(RADIATOR) DNIS and NASID based IP address pool
Hi,
I've implemented DNIS based IP address allocation with AuthBy DYNADDRESS as
shown below. How can I extend the criteria so that IP pool is based on DNIS
and NASID?
AddressAllocator SQL
Identifier SQLAllocator
DBSourcedbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
DBUsername radmin
DBAuth radmin
DefaultLeasePeriod 86400
AddressPool 207500370
Subnetmask 255.255.255.255
DNSServer xxx.xxx.xxx.xxx
Range 213.35.224.1 213.35.224.100
/AddressPool
/AddressAllocator
AuthBy DYNADDRESS
Identifier AllocateIPAddress
Allocator SQLAllocator
PoolHint %{Called-Station-Id}
/AuthBy
Thanks,
Lisa
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Accounting log problem
Hello,
I've problem with accounting logs, I can't get any accounting log at all,
not in plain detail-file nor in our database. Authentication works just fine
from users-file or database.
I've Solaris 8 (5.8) and Oracle8i Release 2 (8.1.6). I've installed timeout
patch.
This is my current radius.cfg with database support:
As I said, I've also tried for example with "AcctLogFileName
/opt/radius/log/detail" and authentication from users file, no help.
Foreground
LogStdout
LogDir /opt/radius/log
DbDir /opt/radius/raddb
LogFile %L/radiusd.log
Trace 4
Client DEFAULT
Secret
DupInterval 5
NasType Cisco
StatusServerShowClientDetails
/Client
Realm DEFAULT
MaxSessions 1
AuthBy SQL
DBSourcedbi:Oracle:X
DBUsername X
DBAuth X
AuthSelect select accesspw from kpy_customers where
accesslogin='%n'
AccountingTable kpy_radaccount
# AcctColumnDef aika,Timestamp,formatted-date,to_date\
# ('%e %m %Y %H:%M:%S', 'DD MM HH24:MI:SS')
AcctColumnDef user_name,User-Name
AcctColumnDef nas_ip_address,NAS-IP-Address
AcctColumnDef nas_port,NAS-Port,integer
AcctColumnDef framed_ip_address,Framed-IP-Address
AcctColumnDef called_station_id,Called-Station-Id
AcctColumnDef nas_port_type,NAS-Port-Type
AcctColumnDef acct_input_octets,Acct-Input-Octets,integer
AcctColumnDef
acct_output_octets,Acct-Output-Octets,integer
AcctColumnDef acct_session_id,Acct-Session-Id
AcctColumnDef acct_session_time,Acct-Session-Time,integer
AcctColumnDef acct_terminate_cause,Acct-Terminate-Cause
Timeout 15
AddToReply Service-Type=Framed-User,
Framed-Protocol=PPP, Framed-Routing = None, Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP
/AuthBy
/Realm
--
With tracelevel 4, I get this:
--
Mon Nov 13 16:10:22 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1645
Code: Access-Request
Identifier: 43
Authentic: k145515209T$250150'223zN167189217
Attributes:
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 30001
NAS-Port-Type = ISDN
User-Name = "testi1"
Called-Station-Id = "173636057"
Calling-Station-Id = "0173643572"
CHAP-Password = "X"
Service-Type = Framed-User
Framed-Protocol = PPP
Mon Nov 13 16:10:22 2000: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Mon Nov 13 16:10:22 2000: DEBUG: Deleting session for testi1,
xxx.xxx.xxx.xxx, 30001
Mon Nov 13 16:10:22 2000: DEBUG: Handling with Radius::AuthSQL
Mon Nov 13 16:10:26 2000: DEBUG: Handling with Radius::AuthSQL
Mon Nov 13 16:10:26 2000: DEBUG: Query is: select accesspw from
kpy_customers where accesslogin='testi1'
Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL looks for match with testi1
Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL ACCEPT:
Mon Nov 13 16:10:26 2000: DEBUG: Access accepted for testi1
Mon Nov 13 16:10:26 2000: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1645
Code: Access-Accept
Identifier: 43
Authentic: k145515209T$250150'223zN167189217
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
--
What I have configured wrong? I believe I should see atleast some
AcctColumnDef information at debug, but there is nothing?
