RE: (RADIATOR) CHAP

2001-05-15 Thread Ingvar Berg (EIP)

Or rather: you have to be able to decrypt them in Radiator, before using them. I'm not 
sure if you can do this with a hook, or if you need to hack the basic code in Radiator 
(i.e. persuade Mike or Hugh to do some fun coding...)

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: den 15 maj 2001 02:54
To: Anton Krall; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) CHAP



Hello Anton -

You cannot use CHAP authentication with encrypted passwords in your 
database. If you want to use encrypted passwords in the database, you will 
have to use PAP authentication. If you want to use CHAP authentication you 
will have to use plaintext passwords in the database.

hth

Hugh

On Tuesday 15 May 2001 08:51, Anton Krall wrote:
> Guys.
>
> I'm getting this error when trying to authenticate with CHAP:
>
> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED]
> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED]
> Mon May 14 17:47:54 2001: DEBUG: Handling request with Handler 'Realm=mx.inter.net'
> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to akrall
> Mon May 14 17:47:54 2001: DEBUG: SDBSQLdialup Deleting session for [EMAIL PROTECTED], 10.0.0.0, 1234
> Mon May 14 17:47:54 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='10.0.0.0' and NASPORT=01234
>
> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthSQL
> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
> Mon May 14 17:47:54 2001: WARNING: Cant use encrypted passwords with CHAP
> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE REJECT: Bad Encrypted password
> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
> Mon May 14 17:47:54 2001: INFO: Access rejected for akrall: No such user
> Mon May 14 17:47:54 2001: DEBUG: Packet dump:
>
> My passwords are like this:
>
> user [crypt]HAFJSGFD
>
> What's the matter?
>
> Regards
>
> Anton Krall
> Director of Technology
> Inter.net Mexico
> (www.mx.inter.net)
> Email: [EMAIL PROTECTED]
> Direct: 5-241-7609
> Switchboard: 5-241-7600
> Mobile: 044-5105-5160
>
> Outside Mexico:
> Office: (525)241-7609
> PBX: (525)241-7600
> Mobile: (525)105-5160
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
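
Why the server needs the cleartext password for CHAP but not for PAP, as an added example that is not part of the original posts or of Radiator's code: per RFC 1994 the CHAP response is MD5(identifier || secret || challenge), so the server can only check it by recomputing the digest from the same secret. The salted SHA-256 stand-in for a crypt-style stored hash and all sample values are assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
PASSWORD = b"s3cret-pass"
SALT = b"8bytesal"
CHAP_IDENT = 0x2A
CHALLENGE = bytes(range(16))  # a real NAS sends 16 random octets


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a crypt(3)-style stored hash (assumption: salted SHA-256)."""
    return salt + hashlib.sha256(salt + password).digest()


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: RADIUS CHAP-Password value = identifier octet + 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_pap(received_password: bytes, stored_hash: bytes) -> bool:
    """PAP hands the server the password itself, so it can re-hash and compare."""
    salt = stored_hash[:len(SALT)]
    return hmac.compare_digest(one_way_hash(received_password, salt), stored_hash)


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """CHAP hands the server only a digest. It must recompute that digest from
    the exact secret the client used, so stored_secret has to be the plaintext."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    stored_hash = one_way_hash(PASSWORD, SALT)
    attr = build_chap_password(CHAP_IDENT, PASSWORD, CHALLENGE)
    return {
        "pap_with_hashed_db": verify_pap(PASSWORD, stored_hash),
        "chap_with_plaintext_db": verify_chap(attr, CHALLENGE, PASSWORD),
        # Feeding the stored hash into MD5 is all a server with a hashed
        # database can try, and it never matches the client's digest.
        "chap_with_hashed_db": verify_chap(attr, CHALLENGE, stored_hash),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```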



Re: (RADIATOR) DSL authentication queuing

2001-05-15 Thread Andy De Petter

Janet N del Mundo wrote:

> Hi Hugh,
> 
> Can I run multiple instances of "restartWrapper" on the same machine? 
> Because I'm planning to run 2 Radiator processes on the same machine on
> different auth/acct ports to alleviate the DSL problem below.
> 
> Thanks!
> Janet
> 
> Hugh Irvine wrote:
> 
>>Hello Janet -
>>
>>I would run a separate machine and/or instance of Radiator to run the DSL.
>>
>>hth
>>
>>Hugh
>>
>>On Monday 14 May 2001 18:09, Janet N del Mundo wrote:
>>
>>>Hello everyone,
>>>
>>>Anyone out there having problems with authenticating customers AFTER a
>>>Nortel Shasta (DSL) reboots?
>>>
>>>The problem that I am having is that when the Shasta reboots, DSL
>>>customers that are trying to re-login are over populating the
>>>authentication/accounting ports on the server.  When I do a 'netstat
>>>-na', the ports are overwhelmed with queued processes.  Thus affecting
>>>our regular dialup customers.  To alleviate the queued process, I
>>>comment out the 'client clauses' that accept requests from the Shasta
>>>for about 15-30 mins and restart radiator.   When I do this, our dialup
>>>customers can login.  After 15-30 mins, I put back the client clauses
>>>and restart radiator.  The queue builds up and authentication is still a
>>>bit slow, but it's authenticating both DSL and regular dialup
>>>customers.  Is there a better way to solve this 'congestion' with DSL
>>>customers?
>>>
>>>BTW, we're re-selling DSL so I don't know when the Shasta re-boots or
>>>goes down.
>>>
>>>I'd appreciate any comments or suggestions!
>>>TIA,
>>>Janet
>>>
>>--
>>Radiator: the most portable, flexible and configurable RADIUS server
>>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>>-
>>Nets: internetwork inventory and management - graphical, extensible,
>>flexible with hardware, software, platform and database independence.
>>
> 

Yes, you can run as many as you like. :)

-a

-- 

  Andy De Petter _,'|_.-''``-...___..--';
Skynet  Operations  /, \'.  _..-' ,  ,--...--'''
   < \   .`--'''  ` /|
   Tel +32 (0)2 7061311 `-,;'  ;   ; ;
   Fax +32 (0)2 7061312__...--'' __...--_..'  .;.'
  (,__'''  (,..--''
*** DISCLAIMER ***
This e-mail and any attachments thereto may contain information, which
is confidential and/or protected by intellectual property rights and
are intended for the sole use of the recipient(s) named above. Any use
of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any
form) by persons other than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender
either by telephone or by e-mail and delete the material from any
computer. Thank you for your cooperation.






Re: (RADIATOR) DSL authentication queuing

2001-05-15 Thread Janet N del Mundo

Hi Hugh,

Can I run multiple instances of "restartWrapper" on the same machine? 
Because I'm planning to run 2 Radiator processes on the same machine on
different auth/acct ports to alleviate the DSL problem below.

Thanks!
Janet

Hugh Irvine wrote:
> 
> Hello Janet -
> 
> I would run a separate machine and/or instance of Radiator to run the DSL.
> 
> hth
> 
> Hugh
> 
> On Monday 14 May 2001 18:09, Janet N del Mundo wrote:
> > Hello everyone,
> >
> > Anyone out there having problems with authenticating customers AFTER a
> > Nortel Shasta (DSL) reboots?
> >
> > The problem that I am having is that when the Shasta reboots, DSL
> > customers that are trying to re-login are over populating the
> > authentication/accounting ports on the server.  When I do a 'netstat
> > -na', the ports are overwhelmed with queued processes.  Thus affecting
> > our regular dialup customers.  To alleviate the queued process, I
> > comment out the 'client clauses' that accept requests from the Shasta
> > for about 15-30 mins and restart radiator.   When I do this, our dialup
> > customers can login.  After 15-30 mins, I put back the client clauses
> > and restart radiator.  The queue builds up and authentication is still a
> > bit slow, but it's authenticating both DSL and regular dialup
> > customers.  Is there a better way to solve this 'congestion' with DSL
> > customers?
> >
> > BTW, we're re-selling DSL so I don't know when the Shasta re-boots or
> > goes down.
> >
> > I'd appreciate any comments or suggestions!
> > TIA,
> > Janet
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.

-- 
_
Janet del Mundo 
Internet Administrator, Startec Global Communications
135 Chalan Santo Papa   Agana, Guam  96910
Email: [EMAIL PROTECTED]



(RADIATOR) Time & Session-Timeout

2001-05-15 Thread Mariano Absatz

Hi,

I would like to do the following.

Suppose I have a dial-up product that allows a user to connect only in a 
certain block time AND also has a maximum hours per month.

For instance, he can connect Mon-Fri 8-20 and Sat 8-13 but no more than 
20 hours per month.

I would have a TIMEBLOCK column in that user database with the following 
content:

"MoTuWeThFr0800-2000, Sa0800-2000"

(btw, does the weekday support ranges also, like in "Mo-Fr0800-2000, 
Sa0800-2000"?)

The TIMELEFT column would have the seconds remaining for this user.

What I want is to set Session-Timeout to the minimum of "until Time" and 
TIMELEFT.

But... :-) ... I also want to be able to have a value (in the db column) 
to ignore either or both:

Example database:

username,password,timeleft,timeblock
john,secret,7200,"MoTuWeThFr0800-2000, Sa0800-2000"
paul,,-1,"Wk0800-2000, Sa0800-2000"
mary,abcd,-1,"Al-2400"
jane,wxyz,126000,"Al-2400"

being, -1, for instance, an indicator that the user has unlimited monthly 
connection time (but maybe subject to timeblock restrictions).

In this example database john has 2 hours left and can only log on 
weekdays from 8 through 20 and Saturdays from 8 through 13.

paul can log in during the same periods but has no total time 
restrictions.

mary has no restrictions at all.

jane can log in at any time, but she has only 35 hours left.

Questions: 

1) can I do this weird thing somehow simply? (I already read 
goodies/blocktime.txt, but this is way more complicated, is it?) (note: I 
could, if necessary, use a "very large value" to indicate 
timeleft=infinity, but I'd rather have a more visual and checkable value, 
like -1).

2) is the timeblock "Al-2400" acceptable?

3) are overlapping timeblocks acceptable? (e.g. "Wk0800-1700, 
MoWeFrSa1500-2000")

TIA.


Mariano Absatz
El Baby
--
To define recursion, we must first define recursion. 




Re: (RADIATOR) AuthyByPolicy

2001-05-15 Thread Mariano Absatz

On 15 May 2001, at 21:54, Chris Cronje - MWeb wrote:

> Hi There
> 
> I was wondering if anyone has done this before ?
> I'm using Radiator to authenticate off another Radiator server, like a
> proxy. If the radius server fails, I want my proxy to mark the server dead
> for 10 minutes and then continue to the next Authby clause, which is AuthBy
> FILE.
> 
> What happens in practise is that if my proxy receives a timeout, it
> retransmits once, marks the server dead for 10 minutes and then says:
> 
> Tue May 15 21:53:41 2001: INFO: AuthRADIUS could not find a working host to
> forward to. Ignoring 
> 
> But, it never goes to the next AuthBy statement.
> 
> Am I doing something wrong in my config here ?
> 
> 
> 
> AuthByPolicy ContinueUntilIgnore
I never did this, but I think the above line should read

AuthByPolicy ContinueWhileIgnore

In fact, I guess that if your other radius server is actually working, 
this server would be trying the  after the  
always (since it wasn't ignored and that is the condition to stop the 
AuthByPolicy).

>  
>  Host x.x.x.x
>  Retries 1
>  RetryTimeout 3
>  FailureBackoffTime 600
>  Secret M@x$3$$!0n$
>  
> 
>  
>  Filename users 
>  AcceptIfMissing
>  
> 
> 
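
How the two policy values discussed above walk a chain of AuthBy clauses, as an added example that is not part of the original posts or of Radiator's code. It is a simplified model: the handler names, the user tables and the rule that the last AuthBy tried supplies the final verdict are assumptions made for the illustration.

```python
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Constructed local user file standing in for the AuthBy FILE fallback.
LOCAL_USERS = {"alice": "wonderland"}


def keep_going(policy: str, result: str) -> bool:
    """Decide whether the next AuthBy runs after the current one returned `result`."""
    if policy == "ContinueAlways":
        return True
    for prefix, continue_on_match in (("ContinueWhile", True), ("ContinueUntil", False)):
        if policy.startswith(prefix):
            target = policy[len(prefix):].upper()
            if target not in (ACCEPT, REJECT, IGNORE):
                break
            return (result == target) == continue_on_match
    raise ValueError(f"unknown AuthByPolicy: {policy}")


def authby_radius(upstream):
    """Proxy clause: IGNORE when no host answers, else relay the upstream verdict."""
    def handler(user, password):
        if upstream is None:  # host marked dead for FailureBackoffTime seconds
            return IGNORE
        return ACCEPT if upstream.get(user) == password else REJECT
    return handler


def authby_file(user, password):
    """Local fallback clause backed by the constructed LOCAL_USERS table."""
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT


def run_chain(policy, chain, user, password):
    """Run AuthBy clauses in order; return the last verdict and the clauses tried."""
    tried, result = [], IGNORE
    for name, handler in chain:
        result = handler(user, password)
        tried.append(name)
        if not keep_going(policy, result):
            break
    return result, tried


def scenario(policy, upstream_alive, user="alice", password="wonderland"):
    # Constructed upstream user table; None models "no working host".
    upstream = {"alice": "wonderland", "bob": "builder"} if upstream_alive else None
    chain = [("RADIUS", authby_radius(upstream)), ("FILE", authby_file)]
    return run_chain(policy, chain, user, password)


if __name__ == "__main__":
    for policy in ("ContinueUntilIgnore", "ContinueWhileIgnore"):
        for alive in (False, True):
            print(policy, "upstream up" if alive else "upstream down",
                  scenario(policy, alive))
```

With the upstream alive, ContinueUntilIgnore also lets the local file overrule the proxy's verdict, so a user known only upstream ends up rejected.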




(RADIATOR) AuthyByPolicy

2001-05-15 Thread Chris Cronje - MWeb

Hi There

I was wondering if anyone has done this before ?
I'm using Radiator to authenticate off another Radiator server, like a
proxy. If the radius server fails, I want my proxy to mark the server dead
for 10 minutes and then continue to the next Authby clause, which is AuthBy
FILE.

What happens in practise is that if my proxy receives a timeout, it
retransmits once, marks the server dead for 10 minutes and then says:

Tue May 15 21:53:41 2001: INFO: AuthRADIUS could not find a working host to
forward to. Ignoring 

But, it never goes to the next AuthBy statement.

Am I doing something wrong in my config here ?



AuthByPolicy ContinueUntilIgnore
 
 Host x.x.x.x
 Retries 1
 RetryTimeout 3
 FailureBackoffTime 600
 Secret M@x$3$$!0n$
 

 
 Filename users 
 AcceptIfMissing
 





(RADIATOR) Problems with Session Database.

2001-05-15 Thread Shon Stephens


Alright, I know this is a much covered topic, but I'm still having
some difficulty. 
I believe this is how Radiator should be working. I am using
 and . Please tell me if this is
incorrect.

The NAS sends an Auth-Request to Radiator. Radiator will execute the
DeleteQuery "delete from RADONLINE where USERNAME='%n' and
NASIDENTIFIER='%N' and NASPORT='%{Nas-Port}'". This is to correct for
dupes. Once this is done, it executes the CountQuery "select
NASIDENTIFIER,NASPORT,ACCTSESSIONID from RADONLINE where USERNAME =
'%n';". If the number of unique sessions doesn't exceed the set limit,
then the AuthSelect query is executed. If the user authenticates
correctly, Radiator will send an Auth-Accept back to the NAS. Which
then (in most cases) will send an Acct-Start request. When this
request is received, Radiator will then insert the Acct-Start data
into the Accounting Database. It will also insert the session data
into the SessionDB using the AddQuery "insert into RADONLINE
(USERNAME,NASIDENTIFIER,NASPORT,ACCTSESSIONID,
TIME_STAMP,FRAMEDIPADDRESS,PORTTYPE,SERVICETYPE) values ('%n', '%N',
'%{Nas-Port}', '%{Acct-Session-Id}', '%{Timestamp}', 
'%{Framed-IP-Address}', '%{Port-Type}', '%{Service-Type}')".

I may have the order of the insert into Accounting and Session
reversed. I am not sure. Either way, my session database never
updates. Here is my configuration:


Identifier DefaultSDB
DBSource dbi:mysql:radius:mysqlhost
DBUsername mysqluser
DBAuth password
AddQuery insert into sessions (username, time_stamp, session_id, \
nas_identifier, nas_port, framed_ip_addr) values ('%U', \
'%{GlobalVar:TimestampFormatted}', '%{Acct-Session-Id}', \
'%{NAS-Identifier}', '%{NAS-Port}', '%{Framed-IP-Address}')
DeleteQuery delete from sessions where username='%U' and \
nas_identifier='%{NAS-Identifier}' and nas_port='%{NAS-Port}'
ClearNasQuery delete from sessions where nas_identifier= \
'%{NAS-Identifier}'
CountQuery select nas_identifier,nas_port,session_id from sessions \
where username='%U'



SessionDatabase DefaultSDB
MaxSessions 1 
  
  DBSource dbi:mysql:radius:mysqlhost
  DBUsername mysqluser
  DBAuth password
  Timeout 120
  FailureBackoffTime  150
  AuthSelect select password, check, reply from users where \
  username='%U'
  AuthColumnDef 0, User-Password, check
  AuthColumnDef 1, GENERIC, check
  AuthColumnDef 2, GENERIC, reply
  AccountingTable accounting
  DateFormat %x-%d%M%Y
  AcctColumnDef username, User-Name, string
  AcctColumnDef time_stamp, Timestamp, integer-date
  AcctColumnDef status_type, Acct-Status-Type, integer
  AcctColumnDef input_octets, Acct-Input-Octets, integer
  AcctColumnDef output_octets, Acct-Output-Octets, integer
  AcctColumnDef session_id, Acct-Session-Id, string
  AcctColumnDef session_time, Acct-Session-Time, integer
  AcctColumnDef terminate_cause, Acct-Terminate-Cause, integer
  AcctColumnDef nas_identifier, NAS-Identifier, string
  AcctColumnDef nas_port, NAS-Port, integer
  AcctColumnDef framed_ip_addr, Framed-IP-Address, string
  


I am using radpwtst to test this. To make sure that the entry is not
deleted from the session database, I do not send an Acct-Stop. I also
change my Nas-Port. However, even on the first attempt, without an
Acct-Stop Request, Radiator never attempts to execute the AddQuery. I
have looked at my Radiator log files. There are no errors reported. I
have looked at the packet dumps. Everything appears good. When
looking at the query logs on my SQL server, there is never an attempt
to perform an insert into sessions. It just doesn't happen, no
errors, no hiccups, just no session tracking. Why isn't this
happening? I have looked at this a dozen times. Yes, my table names
and formats are different from the default, but I compensate for this
by changing the query statements in the radius.cfg file. Thanks for
looking at this novel.

Shon Stephens
[EMAIL PROTECTED]




Re[2]: (RADIATOR) CHAP

2001-05-15 Thread Anton Krall

OK.. :)

Regards

Anton Krall
Director of Technology
Inter.net Mexico
(www.mx.inter.net)
Email: [EMAIL PROTECTED]
Direct: 5-241-7609
Switchboard: 5-241-7600
Mobile: 044-5105-5160

Outside Mexico:
Office: (525)241-7609
PBX: (525)241-7600
Mobile: (525)105-5160

__

Monday, May 14, 2001, 7:53:36 PM, you wrote:


HI> Hello Anton -

HI> You cannot use CHAP authentication with encrypted passwords in your 
HI> database. If you want to use encrypted passwords in the database, you will 
HI> have to use PAP authentication. If you want to use CHAP authentication you 
HI> will have to use plaintext passwords in the database.

HI> hth

HI> Hugh

HI> On Tuesday 15 May 2001 08:51, Anton Krall wrote:
>> Guys.
>>
>> I'm getting this error when trying to authenticate with CHAP:
>>
>> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED]
>> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED]
>> Mon May 14 17:47:54 2001: DEBUG: Handling request with Handler 'Realm=mx.inter.net'
>> Mon May 14 17:47:54 2001: DEBUG: Rewrote user name to akrall
>> Mon May 14 17:47:54 2001: DEBUG: SDBSQLdialup Deleting session for [EMAIL PROTECTED], 10.0.0.0, 1234
>> Mon May 14 17:47:54 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='10.0.0.0' and NASPORT=01234
>>
>> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthSQL
>> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
>> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
>> Mon May 14 17:47:54 2001: WARNING: Cant use encrypted passwords with CHAP
>> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE REJECT: Bad Encrypted password
>> Mon May 14 17:47:54 2001: DEBUG: Handling with Radius::AuthDBFILE
>> Mon May 14 17:47:54 2001: DEBUG: Radius::AuthDBFILE looks for match with akrall
>> Mon May 14 17:47:54 2001: INFO: Access rejected for akrall: No such user
>> Mon May 14 17:47:54 2001: DEBUG: Packet dump:
>>
>> My passwords are like this:
>>
>> user [crypt]HAFJSGFD
>>
>> What's the matter?
>>
>> Regards
>>
>> Anton Krall
>> Director of Technology
>> Inter.net Mexico
>> (www.mx.inter.net)
>> Email: [EMAIL PROTECTED]
>> Direct: 5-241-7609
>> Switchboard: 5-241-7600
>> Mobile: 044-5105-5160
>>
>> Outside Mexico:
>> Office: (525)241-7609
>> PBX: (525)241-7600
>> Mobile: (525)105-5160
>>
>>



RE: (RADIATOR) Duplicate Logins

2001-05-15 Thread Mariano Absatz

On 15 May 2001, at 11:29, Ingvar Berg (EIP) wrote:

> [See inserted comment]
> 
> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: den 12 maj 2001 10:33
> To: Anton Krall; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Duplicate Logins
> 
> 
> 
> Hello Anton -
> 
> The reason Radiator does a delete when it receives an access request is 
> because an accounting stop may have gone missing. Note that the delete is 
> done on the NAS and NAS-Port combination reported in the request, because by 
> definition there cannot already be a session there.
> 
>   But then again there are clients that don't have physical
> ports, how do you handle that case? I.e. the port number might be
> constant (0) or just some internal ref number used by the client. 
> 
In fact, you should check your NAS documentation or, if not available (as 
is my case), do a bunch of different authentications with radiator in 
trace 4.

For instance, Nortel's Shasta (my dearly behated enemy) didn't have a NAS-
Port... in a recent version they added NAS-Port-Id (it's a string, not a 
number) that, in fact, is unique (so it's no good for the automatic 
deletion of stale sessions), but does the job of not deleting any session 
'cause NAS-Port is 0 or nonexistent.

The Shasta also sends the Acct-Session-Id with the Access-Request packet, 
so you can also use it (in fact, it's the one I'm using). I guess any 
tunnel terminator is probably able to send you the Acct-Session-Id with 
the Access-Request packet besides sending it with every accounting packet.

> 
> Notice that your second request is the same as the first, so the first record 
> is deleted, hence the second request is accepted. If you want to test 
> simultaneous use you will have to use different values in your requests.
> 
> This topic has been discussed *many* times, so don't forget to check the 
> mailing list archive at www.starport.net/~radiator and do a search.
> 
> regards
> 
> Hugh
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
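
The delete, count and add sequence discussed in this message and in Shon Stephens' session database post, as an added example that is not part of the original posts or of Radiator's code. It models the session table in an in-memory SQLite database with bound parameters; the table layout, the function names and the "shasta" NAS that always reports port 0 are assumptions constructed for the illustration.

```python
import sqlite3

MAX_SESSIONS = 1  # mirrors "MaxSessions 1" in the posted configuration


def open_sdb():
    """Create an empty, in-memory session table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (username TEXT, nas_identifier TEXT,"
               " nas_port INTEGER, session_id TEXT)")
    return db


def access_request(db, user, nas, port):
    # DeleteQuery step: clear whatever is recorded on this NAS and port,
    # in case an accounting stop went missing.
    db.execute("DELETE FROM sessions WHERE nas_identifier=? AND nas_port=?",
               (nas, port))
    # CountQuery step: sessions this user still holds elsewhere.
    (count,) = db.execute("SELECT COUNT(*) FROM sessions WHERE username=?",
                          (user,)).fetchone()
    return "REJECT" if count >= MAX_SESSIONS else "ACCEPT"


def accounting_start(db, user, nas, port, session_id):
    # AddQuery step: runs only when an accounting start arrives.
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (user, nas, port, session_id))


def login(db, user, nas, port, session_id):
    """Access request followed, on accept, by the accounting start."""
    verdict = access_request(db, user, nas, port)
    if verdict == "ACCEPT":
        accounting_start(db, user, nas, port, session_id)
    return verdict


def retest_same_port():
    """Repeating an identical request deletes the first record, so it is accepted."""
    db = open_sdb()
    return [login(db, "akrall", "10.0.0.0", 1234, "s1"),
            login(db, "akrall", "10.0.0.0", 1234, "s2")]


def second_login_other_port():
    """A different port leaves the first record in place, so the limit applies."""
    db = open_sdb()
    return [login(db, "akrall", "10.0.0.0", 1234, "s1"),
            login(db, "akrall", "10.0.0.0", 1235, "s2")]


def constant_port_nas():
    """A NAS that reports port 0 for everyone wipes the prior session each time."""
    db = open_sdb()
    results = [login(db, "alice", "shasta", 0, "s1"),
               login(db, "alice", "shasta", 0, "s2"),
               login(db, "bob", "shasta", 0, "s3")]
    rows = db.execute("SELECT username, session_id FROM sessions").fetchall()
    return results, rows


if __name__ == "__main__":
    print("same port twice:", retest_same_port())
    print("different port: ", second_login_other_port())
    print("constant port 0:", constant_port_nas())
```

The constant-port case shows both effects raised in the thread: the session limit is never enforced, and each new login erases another user's live session record.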





Re: (RADIATOR)

2001-05-15 Thread Mariano Absatz



On 15 May 2001, at 10:50, Hugh Irvine wrote:

> 
> Hello Mariano -
> 
> Why don't you use this:
> 
>   %d%H%M%S

Right, now it's:
AddQuery INSERT INTO USUARIOS_EN_LINEA \
(USU_CODIGO, VISP_CODIGO, USUA_SESION_ID, \
USUA_IP_NAS, POOL_NAME, USUA_PORT, USUA_BYTES, USUA_TIEMPO, \
USUA_HORA_CONEXION, USUA_CALL_ID, USUA_DNIS, USUA_IP_ASIGNADA) \
VALUES \
('%U', '%R', '%{Acct-Session-Id}', \
'%N', 'nombre del pool', %{NAS-Port}, 0, 0, \
TO_DATE('%Y-%m-%d %H:%M:%S', 'YYYY-MM-DD HH24:MI:SS'), \
'%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Framed-IP-Address}')
and it works but... where am I supposed to get things from?

Where is the timestamp in this SQL statement coming from?

In the manual: 

http://www.open.com.au/radiator/ref.html#25705 (TABLE 2. DateFormat 
special characters)

is giving me characters to format an (arbitrary?) epoch and

http://www.open.com.au/radiator/ref.html#22600 (TABLE 1. Special string 
formatting characters)

is giving me characters to insert either the current time or the current 
packet timestamp (the latter being what I wanted, but would settle for the 
other)

As I had it configured before
TO_DATE('%f-%g-%i %j:%k:%p', 'YYYY-MM-DD HH24:MI:SS')
I understood I was directly taking the current packet timestamp and 
generating 'YYYY-MM-DD HH:mm:SS' where (from the manual's Table 1)
YYYY: The Timestamp year (4 digits)
MM: The Timestamp month number (2 digits)
DD: The Timestamp day of the month (2 digits)
HH: The Timestamp hour (0-23)
mm: The Timestamp minute (0-59)
SS: the Timestamp second (0-59)
^BTW, the lowercase "t" in the manual is inconsistent :-)

The problem here was that at least %p doesn't add a leading "0".

In the current configuration, I am using the fields from Table 2 
formatting an unknown date-time (I guess it's the current one).

TO_DATE('%Y-%m-%d %H:%M:%S', 'YYYY-MM-DD HH24:MI:SS')

As the info in the manual wasn't all that clear about it, I changed the 
date in the machine and confirmed that %m and %d also use a leading "0" 
(THAT isn't written in the manual).

So now I have it working, now for the "theoretical" part of the question, 
if I had a radius attribute with an arbitrary date-time in it (say, the 
birthday -and time- of the nas manufacturer's mother) and I would like to 
put it in a column in my on-line users database, what would be the idiom 
to do so? That is, I understand (I think) how to put it in an 
accounting database by means of a

AcctColumnDef   DB_COLUMN,Radius-Attribute-Name,integer-date, \
TO_DATE('%Y-%m-%d %H:%M:%S', 'YYYY-MM-DD HH24:MI:SS')

but in the AddQuery (or AnythingQuery) I don't know how to use 
Radius-Attribute-Name here.


> 
> regards
> 
> Hugh
> 
> 
> On Tuesday 15 May 2001 07:56, Mariano Absatz wrote:
> > Hi,
> >
> > I'm having problems with a ... I want to use the
> > timestamp in the AddQuery (with Oracle), but '%p' is yielding a 1 digit
> > second if the seconds in the timestamp is <10.
> >
> > Following is the corresponding part in the config file and afterwards, a
> > trace 4.
> >
> > Note, in the trace, that it says
> > TO_DATE('2001-05-14 18:38:2', 'YYYY-MM-DD HH24:MI:SS')
> > instead of
> > TO_DATE('2001-05-14 18:38:02', 'YYYY-MM-DD HH24:MI:SS')
> >
> > 
> > Identifier SessDBUsers
> >
> > include %{GlobalVar:ConfigDir}/DBUseData.cfg
> >
> >
> > AddQuery INSERT INTO USUARIOS_EN_LINEA \
> > (USU_CODIGO, VISP_CODIGO, USUA_SESION_ID, \
> > USUA_IP_NAS, POOL_NAME, USUA_PORT, USUA_BYTES, USUA_TIEMPO, \
> > USUA_HORA_CONEXION, USUA_CALL_ID, USUA_DNIS, USUA_IP_ASIGNADA) \
> > VALUES \
> > ('%U', '%R', '%{Acct-Session-Id}', \
> > '%N', 'nombre del pool', %{NAS-Port}, 0, 0, \
> > TO_DATE('%f-%g-%i %j:%k:%p', 'YYYY-MM-DD HH24:MI:SS'), \
> > '%{Calling-Station-Id}', '%{Called-Station-Id}', '%{Framed-IP-Address}')
> >
> > DeleteQuery DELETE FROM USUARIOS_EN_LINEA \
> > WHERE USU_CODIGO='%U' AND VISP_CODIGO='%R' AND \
> > USUA_IP_NAS='%N' AND USUA_PORT='%{NAS-Port}'
> >
> > ClearNasQuery DELETE FROM USUARIOS_EN_LINEA \
> > WHERE USUA_IP_NAS='%N'
> >
> > CountQuery SELECT USUA_IP_NAS, USUA_PORT, USUA_SESION_ID \
> > FROM USUARIOS_EN_LINEA \
> > WHERE USU_CODIGO='%U' AND VISP_CODIGO='%R'
> >
> >
> > 
> >
> >
> >
> >
> >
> >
> > Mon May 14 18:38:02 2001: INFO: Server started: Radiator 2.18.1 on mr-visp
> > Mon May 14 18:38:02 2001: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 41858 
> > Code:   Accounting-Request
> > Identifier: 198
> > Authentic:  Gr<16><25>3<197>+<215><2><219><223>`eSUK
> > Attributes:
> > User-Name = "yaNi@pert"
> > Service-Type = Framed-User
> > NAS-IP-Address = 200.59.130.83
> > NAS-Port =

Re: (RADIATOR) stupid question ,-)

2001-05-15 Thread Shon Stephens


I don't know about making Radiator accept connections from your
device. However, I use NOCOL to monitor my Radiator systems. It has a
Radius AAA mechanism built into it. It's free too. Can't remember
where to get it though?

Shon Stephens
[EMAIL PROTECTED]


- - Original Message - 
From: "Andy De Petter" <[EMAIL PROTECTED]>
To: "Radiator Mailing" <[EMAIL PROTECTED]>
Sent: Tuesday, May 15, 2001 7:49 AM
Subject: (RADIATOR) stupid question ,-)


> 
> Hello,
> 
> I don't know if anyone has ever tried this before, but I'm testing
> out a  hardware monitoring tool, that can check ICMP/TCP/UDP
> protocols.
> 
> Now, the problem I'm having here, is that I can't add this device
> in the  client list of Radiator, because it doesn't support any
> "secret" (it  just connects to a port, and sees if it's listening
> or not).
> 
> I noticed that Radiator is rejecting the IP address of the device, 
> because it's an unknown client.  Is there a way, to make Radiator
> accept  connections from this device, even without a shared secret?
>  Or just  stop Radiator from blocking that IP address?
> 
> Thanks,
> 
> -Andy
> 



(RADIATOR) stupid question ,-)

2001-05-15 Thread Andy De Petter


Hello,

I don't know if anyone has ever tried this before, but I'm testing out a 
hardware monitoring tool, that can check ICMP/TCP/UDP protocols.

Now, the problem I'm having here, is that I can't add this device in the 
client list of Radiator, because it doesn't support any "secret" (it 
just connects to a port, and sees if it's listening or not).

I noticed that Radiator is rejecting the IP address of the device, 
because it's an unknown client.  Is there a way, to make Radiator accept 
connections from this device, even without a shared secret?  Or just 
stop Radiator from blocking that IP address?

Thanks,

-Andy




(RADIATOR) BindAddress

2001-05-15 Thread Andy De Petter


Hi,

I have a question, concerning the BindAddress to multiple interfaces, on 
the same machine.  When I don't bind Radiator to a specific interface, 
it listens (by default) on -all- interfaces.

Now, when I have RADIUS requests coming in from NAS, on a virtual 
interface, Radiator will always respond with its primary interface 
(instead of sending the reply through the interface through where it has 
received the initial requests).

My question is: Is it possible, to make Radiator respond to the 
(virtual) interface on where it has received the initial requests from NAS?

It works, if you bind Radiator to the interface, with BindAddress, but 
setting up radiusd daemons, for each (virtual) interface is not an 
option in my situation, so..

TIA,

-Andy




RE: (RADIATOR) Duplicate Logins

2001-05-15 Thread Ingvar Berg (EIP)

[See inserted comment]

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: den 12 maj 2001 10:33
To: Anton Krall; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Duplicate Logins



Hello Anton -

The reason Radiator does a delete when it receives an access request is 
because an accounting stop may have gone missing. Note that the delete is 
done on the NAS and NAS-Port combination reported in the request, because by 
definition there cannot already be a session there.

  But then again there are clients that don't have physical ports, how do you 
handle that case? I.e. the port number might be constant (0) or just some 
internal ref number used by the client.


Notice that your second request is the same as the first, so the first record 
is deleted, hence the second request is accepted. If you want to test 
simultaneous use you will have to use different values in your requests.

This topic has been discussed *many* times, so don't forget to check the 
mailing list archive at www.starport.net/~radiator and do a search.

regards

Hugh
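
An added illustration, not part of the original messages and not Radiator's own code: a simplified Python model of the delete-on-access-request behaviour described in the reply above, using the NAS address and port from the debug log earlier in the thread. The SessionDB class, the per-user limit of 1 and the user name "other" are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SessionDB:
    max_sessions: int = 1                       # assumed per-user limit
    online: dict = field(default_factory=dict)  # (nas, port) -> user

    def access_request(self, user, nas, port):
        # A new request on this NAS/port means any session recorded there is
        # stale (its accounting stop may have been lost), so drop it first.
        self.online.pop((nas, port), None)
        active = sum(1 for u in self.online.values() if u == user)
        return "ACCEPT" if active < self.max_sessions else "REJECT"

    def accounting_start(self, user, nas, port):
        self.online[(nas, port)] = user

def login(db, user, nas, port):
    """Access-Request followed, on accept, by Accounting-Start."""
    result = db.access_request(user, nas, port)
    if result == "ACCEPT":
        db.accounting_start(user, nas, port)
    return result

def identical_requests():
    # Same user, NAS and port twice: the first row is deleted before the
    # limit is checked, so the second request is accepted too.
    db = SessionDB()
    return [login(db, "akrall", "10.0.0.0", 1234) for _ in range(2)]

def different_ports():
    # A valid simultaneous-use test: the second request uses another port.
    db = SessionDB()
    return [login(db, "akrall", "10.0.0.0", p) for p in (1234, 1235)]

def constant_port_client():
    # The inserted comment's case: a client that always reports port 0.
    # Every login overwrites the single row, so the limit is never reached
    # and a second user ("other", constructed) evicts the first user's row.
    db = SessionDB()
    results = [login(db, "akrall", "10.0.0.0", 0) for _ in range(2)]
    login(db, "other", "10.0.0.0", 0)
    return results, dict(db.online)

if __name__ == "__main__":
    print(identical_requests())
    print(different_ports())
    print(constant_port_client())
```
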



(RADIATOR) Cisco AS5300 preauthentication for GSM

2001-05-15 Thread Erik Wirring

Hi!

We use a Cisco AS5300 and a Radius server for connecting customers on GSM
modems to special software running on a server. Authentication is done solely
on the Clid (GSM no.) by preauthentication.
The critical part of the configuration file looks something like this:
**
.
ip host LHOTSE01 9001 192.168.34.105
ip host LHOTSE02 9002 192.168.34.105
.
aaa authentication login GPSuser none
aaa authorization exec GPSuser group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa preauth
 group radius
 clid required password *
.
isdn switch-type primary-net5
chat-script offhook "" "ATH1" OK
.
radius-server host 192.168.34.104 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key AS5300
!
line con 0
 transport input none
line 1
 script modem-off-hook offhook
 login authentication GPSuser
 modem InOut
 autocommand  connect LHOTSE01
 transport input all
line 2
..
**
and that works ok.
What I want is to let the connection be controlled by the Radius server by
something like this in the userfile:

12345678 Password = "**"
 cisco-avpair = "preauth:service-type=1",
 Login-IP-Host = 192.168.34.105,
 Login-Service = TCP-Clear,
 Login-TCP-Port = 9016,

and what I am uncertain about is how to configure the AS5300.
Would something like this work:

line 1 60
 script modem-off-hook offhook
 login authentication GPSuser
 modem InOut
 transport input all

instead of the 60 separate line definitions?


--
Best Regards

Erik Wirring
Chartered surveyor,
Chief software engineer

Email: [EMAIL PROTECTED]
Tel. +45 7733 2257

LE34 TELE A/S
Trimble Center Danmark
Energivej 34
DK-2750 Ballerup
DENMARK

Tel. +45 7733 2233
Fax. +45 7733 2299
Web: www.trimble.dk  -  www.gpsnet.dk



