1500
AddToReply Framed-Routing = None
AddToReply Framed-Netmask = 255.255.255.255

And here is what the trace output shows:

*** Sending to xxx.xxx.xxx.xxx port 50218
Code: Access-Accept
Identifier: 143
Authentic: <252><217>l]-<230><254><217><132><3>
Attributes:
User-Service = 2
Framed-Protocol = 1
Framed-Netmask = 255.255.255.255

Do you think they are going out, but not showing up or are they not
being sent? I can't see them on the remote end since that is not
my server.

The logins are working, but these are the attributes that were
requested by the remote end. They run a managed modem pool
for us.

Thanks,
John Kicklighter
Internet 2xtreme

Date sent: Wed, 9 Jun 1999 13:14:36 +1000
From: tom minchin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Copies to: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) RewriteUserName help needed

> On Tue, Jun 08, 1999 at 07:37:36PM -0700, [EMAIL PROTECTED] wrote:
> > Another issue with adding realm names at the end of each
> > username with the clause, multiple logins cannot be
> > enforced between POPs since each POP has its own realm name.
> > If the same username attempts to login to the same POP
> > twice, that should work though. If I could strip off the realm name
> > before any clauses in the realm, this would solve both
> > problems I believe. Since I'm not very good at regular expressions
> > in perl, can someone show me how to truncate a username based
> > on the '@' ?
> >
>
> There's an example in the manual: RewriteUsername s/^([^@]+).*/$1/
>
> [EMAIL PROTECTED]
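The trace above shows only the last AddToReply line reaching the reply. The following is an added example written for this archive, not Radiator's own configuration parser: a small Perl reader that treats repeated AddToReply directives the way the reply in this thread describes (each replaces the previous one) and understands the comma-separated form with line continuations, so the difference between the two fragments can be seen in the attribute list that results. The two config fragments are constructed from the ones posted here.

```perl
#!/usr/bin/perl
# Added example (not Radiator's parser): model the AddToReply behaviour
# described in this thread. Six separate directives leave only the last
# value; one comma-separated directive keeps all six attributes.
use strict;
use warnings;

# Join lines ending in "\" (continuation), then keep the value of the
# AddToReply directive, later ones replacing earlier ones.
sub add_to_reply_of {
    my ($text) = @_;
    $text =~ s/\\\n\s*/ /g;          # line continuation
    my $value;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*AddToReply\s+(.*\S)\s*$/;
        $value = $1;
    }
    return $value;
}

# Split a directive value into attribute/value pairs. Quotes around a
# value are optional and are stripped.
sub parse_pairs {
    my ($value) = @_;
    my @pairs;
    for my $pair (split /\s*,\s*/, $value) {
        my ($attr, $val) = $pair =~ /^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$/ or next;
        push @pairs, [$attr, $val];
    }
    return @pairs;
}

# Constructed fragment: the six separate directives from the question ...
my $separate = <<'CFG';
AddToReply Idle-Timeout = "1200"
AddToReply Session-Timeout = "28800"
AddToReply Framed-Compression = "Van-Jacobson-TCP-IP"
AddToReply Framed-MTU = 1500
AddToReply Framed-Routing = None
AddToReply Framed-Netmask = 255.255.255.255
CFG

# ... and the single directive suggested in the reply.
my $combined = <<'CFG';
AddToReply Idle-Timeout = "1200",Session-Timeout = "28800",\
    Framed-Compression = "Van-Jacobson-TCP-IP",Framed-MTU = 1500,\
    Framed-Routing = None,Framed-Netmask = 255.255.255.255
CFG

# Expected: "separate" yields 1 attribute (Framed-Netmask only, matching
# the trace in the thread); "combined" yields all 6.
for my $frag ([separate => $separate], [combined => $combined]) {
    my @pairs = parse_pairs(add_to_reply_of($frag->[1]));
    printf "%s: %d attribute(s)\n", $frag->[0], scalar @pairs;
    printf "  %s = %s\n", @$_ for @pairs;
}
```

Run it with `perl addtoreply.pl`; no modules outside core Perl are needed. The reader only models the two behaviours this thread documents (last directive wins, comma-separated list with continuation lines), so it is a way to sanity-check a fragment before loading it, not a substitute for checking the real server's trace output as John did.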
Re: (RADIATOR) RewriteUserName help needed
On Jun 8, 7:37pm, [EMAIL PROTECTED] wrote:
> Subject: (RADIATOR) RewriteUserName help needed
> At the advice of Mike, I have started to put a realm name on the
> end of some of my usernames. This is being done in the
> clause. I have this working correctly where it puts
> "@host.2xtreme.net" on the end of any username appearing from
> that client. The problem I'm having now is that when this username
> gets recognized by the clause, it sends the whole
> '[EMAIL PROTECTED]' in to my platypus SQL looking for a
> match. Naturally, I have not entered the realm name into my
> customers user fields in platypus and it does not find a match. I'm
> thinking that I need to do another RewriteUsername that will strip
> off the whole realm name once it is received by the
> clause before it sends it to my platypus SQL for authentication.

Yes, that's the right answer. You want something like:

RewriteUsername s/^([^@]+).*/$1/

> Another issue with adding realm names at the end of each
> username with the clause, multiple logins cannot be
> enforced between POPs since each POP has its own realm name.
> If the same username attempts to login to the same POP
> twice, that should work though. If I could strip off the realm name
> before any clauses in the realm, this would solve both
> problems I believe.

Correct.

> Since I'm not very good at regular expressions
> in perl, can someone show me how to truncate a username based
> on the '@' ?

See above.

Hope that helps.

Cheers.

> Thanks,
> John Kicklighter
> Internet 2xtreme
>-- End of excerpt from [EMAIL PROTECTED]
Re: (RADIATOR) RewriteUserName help needed
On Tue, Jun 08, 1999 at 07:37:36PM -0700, [EMAIL PROTECTED] wrote:
> Another issue with adding realm names at the end of each
> username with the clause, multiple logins cannot be
> enforced between POPs since each POP has its own realm name.
> If the same username attempts to login to the same POP
> twice, that should work though. If I could strip off the realm name
> before any clauses in the realm, this would solve both
> problems I believe. Since I'm not very good at regular expressions
> in perl, can someone show me how to truncate a username based
> on the '@' ?
>

There's an example in the manual: RewriteUsername s/^([^@]+).*/$1/

[EMAIL PROTECTED]
No Subject
I just downloaded the latest Radiator and
setup the session sql db with mysql.
We have a Nortel Aptis terminal server.
It all works great except for the admin user that is telnetting
into the box has no port ID and I get the following errors in
the radiator log whenever this user logs into the box:

Tue Jun 8 01:10:02 1999: ERR: do failed for 'insert into RADONLINE
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS,
NASPORTTYPE, SERVICETYPE) values ('admin', '209.144.212.11', , '08002DEA', 928829402,
'', '', 'Administrative-User')': parse error near ' '08002DEA', 928829402, '',
'', 'Administrative-User')' at line 1
DBD::mysql::db do failed: parse error near '' at line 1 at
/usr/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 189.
Tue Jun 8 01:10:02 1999: ERR: do failed for 'delete from RADONLINE where
NASIDENTIFIER='209.144.212.11' and NASPORT=': parse error near '' at line 1

I think these errors are caused because in:

SessSQL.pm

in sub initialize {
The SQL statements that get defined do not have enclosing
single quotes around: %{NAS-Port}
i.e.

%{NAS-Port} needs to be '%{NAS-Port}'

in the insert and delete statements.

While this is easily worked around by updating the source
or definitions in the radius.cfg file, it seems like
it should be fixed in the distribution.

Thanks.

Jim
[EMAIL PROTECTED]
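The failure Jim reports comes from textual substitution of %{NAS-Port} into the statement: when the request carries no NAS-Port, an unquoted placeholder expands to nothing and the values list contains a bare ", ,". The following added example, written in Perl for this archive and not taken from Radiator's SessSQL.pm or SqlDb.pm, reproduces that shape with a constructed request modelled on the attributes in the log (a reduced column list is used), and shows what the proposed quoting changes for both the insert and the delete. The `has_empty_value` check is a rough heuristic for the symptom, not a SQL parser.

```perl
#!/usr/bin/perl
# Added example (not Radiator's own code): expand SessSQL-style statement
# templates for a request that carries no NAS-Port, to show why the bare
# %{NAS-Port} in the thread produces a parse error and what quoting changes.
use strict;
use warnings;

# Constructed sample request modelled on the attributes in the logged
# statement: an administrative telnet login with no NAS-Port attribute.
my %request = (
    'User-Name'       => 'admin',
    'NAS-IP-Address'  => '209.144.212.11',
    'Acct-Session-Id' => '08002DEA',
    'Service-Type'    => 'Administrative-User',
);

# Plain textual %{Attr} substitution; a missing attribute expands to the
# empty string, exactly the shape seen in the log ("..., , '08002DEA'...").
sub expand {
    my ($template, $req) = @_;
    (my $sql = $template) =~ s/%\{([^}]+)\}/defined $req->{$1} ? $req->{$1} : ''/ge;
    return $sql;
}

# Crude check for the symptom: an empty positional value in a values list,
# or a comparison with nothing on its right-hand side.
sub has_empty_value {
    my ($sql) = @_;
    return ($sql =~ /,\s*,/ || $sql =~ /=\s*(?:,|\)|$)/) ? 1 : 0;
}

# Hypothetical reduced column list; only the NASPORT handling differs
# between the original template and the quoted one from the thread.
my $orig = "insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID) "
         . "values ('%{User-Name}', '%{NAS-IP-Address}', %{NAS-Port}, '%{Acct-Session-Id}')";
my $fixed = $orig;
$fixed =~ s/%\{NAS-Port\}/'%{NAS-Port}'/;

my $orig_del  = "delete from RADONLINE where NASIDENTIFIER='%{NAS-IP-Address}' and NASPORT=%{NAS-Port}";
my $fixed_del = "delete from RADONLINE where NASIDENTIFIER='%{NAS-IP-Address}' and NASPORT='%{NAS-Port}'";

# Expected: the two unquoted templates are flagged BROKEN, the two quoted
# ones expand to NASPORT '' and pass.
for my $t ($orig, $fixed, $orig_del, $fixed_del) {
    my $sql = expand($t, \%request);
    printf "%-7s %s\n", has_empty_value($sql) ? 'BROKEN' : 'ok', $sql;
}
```

Quoting the placeholder makes the statement parse when the attribute is absent, which is the whole of what this thread needed. A practitioner reading SqlDb.pm should still keep in mind that `%{...}` is plain text substitution into the statement string, so the quoting decision for every attribute that reaches a statement belongs with the template, and an attribute whose value can legitimately be empty (as NAS-Port is for this administrative session) needs it.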
(RADIATOR) RewriteUserName help needed
At the advice of Mike, I have started to put a realm name on the
end of some of my usernames. This is being done in the
clause. I have this working correctly where it puts
"@host.2xtreme.net" on the end of any username appearing from
that client. The problem I'm having now is that when this username
gets recognized by the clause, it sends the whole
'[EMAIL PROTECTED]' in to my platypus SQL looking for a
match. Naturally, I have not entered the realm name into my
customers user fields in platypus and it does not find a match. I'm
thinking that I need to do another RewriteUsername that will strip
off the whole realm name once it is received by the
clause before it sends it to my platypus SQL for authentication.

Another issue with adding realm names at the end of each
username with the clause, multiple logins cannot be
enforced between POPs since each POP has its own realm name.
If the same username attempts to login to the same POP
twice, that should work though. If I could strip off the realm name
before any clauses in the realm, this would solve both
problems I believe. Since I'm not very good at regular expressions
in perl, can someone show me how to truncate a username based
on the '@' ?

Thanks,
John Kicklighter
Internet 2xtreme
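The three messages in this thread (John's question and the replies from Mike and Tom) all come down to one rewrite, so here is an added Perl example, written for this archive and not part of any message or of Radiator, that walks a username through the two steps involved: the client-side rewrite that appends the POP's realm, and the manual's RewriteUsername s/^([^@]+).*/$1/ that strips it again before the SQL lookup. John's actual Client clause is not shown in the thread, so the appending rewrite is assumed to be s/$/\@host.2xtreme.net/; the input names are constructed and include the edge cases the pattern does not touch.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Radiator: one username
# through both rewrites discussed here. The realm-adding rewrite is an
# assumption (John's Client clause is not in the thread); the strip is
# the manual's RewriteUsername s/^([^@]+).*/$1/.
use strict;
use warnings;

# Hypothetical client-side rewrite: tag every name from this NAS with the
# POP's realm so a Realm clause can pick it up.
sub add_realm {
    my ($user, $realm) = @_;
    $user =~ s/$/\@$realm/;
    return $user;
}

# The realm part a Realm clause would be selected on: everything after
# the last '@' (empty when there is none).
sub realm_of {
    my ($user) = @_;
    return $user =~ /\@([^@]*)$/ ? $1 : '';
}

# The manual's rewrite: keep everything before the first '@', drop the
# rest. A name with no '@' is unchanged, since [^@]+ consumes all of it;
# a name starting with '@' is also unchanged, because [^@]+ needs at
# least one character before the first '@', so the pattern does not match.
sub strip_realm {
    my ($user) = @_;
    $user =~ s/^([^@]+).*/$1/;
    return $user;
}

# Constructed inputs: a bare name as the NAS sends it, a name that already
# carries a realm of its own, a name with two '@', and a leading '@'.
for my $name ('john', 'john@isp.example', 'jane@x@y', '@host.2xtreme.net') {
    my $tagged = add_realm($name, 'host.2xtreme.net');
    printf "%-18s -> %-36s realm %-18s lookup as %s\n",
        $name, $tagged, realm_of($tagged), strip_realm($tagged);
}
```

For the first three names the lookup value is exactly the part before the first '@' (`john`, `john`, `jane`), which is what the Platypus table holds. The last line is the caveat worth knowing: a name that begins with '@' is passed through unchanged, so if such names can arrive from a NAS they need to be rejected or rewritten separately rather than relied on to be cleaned by this pattern.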
Re: (RADIATOR) Configuration for Unix group users
Hello Anthony.

Radiator will allow you to use regular expressions as well as exact matches in many check items. Therefore, you can match many NAS-IP-Address with one line:

Auth-Type=System,Group=g2,NAS-IP-Address=/^206\.161\.55\./,Simultaneous-Use=1

will match all the NASs in the class C starting 206.161.55

Another possibility is to use Handler clauses to discriminate between different NAS's or groups of NASs, and then have a different user file for each one, knowing that by the time you get to the users file, the NAS has already been checked.

Hope that helps.

Cheers.

On Jun 9, 1:37am, Anthony Chan wrote:
> Subject: (RADIATOR) Configuration for Unix group users
> Hello Radiators,
>
> My system is Solaris 2.6 with NIS+. I am trying to configure the
> Radiator to authenticate Unix users by groups. I have a workable
> configuration as follow:
>
> Filename ./config
> AcctLogFileName %L/detail
>
> UseGetspnam
> Identifier System
>
> Inside the file ./config, I have the following lines for the Unix group,
> g2, with two NAS:
>
> DEFAULT
> Auth-Type=System,Group=g2,NAS-IP-Address=206.161.55.24,Simultaneous-Use=1
>
> DEFAULT
> Auth-Type=System,Group=g2,NAS-IP-Address=207.176.112.152,Simultaneous-Use=1
>
> Then, if I have many Unix groups and NAS, I must have to define many
> lines inside the file ./config. For example, if I have ten Unix groups
> with a hundred NAS, I have to define a thousand lines. The number of
> such lines would be increased significantly with more Unix groups and
> NAS. It would be unmanageable and very difficult to maintain.
>
> Is there other methods to do the same thing and ease to support?
>
> Cheers,
>
> Anthony Chan
> Sun Professional Services Hong Kong
> 22/F Shui On Centre,
> 8 Harbour Road, Wanchai,
> Hong Kong
>
> Phone: (852) 2820-0674
> Fax : (852) 2802-8655
>-- End of excerpt from Anthony Chan
Re: (RADIATOR) authenticates user from /etc/shadow
Hello Abdul:

Filename /etc/shadow

Radiator will need to run as root in order to be able to read the shadow file

Hope that helps.

Cheers.

On Jun 8, 9:23pm, Abdul Rehman Saeed wrote:
> Subject: (RADIATOR) authenticates user from /etc/shadow
> Hi,
> I am new in user list,
> I want to run radiator on Solaris2.6, and authenticate users from
> /etc/shadow file,
> pl. mail me sample config file,
>
> Regards.
>-- End of excerpt from Abdul Rehman Saeed
Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
Hello Oliver.

It's very difficult to distinguish between Unix groups of users using Handlers or Realm. Handler and Realm only have the attributes of the incoming request to work with.

I think the right answer for you is to set up a users file that authenticates through Unix, and uses check and reply items for each group. Something like this:

Filename xyzzy

# This one is used by AuthType=System
Identifier System
Filename /etc/passwd
GroupFilename /etc/group

And in the users file xyzzy:

# Limit of 5 sim-use to anyone in group1
DEFAULT AuthType=System,Group=group1,Simultaneous-Use=5
# Limit of 2 sim-use for anyone in group2
DEFAULT AuthType=System,Group=group2,Simultaneous-Use=2
etc

Hope that helps.

Cheers.

On Jun 8, 10:59am, O Stockhammer wrote:
> Subject: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
>
> Hello,
> With the flexibility of radiator, I wanted to know if you
> suggested a method of implementing different session characteristics for
> different unix group members. I know we have to use 'check items' but I
> am unsure of how to insert them in the cfg file.
> For example, we would like to use the 'maxsessions 1' for the
> 'nodup' unix group, while everyone else coming in should be set to
> 'maxsessions 5'. I am hoping to implement this in the radius.cfg file
> using something like a tag. I am just unsure as to where this
> info should go in the actual file.
> I have attached part of my current (rudimentary) radius.cfg file.
> The way we are setup is to have all accounting go to mySQL and
> authentication first goes off of a UNIX master.passwd file and then to a
> users file. Ipass will be a future consideration.
> Thanks for your help.
>
> Oliver Stockhammer
> Systems
> Internet Channel
>
> [ Attachment (text/plain): "radius.cfg.partial" 6571 bytes
> Character set: US-ASCII
> Partial radius.cfg
> Encoded with "base64" ]
>-- End of excerpt from O Stockhammer
Re: (RADIATOR) AuthByPolicy ContinueUntilAccept
Hi Mickey,

AuthBy RADIUS is a little different to most other AuthBy clauses. It forwards the request immediately, then does retransmits until it gets a reply, then sends the reply back to the original NAS.

If you have 2 AuthBy RADIUS chained together (as you do), then _both_ will transmit immediately, and both will arrange for retransmits in the case of no reply, and both will send their replies back to the original NAS. So I guess this could be described as operating in parallel. In this case, the order is not really important.

Hope that helps.

Cheers.

On Jun 8, 3:20pm, Mickey Coggins wrote:
> Subject: (RADIATOR) AuthByPolicy ContinueUntilAccept
> Hi,
>
> I have something like this in my config file:
>
> AuthByPolicy ContinueUntilAccept
>
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> Host 10.1.1.1
> Host 10.1.2.1
> Host 10.1.3.1
> Secret secret
> AuthPort 1645
> AcctPort 1646
> LocalAddress mylocal.cooldomain.com
>
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
> Host auth.coolerdomain.com
> Secret moresecret
> AuthPort 1812
> AcctPort 1813
> LocalAddress mylocal.cooldomain.com
>
> What I see is that if the request times out for the first AuthBy and
> is accepted by the second, the first AuthBy continues to send requests
> for quite some time.
>
> How does this work? Does radiator try both in parallel? Is order
> important?
>
> Thanks,
> Mickey
>-- End of excerpt from Mickey Coggins
(RADIATOR) Configuration for Unix group users
Hello Radiators,

My system is Solaris 2.6 with NIS+. I am trying to configure the
Radiator to authenticate Unix users by groups. I have a workable
configuration as follow:

Filename ./config
AcctLogFileName %L/detail

UseGetspnam
Identifier System

Inside the file ./config, I have the following lines for the Unix group,
g2, with two NAS:

DEFAULT
Auth-Type=System,Group=g2,NAS-IP-Address=206.161.55.24,Simultaneous-Use=1

DEFAULT
Auth-Type=System,Group=g2,NAS-IP-Address=207.176.112.152,Simultaneous-Use=1

Then, if I have many Unix groups and NAS, I must have to define many
lines inside the file ./config. For example, if I have ten Unix groups
with a hundred NAS, I have to define a thousand lines. The number of
such lines would be increased significantly with more Unix groups and
NAS. It would be unmanageable and very difficult to maintain.

Is there other methods to do the same thing and ease to support?

Cheers,

Anthony Chan
Sun Professional Services Hong Kong
22/F Shui On Centre,
8 Harbour Road, Wanchai,
Hong Kong

Phone: (852) 2820-0674
Fax : (852) 2802-8655
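Mike's replies to Anthony and to Oliver both rest on the same mechanism: a users-file DEFAULT entry whose check items (Group, NAS-IP-Address, Simultaneous-Use) are tested against the request, with a check item written as /regex/ matching a pattern rather than one exact value. The following added Perl example, written for this archive and not Radiator's own users-file code, implements a small matcher for that line syntax and runs the one-line regex entry from the reply against three constructed requests. Group membership comes from a constructed in-memory table standing in for GroupFilename /etc/group, and Auth-Type and Simultaneous-Use are passed through unchecked because they select the authenticator and the session limit rather than test the request.

```perl
#!/usr/bin/perl
# Added example, not Radiator's own code: a check-item matcher showing how
# one DEFAULT line with NAS-IP-Address=/^206\.161\.55\./ covers every NAS
# in that class C, instead of one line per NAS as in Anthony's ./config.
use strict;
use warnings;

# Constructed group table standing in for /etc/group (group => {user => 1}).
my %groups = (
    g1 => { alice => 1 },
    g2 => { bob => 1, carol => 1 },
);

# Parse "Name=value,Name=/regex/,..." into [name, test] pairs. A value
# written as /.../ becomes a regex test, anything else an exact comparison.
# (This toy splits on commas, so a regex containing a comma would need a
# smarter tokenizer.)
sub parse_check_items {
    my ($line) = @_;
    my @items;
    for my $pair (split /,/, $line) {
        my ($name, $value) = split /=/, $pair, 2;
        if ($value =~ m{^/(.*)/$}) {
            my $re = qr/$1/;
            push @items, [$name, sub { $_[0] =~ $re }];
        } else {
            push @items, [$name, sub { $_[0] eq $value }];
        }
    }
    return @items;
}

# Does the request satisfy every check item on the line?
sub matches {
    my ($line, $req) = @_;
    my $user = defined $req->{'User-Name'} ? $req->{'User-Name'} : '';
    for my $item (parse_check_items($line)) {
        my ($name, $test) = @$item;
        # Auth-Type picks the authenticator, Simultaneous-Use sets a limit;
        # neither is a test of request attributes, so skip them here.
        next if $name eq 'Auth-Type' || $name eq 'Simultaneous-Use';
        if ($name eq 'Group') {
            # Group passes if the user belongs to any group the test accepts.
            return 0 unless grep { $test->($_) && $groups{$_}{$user} } keys %groups;
        } else {
            return 0 unless defined $req->{$name} && $test->($req->{$name});
        }
    }
    return 1;
}

# The single line from the reply, covering every NAS in 206.161.55.0/24.
my $line = 'Auth-Type=System,Group=g2,NAS-IP-Address=/^206\.161\.55\./,Simultaneous-Use=1';

# Constructed requests: a g2 member from a NAS in that network, the same
# user from the other NAS in Anthony's file, and a non-member of g2.
my @requests = (
    { 'User-Name' => 'bob',   'NAS-IP-Address' => '206.161.55.24' },
    { 'User-Name' => 'bob',   'NAS-IP-Address' => '207.176.112.152' },
    { 'User-Name' => 'alice', 'NAS-IP-Address' => '206.161.55.99' },
);
# Expected: matches / no match / no match.
for my $r (@requests) {
    printf "%-6s from %-16s %s\n", $r->{'User-Name'}, $r->{'NAS-IP-Address'},
        matches($line, $r) ? 'matches' : 'no match';
}
```

The second request is the point of Anthony's question: the 207.176.112.152 NAS still needs its own line (or its own regex), so the count of lines goes with the number of distinct address ranges, not the number of NASs. When writing such patterns, anchor them as in the reply (`^206\.161\.55\.` with the trailing dot), otherwise `206.161.55` would also match addresses such as 206.161.550.x if a NAS ever reported one, and an unanchored pattern would match anywhere in the string.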
Re: (RADIATOR) authenticates user from /etc/shadow
Abdul Rehman Saeed wrote:
>
> Hi,
> I am new in user list,
> I want to run radiator on Solaris2.6, and authenticate users from
> /etc/shadow file,
> pl. mail me sample config file,
>

Abdul please, read the archive at http://www.thesite.com.au/~radiator/ and search the threads with my last messages, because all are in relation with this issue.

Félix
__
DATAGRAMA SERVICIOS INTERNET
C/ Acer 30                      Tlf: +34 3 223 00 98
08038 BARCELONA ( Spain )       Fax: +34 3 223 12 66
mailto:[EMAIL PROTECTED]
http://www.datagrama.net
__
(RADIATOR) authenticates user from /etc/shadow
Hi,
I am new in user list,
I want to run radiator on Solaris2.6, and authenticate users from
/etc/shadow file,
pl. mail me sample config file,

Regards.
(RADIATOR) Request for Information - Password Authentication Modules
Greetings Radiators:

I am looking for some information. I would like to replace the user authentication in Solaris and NT with Radius - a form of single point of login. Can anyone direct me to products, software, or procedures that implement this form of password authentication.

Rich Cameron
Network Manager
RMC
(RADIATOR) (Radiator) Setting up radius.cfg for Groups
Hello,
With the flexibility of radiator, I wanted to know if you suggested a method of implementing different session characteristics for different unix group members. I know we have to use 'check items' but I am unsure of how to insert them in the cfg file.
For example, we would like to use the 'maxsessions 1' for the 'nodup' unix group, while everyone else coming in should be set to 'maxsessions 5'. I am hoping to implement this in the radius.cfg file using something like a tag. I am just unsure as to where this info should go in the actual file.
I have attached part of my current (rudimentary) radius.cfg file. The way we are setup is to have all accounting go to mySQL and authentication first goes off of a UNIX master.passwd file and then to a users file. Ipass will be a future consideration.
Thanks for your help.

Oliver Stockhammer
Systems
Internet Channel

LogStdout
PidFile /var/log/radius/radiator.pid
LogDir /var/log/radius
DbDir /usr/local/etc/radiusDB
#SnmpgetProg /usr/bin/snmpget

# This clause defines a single client to listen to
Secret
NasType TotalControl

# This is one of the USR racks at oldslip for accting only.
Secret
NasType TotalControl

Secret
NasType TotalControl

Secret
NasType TotalControl

Secret
NasType TotalControl

Secret
NasType TotalControl

Secret
NasType TotalControl

Secret
IgnoreAcctSignature
NasType TotalControl

# For testing: this allows us to honour requests from radpwtst
# on the same host.
Secret mysecret
DupInterval 0

RewriteUsername s/^([^@]+).*/$1/
AcctLogFileName %L/detail
AuthByPolicy ContinueUntilAccept

DBSource dbi:mysql:Radiator
DBUsername root
DBAuth

# an empty AuthSelect turns off auth
AuthSelect

AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef CLIENT_ID,Client-Id
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACTUAL_TIME,Timestamp,integer-date
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NAS_IDENTIFIER,Client-Id
AcctColumnDef NAS_IP_ADDRESS,NAS-IP-Address
AcctColumnDef NAS_PORT,NAS-Port,integer
AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type
AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef SERVICE_TYPE,Service-Type
AcctColumnDef USR_MODEM_TIME,USR-Modem-Training-Time,integer
AcctColumnDef USR_INTERFACE,USR-Interface-Index,integer
AcctColumnDef USR_CHASSIS_SLOT,Chassis-Call-Slot,integer
AcctColumnDef USR_CHASSIS_SPAN,Chassis-Call-Span,integer
AcctColumnDef USR_CHASSIS_CHANNEL,Chassis-Call-Channel,integer
AcctColumnDef USR_UNAUTH_TIME,Unauthenticated-Time,integer
AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
AcctColumnDef CALLED_STATION_ID,Called-Station-Id
AcctColumnDef USR_MODULATION_TYPE,Modulation-Type
AcctColumnDef USR_SMNP_LEVELS,Simplified-MNP-Levels
AcctColumnDef USR_SimplifiedV42BIS_USAGE,Simplified-V42bis-Usage
AcctColumnDef USR_CONNECT_SPEED,Connect-Speed
AcctColumnDef FRAMED_PROTOCOL,Framed-Protocol
AcctColumnDef FRAMED_IP_ADDRESS,Framed-IP-Address
AcctColumnDef USR_MP_MRRU,MP-MRRU,integer
AcctColumnDef ACCTLINKCOUNT,Acct-Link-Count,integer
AcctColumnDef ACCTMULTISESSION_ID,Acct-Multi-Session-Id

Identifier System
Filename /usr/local/etc/radiusDB/master.passwd
Match ^([^:]*):([^:]*)
GroupFilename /usr/local/etc/radiusDB/group

# The filename defaults to %D/users
Filename %D/users

Filename %D/users1

#
# Debug
#
(RADIATOR) AuthByPolicy ContinueUntilAccept
Hi,

I have something like this in my config file:

AuthByPolicy ContinueUntilAccept

DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
Host 10.1.1.1
Host 10.1.2.1
Host 10.1.3.1
Secret secret
AuthPort 1645
AcctPort 1646
LocalAddress mylocal.cooldomain.com

DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
Host auth.coolerdomain.com
Secret moresecret
AuthPort 1812
AcctPort 1813
LocalAddress mylocal.cooldomain.com

What I see is that if the request times out for the first AuthBy and
is accepted by the second, the first AuthBy continues to send requests
for quite some time.

How does this work? Does radiator try both in parallel? Is order
important?

Thanks,
Mickey
(RADIATOR) Re: question about radiator configuration
Hello Marijke,

On Jun 8, 1:05pm, Marijke Vandecappelle wrote:
> Subject: Re: question about radiator configuration
> Hi Mike,
>
> Thanks for your help.
>
> I'm afraid I have more questions.

No problem

> ---
>
> I heard there is a patch for the 'authby ldap', because the current code
> does not do the unbind operation which can cause problems with some ldap
> servers. My netscape ldap server seems to be resistant to this, but load
> is increasing and I'm worried it may affect performance.
> Can I get the patch? I'm using Radiator version 2.13.

It's available as a new version of AuthLDAP2.pm at
http://www.open.com.au/radiator/downloads/patches-2.13.1/AuthLDAP2.pm

> ---
>
> I saw that Radiator supports authentication with the ACE securId cards.
> We may want to use securId cards for roaming users because Surfnet
> requires us to use 'strong' authentication if we do not check on CLI.
> Can your radius server directly enquire the ACE server and how do I
> configure radiator to do that? Or does it use 'authby radius' to
> forward the radius authentication request to the (Livingston?) radius
> server that is packaged with the Ace software?

It uses the latter technique: basically it proxies requests to the ACE
radius server (which is a modified but very limited version of Livingston,
I think). Radiator does however take care to proxy correctly the challenges
and responses that ACE requires to make it work.

> ---
>
> I have a question about info level logging. It's not very helpful in my
> configuration: I have to check 2 ldap servers for the moment.
>
> ...
> AuthByPolicy ContinueWhileReject
>
> Host with.ic.uva.nl
> Port 389
> ...
> NoDefaultIfFound
>
> Host blaeu.student.uva.nl
> ...
> NoDefaultIfFound
>
> If the user is in the first ldap server, but authentication does not
> succeed e.g. wrong CLI, then I only get info logging from the second
> ldap server with the totally useless information.
>
> Tue Jun 8 00:56:32 1999: INFO: Access rejected for mdw0011: No such user
>
> While it would make the life of the support staff a lot easier if I saw
> something like:
>
> Tue Jun 8 00:34:27 1999: INFO: Access rejected for mdw0011: Check item
> Calling-Station-Id expression '/204164698/' does not match '204164699'
> in request
>
> Is it configurable to get this information from the first and second
> authbyldap instead of just the second one?

Hmm, I would have expected to see a DEBUG level message for each check
item that failed, but not an INFO level. Of course you get a lot of other
stuff at DEBUG level too.

The code that controls this is in AuthGeneric.pm at about line 221:

$self->log($main::LOG_DEBUG,
    "$type $Radius::AuthGeneric::reasons[$checkResult]: $reason");

This line logs a DEBUG message whenever a check item is violated. You may
want to change it to LOG_INFO?

> ---
>
> Searching for DEFAULT:
>
> [08/Jun/1999:12:49:47 +0200] conn=557 op=1849 SRCH base="o=Universiteit
> van Amsterdam,c=Nl" scope=2 filter="(uid=DEFAULT)"
>
> If a user is not found then radiator searches for DEFAULT, that's a lot
> of extra searches that slow down the process.
> Can I get rid of the searching for "DEFAULT" completely?

Not right now.

> ---
>
> Performance. In the log I see:
>
> Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request
> is ignored
>
> Has that got to do with the fact that ldap connections are done
> synchronously? Does it indicate a performance problem?

No, it means that Radiator could not find a Realm or Handler clause to
match the incoming request. I would have a close look at the request that
caused that (if possible) and see whether or not you need to adjust your
configuration. The most likely cause is an incorrectly typed realm when
someone is trying to log in.

> ---
>
> I hope you can help me with these questions.

I hope that helps.

Cheers.

--
Mike McCauley                                [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985   Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
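As an added example (not code from this thread, nor from Radiator itself), the following Python script shows what the support-desk view Marijke asks for can look like without running the server at DEBUG level: it parses Radiator's "Access rejected for USER: REASON" messages, separates a Calling-Station-Id check-item mismatch from "No such user", counts the "Could not find a handler" warnings Mike suggests investigating (they point at mistyped or unexpected realms, not at LDAP performance), and collects ERR lines such as a failed SQL statement. The sample log lines are constructed, modelled on the messages quoted in the thread with the wrapped "Calling- Station-Id" rejoined; the user jdoe, the extra timestamps and the Service-Type reason in the usage are invented. The regular expressions assume exactly the message formats shown above.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the messages quoted in this thread
# (the wrapped "Calling- Station-Id" has been rejoined; "jdoe" is invented).
SAMPLE_LOG = """\
Tue Jun 8 00:34:27 1999: INFO: Access rejected for mdw0011: Check item Calling-Station-Id expression '/204164698/' does not match '204164699' in request
Tue Jun 8 00:56:32 1999: INFO: Access rejected for mdw0011: No such user
Tue Jun 8 01:10:02 1999: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='209.144.212.11' and NASPORT=': parse error near '' at line 1
Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request is ignored
Tue Jun 8 01:48:14 1999: WARNING: Could not find a handler: request is ignored
Tue Jun 8 01:52:40 1999: INFO: Access rejected for jdoe: Check item Calling-Station-Id expression '/204164698/' does not match '301234567' in request
"""

# "Tue Jun 8 00:34:27 1999: LEVEL: message" (day may be padded with spaces)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"^Access rejected for (?P<user>\S+): (?P<reason>.*)$")
CHECK_ITEM_RE = re.compile(
    r"^Check item (?P<attr>\S+) expression '(?P<expected>.*?)' "
    r"does not match '(?P<got>.*?)' in request$"
)
NO_HANDLER = "Could not find a handler"


def parse_line(line):
    """Split one Radiator log line into timestamp, level and message."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify_reject(reason):
    """Map a reject reason to a short class a support desk can act on."""
    if reason == "No such user":
        return "unknown-user"
    m = CHECK_ITEM_RE.match(reason)
    if m:
        attr = m.group("attr")
        # A CLI mismatch is a different signal from a missing account:
        # the user exists but dialled in from an unregistered number.
        return "cli-mismatch" if attr == "Calling-Station-Id" else "check-item:" + attr
    return "other"


def triage(log_text):
    """Summarise rejects, unhandled requests and backend errors in a log."""
    summary = {
        "rejects": Counter(),      # (user, class) -> count
        "reject_details": [],      # (timestamp, user, class, raw reason)
        "unhandled": 0,            # requests that matched no Realm/Handler
        "errors": [],              # ERR lines, e.g. failed SQL statements
        "unparsed": 0,             # lines not in the expected format
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        level, msg = rec["level"], rec["msg"]
        if level == "INFO":
            m = REJECT_RE.match(msg)
            if m:
                cls = classify_reject(m.group("reason"))
                summary["rejects"][(m.group("user"), cls)] += 1
                summary["reject_details"].append(
                    (rec["ts"], m.group("user"), cls, m.group("reason")))
        elif level == "WARNING" and msg.startswith(NO_HANDLER):
            summary["unhandled"] += 1
        elif level == "ERR":
            summary["errors"].append((rec["ts"], msg))
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for (user, cls), n in sorted(s["rejects"].items()):
        print(f"{user:10} {cls:15} {n}")
    print("unhandled requests:", s["unhandled"])
    print("backend errors:", len(s["errors"]))
```

Run it over a real log with `triage(open("radiator.log").read())`; a steady stream of "unhandled" hits from one NAS is worth correlating with that client's realm configuration, and the per-user "cli-mismatch" counts are the information the first AuthBy LDAP would otherwise only show at DEBUG level.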
(RADIATOR) Re: question about radiator configuration
Hi Mike,

Thanks for your help.

I'm afraid I have more questions.

---

I heard there is a patch for the 'authby ldap', because the current code
does not do the unbind operation which can cause problems with some ldap
servers. My netscape ldap server seems to be resistant to this, but load
is increasing and I'm worried it may affect performance.
Can I get the patch? I'm using Radiator version 2.13.

---

I saw that Radiator supports authentication with the ACE securId cards.
We may want to use securId cards for roaming users because Surfnet
requires us to use 'strong' authentication if we do not check on CLI.
Can your radius server directly enquire the ACE server and how do I
configure radiator to do that? Or does it use 'authby radius' to
forward the radius authentication request to the (Livingston?) radius
server that is packaged with the Ace software?

---

I have a question about info level logging. It's not very helpful in my
configuration: I have to check 2 ldap servers for the moment.

...
AuthByPolicy ContinueWhileReject

Host with.ic.uva.nl
Port 389
...
NoDefaultIfFound

Host blaeu.student.uva.nl
...
NoDefaultIfFound

If the user is in the first ldap server, but authentication does not
succeed e.g. wrong CLI, then I only get info logging from the second
ldap server with the totally useless information.

Tue Jun 8 00:56:32 1999: INFO: Access rejected for mdw0011: No such user

While it would make the life of the support staff a lot easier if I saw
something like:

Tue Jun 8 00:34:27 1999: INFO: Access rejected for mdw0011: Check item
Calling-Station-Id expression '/204164698/' does not match '204164699'
in request

Is it configurable to get this information from the first and second
authbyldap instead of just the second one?

---

Searching for DEFAULT:

[08/Jun/1999:12:49:47 +0200] conn=557 op=1849 SRCH base="o=Universiteit
van Amsterdam,c=Nl" scope=2 filter="(uid=DEFAULT)"

If a user is not found then radiator searches for DEFAULT, that's a lot
of extra searches that slow down the process.
Can I get rid of the searching for "DEFAULT" completely?

---

Performance. In the log I see:

Tue Jun 8 01:48:13 1999: WARNING: Could not find a handler: request
is ignored

Has that got to do with the fact that ldap connections are done
synchronously? Does it indicate a performance problem?

---

I hope you can help me with these questions.

Kind regards,
Marijke

Marijke Vandecappelle
Senior network administrator
Informatiseringscentrum Universiteit van Amsterdam
Turfdraagsterpad 9
1012 XT Amsterdam
E-mail [EMAIL PROTECTED]
Telephone +31 20 5252025
Fax +31 20 5252084