Re: (RADIATOR) Simultaneous Access
Hello Mike -

On Tue, 24 Aug 1999, Michael Gatti wrote:
> Sounds Cool Hugh ... But if I limit my Realm to "MaxSessions 1" all my users will have a limit to 1 access per time, I don't know if you took a look at my config file I have three other types of authentication that can't be limited to "MaxSessions 1",

I did have a look at your examples, however my suggestion regarding MaxSessions was incorrect (misunderstanding on my part). You should still set up a SessionDatabase and declare the NasType for each client and configure the appropriate strict checking via SNMP or whatever.

cheers

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) radiator cgi script hosting
Jay West wrote:
> There's a cgi program included in radiator that can be called from a web browser to see who's currently online, etc. etc. Is there any way that this cgi can be run on a different machine than the radiator server? I hate mucking up my nice radius servers with web server software when I have quite a few perfectly good web servers sitting next to them. Is this possible and what (in general terms) is required? Thanks in advance!!
>
> Jay West

I had the same problem. You have more than one choice:

1.) share the filesystem via nfs between your radius server host and your web server host
2.) use a database as backend to radiator
3.) forward all radius ACCOUNTING records with AuthBy Radius to a second radius server. You have to adjust the AuthByPolicy and the NoForwardAuthentication to get what you want. Read the documentation with these hints carefully and afterwards contact me again if there are still problems.
4.) Nr. 3 was my first solution but with Ascend as the NAS you have a nice feature called "Call Logging" and this is just a second path to radius accounting. I configured my Ascend Box as usual for radius authentication and accounting with my radiusd hosts and additionally Call Logging to my web host with an additional radiator as accounting server running. That's all and works fine for me.

Regards
Charly

--
Karl Gaissmaier, Computing Center, University of Ulm, Germany
Email: [EMAIL PROTECTED]  Network Administration  Tel/Fax: ++49 731 50 22499/22471
pgp-key available: http://www.uni-ulm.de/urz/Netzwerk/uuca/keylist.html
(RADIATOR) Some problems of using Oracle as an external session database
Hi Mike,

I encountered two problems using Oracle 8. The first one is an Oracle core dump and the second one is about Oracle efficiency.

For the first problem, after I use Oracle as the session database, the Oracle server always core dumps. From the reply of Oracle support, there is a bug in Oracle 8 that the core dump is due to the existence of null variables inside the SQL statements. However, they don't have a patch for our server. So, we have to avoid null variables. From the logfile, I found that there is always a null variable, servicetype, inside the insert sql statement, i.e.

    insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,SERVICETYPE) values ('lawkei', '207.176.112.154', 20109, '295908866', 935519065, '208.151.66.123', 'Async', '').

The workaround for this problem is to replace all null variables using a space. Can you do me a favour and tell me how to change the source code to make it work?

The second problem is that, from the DBA of the Oracle, Radiator is now using hard-coded SQL statements to the session database. It would decrease the efficiency of the Oracle. If the delete and insert statements are very frequent, it would cause a memory leak or even ora error: 4031. The DBA suggests using variable binding of the SQL statement. For the variable binding of SQL statements, it would consist of ora_login, ora_open, ora_bind. I checked the source code, SessSQL.pm and SqlDb.pm, and they don't exist. What's your suggestion about it? Is it possible that you can provide us with the variable binding SQL statements?

Thank you for your attention.

--
Cheers,
Anthony Chan
Sun Professional Services Hong Kong
22/F Shui On Centre, 8 Harbour Road, Wanchai, Hong Kong
Phone: (852) 2820-0674  Fax: (852) 2802-8655
(RADIATOR) Password Extraction Probs
I'm still completely at a loss as to how to make the plaintext password supplied in the radius packet available to the module I am hacking for LDAP authentication. My perl isn't up to spotting how to get the routines elsewhere in Radiator to work for me and supply this. Please could someone talk me through it? (slowly and with no long words, for preference!)

I'm running Radiator-2.14 under FreeBSD 3.2-Release with Perl version 5.005_03 built for i386-freebsd.

The relevant part of my config for testing this function is:

    <Realm>
        MaxSessions 2
        <AuthBy NEWLDAP>
            Host x.mcc.ac.uk
            Port 389
            BaseDN c=UK
            UsernameAttr uid
            CheckAttr checkitems
            ReplyAttr replyitems
        </AuthBy>
        AcctLogFileName %L/LDAP-detail.%m%y
        PasswordLogFileName %L/LDAP-passwd-log.%m%y
        ExcludeFromPasswordLog yyy
        RejectHasReason
    </Realm>

The relevant portion of my optimistically-named NEWLDAP module is:

    sub findUser {
        my ($self, $name, $p) = @_;

        return (undef, 1) unless $self->reconnect;
        return (undef, 1) unless $self->anonbind;

        my $user;
        my @attrs;
        push(@attrs, $self->{CheckAttr}) if defined $self->{CheckAttr};
        push(@attrs, $self->{ReplyAttr}) if defined $self->{ReplyAttr};
        my $result = $self->{ld}->search
            (base => $self->{BaseDN},
             scope => 'sub',
             filter => "($self->{UsernameAttr}=$name)",
             attrs => \@attrs);
        if (!$result || $result->code() != LDAP_SUCCESS) {
            my $code = $result ? $result->code() : -1;
            my $errname = ldap_error_name($code);
            $self->log($main::LOG_ERR, "ldap search failed with error $errname");
            $self->{ld} = undef;
            return (undef, 1);
        }

        my $entry = $result->entry(0);
        if ($entry) {
            $user = new Radius::User;
            my $dn = $entry->dn;
            $self->log($main::LOG_DEBUG, "LDAP got result for $dn");

            my ($attr);
            foreach $attr ($entry->attributes()) {
                my @vals = $entry->get($attr);
                $self->log($main::LOG_DEBUG, "LDAP got $attr: @vals");
                $attr = lc $attr;
                if ($attr eq lc $self->{CheckAttr}) {
                    $user->get_check->parse(join ',', @vals);
                } elsif ($attr eq lc $self->{ReplyAttr}) {
                    $user->get_reply->parse(join ',', @vals);
                }
            }
        } else {
            $self->log($main::LOG_DEBUG, "No entries for $name found in LDAP database");
            $self->unbind;
            return 0;
        }
        $self->unbind;

        # Now we connect and do the login as the user.
        return (undef, 1) unless $self->reconnect;

        # THIS NEEDS TO BE FIXED
        # As you can see, for testing, I've hard-coded a password, because
        # trying to extract it directly doesnt seem to work... yet!
        my $password = "monday";
        # The commented out line below doesnt work!
        # my $password = $self->decode_password($self->{Client}->{Secret});

        my $result = $self->{ld}->bind
            ( dn => $entry->dn,
              password => $password);
        if (!$result || $result->code() != LDAP_SUCCESS) {
            $self->log($main::LOG_DEBUG, "USER FAILED TO AUTHENTICATE");
            my $code = $result ? $result->code() : -1;
            my $error = ldap_error_name($code);
            $self->log($main::LOG_DEBUG, "Error Code: $code\nError Name: $error");
            $self->unbind;
            return 0;
        }
        $self->log($main::LOG_DEBUG, "USER AUTHENTICATED!");
        return $user;
    }

    1;

Advice, please? I want to purchase Radiator (it's currently on evaluation), but can't unless what I'm trying to do is at least possible...

Thanks,

M.

--
Mark O'Leary, Network Support Officer, Manchester Computing, UK
Voice: +44 (0161) 2756110  Fax: +44 (0161) 2756040  Email: [EMAIL PROTECTED]
Mark O'Leary, Deputy Warden, Moberly Hall, UoM.
Re: (RADIATOR) Password Extraction Probs
Hi Mark,

almost right. The line you commented out:

    my $password = $self->decode_password($self->{Client}->{Secret});

should be changed to be

    my $password = $p->decode_password($p->{Client}->{Secret});

and that will work for PAP passwords. ($p is the handle to the incoming request.)

Hope that helps.

Cheers.

On Aug 25, 11:23am, Mark O'Leary wrote:
> Subject: (RADIATOR) Password Extraction Probs
>
> I'm still completely at a loss as to how to make the plaintext password supplied in the radius packet available to the module I am hacking for LDAP authentication. My perl isn't up to spotting how to get the routines elsewhere in Radiator to work for me and supply this. Please could someone talk me through it? (slowly and with no long words, for preference!)
>
> I'm running Radiator-2.14 under FreeBSD 3.2-Release with Perl version 5.005_03 built for i386-freebsd.
>
> The relevant part of my config for testing this function is:
>
>     <Realm>
>         MaxSessions 2
>         <AuthBy NEWLDAP>
>             Host x.mcc.ac.uk
>             Port 389
>             BaseDN c=UK
>             UsernameAttr uid
>             CheckAttr checkitems
>             ReplyAttr replyitems
>         </AuthBy>
>         AcctLogFileName %L/LDAP-detail.%m%y
>         PasswordLogFileName %L/LDAP-passwd-log.%m%y
>         ExcludeFromPasswordLog yyy
>         RejectHasReason
>     </Realm>
>
> The relevant portion of my optimistically-named NEWLDAP module is:
>
>     sub findUser {
>         my ($self, $name, $p) = @_;
>
>         return (undef, 1) unless $self->reconnect;
>         return (undef, 1) unless $self->anonbind;
>
>         my $user;
>         my @attrs;
>         push(@attrs, $self->{CheckAttr}) if defined $self->{CheckAttr};
>         push(@attrs, $self->{ReplyAttr}) if defined $self->{ReplyAttr};
>         my $result = $self->{ld}->search
>             (base => $self->{BaseDN},
>              scope => 'sub',
>              filter => "($self->{UsernameAttr}=$name)",
>              attrs => \@attrs);
>         if (!$result || $result->code() != LDAP_SUCCESS) {
>             my $code = $result ? $result->code() : -1;
>             my $errname = ldap_error_name($code);
>             $self->log($main::LOG_ERR, "ldap search failed with error $errname");
>             $self->{ld} = undef;
>             return (undef, 1);
>         }
>
>         my $entry = $result->entry(0);
>         if ($entry) {
>             $user = new Radius::User;
>             my $dn = $entry->dn;
>             $self->log($main::LOG_DEBUG, "LDAP got result for $dn");
>
>             my ($attr);
>             foreach $attr ($entry->attributes()) {
>                 my @vals = $entry->get($attr);
>                 $self->log($main::LOG_DEBUG, "LDAP got $attr: @vals");
>                 $attr = lc $attr;
>                 if ($attr eq lc $self->{CheckAttr}) {
>                     $user->get_check->parse(join ',', @vals);
>                 } elsif ($attr eq lc $self->{ReplyAttr}) {
>                     $user->get_reply->parse(join ',', @vals);
>                 }
>             }
>         } else {
>             $self->log($main::LOG_DEBUG, "No entries for $name found in LDAP database");
>             $self->unbind;
>             return 0;
>         }
>         $self->unbind;
>
>         # Now we connect and do the login as the user.
>         return (undef, 1) unless $self->reconnect;
>
>         # THIS NEEDS TO BE FIXED
>         # As you can see, for testing, I've hard-coded a password, because
>         # trying to extract it directly doesnt seem to work... yet!
>         my $password = "monday";
>         # The commented out line below doesnt work!
>         # my $password = $self->decode_password($self->{Client}->{Secret});
>
>         my $result = $self->{ld}->bind
>             ( dn => $entry->dn,
>               password => $password);
>         if (!$result || $result->code() != LDAP_SUCCESS) {
>             $self->log($main::LOG_DEBUG, "USER FAILED TO AUTHENTICATE");
>             my $code = $result ? $result->code() : -1;
>             my $error = ldap_error_name($code);
>             $self->log($main::LOG_DEBUG, "Error Code: $code\nError Name: $error");
>             $self->unbind;
>             return 0;
>         }
>         $self->log($main::LOG_DEBUG, "USER AUTHENTICATED!");
>         return $user;
>     }
>
>     1;
>
> Advice, please? I want to purchase Radiator (it's currently on evaluation), but can't unless what I'm trying to do is at least possible...
>
> Thanks,
>
> M.
>
> --
> Mark O'Leary, Network Support Officer, Manchester Computing, UK
> Voice: +44 (0161) 2756110  Fax: +44 (0161) 2756040  Email: [EMAIL PROTECTED]
> Mark O'Leary, Deputy Warden,
(RADIATOR) Accounting log file
Hello

I need to add information to the Accounting log file. I would like to know which packages I need to use and where I can find all the associated functions, please!

Thanks a lot for answering me.
(RADIATOR) Authentication using FILE and UNIX
Hi,

Can't figure out a way to have AuthBy FILE get the names/passwords from the Unix password file. Using AuthBy UNIX works when I specify the location of the shadow password file, but not when I specify 'Auth-Type = UNIX' in the 'users' file. Any pointers?

System runs RedHat Linux 6.0 with 2.2.9 kernel and Radiator 2.14.1. Radiator runs as root, testing using radpwtst on the same host (localhost).

--- session log (radiusd already running) ---

    [root@bmama raddb]# cat /usr/local/etc/users
    DEFAULT Service-Type = Framed-User, Framed-Protocol = PPP, Auth-Type = UNIX, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Shiva-User-Attributes = /di, Framed-Compression = Van-Jacobsen-TCP-IP

    [root@bmama raddb]# cat /etc/radius.cfg
    # radius.cfg
    #
    # Author: Mike McCauley ([EMAIL PROTECTED])
    # Copyright (C) 1997 Open System Consultants
    # $Id: radius.cfg,v 1.3 1999/01/28 05:13:52 mikem Exp $
    LogDir /var/log/radius
    DbDir /usr/local/etc/raddb
    # Proxy Radius
    <Client xxx.xxx.xxx.xxx>
        Secret
    </Client>
    # For testing: this allows us to honour requests from radpwtst
    # on the same host.
    <Client localhost>
        Secret mysecret
        DupInterval 0
    </Client>
    # This clause handles all users from all realms by looking them up
    # in the users file at /usr/local/etc/raddb/users
    <Realm DEFAULT>
        <AuthBy FILE>
        </AuthBy>
        # Log accounting to the detail file in LogDir
        AcctLogFileName %L/detail
    </Realm>

    [root@bmama raddb]# radpwtst -user test -password test
    sending Access-Request...
    Rejected
    sending Accounting-Request Start...
    OK
    sending Accounting-Request Stop...
    OK

--- end ---

Any ideas? Where should I look in the manual if it is in there?

Thnx,

Jonathan

--
UR Communications - Solutions for a wired world
Who, what where @ http://www.ur.nl/
Re: (RADIATOR) Ascend MAX and PPP
Hello!

Quoting Hugh Irvine [EMAIL PROTECTED]:
> Hello Chen -
>
> On Wed, 25 Aug 1999, Chen Shiyuan wrote:
>> Hello! I am very new to Radiator and encountered this funny problem and am wondering if anyone can help me with it. I am using Radiator-2.14.1. Basically, I have an Ascend MAX 4060 which allows users to dial in and access the Internet via PPP. Windows95 users have no problem dialing in via the dialup networking BUT users who manually dial in and then type PPP at the ascend% prompt after they have logged in are given this message :-
>>
>>     Requested Service is Not Authorized!
>>
>> I used to have no problems when using Radius-2.x .
>
> Which Radius is this?

Radius-2.0.1 from Livingston.

>> Here is my corresponding /etc/raddb/defuser file which I included from my radius.cfg :-
>>
>>     DEFAULT Service-Type = Framed-User
>>         Framed-Protocol = PPP,
>>         Framed-IP-Netmask = 255.255.255.0,
>>         Framed-Routing = None,
>>         Framed-MTU = 1500,
>>         Framed-Compression = Van-Jacobson-TCP-IP
>
> I notice in your DEFAULT user above that the only Check item is
>
>     Service-Type = Framed-User
>
> This will never match a command line request from the NAS. Also note that many

Hmm... if I am making use of the authentication to a MySQL database, what should I put in my "defuser" file for the DEFAULT entry? Auth-Type=SQL ? What should be the "normal" and necessary stuff that I should put in my defuser file?

> NAS's (Cisco's notably) also require a Reply item of Service-Type = Framed-User in addition to the rest of the Reply items.
>
>> And here is my radius.cfg :-
>>
>>     Foreground
>>     LogStdout
>>     DbDir /etc/raddb
>>     <ClientListSQL>
>>         DBSource xx
>>         DBUsername xx
>>         DBAuth xx
>>     </ClientListSQL>
>>     <Log SQL>
>>         DBSource xx
>>         DBUsername xx
>>         DBAuth xx
>>     </Log>
>>     <Realm DEFAULT>
>>         MaxSessions 1
>>         <AuthBy SQL>
>>             # Adjust DBSource, DBUsername, DBAuth to suit your DB
>>             DBSource xx
>>             DBUsername xx
>>             DBAuth xx
>>             AuthColumnDef 0, Encrypted-Password, check
>>             # You may want to tailor these for your ACCOUNTING table
>>             AccountingTable ACCOUNTING
>>             AcctColumnDef USERNAME,User-Name
>>             AcctColumnDef TIME_STAMP,Timestamp,integer
>>             AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>             AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>             AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>             AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>             AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>             AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>             AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>             AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>             AcctColumnDef NASPORT,NAS-Port,integer
>>             AcctColumnDef FRAMEDIPADDRESS,Framed-Address
>>         </AuthBy>
>>         <AuthBy FILE>
>>             Filename /etc/raddb/defuser
>>         </AuthBy>
>>     </Realm>
>
> I also notice in your Realm DEFAULT that you do not have an AuthByPolicy declaration - this means that you will never execute the AuthBy FILE.

I added in AuthByPolicy ContinueWhileAccept in Realm DEFAULT but I still cannot get to start ppp from the ascend% prompt. "Auto login" under Win95 works just as fine but this time round, I cannot even get to the ascend% prompt with me being prompted Access Denied after I keyed in my username and password.

The same goes for when I added in "Identifier System" into my AuthBy SQL and then used Auth-Type=System in my defuser file. The above situation occurs with the user not being able to login manually.

Any clues? Thanks a lot!

--
Chen Shiyuan, Network Administrator, Hwa Chong Junior College
[EMAIL PROTECTED]
H/P : 96802564  P/G : 92231871
Re: (RADIATOR) Authentication using FILE and UNIX
> Hi,
>
> Can't figure out a way to have AuthBy FILE get the names/passwords from the Unix password file. Using AuthBy UNIX works when I specify the location of the shadow password file, but not when I specify 'Auth-Type = UNIX' in the 'users' file. Any pointers?
>
> System runs RedHat Linux 6.0 with 2.2.9 kernel and Radiator 2.14.1. Radiator runs as root, testing using radpwtst on the same host (localhost).

I solved it already :)

Thnx

Jonathan

--
UR Communications - Solutions for a wired world
Who, what where @ http://www.ur.nl/
(RADIATOR) Unix based SQL selection request......which one should I use?
We're using FreeBSD 3.2Release for our radius servers. I've decided I have to switch to using SQL rather than dbm files to get some other functionality that we want.

My question is, does anyone have any suggestions as to which SQL server to use? I have a strong preference for it to run on FreeBSD, and be free of charge :) Must work well with radiator, and take a minimum of cpu/disk/memory, etc. The SQL server we pick will only be used for radius, not website databases, etc. etc.

Based on those requirements, should I be looking at msql or mysql or other?

Thanks in advance for everyone's input!

Jay West
Re: (RADIATOR) Unix based SQL selection request......which one should I use?
Hi Jay,

I've recently put in MySql on Linux with Radiator/Radmin. It's working very nicely.

Regards.

Paul

Jay West wrote:
> We're using FreeBSD 3.2Release for our radius servers. I've decided I have to switch to using SQL rather than dbm files to get some other functionality that we want.
>
> My question is, does anyone have any suggestions as to which SQL server to use? I have a strong preference for it to run on FreeBSD, and be free of charge :) Must work well with radiator, and take a minimum of cpu/disk/memory, etc. The SQL server we pick will only be used for radius, not website databases, etc. etc.
>
> Based on those requirements, should I be looking at msql or mysql or other?
>
> Thanks in advance for everyone's input!
>
> Jay West
Re: (RADIATOR) Multiple stop accounting requests
Oh, the reason why Radiator doesn't pick up the two Stops as duplicates? The Acct-Delay-Time value is different in both packets (0 and 5), Radiator does a comparison of the whole packet and they must be identical to be determined to be duplicates.

[EMAIL PROTECTED]
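Added example (not part of the thread and not Radiator's code): a post-processing check over accounting records that shows why a whole-record comparison misses a retransmitted Stop whose Acct-Delay-Time has changed, and how keying on the session identifies it. The NAS name, session ids and helper names are constructed, and the check assumes the NAS does not reuse Acct-Session-Id values.

```python
from collections import defaultdict

# Constructed accounting records. The two Stops for user "shi" differ only in
# Acct-Delay-Time (0 and 5), the situation described in the message above.
RECORDS = [
    {"User-Name": "shi", "NAS-Identifier": "tnt1", "Acct-Session-Id": "295908866",
     "Acct-Status-Type": "Start", "Acct-Delay-Time": 0},
    {"User-Name": "shi", "NAS-Identifier": "tnt1", "Acct-Session-Id": "295908866",
     "Acct-Status-Type": "Stop", "Acct-Delay-Time": 0, "Acct-Session-Time": 600},
    {"User-Name": "shi", "NAS-Identifier": "tnt1", "Acct-Session-Id": "295908866",
     "Acct-Status-Type": "Stop", "Acct-Delay-Time": 5, "Acct-Session-Time": 600},
    {"User-Name": "amy", "NAS-Identifier": "tnt1", "Acct-Session-Id": "295908867",
     "Acct-Status-Type": "Stop", "Acct-Delay-Time": 0, "Acct-Session-Time": 42},
]


def whole_record_key(rec):
    """Every attribute takes part, so any changed value makes a new key."""
    return tuple(sorted(rec.items()))


def session_key(rec):
    """Identify the accounting event itself, ignoring transport details."""
    return (rec["NAS-Identifier"], rec["Acct-Session-Id"], rec["Acct-Status-Type"])


def find_repeats(records, key_fn):
    """Return {key: [record indexes]} for keys seen more than once."""
    groups = defaultdict(list)
    for index, rec in enumerate(records):
        groups[key_fn(rec)].append(index)
    return {key: idxs for key, idxs in groups.items() if len(idxs) > 1}


def collapse_retransmissions(records):
    """Keep one record per event: the copy with the smallest Acct-Delay-Time."""
    best = {}
    for rec in records:
        key = session_key(rec)
        delay = rec.get("Acct-Delay-Time", 0)
        if key not in best or delay < best[key].get("Acct-Delay-Time", 0):
            best[key] = rec
    return list(best.values())


if __name__ == "__main__":
    print("whole-record repeats:", find_repeats(RECORDS, whole_record_key))
    print("session-key repeats:", find_repeats(RECORDS, session_key))
    print("records after collapsing:", len(collapse_retransmissions(RECORDS)))
```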
Re: (RADIATOR) Multiple stop accounting requests
On Thu, Aug 26, 1999 at 10:24:42AM +1200, John Vorstermans wrote:
> Hi.
>
> I cannot get to the bottom of this problem. On occasions we are seeing multiple stop accounting records being added to the records of a session. Looking at the logs I can confirm that multiple stop records are actually sent and received. I have attached radius.cfg and a section of the logfile in case anyone can help me sort this out. The user concerned in this case is "shi"
>
> We are running Radiator 2.14.0 and the packets are coming to us from an Ascend TNT via a proxy radiator server.
>
> What should I look for to sort this problem out?

Currently your Ascend is resending every 5 seconds, which means if the server that Radiator is on is temporarily loaded, or there's a flurry of RADIUS traffic on the server, it might not be completed in time and acknowledged within 5 seconds.

Try setting the retransmit time on your NAS to 10 or 15 seconds.

[EMAIL PROTECTED]
Re: (RADIATOR) AccountingLogFile
Hello Requiem -

On Wed, 25 Aug 1999, Requiem Aurelien (Ext/NTC) wrote:
> Hello
>
> I need to add information to the Accounting log file. I would like to know which packages I need to use and where I can find all the associated functions, please!

There are a variety of ways to deal with Accounting, the most flexible and powerful is with an SQL database. If you use an SQL database you have complete control over all aspects of Accounting through the parameters described in Section 6.24 in the Radiator 2.14.1 reference manual. These include the ability to specify the Accounting table name, the Accounting SQL statement to execute and the column definitions for your particular database schema.

hth

Hugh
Re: (RADIATOR) Some problems of using Oracle as an external session database
Hello Anthony -

On Wed, 25 Aug 1999, Anthony Chan wrote:
> Hi Mike,
>
> I encountered two problems using Oracle 8. The first one is an Oracle core dump and the second one is about Oracle efficiency.
>
> For the first problem, after I use Oracle as the session database, the Oracle server always core dumps. From the reply of Oracle support, there is a bug in Oracle 8 that the core dump is due to the existence of null variables inside the SQL statements. However, they don't have a patch for our server. So, we have to avoid null variables. From the logfile, I found that there is always a null variable, servicetype, inside the insert sql statement, i.e.
>
>     insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,SERVICETYPE) values ('lawkei', '207.176.112.154', 20109, '295908866', 935519065, '208.151.66.123', 'Async', '').
>
> The workaround for this problem is to replace all null variables using a space. Can you do me a favour and tell me how to change the source code to make it work?

You don't need to change the source code - all you need to do is change the AddQuery definition in the SessionDatabase declaration:

    <SessionDatabase SQL>
        DBSource
        DBUsername
        DBAuth
        AddQuery ...
        .
    </SessionDatabase>

See Section 6.6 in the Radiator 2.14.1 reference manual for further details.

> The second problem is that, from the DBA of the Oracle, Radiator is now using hard-coded SQL statements to the session database. It would decrease the efficiency of the Oracle. If the delete and insert statements are very frequent, it would cause a memory leak or even ora error: 4031. The DBA suggests using variable binding of the SQL statement. For the variable binding of SQL statements, it would consist of ora_login, ora_open, ora_bind. I checked the source code, SessSQL.pm and SqlDb.pm, and they don't exist. What's your suggestion about it? Is it possible that you can provide us with the variable binding SQL statements?

Because we use the DBI/DBD libraries, you will not see the Oracle-specific routines in the Radiator source code. For the above problem you might be better served with a Stored-Procedure inside Oracle, and use the SessionDatabase AddQuery statement above to call it.

> Thank you for your attention.

hth

Hugh
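Added example (not from the thread and not Radiator's code): the difference between SQL text with the values pasted in, as in the logged statement, and a single statement with bind parameters, including the space-for-empty workaround mentioned above. Python's sqlite3 stands in for Oracle behind DBI so that it runs offline; that substitution, the second session row and the helper names are assumptions made for illustration.

```python
import sqlite3

COLUMNS = ("USERNAME", "NASIDENTIFIER", "NASPORT", "ACCTSESSIONID",
           "TIME_STAMP", "FRAMEDIPADDRESS", "NASPORTTYPE", "SERVICETYPE")

# One statement text for every session; the values travel separately.
ADD_QUERY = "insert into RADONLINE (%s) values (%s)" % (
    ", ".join(COLUMNS), ", ".join("?" * len(COLUMNS)))

SESSIONS = [
    # Values from the statement quoted in the thread (SERVICETYPE is empty).
    {"USERNAME": "lawkei", "NASIDENTIFIER": "207.176.112.154", "NASPORT": 20109,
     "ACCTSESSIONID": "295908866", "TIME_STAMP": 935519065,
     "FRAMEDIPADDRESS": "208.151.66.123", "NASPORTTYPE": "Async", "SERVICETYPE": ""},
    # Constructed row: a user name that contains an apostrophe.
    {"USERNAME": "o'brien", "NASIDENTIFIER": "207.176.112.154", "NASPORT": 20110,
     "ACCTSESSIONID": "295908867", "TIME_STAMP": 935519070,
     "FRAMEDIPADDRESS": "208.151.66.124", "NASPORTTYPE": "Async",
     "SERVICETYPE": "Framed-User"},
]


def new_db():
    """In-memory table with the columns of the RADONLINE statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table RADONLINE (USERNAME text, NASIDENTIFIER text, "
        "NASPORT integer, ACCTSESSIONID text, TIME_STAMP integer, "
        "FRAMEDIPADDRESS text, NASPORTTYPE text, SERVICETYPE text)")
    return conn


def literal_sql(attrs):
    """Statement with the values pasted into the text, as seen in the log."""
    vals = []
    for col in COLUMNS:
        value = attrs[col]
        vals.append(str(value) if isinstance(value, int) else "'%s'" % value)
    return "insert into RADONLINE (%s) values (%s)" % (
        ", ".join(COLUMNS), ", ".join(vals))


def bind_values(attrs):
    """Values in column order; empty or missing ones become a single space."""
    return tuple(attrs.get(col) if attrs.get(col) not in (None, "") else " "
                 for col in COLUMNS)


def add_session_bound(conn, attrs):
    """Insert one session using the fixed statement text and bound values."""
    conn.execute(ADD_QUERY, bind_values(attrs))


if __name__ == "__main__":
    db = new_db()
    for session in SESSIONS:
        add_session_bound(db, session)
    print(db.execute("select USERNAME, SERVICETYPE from RADONLINE").fetchall())
    print(len({literal_sql(s) for s in SESSIONS}), "distinct literal statements")
```

With literal values every session produces a different statement text for the database to parse, and a value containing a quote character changes the statement itself; with bound values the text stays constant and the value is stored verbatim.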
Re: (RADIATOR) Ascend MAX and PPP
Hello Chen -

>>> I am very new to Radiator and encountered this funny problem and am wondering if anyone can help me with it. I am using Radiator-2.14.1. Basically, I have an Ascend MAX 4060 which allows users to dial in and access the Internet via PPP. Windows95 users have no problem dialing in via the dialup networking BUT users who manually dial in and then type PPP at the ascend% prompt after they have logged in are given this message :-
>>>
>>>     Requested Service is Not Authorized!
>>>
>>> I used to have no problems when using Radius-2.x .
>>
>> Which Radius is this?
>
> Radius-2.0.1 from Livingston.
>
>>> Here is my corresponding /etc/raddb/defuser file which I included from my radius.cfg :-
>>>
>>>     DEFAULT Service-Type = Framed-User
>>>         Framed-Protocol = PPP,
>>>         Framed-IP-Netmask = 255.255.255.0,
>>>         Framed-Routing = None,
>>>         Framed-MTU = 1500,
>>>         Framed-Compression = Van-Jacobson-TCP-IP
>>
>> I notice in your DEFAULT user above that the only Check item is
>>
>>     Service-Type = Framed-User
>>
>> This will never match a command line request from the NAS. Also note that many
>
> Hmm... if I am making use of the authentication to a MySQL database, what should I put in my "defuser" file for the DEFAULT entry? Auth-Type=SQL ? What should be the "normal" and necessary stuff that I should put in my defuser file?
>
>> NAS's (Cisco's notably) also require a Reply item of Service-Type = Framed-User in addition to the rest of the Reply items.
>>
>>> And here is my radius.cfg :-
>>>
>>>     Foreground
>>>     LogStdout
>>>     DbDir /etc/raddb
>>>     <ClientListSQL>
>>>         DBSource xx
>>>         DBUsername xx
>>>         DBAuth xx
>>>     </ClientListSQL>
>>>     <Log SQL>
>>>         DBSource xx
>>>         DBUsername xx
>>>         DBAuth xx
>>>     </Log>
>>>     <Realm DEFAULT>
>>>         MaxSessions 1
>>>         <AuthBy SQL>
>>>             # Adjust DBSource, DBUsername, DBAuth to suit your DB
>>>             DBSource xx
>>>             DBUsername xx
>>>             DBAuth xx
>>>             AuthColumnDef 0, Encrypted-Password, check
>>>             # You may want to tailor these for your ACCOUNTING table
>>>             AccountingTable ACCOUNTING
>>>             AcctColumnDef USERNAME,User-Name
>>>             AcctColumnDef TIME_STAMP,Timestamp,integer
>>>             AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>>             AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>>             AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>             AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>             AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>>             AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>>             AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>             AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>>             AcctColumnDef NASPORT,NAS-Port,integer
>>>             AcctColumnDef FRAMEDIPADDRESS,Framed-Address
>>>         </AuthBy>
>>>         <AuthBy FILE>
>>>             Filename /etc/raddb/defuser
>>>         </AuthBy>
>>>     </Realm>
>>
>> I also notice in your Realm DEFAULT that you do not have an AuthByPolicy declaration - this means that you will never execute the AuthBy FILE.
>
> I added in AuthByPolicy ContinueWhileAccept in Realm DEFAULT but I still cannot get to start ppp from the ascend% prompt. "Auto login" under Win95 works just as fine but this time round, I cannot even get to the ascend% prompt with me being prompted Access Denied after I keyed in my username and password.
>
> The same goes for when I added in "Identifier System" into my AuthBy SQL and then used Auth-Type=System in my defuser file. The above situation occurs with the user not being able to login manually.
>
> Any clues?

I think we should take a look at your problem from the beginning, as I am not clear on how you wish to operate Radiator.

Could you tell me what information you wish to keep in your SQL database? And what other information you require? Also what different types of users you have and what they are allowed to do?

I will be able to answer your questions much more directly with the above information.

thanks

Hugh
(RADIATOR) Token-based authentication
We are seeing considerable interest lately in ways of improving security for dial-up network access, beyond that provided by username and fixed, memorised passwords.

We have just finished the initial development of a token-based Radius authentication system for Radiator. It works with the iKey 1000 tokens from Rainbow (www.rainbow.com/ikey/index.html). These are cute devices about the size of your thumb that plug into a USB port. They contain an 8k file system and an encryption engine. We have some PC software that talks to these things and a Radiator module that does Access-Challenge with the NAS. The result is that a user can't log in unless they physically have a genuine iKey keyed to their name connected to the PC, and for which they have the PIN.

We feel that this is most useful for ISP staff, and for staff of corporates with in-house or VPDN dialup access.

Is there anyone on the list interested in this? If so, please contact me directly.

--
Mike McCauley  [EMAIL PROTECTED]
Open System Consultants Pty. Ltd  Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia  http://www.open.com.au
Phone +61 3 9598-0985  Fax +61 3 9598-0955
Re: (RADIATOR) AuthBy EXTERNAL using Perl script
Hi Charl -

On Wed, 25 Aug 1999, charl wrote:
> Hi all,
>
> When I try and use AuthBy EXTERNAL with the following:
>
>     <AuthBy EXTERNAL>
>         Command /usr/bin/perl /usr/local/bin/auth.pl %U %R
>         # Pass password as Plain Text to script
>         DecryptPassword
>     </AuthBy>
>
> I get the following output:
>
>     sending Access-Request...
>     No reply
>     sending Accounting-Request Start...
>     No reply
>     sending Accounting-Request Stop...
>     No reply
>
> Here is the source of the perl script:
>
>     #1/usr/bin/perl -w

Try this (replace "1" with "!"):

    #!/usr/bin/perl -w

>     use strict;
>     use IO::File;
>
>     # create a new IO::File object
>     my $fh = new IO::File "> /tmp/temp_file";
>
>     # write the command-line options I have been given to the file
>     if (defined $fh) {
>         my $element = '';
>         foreach $element (@ARGV) {
>             print $fh "$element\n";
>         }
>         $fh->close;
>     }
>
>     # hard code the exit to success for now
>     exit 0;
>
> Does anyone have any clues as to why I am not getting a success returned from the script?

I have made the correction above and it works for me.

hth

Hugh