(RADIATOR) Post-Error and Host-Request
-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]: Non-member submission from [radiator [EMAIL PROTECTED]]
Date: Mon, 7 Jan 2002 01:24:09 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From: radiator [EMAIL PROTECTED]
To: Radiator-List [EMAIL PROTECTED]
Subject: Post-Error and Host-Request
Date: Mon, 07 Jan 2002 09:05:49 GMT

Hi! This may not be a radiator specific question but just want to know what are the possible reasons of 'Port-Error' and 'Host-Request' terminate-cause. We are using L2TP on Cisco 3640. Some of our clients got disconnected with these terminate-cause, and we don't know how to correct the problem.

regards.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Linux MS-SQL
Hello Andrew -

Thanks for your comment.

Connectivity to MS-SQL is becoming rather painful, as MS has dropped support for Sybase interoperation. There is also a problem with Freetds if you require more than one connection to the database. In general, the easiest methods these days seem to be to use ODBC-Proxy, or just run a copy of Radiator on the MS host and proxy the relevant radius requests to it.

regards

Hugh

On Mon, 7 Jan 2002 18:59, Andrew Blanche wrote:

> I have setup my Red Hat 6.2 box to authenticate from Rodopi on MS SQL. The hardest thing was to get the Sybase interface to work. I did find some good info on this in the goodies section. I used freetds-0.53 for the sybase libs.
>
> Andrew Blanche
> System Administrator
> Fox All Services Pty Ltd
> Ph - +61 3 9739 5262 Fax - +61 3 9735 1861
> http://www.foxall.com.au
>
> - Original Message -
> From: Hugh Irvine [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, January 07, 2002 3:17 PM
> Subject: Re: (RADIATOR) Linux MS-SQL
>
> Hello Hakim -
>
> You can either use a commercial ODBC driver, or use the ODBC-Proxy, or run a copy of Radiator on the Windows box and proxy the radius requests to it. This topic has been discussed many times on the Radiator mailing list, so have a look at the archive site and do a search.
>
> http://www.open.com.au/archives/radiator
>
> regards
>
> Hugh
>
> On Sun, 6 Jan 2002 22:13, hakim wrote:
>
> > hi all!!! I have my radius installed on Linux Red Hat. And my database is on MS-SQL server. I need to know how can I connect to this SQL server from Linux. (Free tools will be appreciated). I am going to be installing in Perl DBI,DBD modules. In this case I need to know how can I create a DSN on the Linux machine.
> >
> > Best Regards
> > Hakim

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) Post-Error and Host-Request
Hello -

I think you will need to check with Cisco (or look at the Cisco web site). Does anyone else on the list happen to know the answer?

cheers

Hugh

> Hi! This may not be a radiator specific question but just want to know what are the possible reasons of 'Port-Error' and 'Host-Request' terminate-cause. We are using L2TP on Cisco 3640. Some of our clients got disconnected with these terminate-cause, and we don't know how to correct the problem.
>
> regards.
(RADIATOR) Some Problems with Encrypted Password
I need guidelines on Password encryption. We are running SQL Server based customer system on Windows 2000. We desire to encrypt the password on the SQL platform to ensure that our Customer database is not hijacked. Going through your manual, there is ONLY a reference to Unix encrypted password. How do we successfully interface RADIUS with our external SQL server based Database with encrypted password?

We need to obtain a Windows based SNMPget software to enable us query the Netservers directly to check customer simultaneous logins. Can you pls help with any reference?

'Tunde Ogedengbe
Linkserve Limited
Plot 308, Adeola Odeku Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Sam Silvester [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 28, 2001 9:42 PM
Subject: Re: (RADIATOR) Error message on startup

Hello Sam -

It sounds like you have a problem with your dictionary file. You should always start with the standard Radiator dictionary (in the file called dictionary in the distribution) and add or delete entries from it with your favourite text editor.

BTW - the latest version is Radiator 2.19 and you should really upgrade.

regards

Hugh

At 12:58 +1030 01/11/26, Sam Silvester wrote:

> Hi everyone. I'm getting the following when I start Radiator: (I've turned trace up to 4)
>
> Use of uninitialized value in concatenation (.) at Radius/Rdict.pm line 167, FILE line 730.
> ... big snip - repeated multiple times ...
> Use of uninitialized value in concatenation (.) at Radius/Rdict.pm line 167, FILE line 770.
> Use of uninitialized value in length at radiusd line 312.
> Use of uninitialized value in numeric eq (==) at radiusd line 329.
> Use of uninitialized value in numeric eq (==) at radiusd line 365.
> Use of uninitialized value in numberic ne (!=) at radiusd line 175.
> Use of uninitialized value in subtraction (-) at radiusd line 177.
>
> Now the server seems to start fine apart from that. In the log file I get
>
> INFO: Server started: Radiator 2.17.1 on radiusserver.network.big
>
> but using radpwtst I get No Reply for everything! Any help much appreciated!
>
> -Sam.

--
NB: I am travelling this week, so there may be delays in our correspondence.
(RADIATOR) Authentication Problems
I am having problems authenticating with Radiator. I am running NT 4 with MySQL as the database. My config script is set to first check the NT user database and then the SQL database. When I use radpwtst I get a bad authenticator reply and then 2 no reply's which I assume are because the first request failed. I am using the default user to test. Included is the trace file (first) and my config file (second). Thanks for your help.

Mon Jan 7 10:07:34 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577
Code: Access-Request
Identifier: 4
Authentic: 1234567890123456
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = 159249:201175\424618889160216}x153
Mon Jan 7 10:07:34 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 7 10:07:34 2002: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Mon Jan 7 10:07:34 2002: DEBUG: Handling with NT
Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL
Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='mikem'
Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL looks for match with mikem
Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT'
Mon Jan 7 10:07:34 2002: INFO: Access rejected for mikem: Bad Password
Mon Jan 7 10:07:34 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 3577
Code: Access-Reject
Identifier: 4
Authentic: 1234567890123456
Attributes:
    Reply-Message = Request Denied
Mon Jan 7 10:07:34 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577
Code: Accounting-Request
Identifier: 5
Authentic: 141245j6145242213\;218x^^=22)
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Start
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
Mon Jan 7 10:07:34 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
Mon Jan 7 10:07:39 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577
Code: Accounting-Request
Identifier: 6
Authentic: d6B159200u138152FI216154190S230G
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Stop
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 2
    Acct-Output-Octets = 3
Mon Jan 7 10:07:39 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)

Foreground
LogStdout
LogDir /Radiator/log
#Dictionary File is in current dir
DictionaryFile ./dictionary
Trace 4

<Client 127.0.0.1>
    Secret dogcat
    DupInterval 0
</Client>

<AuthBy SQL>
    Identifier CheckSQL
    DBSource dbi:mysql:ISP
    DBUsername admin
    DBAuth lifter
    AccountingTable ACCOUNTING
    AcctColumnDef USERNAME,User-Name
    AcctColumnDef TIME_STAMP,Timestamp,integer
    AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
    AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
    AcctColumnDef NASIDENTIFIER,NAS-Identifier
    AcctColumnDef NASPORT,NAS-Port,integer
</AuthBy>

<AuthBy NT>
    Identifier CheckNT
    # You must set the domain name here to suit your site
    Domain ETHERNET1
    # ON NT, optionally specify the name of the
    # Primary Domain Controller, including the leading
    # \\ slashes, to override the default domain controller
    # for the domain you specified above
    DomainController \\FEZZIK
    # On Unix, you MUST specify the Domain Controller
    # name as the NT host name of the domain controller
    # its not optional. This needs to be set to the NT
    # name of the Primary Domain Controller, and further
    # the NT
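
The "Bad Password" reject and the "Bad authenticator" warnings in the trace above both come from checks keyed on the RADIUS shared secret. The following is an added example, not part of the original post and not Radiator code: it implements the RFC 2865 User-Password hiding and the RFC 2866 accounting authenticator check, and shows what the server side computes when the client uses a different secret from the "dogcat" in the posted config. That a secret mismatch is the cause here is an assumption the thread does not confirm; the password and the mismatched secret are constructed values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code, RFC 2866
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)  # an empty password still fills one block
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, previous = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        previous = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += previous
    return hidden


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    plain, previous = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + previous).digest()
        previous = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(previous, mask))
    return plain.rstrip(b"\x00")


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 3: Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the server's secret and compare."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate(client_secret: bytes, server_secret: bytes) -> dict:
    """Send one hidden password and one Accounting-Request Start, as in the trace."""
    request_auth = b"1234567890123456"  # the Authentic value shown in the trace
    password = b"fred"                  # constructed test password
    hidden = hide_password(password, client_secret, request_auth)
    attrs = (attribute(USER_NAME, b"mikem")
             + attribute(ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
             + attribute(ACCT_SESSION_ID, b"1234"))
    packet = build_accounting_request(5, attrs, client_secret)
    return {
        "password_matches":
            recover_password(hidden, server_secret, request_auth) == password,
        "accounting_authenticator_ok":
            accounting_authenticator_ok(packet, server_secret),
    }


if __name__ == "__main__":
    # "dogcat" is the Secret in the posted Client clause; "not-dogcat" is constructed.
    print("matching secrets  :", simulate(b"dogcat", b"dogcat"))
    print("mismatched secrets:", simulate(b"not-dogcat", b"dogcat"))
```

An Access-Request carries a random authenticator that the server cannot verify on its own, so a wrong secret only shows up there as an undecodable password, while an Accounting-Request fails the authenticator check outright.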
(RADIATOR) AuthbyRADIUS with DYNADDRESS
Hugh

We have had some confusion regarding issuing dynamic ip's when using AuthbyRADIUS in a proxy situation. We understand that once an AuthbyRADIUS clause is processed, it returns immediately to the nas without waiting for a reply from the proxy server. In order to issue a dynamic ip in this situation, either Synchronous mode or a ReplyHook must be used according to the manual. Synchronous mode can severely impact performance, even when specifying Fork. Our setup includes well over a 100 handlers which are used based on called-station-id and/or realm.

We setup our handlers to use a ReplyHook instead of Synchronous mode to assign a dynamic ip back to the nas. However, when using a ReplyHook, an ip never gets sent back to the nas successfully. The attached debug file (replyhook_example.log) shows that as soon as AuthbyRADIUS sends the Access-Request to the proxy server, an Access-Accept is sent back to our nas containing no attributes, even with the ReplyHook. The nas then authenticates the user but assigns them an IP of 0.0.0.0 and kicks him a few seconds later. As soon as the proxy server responds, another response is sent to the nas with the correct attributes, including the IP taken from our SQLAllocator, but is dismissed by the nas because it already received a response regarding that session.

Isn't the ReplyHook supposed to allow a dynamic IP to be sent back to the nas even though the AuthbyRADIUS clause returns immediately? How is it supposed to work?

We then enabled Synchronous mode and everything worked fine. Radiator waited for a response from the proxy server before sending a dynamic IP with the reply back to the nas as shown in the attached debug file (sync_example.log). However, using a ReplyHook is supposed to circumvent the need to use Synchronous mode and still maintain the ability to assign dynamic ip's.

Also attached is our radius.cfg. Are we implementing the ReplyHook (AllocateIPAddressOnReplyFromProxy taken from goodies/hooks.txt) incorrectly? Can our needs be met without using Synchronous/Fork mode?

Thanks

Matt

Foreground
#LogStdout
LogDir /var/log/radius
LogFile /var/log/radius/%Y%m%d-radius.log
AuthPort 1812
AcctPort 1813
# User a lower trace level in production systems:
Trace 5

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<ClientListSQL>
    DBSource dbi:mysql:radius
    DBUsername
    DBAuth
    GetClientQuery select NASIDENTIFIER, SECRET from RADCLIENTLIST
</ClientListSQL>

# Setup the address allocator
<AddressAllocator SQL>
    Identifier SQLAllocator
    DBSource dbi:mysql:radius
    DBUsername
    DBAuth
    DefaultLeasePeriod 604800
    FindQuery select TIME_STAMP, YIADDR from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP limit 1
    #include /usr/local/radiator/configs/ippools.cfg
    <AddressPool GLOBAL>
        Range xxx x
    </AddressPool>
</AddressAllocator>

<AuthBy SQL>
    Identifier CheckBlacklist
    DBSource dbi:mysql:radius
    DBUsername x
    DBAuth x
    AuthSelect select ATTRIBUTE from BLACKLIST \
        where VALUE = '%{Calling-Station-Id}'
    AuthColumnDef 0, GENERIC, check
    NoDefaultIfFound
    AccountingTable
</AuthBy>

# dynamic address allocation tables
#include /usr/local/radiator/configs/dynaddress.cfg
<AuthBy DYNADDRESS>
    Identifier AllocateIPAddressGLOBAL
    Allocator SQLAllocator
    PoolHint GLOBAL
</AuthBy>

# Get configs from specified directory
#include /usr/local/radiator/configs/dnislist.cfg
<Handler Called-Station-Id = /1155$/>
    AuthByPolicy ContinueWhileAccept
    Identifier AllocateIPAddressGLOBAL
    #
    # FORWARD AUTHENTICATION INFORMATION
    #
    <AuthBy RADIUS>
        Identifier CheckRemoteRadius
        #NoForwardAuthentication
        NoForwardAccounting
        Synchronous
        <Host xx.xx.xx.xx>
            Secret xxx
            AuthPort 11155
            Retries 3
            RetryTimeout 10
        </Host>
        ReplyHook file:/usr/local/radiator/hooks/AllocateIPAddressOnReplyFromProxy
        # FILTER NAME: STATIC-ALLOW
        AllowInReply Framed-IP-Address,Session-Timeout,Ascend-Data-Filter,Idle-Timeout,Ascend-Idle-Limit,Ascend-Maximum-Call-Duration
        AddToReply Framed-Netmask=255.255.255.255
    </AuthBy>
    #
    # FORWARD ACCOUNTING INFORMATION TO NECESSARY RADIUS SERVERS
    #
    <AuthBy RADIUS>
        NoForwardAuthentication
        # NoForwardAccounting
Re: (RADIATOR) Login OK Loop
Hello William - I can't recall seeing this sort of problem before. I will need to see a trace 4 debug together with a copy of your configuration file (no secrets) to be able to say any more. BTW - the latest version of Radiator is 2.19. regards Hugh On Tue, 8 Jan 2002 06:17, William Hernandez wrote: Hello everyone, We had a strange occurrence on Dec 29 in which user auser was continually authenticated from 11:22:17 AM up until 11:35:55 AM when we had to stop the radiusd process. Radiator basically went into a loop and the only way out of it was to stop/start radius. Accounting start records were not generated. We're using Radiator 2.18 and Total Control NASes. Has anyone seen this type of behavior before? Thanks in advance, William Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:17 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:22:18 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 
29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:54 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) Sat Dec 29 11:35:55 2001: Login OK: [auser] (tc1) === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) migration to radiator with cisco-equipment
Hello Alexander -

On Tue, 8 Jan 2002 00:09, Alexander Wallnöfer wrote:

> I'm evaluating the Radiator and I'm thinking to migrate from x-Tacacs based on an Informix-DB to the Radiator based on LINUX/MySQL or LINUX/Informix. We are an ISP with about 10.000 Customers in the Dial-Up-Sector. As NAS we exclusively use Cisco-Equipment (some 3660, AS5300 and two AS5200; the latter one will be eliminated in the near future). In the new environment we will use a multi-chassis configuration.

This sounds like a fairly standard setup.

> So I have some questions, if anyone can help:
>
> 1. Has someone of you experiences in such a migration? What should I care about?

I have done similar migrations in the past and it has been fairly straightforward. We provide a utility called buildsql in the distribution that you may find useful (you can modify the source if you need to).

> 2. Are there any known problems with ppp multilink for Dial-Up-Users (ISDN and Modem)

There are no problems with multilink.

> 3. Has the change from Tacacs to Radius any disadvantages?

There are a few things that Tacacs can do that Radius cannot. Specifically logging of command lines entered on the NAS, as this requires a TCP connection (Tacacs) rather than UDP (Radius).

> 4. Is the combination Linux/MySQL a good choice? How scalable is this choice?

We have a great many customers using this combination with excellent results. We provide some indicative performance numbers in section 24 of the Radiator 2.19 reference manual (included in the distribution in the file doc/ref.html). There are also some descriptions of real customer installations on the web site (http://www.open.com.au/radiator/examples.html).

regards

Hugh
Re: (RADIATOR) AuthbyRADIUS with DYNADDRESS
At 03:17 PM 1/7/2002 -0800, Matt Scifo wrote:

> The attached debug file (replyhook_example.log) shows that as soon as AuthbyRADIUS sends the Access-Request to the proxy server, an Access-Accept is sent back to our nas containing no attributes, even with the ReplyHook. The nas then authenticates the user but assigns them an IP of 0.0.0.0 and kicks him a few seconds later. As soon as the proxy server responds, another response is sent to the nas with the correct attributes, including the IP taken from our SQLAllocator, but is dismissed by the nas because it already received a response regarding that session.

This sounds like incorrect behavior. There should only be one response to the NAS and it should come only after the response is received from the proxy.

Steve

---
Stephen Roderick
Universal Telecom, Inc.
Re: (RADIATOR) AuthbyRADIUS with DYNADDRESS
At 03:17 PM 1/7/2002 -0800, Matt Scifo wrote:

> Our setup includes well over a 100 handlers which are used based on called-station-id and/or realm.

There is an SQL based module that would eliminate these 100 handlers. Look for AuthSQLRadius.

Steve

---
Stephen Roderick
Universal Telecom, Inc.
Re: (RADIATOR) AuthbyRADIUS with DYNADDRESS
Hello Matt, Hello Steve -

Thanks for sending the files.

The problem you have with the two Access-Accepts is because you have specified NoForwardAuthentication in the second AuthBy RADIUS clause. This will cause this AuthBy to always Accept any authentication request. This is not what you need - you should use IgnoreAuthentication instead (see section 6.29.11 in the manual). I apologise for not seeing this sooner.

BTW - as has been mentioned in another posting you should consider using the AuthBy SQLRADIUS clause to manage large numbers of Called-Station-Id's.

BTW2 - you should also consider running two instances of Radiator - one for authentication and the other for accounting - it will make your configuration files much simpler.

regards

Hugh

On Tue, 8 Jan 2002 10:17, Matt Scifo wrote:

> Hugh
>
> We have had some confusion regarding issuing dynamic ip's when using AuthbyRADIUS in a proxy situation. We understand that once an AuthbyRADIUS clause is processed, it returns immediately to the nas without waiting for a reply from the proxy server. In order to issue a dynamic ip in this situation, either Synchronous mode or a ReplyHook must be used according to the manual. Synchronous mode can severely impact performance, even when specifying Fork. Our setup includes well over a 100 handlers which are used based on called-station-id and/or realm.
>
> We setup our handlers to use a ReplyHook instead of Synchronous mode to assign a dynamic ip back to the nas. However, when using a ReplyHook, an ip never gets sent back to the nas successfully. The attached debug file (replyhook_example.log) shows that as soon as AuthbyRADIUS sends the Access-Request to the proxy server, an Access-Accept is sent back to our nas containing no attributes, even with the ReplyHook. The nas then authenticates the user but assigns them an IP of 0.0.0.0 and kicks him a few seconds later. As soon as the proxy server responds, another response is sent to the nas with the correct attributes, including the IP taken from our SQLAllocator, but is dismissed by the nas because it already received a response regarding that session.
>
> Isn't the ReplyHook supposed to allow a dynamic IP to be sent back to the nas even though the AuthbyRADIUS clause returns immediately? How is it supposed to work?
>
> We then enabled Synchronous mode and everything worked fine. Radiator waited for a response from the proxy server before sending a dynamic IP with the reply back to the nas as shown in the attached debug file (sync_example.log). However, using a ReplyHook is supposed to circumvent the need to use Synchronous mode and still maintain the ability to assign dynamic ip's.
>
> Also attached is our radius.cfg. Are we implementing the ReplyHook (AllocateIPAddressOnReplyFromProxy taken from goodies/hooks.txt) incorrectly? Can our needs be met without using Synchronous/Fork mode?
>
> Thanks
>
> Matt
(RADIATOR) AuthBy SQL problem
Hi genius,

I am using AuthBy SQL to authenticate users. However, I would like to verify the user's username, password and status=T. So, how can I rewrite the statement in sq.cfg to make it work?

Thanks so much for paying attention.

---
Regards,
Sam Cheung
E-mail: [EMAIL PROTECTED]
Re: (RADIATOR) AuthBy SQL problem
Hello Sam -

Just specify a suitable AuthSelect:

    AuthSelect select PASSWORD where USERNAME = '%n' and STATUS = 'T'
    AuthColumnDef 0, User-Password, check

regards

Hugh

On Tue, 8 Jan 2002 12:09, Sam Cheung wrote:

> Hi genius,
>
> I am using AuthBy SQL to authenticate users. However, I would like to verify the user's username, password and status=T. So, how can I rewrite the statement in sq.cfg to make it work?
>
> Thanks so much for paying attention.
>
> ---
> Regards,
> Sam Cheung
> E-mail: [EMAIL PROTECTED]
(RADIATOR) SNMP problem with PM3..
Hi,

This has been discussed on the list before, but I cannot seem to find a resolution ;)

One of our clients has Radiator 2.18 with Radmin 1.5 running on Debian Linux 2.2, using PM3 NAS's.

Denying Simultaneous use has never worked when clients connect with multilink ISDN connections - I now see that the SNMP query has stopped for some reason - (The following user has max simultaneous logins set to 4)

##
Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026
Code: Access-Request
Identifier: 111
Authentic: o224a1362730217t162*141V149134Z5
Attributes:
    User-Name = amg
    User-Password = 2395D253l225240H1891413616222Q}*
    NAS-IP-Address = xxx.xxx.xxx.xxx
    NAS-Port = 21
    NAS-Port-Type = ISDN
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id =
    Calling-Station-Id =
Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Jan 8 11:22:59 2002: DEBUG: Deleting session for amg, xxx.xxx.xxx.xxx, 21
Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with Radius::AuthRADMIN')
Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with Radius::AuthRADMIN')
Tue Jan 8 11:22:59 2002: DEBUG: Query is: select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='amg' and BADLOGINS 5 and VALIDFROM 1010452979 and VALIDTO 1010452979
Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN looks for match with amg
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN looks for match with amg')
Tue Jan 8 11:22:59 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='amg'
Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN ACCEPT:
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN ACCEPT: ')
Tue Jan 8 11:22:59 2002: DEBUG: do query is: update RADUSERS set BADLOGINS=0 where USERNAME='amg'
Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
Tue Jan 8 11:22:59 2002: DEBUG: Access accepted for amg
Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1026
Code: Access-Accept
Identifier: 111
Authentic: o224a1362730217t162*141V149134Z5
Attributes:
    Framed-IP-Address = yyy.yyy.yyy.yyy
    Framed-Protocol = PPP
    Framed-IP-Netmask = 255.255.255.255
    Framed-Routing = None
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
*** Received from xxx.xxx.xxx.xxx port 1026
Code: Accounting-Request
Identifier: 112
Authentic: ~^159185179206~+21921 5O25234W
Attributes:
    Acct-Session-Id = 7700026E
    User-Name = amg
    NAS-IP-Address = xxx.xxx.xxx.xxx
    NAS-Port = 21
    NAS-Port-Type = ISDN
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Called-Station-Id =
    Calling-Station-Id =
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = yyy.yyy.yyy.yyy
    Acct-Delay-Time = 0
Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Jan 8 11:22:59 2002: DEBUG: Adding session for amg, xxx.xxx.xxx.xxx, 21
Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('amg', 'xxx.xxx.xxx.xxx', 021, '7700026E', 1010452979, 'yyy.yyy.yyy.yyy', 'ISDN', 'Framed-User')
Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with Radius::AuthRADMIN')
Tue Jan 8 11:22:59 2002: DEBUG: Handling accounting with Radius::AuthRADMIN
Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling accounting with Radius::AuthRADMIN')
Tue Jan 8 11:22:59 2002: DEBUG: do query is: update RADUSERS set TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0, OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='amg'
Tue Jan 8 11:22:59
Re: (RADIATOR) SNMP problem with PM3..
Hello Michael -

The SNMP query is not run for every access request - it is only run if there is a session limit exceeded according to the session database.

The problem with simultaneous use checking is that in many cases the information received from the NAS in the radius accounting requests is different from the information for the same session returned by an SNMP query.

hth

Hugh

On Tue, 8 Jan 2002 12:56, Michael Bellears wrote:
> Hi,
>
> This has been discussed on the list before, but I cannot seem to find a resolution ;)
>
> One of our clients has Radiator 2.18 with Radmin 1.5 running on Debian Linux 2.2, using PM3 NAS's.
>
> Denying Simultaneous use has never worked when clients connect with multilink ISDN connections - I now see that the SNMP query has stopped for some reason - (The following user has max simultaneous logins set to 4)
>
> ##
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx.xxx port 1026
> Code: Access-Request
> Identifier: 111
> Authentic: o224a1362730217t162*141V149134Z5
> Attributes:
>     User-Name = amg
>     User-Password = 2395D253l225240H1891413616222Q}*
>     NAS-IP-Address = xxx.xxx.xxx.xxx
>     NAS-Port = 21
>     NAS-Port-Type = ISDN
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Called-Station-Id =
>     Calling-Station-Id =
> Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jan 8 11:22:59 2002: DEBUG: Deleting session for amg, xxx.xxx.xxx.xxx, 21
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with Radius::AuthRADMIN')
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with Radius::AuthRADMIN')
> Tue Jan 8 11:22:59 2002: DEBUG: Query is: select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='amg' and BADLOGINS 5 and VALIDFROM 1010452979 and VALIDTO 1010452979
> Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN looks for match with amg
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN looks for match with amg')
> Tue Jan 8 11:22:59 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='amg'
> Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN ACCEPT:
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN ACCEPT: ')
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: update RADUSERS set BADLOGINS=0 where USERNAME='amg'
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
> Tue Jan 8 11:22:59 2002: DEBUG: Access accepted for amg
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1026
> Code: Access-Accept
> Identifier: 111
> Authentic: o224a1362730217t162*141V149134Z5
> Attributes:
>     Framed-IP-Address = yyy.yyy.yyy.yyy
>     Framed-Protocol = PPP
>     Framed-IP-Netmask = 255.255.255.255
>     Framed-Routing = None
>     Framed-MTU = 1500
>     Framed-Compression = Van-Jacobson-TCP-IP
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx.xxx port 1026
> Code: Accounting-Request
> Identifier: 112
> Authentic: ~^159185179206~+21921 5O25234W
> Attributes:
>     Acct-Session-Id = 7700026E
>     User-Name = amg
>     NAS-IP-Address = xxx.xxx.xxx.xxx
>     NAS-Port = 21
>     NAS-Port-Type = ISDN
>     Acct-Status-Type = Start
>     Acct-Authentic = RADIUS
>     Called-Station-Id =
>     Calling-Station-Id =
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Framed-IP-Address = yyy.yyy.yyy.yyy
>     Acct-Delay-Time = 0
> Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jan 8 11:22:59 2002: DEBUG: Adding session for amg, xxx.xxx.xxx.xxx, 21
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('amg', 'xxx.xxx.xxx.xxx', 021, '7700026E', 1010452979, 'yyy.yyy.yyy.yyy', 'ISDN', 'Framed-User')
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is:
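
A simplified model of the check described in Hugh's reply above, added here as an example and not taken from Radiator or from either poster. The RADONLINE table and column names come from the debug log; `nas_reports` (a stand-in for the SNMP query), the matching rule, the NAS name and all session values are assumptions constructed for illustration. It shows that the NAS is queried only once the session database says the limit is reached, and that a mismatch between the accounting data and the NAS's answer leaves the limit unenforced.

```python
import sqlite3

def open_session_db():
    """In-memory stand-in for the RADONLINE session table seen in the debug log."""
    db = sqlite3.connect(":memory:")
    db.execute("create table RADONLINE (USERNAME text, NASIDENTIFIER text, "
               "NASPORT integer, ACCTSESSIONID text)")
    return db

def add_session(db, user, nas, port, session_id):
    """Accounting Start: replace whatever was recorded on this NAS port."""
    db.execute("delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?", (nas, port))
    db.execute("insert into RADONLINE values (?, ?, ?, ?)", (user, nas, port, session_id))

def check_access(db, user, nas, port, max_logins, nas_reports):
    """Return (accepted, nas_queries) for an Access-Request on (nas, port).

    nas_reports(nas, port) is a hypothetical stand-in for the SNMP query: it
    returns (user, session_id) as the NAS sees that port, or None if idle.
    """
    # The requesting port cannot still hold an old session.
    db.execute("delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?", (nas, port))
    rows = db.execute("select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE "
                      "where USERNAME=?", (user,)).fetchall()
    if len(rows) < max_logins:
        return True, 0              # under the limit: the NAS is never queried
    queries, live = 0, 0
    for s_nas, s_port, s_id in rows:
        queries += 1
        if nas_reports(s_nas, s_port) == (user, s_id):
            live += 1               # NAS confirms the recorded session
        else:
            # Assumed rule: a mismatch is treated as a stale record and dropped.
            db.execute("delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?",
                       (s_nas, s_port))
    return live < max_logins, queries

def demo():
    """Constructed scenario: user 'amg', limit 4, four channels already up."""
    db = open_session_db()
    for port in (17, 18, 19, 20):
        add_session(db, "amg", "nas1", port, "77000%02X" % port)
    agrees = lambda nas, port: ("amg", "77000%02X" % port)   # NAS matches accounting
    differs = lambda nas, port: ("amg", "MP-BUNDLE-1")       # NAS reports another id
    under = check_access(open_session_db(), "amg", "nas1", 21, 4, agrees)
    enforced = check_access(db, "amg", "nas1", 21, 4, agrees)
    bypassed = check_access(db, "amg", "nas1", 21, 4, differs)
    return under, enforced, bypassed
```

When simultaneous-use limits appear not to work, comparing what the NAS returns for a port with what its accounting requests put in the session database is the first thing to check.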