Also I'd like to get BOTH accounting logging methods work at same time, to
database and into detail-file. Though even another of those would be nice
for start... :)
++Toni
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Disabling SessionDatabase on a per client level
How can I disable the SessionDatabase on a per Client level? === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Accounting log problem
Hello Toni -
I think your NAS is not correctly configured. The reason you don't see an
accounting log is because you are not receiving any accounting packets from the
NAS.
hth
Hugh
On Tue, 14 Nov 2000, Toni Riekkinen wrote:
Hello,
I've problem with accounting logs, I can't get any accounting log at all,
not in plain detail-file nor in our database. Authentication works just fine
from users-file or database.
I've Solaris 8 (5.8) and Oracle8i Release 2 (8.1.6). I've installed timeout
patch.
This is my current radius.cfg with database support:
As I said, I've also tried for example with "AcctLogFileName
/opt/radius/log/detail" and authentication from users file, no help.
Foreground
LogStdout
LogDir /opt/radius/log
DbDir /opt/radius/raddb
LogFile %L/radiusd.log
Trace 4
Client DEFAULT
Secret
DupInterval 5
NasType Cisco
StatusServerShowClientDetails
/Client
Realm DEFAULT
MaxSessions 1
AuthBy SQL
DBSourcedbi:Oracle:X
DBUsername X
DBAuth X
AuthSelect select accesspw from kpy_customers where
accesslogin='%n'
AccountingTable kpy_radaccount
# AcctColumnDef aika,Timestamp,formatted-date,to_date\
# ('%e %m %Y %H:%M:%S', 'DD MM HH24:MI:SS')
AcctColumnDef user_name,User-Name
AcctColumnDef nas_ip_address,NAS-IP-Address
AcctColumnDef nas_port,NAS-Port,integer
AcctColumnDef framed_ip_address,Framed-IP-Address
AcctColumnDef called_station_id,Called-Station-Id
AcctColumnDef nas_port_type,NAS-Port-Type
AcctColumnDef acct_input_octets,Acct-Input-Octets,integer
AcctColumnDef
acct_output_octets,Acct-Output-Octets,integer
AcctColumnDef acct_session_id,Acct-Session-Id
AcctColumnDef acct_session_time,Acct-Session-Time,integer
AcctColumnDef acct_terminate_cause,Acct-Terminate-Cause
Timeout 15
AddToReply Service-Type=Framed-User,
Framed-Protocol=PPP, Framed-Routing = None, Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP
/AuthBy
/Realm
--
With tracelevel 4, I get this:
--
Mon Nov 13 16:10:22 2000: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1645
Code: Access-Request
Identifier: 43
Authentic: k145515209T$250150'223zN167189217
Attributes:
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 30001
NAS-Port-Type = ISDN
User-Name = "testi1"
Called-Station-Id = "173636057"
Calling-Station-Id = "0173643572"
CHAP-Password = "X"
Service-Type = Framed-User
Framed-Protocol = PPP
Mon Nov 13 16:10:22 2000: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Mon Nov 13 16:10:22 2000: DEBUG: Deleting session for testi1,
xxx.xxx.xxx.xxx, 30001
Mon Nov 13 16:10:22 2000: DEBUG: Handling with Radius::AuthSQL
Mon Nov 13 16:10:26 2000: DEBUG: Handling with Radius::AuthSQL
Mon Nov 13 16:10:26 2000: DEBUG: Query is: select accesspw from
kpy_customers where accesslogin='testi1'
Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL looks for match with testi1
Mon Nov 13 16:10:26 2000: DEBUG: Radius::AuthSQL ACCEPT:
Mon Nov 13 16:10:26 2000: DEBUG: Access accepted for testi1
Mon Nov 13 16:10:26 2000: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1645
Code: Access-Accept
Identifier: 43
Authentic: k145515209T$250150'223zN167189217
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = None
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
--
What I have configured wrong? I believe I should see atleast some
AcctColumnDef information at debug, but there is nothing?
