(RADIATOR) DNIS and NASID based IP address pool
Hi,

I've implemented DNIS based IP address allocation with AuthBy DYNADDRESS as shown below. How can I extend the criteria so that IP pool is based on DNIS and NASID?

    <AddressAllocator SQL>
        Identifier SQLAllocator
        DBSource dbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
        DBUsername radmin
        DBAuth radmin
        DefaultLeasePeriod 86400
        <AddressPool 207500370>
            Subnetmask 255.255.255.255
            DNSServer xxx.xxx.xxx.xxx
            Range 213.35.224.1 213.35.224.100
        </AddressPool>
    </AddressAllocator>

    <AuthBy DYNADDRESS>
        Identifier AllocateIPAddress
        Allocator SQLAllocator
        PoolHint %{Called-Station-Id}
    </AuthBy>

Thanks,
Lisa

=== Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Accounting log problem
Hello,

I've problem with accounting logs, I can't get any accounting log at all, not in plain detail-file nor in our database. Authentication works just fine from users-file or database.

I've Solaris 8 (5.8) and Oracle8i Release 2 (8.1.6). I've installed timeout patch.

This is my current radius.cfg with database support: As I said, I've also tried for example with "AcctLogFileName /opt/radius/log/detail" and authentication from users file, no help.

    Foreground
    LogStdout
    LogDir /opt/radius/log
    DbDir /opt/radius/raddb
    LogFile %L/radiusd.log
    Trace 4

    <Client DEFAULT>
        Secret
        DupInterval 5
        NasType Cisco
        StatusServerShowClientDetails
    </Client>

    <Realm DEFAULT>
        MaxSessions 1
        <AuthBy SQL>
            DBSource dbi:Oracle:X
            DBUsername X
            DBAuth X
            AuthSelect select accesspw from kpy_customers where accesslogin='%n'
            AccountingTable kpy_radaccount
            # AcctColumnDef aika,Timestamp,formatted-date,to_date\
            # ('%e %m %Y %H:%M:%S', 'DD MM HH24:MI:SS')
            AcctColumnDef user_name,User-Name
            AcctColumnDef nas_ip_address,NAS-IP-Address
            AcctColumnDef nas_port,NAS-Port,integer
            AcctColumnDef framed_ip_address,Framed-IP-Address
            AcctColumnDef called_station_id,Called-Station-Id
            AcctColumnDef nas_port_type,NAS-Port-Type
            AcctColumnDef acct_input_octets,Acct-Input-Octets,integer
            AcctColumnDef acct_output_octets,Acct-Output-Octets,integer
            AcctColumnDef acct_session_id,Acct-Session-Id
            AcctColumnDef acct_session_time,Acct-Session-Time,integer
            AcctColumnDef acct_terminate_cause,Acct-Terminate-Cause
            Timeout 15
            AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
    </Realm>

-- With tracelevel 4, I get this: --

    Mon Nov 13 16:10:22 2000: DEBUG: Packet dump:
    *** Received from xxx.xxx.xxx.xxx port 1645
    Code: Access-Request
    Identifier: 43
    Authentic: k145515209T$250150'223zN167189217
    Attributes:
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 30001
        NAS-Port-Type = ISDN
        User-Name = "testi1"
        Called-Station-Id = "173636057"
        Calling-Station-Id = "0173643572"
        CHAP-Password = "X"
        Service-Type = Framed-User
        Framed-Protocol = PPP

    Mon Nov 13 16:10:22 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Mon Nov 13 16:10:22 2000: DEBUG: Deleting session for testi1, xxx.xxx.xxx.xxx, 30001
    Mon Nov 13 16:10:22 2000: DEBUG: Handling with Radius::AuthSQL
    Mon Nov 13 16:10:26 2000: DEBUG: Handling with Radius::AuthSQL
    Mon Nov 13 16:10:26 2000: DEBUG: Query is: select accesspw from kpy_customers where accesslogin='testi1'
    Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL looks for match with testi1
    Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL ACCEPT:
    Mon Nov 13 16:10:26 2000: DEBUG: Access accepted for testi1
    Mon Nov 13 16:10:26 2000: DEBUG: Packet dump:
    *** Sending to xxx.xxx.xxx.xxx port 1645
    Code: Access-Accept
    Identifier: 43
    Authentic: k145515209T$250150'223zN167189217
    Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP

What I have configured wrong? I believe I should see at least some AcctColumnDef information at debug, but there is nothing?

Also I'd like to get BOTH accounting logging methods work at same time, to database and into detail-file. Though even another of those would be nice for start... :)

++Toni
(RADIATOR) Disabling SessionDatabase on a per client level
How can I disable the SessionDatabase on a per Client level?
Re: (RADIATOR) Accounting log problem
Hello Toni -

I think your NAS is not correctly configured. The reason you don't see an accounting log is because you are not receiving any accounting packets from the NAS.

hth

Hugh

On Tue, 14 Nov 2000, Toni Riekkinen wrote:
> Hello,
>
> I've problem with accounting logs, I can't get any accounting log at all, not in plain detail-file nor in our database. Authentication works just fine from users-file or database.
>
> I've Solaris 8 (5.8) and Oracle8i Release 2 (8.1.6). I've installed timeout patch.

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
Re: (RADIATOR) Disabling SessionDatabase on a per client level
Hello Chris -

On Tue, 14 Nov 2000, Chris Given wrote:
> How can I disable the SessionDatabase on a per Client level?

You can't disable the SessionDatabase in the Client clause, however you can do it on a per-Handler basis.

    # configuration with multiple session databases

    <SessionDatabase SQL>
        Identifier SQL-SDB
        .
    </SessionDatabase>

    <SessionDatabase NULL>
        Identifier NULL-SDB
    </SessionDatabase>

    <Handler ..>
        SessionDatabase SQL-SDB
        .
    </Handler>

    <Handler .>
        SessionDatabase NULL-SDB
    </Handler>

hth

Hugh
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
Hello Mark -

On Mon, 13 Nov 2000, Mark - Orcon Support wrote:
> Had a problem where a start session of a customer was ignored because a stop packet using the same identifier 25 minutes earlier. Thus I was wondering what time has to elapse between session packets before it's classed as a new session? And is there any way to control this?

Could you give me a bit more detail please?

A new session should never be ignored - the only thing that can happen is a rejection due to simultaneous use limits being incorrectly enforced because a stop record was missed. The way to control this is with the NasType parameter in the Client clause to have Radiator query the NAS to verify the existence of suspect sessions.

hth

Hugh
Re: (RADIATOR) DNIS and NASID based IP address pool
Hello Lisa -

Could you explain what the requirement is please?

thanks

Hugh

On Mon, 13 Nov 2000, Lisa Goulet wrote:
> Hi,
>
> I've implemented DNIS based IP address allocation with AuthBy DYNADDRESS as shown below. How can I extend the criteria so that IP pool is based on DNIS and NASID?
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
Thanks Hugh -

We're not enforcing any simultaneous use limits -- I couldn't think of a better word to describe sessions for 'packets'.

The following seemed to happen:

    16:37:13 - Auth-request (Identifier 225)
    16:37:13 - Access-Accept (Identifier 225)
    16:37:13 - Accounting-Request [start] (Identifier 218)

    LOG ENTRY: "INFO: Duplicate request id 218 received from xx.xxx.xxx.xx: ignored

Only entry in the log prior to this was at 16:01:23 - an Accounting Request (Identifier 218) for a stop packet for a different user.

Mark Mackay, Network Coordinator, Orcon Internet.
(RADIATOR) Stats'n'Graphs
Dear all,

I'm currently working on an extension for Orca ( http://www.gps.caltech.edu/~blair/orca ) called Orcaservices which is intended to graph usage of services for several purposes. It includes code to gather some info from SQL Accounting from Radiator Accounting tables.

I would like to know if there is anyone that wants to help enhancing it or commenting over it and over what and how things should be presented and all the rest :-)... the URL is: http://o-s.KPNQwest.pt

kind regards,

/canau

P.S.: In principle, the code will be part (or will be distributed with) of ORCA in some future version.
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
> Well, in this case what is the DupInterval for the Client set to? It should be set to a reasonable (smallish) number of seconds (defaults to 2). Note - this should *not* be set to 0, which may be the source of your problem.

Thanks - forgot about this setting. But looking at my config - I had it set to 300, and have now changed it to 120. I'm assuming the value is seconds (not minutes...). We initially had it high as during testing of proxy auths with people there was all sorts of retries coming through - and it was one of those things we never turned back down to production settings.

Having said that -- 300 seconds = 5 minutes. The time difference was about 30 minutes. Is there anything else that I should be looking at?

{I should note that I'm still running 2.16.1 -- not .3 -- if it was part of a bugfix that I missed}

/Mark
Re: (RADIATOR) Time =
Hi Hugh,

I included a field in my MySQL table which indicates the time when a client is only allowed access. What is the value of my Time Field so that I can tell radiator that a client is allowed to login DAILY but only from 00:00:00 to 23:59:59 (allows user to login anytime of the day), or from 00:00:00 to 10:00:00

Thanks

---
Edgar R Gutierrez
Head of Technical Operations
Impact Information Systems Corp.
Mobile: +63917 9802340
Telephone: +632 7296826
Fax: +632 8167179
Email: [EMAIL PROTECTED]
URL: www.impactnet.com
are you on the internet yet?

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Dean Brandt [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 23, 2000 1:06 PM
Subject: Re: (RADIATOR) Time =

> Hello Dean -
>
> On Fri, 23 Jun 2000, Dean Brandt wrote:
> > Hi Guys
> >
> > In my /etc/raddb/users file I have this:
> >
> >     timer User-Password = "xx"
> >         Service-Type = Framed-User
> >         Framed-Protocol = PPP,
> >         Framed-Routing = None,
> >         Framed-MTU = 1500,
> >         Framed-Compression = Van-Jacobson-TCP-IP
> >         Time = Mo1800-0600
> >
> > So I am allowing this user to only log in on Mondays from 6pm till 6am
> >
> > When I test this using radpwtst outside these times, it still allows the login. Is there some other config I need to do?
>
> Your users file above is returning a Reply attribute of "Time = Mo1800-0600". If you want to use it as a check item, do this:
>
>     timer Time = Mo1800-0600, User-Password = "xx"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP,
>         Framed-Routing = None,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> hth
>
> Hugh
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
Hello Mark -

On Tue, 14 Nov 2000, Mark - Orcon Support wrote:
> > Well, in this case what is the DupInterval for the Client set to? It should be set to a reasonable (smallish) number of seconds (defaults to 2). Note - this should *not* be set to 0, which may be the source of your problem.
>
> Thanks - forgot about this setting. But looking at my config - I had it set to 300, and have now changed it to 120. I'm assuming the value is seconds (not minutes...). We initially had it high as during testing of proxy auths with people there was all sorts of retries coming through - and it was one of those things we never turned back down to production settings.
>
> Having said that -- 300 seconds = 5 minutes. The time difference was about 30 minutes. Is there anything else that I should be looking at?
>
> {I should note that I'm still running 2.16.1 -- not .3 -- if it was part of a bugfix that I missed}

H - this sounds a bit suspicious. Can you send me a more complete trace 4?

thanks

Hugh
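The kind of check DupInterval controls, as an added example (not Radiator's code and not posted by anyone in this thread): a Python model that assumes the RFC 2865 duplicate key of client IP, source port and Identifier, using the thread's times and Identifier 218 with a constructed NAS address, source port and retransmission. It goes beyond the thread's case to show Identifier wraparound under a long window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Packet:
    received: datetime
    client_ip: str
    src_port: int
    identifier: int  # 8-bit RADIUS Identifier field, 0-255


class DuplicateFilter:
    """Ignore a request whose (client IP, source port, Identifier) was
    accepted less than dup_interval seconds earlier (assumed model)."""

    def __init__(self, dup_interval):
        self.dup_interval = dup_interval
        self._accepted = {}  # key -> time the last non-duplicate arrived

    def is_duplicate(self, pkt):
        key = (pkt.client_ip, pkt.src_port, pkt.identifier)
        previous = self._accepted.get(key)
        if previous is not None:
            age = (pkt.received - previous).total_seconds()
            if age < self.dup_interval:
                return True
        self._accepted[key] = pkt.received
        return False


def classify(packets, dup_interval):
    """Return one True/False (duplicate?) per packet, in arrival order."""
    dup_filter = DuplicateFilter(dup_interval)
    return [dup_filter.is_duplicate(p) for p in packets]


def at(hms):
    """Parse a wall-clock time; the date part is irrelevant here."""
    return datetime.strptime(hms, "%H:%M:%S")


NAS = ("192.0.2.10", 1646)  # constructed address and source port

# Times and Identifier 218 are from the thread; the 16:01:25 retransmission
# is constructed to show what the window is meant to catch.
THREAD_PACKETS = [
    Packet(at("16:01:23"), *NAS, 218),  # Accounting-Request (stop)
    Packet(at("16:01:25"), *NAS, 218),  # constructed retransmission
    Packet(at("16:37:13"), *NAS, 218),  # Accounting-Request (start)
]


def wraparound_drops(requests_per_second, seconds, dup_interval):
    """Count new requests dropped because a steady stream from one NAS
    reuses an Identifier (it wraps at 256) inside the window."""
    start = at("00:00:00")
    total = requests_per_second * seconds
    stream = [Packet(start + timedelta(seconds=i / requests_per_second),
                     *NAS, i % 256) for i in range(total)]
    return sum(classify(stream, dup_interval))


if __name__ == "__main__":
    for interval in (120, 300, 3600):
        print(interval, classify(THREAD_PACKETS, interval))
    print(wraparound_drops(2, 300, 300), wraparound_drops(2, 300, 120))
```

Under this model a 120- or 300-second window drops the retransmission but does not reach back from 16:37:13 to the 16:01:23 stop. A steady 2 requests per second from one NAS reuses each Identifier every 128 seconds, which falls inside a 300-second window but outside a 120-second one.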
Re: (RADIATOR) Time =
Hello Edgar -

On Tue, 14 Nov 2000, Edgar R Gutierrez wrote:
> Hi Hugh,
>
> I included a field in my MySQL table which indicates the time when a client is only allowed access. What is the value of my Time Field so that I can tell radiator that a client is allowed to login DAILY but only from 00:00:00 to 23:59:59 (allows user to login anytime of the day), or from 00:00:00 to 10:00:00

In your database field you would have this:

    Time = "Al-2359"

or

    Time = "Al-1000"

and in your configuration file:

    <AuthBy SQL>
        ..
        AuthSelect select ..
        .
        AuthColumnDef n, GENERIC, check
        .
    </AuthBy>

Have a look at section 13.1.11 in the Radiator 2.16.3 manual.

hth

Hugh