Also I'd like to get BOTH accounting logging methods work at same time, to
database and into detail-file. Though even another of those would be nice
for start... :)
++Toni
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL
Re: (RADIATOR) Disabling SessionDatabase on a per client level
Hello Chris - On Tue, 14 Nov 2000, Chris Given wrote: How can I disable the SessionDatabase on a per Client level? You can't disable the SessionDatabase in the Client clause, however you can do it on a per-Handler basis. # configuration with multiple session databases SessionDatabase SQL Identifier SQL-SDB . /SessionDatabase SessionDatabase NULL Identifier NULL-SDB /SessionDatabase Handler .. SessionDatabase SQL-SDB . /Handler Handler . SessionDatabase NULL-SDB /Handler hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
Hello Mark - On Mon, 13 Nov 2000, Mark - Orcon Support wrote: Had a problem where a start session of a customer was ignored because a stop packet using the same identifier 25 minutes earlier. Thus I was wondering what time has to elapse between session packets before it's classed as a new session? And is there any way to control this? Could you give me a bit more detail please? A new session should never be ignored - the only thing that can happen is a rejection due to simultaneous use limits being incorrectly enforced because a stop record was missed. The way to control this is with the NasType parameter in the Client clause to have Radiator query the NAS to verify the existence of suspect sessions. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) DNIS and NASID based IP address pool
Hello Lisa -
Could you explain what the requirement is please?
thanks
Hugh
On Mon, 13 Nov 2000, Lisa Goulet wrote:
Hi,
I've implemented DNIS based IP address allocation with AuthBy DYNADDRESS as
shown below. How can I extend the criteria so that IP pool is based on DNIS
and NASID?
AddressAllocator SQL
Identifier SQLAllocator
DBSourcedbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx
DBUsername radmin
DBAuth radmin
DefaultLeasePeriod 86400
AddressPool 207500370
Subnetmask 255.255.255.255
DNSServer xxx.xxx.xxx.xxx
Range 213.35.224.1 213.35.224.100
/AddressPool
/AddressAllocator
AuthBy DYNADDRESS
Identifier AllocateIPAddress
Allocator SQLAllocator
PoolHint %{Called-Station-Id}
/AuthBy
Thanks,
Lisa
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vsnew session?
Thanks Hugh - We're not enforcing any simultaneous use limits -- I couldn't think of a better word to describe sessions for 'packets'. The following seemed to happen: 16:37:13 - Auth-request (Identifier 225) 16:37:13 - Access-Accept (Identifier 225) 16:37:13 - Accounting-Request [start] (Identifier 218) LOG ENTRY: "INFO: Duplicate request id 218 received from xx.xxx.xxx.xx: ignored . Only entry in the log prior to this was at 16:01:23 - an Accounting Request (Identifier 218) for a stop packet for a different user. . Mark Mackay, Network Coordinator, Orcon Internet. On Mon, 13 Nov 2000, Mark - Orcon Support wrote: Had a problem where a start session of a customer was ignored because a stop packet using the same identifier 25 minutes earlier. Thus I was wondering what time has to elapse between session packets before it's classed as a new session? And is there any way to control this? Could you give me a bit more detail please? A new session should never be ignored - the only thing that can happen is a rejection due to simultaneous use limits being incorrectly enforced because a stop record was missed. The way to control this is with the NasType parameter in the Client clause to have Radiator query the NAS to verify the existence of suspect sessions. hth Hugh === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Stats'n'Graphs
Dear all, I'm currently working on an extention for Orca ( http://www.gps.caltech.edu/~blair/orca ) called Orcaservices which is intended to graph usage of services for several purposes. It includes code to gather some info from SQL Accounting from Radiator Accounting tables. I would like to know if there is anyone that wants to help enhancing it or commenting over it and over what and how things should be presented and all the rest :-)... the URL is: http://o-s.KPNQwest.pt kind regards, /canau P.S.: In principle, the code will be part (or will be distributed with) of ORCA in some future version. -- -- === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vsnew session?
Well, in this case what is the DupInterval for the Client set to? It should be
set to a reasonable (smallish) number of seconds (defaults to 2). Note - this
should *not* be set to 0, which may be the source of your problem.
Thanks - forgot about this setting. But looking at my config - i had it set
to 300, and have now changed it to 120. I'm assuming the value is seconds
(not minutes...).
We initially had it high as during testing of proxy auths with people there
was all sorts of retries coming through - and it was one of those things we
never turned back down to production settings.
Having said that -- 300 seconds = 5 minutes. The time difference was about
30 minutes. is there anything else that I should be looking at?
{I should note that I'm still running 2.16.1 -- not .3 -- if it was part of
a bugfix that I missed}
/Mark
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Time =
Hi Hugh, I included a field in my MySQL table which indicates the time when a client is only allowed access. What is the value of my Time Field so that I can tell radiator that a client is allowed to login DAILY but only from 00:00:00 to 23:59:59 (allows user to login anytime of the day) , or from 00:00:00 to 10:00:00 Thanks --- Edgar R Gutierrez Head of Technical Operations Impact Information Systems Corp. Mobile: +63917 9802340 Telephone:+632 7296826 Fax: +632 8167179 Email: [EMAIL PROTECTED] URL: www.impactnet.com are you on the internet yet? - Original Message - From: Hugh Irvine [EMAIL PROTECTED] To: Dean Brandt [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, June 23, 2000 1:06 PM Subject: Re: (RADIATOR) Time = Hello Dean - On Fri, 23 Jun 2000, Dean Brandt wrote: Hi Guys In my /etc/raddb/users file I have this: timer User-Password = "xx" Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP Time = Mo1800-0600 So I am allowing this user to only log in on Mondays from 6pm till 6am When I test this using radpwtst outside these times, it still allows the login. Is there some other config I need to do? Your users file above is returning a Reply attribute of "Time = Mo1800-0600". If you want to use it as a check item, do this: timer Time = Mo1800-0600, User-Password = "xx" Service-Type = Framed-User Framed-Protocol = PPP, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) duplicate sessions -- what defines a duplicate vs new session?
Hello Mark -
On Tue, 14 Nov 2000, Mark - Orcon Support wrote:
Well, in this case what is the DupInterval for the Client set to? It should be
set to a reasonable (smallish) number of seconds (defaults to 2). Note - this
should *not* be set to 0, which may be the source of your problem.
Thanks - forgot about this setting. But looking at my config - i had it set
to 300, and have now changed it to 120. I'm assuming the value is seconds
(not minutes...).
We initially had it high as during testing of proxy auths with people there
was all sorts of retries coming through - and it was one of those things we
never turned back down to production settings.
Having said that -- 300 seconds = 5 minutes. The time difference was about
30 minutes. is there anything else that I should be looking at?
{I should note that I'm still running 2.16.1 -- not .3 -- if it was part of
a bugfix that I missed}
H - this sounds a bit suspicious. Can you send me a more complete trace 4?
thanks
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Time =
Hello Edgar - On Tue, 14 Nov 2000, Edgar R Gutierrez wrote: Hi Hugh, I included a field in my MySQL table which indicates the time when a client is only allowed access. What is the value of my Time Field so that I can tell radiator that a client is allowed to login DAILY but only from 00:00:00 to 23:59:59 (allows user to login anytime of the day) , or from 00:00:00 to 10:00:00 In your database field you would have this: Time = "Al-2359" or Time = "Al-1000" and in your configuration file: AuthBy SQL .. AuthSelect select .. . AuthColumnDef n, GENERIC, check . /AuthBy Have a look at section 13.1.11 in the Radiator 2.16.3 manual. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
