Fw: (RADIATOR) radwho.cgi disconnect routine

2003-01-16 Thread Ayotunde Itayemi



Hi Hugh, Hi All, any takers please?
I think any implementation using SNMP should work.
What do you think, Hugh?

Regards,
Tunde Itayemi.

- Original Message - 
From: Ayotunde Itayemi
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Sent: Tuesday, January 14, 2003 8:49 PM
Subject: (RADIATOR) radwho.cgi disconnect routine

Hi Hugh, Hi all,

Please does anyone have a session-disconnect program/script that can be "hooked"
to the radwho.cgi script that is compatible with Patton RASes?

Any ideas, help etc would be appreciated. Please if you are sending me a program
include the instructions for installation.

Regards,
Tunde Itayemi.



(RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19

2003-01-16 Thread Matthew Trout





I'm currently having some nasty problems going from Radiator 2.19 to 3.5; most things work, but I have a configuration hack that we need that's suddenly stopped working.

Our FRIACO dialup products are locked to a single CLI, so no username and password should be needed. Wherein lies the problem - ensuring they have the correct CLI (which means AcceptIfMissing isn't suitable, so far as I can see) but getting auth to succeed with no password. Previously, I used a PostSearchHook in the AuthBy clause to set the EAP_MESSAGE attribute, which then meant Radiator assumed the password had already been authenticated. However, this doesn't seem to work under 3.5 and I've spent an entire day trawling through the source trying to figure it out without success. Following are my config files, and an extract from logfile for both versions.

--- Configuration
 AuthByPolicy ContinueUntilAccept

 <AuthBy LDAP2>
  * elided; simple user search for roaming FRIACO users (internal only, no customers) *
 </AuthBy>

 <AuthBy LDAP2>
  NoDefault
  HoldServerConnection
  Host **
  AuthDN **
  AuthPassword **
  BaseDN ou=customers, ou=people, dc=bsve.net, o=internet
  PasswordAttr friacopassword
  AuthAttrDef FRIACO-todr, Time, check
  SearchFilter (&(objectclass=friacouser)(csid=0%{Calling-Station-Id})(!(suspended=yes)))
  PostSearchHook sub { $_[2]->addAttrByNum($Radius::Radius::EAP_MESSAGE,1); }
  AddToReply Service-Type = Framed-User, \
   Framed-Protocol = PPP, \
   Framed-IP-Address = 255.255.255.254, \
   Framed-IP-Netmask = 255.255.255.255, \
   Framed-Routing = None, \
   Framed-Compression = Van-Jacobsen-TCP-IP, \
   Framed-MTU = 1500, \
   Session-Timeout = 7200
 </AuthBy>


--- Logfile excerpts (trace 5, command radpwtst -s localhost -user blah -password blah -calling_station_id 1524848611)


With 2.19, I get -


Code: Access-Request
Identifier: 51
Authentic: 1234567890123456
Attributes:
 User-Name = blah
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 1524848611
 NAS-Port-Type = Async
 User-Password = 155231197175\424618889160216}x153


Wed Jan 15 12:30:51 2003: DEBUG: Check if Handler Client-Identifier = BT-FRIACO-Radius should be used to handle this request

Wed Jan 15 12:30:51 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 12:30:51 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with *
Wed Jan 15 12:30:51 2003: DEBUG: No entries for blah found in LDAP database
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 12:30:51 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 12:30:51 2003: INFO: Attempting to bind with *
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
Wed Jan 15 12:30:51 2003: DEBUG: LDAP got FRIACO-todr: Al-2400
Wed Jan 15 12:30:51 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 12:30:51 2003: DEBUG: Handling with EAP
Wed Jan 15 12:30:51 2003: DEBUG: EAP code 49, ,
Wed Jan 15 12:30:51 2003: DEBUG: Radius::AuthLDAP2 ACCEPT:
Wed Jan 15 12:30:51 2003: DEBUG: Access accepted for blah
Wed Jan 15 12:30:51 2003: DEBUG: Packet dump:


With 3.5, I get -


Code: Access-Request
Identifier: 31
Authentic: 1234567890123456
Attributes:
 User-Name = blah
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 1524848611
 NAS-Port-Type = Async
 User-Password = 155231197175\424618889160216}x153


Wed Jan 15 09:40:31 2003: DEBUG: Handling request with Handler 'Client-Identifier = BT-FRIACO-Radius'
Wed Jan 15 09:40:31 2003: DEBUG: FRIACO-SessDB Deleting session for blah, 203.63.154.1, 1234
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthGROUP
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 09:40:31 2003: DEBUG: No entries for blah found in LDAP database
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 09:40:31 2003: DEBUG: Handling with Radius::AuthLDAP2:
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got result for cn=01524848611, ou=11, ou=0, ou=0, ou=1, ou=1, ou=customers, ou=people, dc=bsve.net, o=internet
Wed Jan 15 09:40:31 2003: DEBUG: LDAP got FRIACO-todr: Al-2400
Wed Jan 15 09:40:31 2003: ERR: There was no password attribute found for blah. Check your LDAP database.
Wed Jan 15 09:40:31 2003: DEBUG: Radius::AuthLDAP2 looks for match with blah
Wed Jan 15 09:40:31 

(RADIATOR) Alcatel SMC proxy radius --Radiator issue (fwd)

2003-01-16 Thread Abel Lucano

Hi all,
I'm trying to debug the following:
One proxy-radius (Alcatel-SMC) that is forwarding radius authentication and
accounting packets to Radiator.

The whole conversation is configured to use 1645/1646 ports.

When Alcatel-SMC's proxy radius sends an access-request to Radiator,
the latter sees the packet coming from port 1800 or 4248(?); Radiator
returns this request from 1645 to port 1800 or 4248.

The SMC side claims that they are receiving from Radiator just the
Proxy-State (33 binary) attribute but they cannot see basic attributes 6 and
7 (Service-Type and Framed-Protocol), and then the ppp connection drops.

The basic Handler includes DefaultReply too and the rest is very basic
working configuration talking with other systems

<AuthBy FILE>
  Identifier DBcustomer
  Filename %D/db/users-customer
  DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
  RejectEmptyPassword
  DefaultSimultaneousUse 1
</AuthBy>


Has anybody seen this kind of problem? (I've not found it searching the
list archives)


I'm including a tcpdump extract of the basic conversation
(sorry for the XXs, YYs and ZZs; I'm doing a consulting job for others and
they've not authorized me to show their data)


19:04:46.311731 200.XX.XX.XX.4248 > 200.YY.YY.YY.1645:  rad-access-req 129
[id 11] Attr[  Proxy_state{} NAS_ipaddr{200.ZZ.ZZ.ZZ} NAS_port{65}
NAS_port_type{Sync} User{prueba} [|radius]

19:04:46.381731 200.YY.YY.YY.1645 > 200.XX.XX.XX.4248:  rad-access-accept 26
[id 11] Attr[  Proxy_state{} ] (DF)

19:05:43.641731 200.XX.XX.XX.4248 > 200.YY.YY.YY.1645:  rad-access-req 127
[id 12] Attr[  Proxy_state{} NAS_ipaddr{200.ZZ.ZZ.ZZ} NAS_port{66}
NAS_port_type{Sync} User{prueba} [|radius]

19:05:44.351731 200.YY.YY.YY.1645 > 200.XX.XX.XX.4248:  rad-access-accept 26
[id 12] Attr[  Proxy_state{} ] (DF)

Thanks in advance,
Best regards



Abel Lucano
DECODE SA
Av Independencia 1355 2B
TE/FAX +5411 4383 1161
[EMAIL PROTECTED]

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
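
A check for the symptom described in the message above, as an added example (not from the original post and not Radiator code): it parses a RADIUS reply and reports whether Service-Type (6) and Framed-Protocol (7) are actually on the wire. The packets are constructed; the 4-byte Proxy-State value and the zeroed authenticator are assumptions, chosen so the bare reply is 26 bytes, matching the "rad-access-accept 26" in the capture if that number is the packet length.

```python
import struct

# RFC 2865 attribute types named in the post
SERVICE_TYPE, FRAMED_PROTOCOL, PROXY_STATE = 6, 7, 33
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_attributes(packet):
    """Return (code, identifier, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def missing_reply_items(packet, required=(SERVICE_TYPE, FRAMED_PROTOCOL)):
    """List the required attribute types that the reply does not carry."""
    _, _, attrs = parse_attributes(packet)
    present = {atype for atype, _ in attrs}
    return [atype for atype in required if atype not in present]


def build(code, ident, attrs):
    """Assemble a packet for the demo (authenticator left as zeros, not valid)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed sample: a reply that carries only Proxy-State, as in the capture.
BARE_ACCEPT = build(ACCESS_ACCEPT, 11, [(PROXY_STATE, b"\x00\x00\x00\x01")])

# Constructed sample: the reply the NAS side expected to see.
FULL_ACCEPT = build(ACCESS_ACCEPT, 11, [
    (SERVICE_TYPE, struct.pack("!I", 2)),     # Framed-User
    (FRAMED_PROTOCOL, struct.pack("!I", 1)),  # PPP
    (PROXY_STATE, b"\x00\x00\x00\x01"),
])

if __name__ == "__main__":
    for name, pkt in (("bare", BARE_ACCEPT), ("full", FULL_ACCEPT)):
        print(name, len(pkt), "bytes, missing:", missing_reply_items(pkt))
```

A 26-byte reply has room for only 6 bytes of attributes after the 20-byte header, so a capture like this one is enough to tell whether the reply items were dropped before the packet left the server.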



RE: (RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19

2003-01-16 Thread Ingvar Berg (EAB)
Just don't specify any PasswordAttr, that will give you a warning at startup, but then 
it works just fine by checking only according to your SearchFilter.

/Ingvar

  -Original Message-
 From: Matthew Trout [mailto:[EMAIL PROTECTED]] 
 Sent: den 16 januari 2003 13:05
 To:   '[EMAIL PROTECTED]'
 Subject:  (RADIATOR) Transitioning to 3.5: faking EAP_MESSAGE to avoid password auth not working as in 2.19
 

(RADIATOR) Radius and Wireless APs

2003-01-16 Thread jai



Hi,

I have two APs one from cisco and other one D-link, APs Configuration has Radius Server Authentication
option, As I am new to Wireless, I am having following questions

1. How can use Radiator or radius server to authenticate like the normal Dialup ??

2. If the User moves from one Access Point i.e from cisco to another one i.e D-Link.. is it needed to authenticate again.
if not what are the changes need in radiator server or wireless.

I think these questions might be irrelevant in this mailing list !!... but could someone guide me links
which might help

Thanks.

Rgds
Jai





RE: (RADIATOR) Time check item

2003-01-16 Thread Anton Krall
Hi Hugh

Right now.. I have 2 Authbys:

<AuthBy SQL>
    Identifier  Normal
    DBSource    dbi:mysql:radius:localhost
    DBUsername  xxx
    DBAuth      xxx

    AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
       from SUBSCRIBERS \
      where USERNAME=%0 and ACTIVE=1 and (PLAN=1 or PLAN=3 or PLAN=4)

    AuthColumnDef 0, User-Password, check
    AuthColumnDef 1, GENERIC, check
    AuthColumnDef 2, GENERIC, reply

    AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125
</AuthBy>

<AuthBy SQL>
    Identifier  Nocturno
    DBSource    dbi:mysql:radius:localhost
    DBUsername  xxx
    DBAuth

    AuthSelect select PASSWORD \
       from SUBSCRIBERS \
      where USERNAME=%0 and ACTIVE=1 and PLAN=2

    AuthColumnDef 0, User-Password, check

    # Here is where I need the Time = Wk-0800

    AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125,Session-timeout=until Time
</AuthBy>

So that if a user has PLAN=2 on the SUBSCRIBERS db, he will be thrown
into AuthBy SQL Nocturno and will only be able to login between  and
0800.

__
Anton Krall
CEO 
Intruder Consulting
 
Email: [EMAIL PROTECTED]
Tel: (55)5233-9281 
Celular: (044)55-5105-5160 
ICQ#: 4979450
MSN: [EMAIL PROTECTED]
AIM: antonkrall
Web: www.intruder.com.mx
 
Outside Mexico
Tel: (+52)555-233-9281 
Celular: (+52)555-105-5160


%-Original Message-
%From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
%Sent: Jueves, 16 de Enero de 2003 01:27 a.m.
%To: Anton Krall
%Cc: [EMAIL PROTECTED]
%Subject: Re: (RADIATOR) Time check item
%
%
%
%Hello Anton -
%
%As mentioned previously, the answer depends on what else you are doing 
%in your configuration file and how you are going to recognise and 
%process the radius requests. You can use Handlers or cascaded AuthBy 
%clauses, it depends on what else is required.
%
%Please outline your requirements in more detail and I will try to make 
%a sensible suggestion.
%
%regards
%
%Hugh
%
%
%On Thursday, Jan 16, 2003, at 18:18 Australia/Melbourne, Anton Krall 
%wrote:
%
% If I needed to hard code the check into the authby so that the user 
% record (SQL) would only have username and pw?
%
% __
% Anton Krall
% CEO
%
%
% %-Original Message-
% %From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugh Irvine
% %Sent: Jueves, 16 de Enero de 2003 12:09 a.m.
% %To: Anton Krall
% %Cc: [EMAIL PROTECTED]
% %Subject: Re: (RADIATOR) Time check item
% %
% %
% %
% %Hello Anton -
% %
% %A check item usually goes in a user record.
% %
% %Ie:
% %
% %someuser  Password = xxx, Time = Wk-0800
% %..
% %
% %There are other possibilities depending on what else you are doing in
% %your configuration file.
% %
% %regards
% %
% %Hugh
% %
% %
% %On Thursday, Jan 16, 2003, at 16:19 Australia/Melbourne, Anton Krall
% %wrote:
% %
% % Guys.. I trying to make 2 AuthBy SQL.. one is a standard one and the
% % other is for a dialup plan called Nightly
% %
% % The 2nd one has to have a check item: Time = Wk-0800
% %
% % Thing is... where do I put the check item? I forgot :
% %
% % Thx for the help.
% %
% % __
% % Anton Krall
% %
% %
% %
% %
% %
% %--
% %Radiator: the most portable, flexible and configurable RADIUS
% %server anywhere. Available on *NIX, *BSD, Windows 95/98/2000,
% %NT, MacOS X.
% %-
% %Nets: internetwork inventory and management - graphical,
% %extensible, flexible with hardware, software, platform and
% %database independence.
% %
% %
% %
%
%
%
%
%
%
%
%



(RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Denis Beauchemin
Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are
having some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more
info).

The biggest one is the HTTP URLs that don't seem to be sent to (or
accepted by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):
<Client 132.210.X.Y>
    Secret oursecret
    Identifier colubris
</Client>
<Handler Client-Identifier=colubris>
    MaxSessions 1
    WtmpFileName %L/wtmp
    AcctLogFileName %L/accounting
#   PasswordLogFileName %L/password.log
    <AuthBy DBFILE>
        AutoMPPEKeys Yes
        AddToReply Service-Type = Framed-User,\
            MS-MPPE-Encryption-Policy = Encryption-Allowed,\
            MS-MPPE-Encryption-Types = Encryption-Any,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Colubris-AVPair = login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l,\
            Colubris-AVPair = session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html,\
            Colubris-AVPair = transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html,\
            Colubris-AVPair = fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html,\
            Colubris-AVPair = logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
            Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
            Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
        Filename %D/usersdb
        RcryptKey our key
    </AuthBy>
    AuthLog Defaut
</Handler>

This is what I added to dictionary:
VENDOR      Colubris 8744
VENDORATTR  8744 Colubris-AVPair 0 string
ATTRIBUTE   Colubris-AVPair 0 string

The Colubris-AVPair don't seem to get to the CN3000 when it logs on.

Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf
files.

Thanks!
-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045




RE: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Frank Danielson
Hi-

As Hugh has said in the past, please send a trace 4 debug showing what's
happening during an access-request so we can see what the problem is.

-Original Message-
From: Denis Beauchemin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 12:02 PM
To: Radiator
Subject: (RADIATOR) Problems with Colubris CN3000





Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread engineering
Denis,

We are encountering a very similar (if not the same) problem.
We are also testing with a Colubris CN3000 and do not see
the Colubris-AVPair attributes reaching the CN3000.  Our
radiator logs do not display the Colubris-AVPair attributes at
all.

This is for Radiator 3.5.

We went back to 3.3.1, and the Colubris-AVPair attributes
seem to be getting through.  The Radiator logs and the Colubris
logs both attest to this.


Rodney Ebersole
Abbco Inc.
phone: (814) 234-9420
eMail:   [EMAIL PROTECTED]
IM:   rebersoleabbcoinc [AIM, MSN, YAHOO]



- Original Message -
From: Denis Beauchemin [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 12:01 PM
Subject: (RADIATOR) Problems with Colubris CN3000





Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Hugh Irvine

Hello Rodney -

The problem you are seeing is specifically with the AuthBy SQL clause.

I believe the problem below is a simple configuration error.

When Mike returns from his travels, we will post an announcement  
regarding your problem.

regards

Hugh


On Friday, Jan 17, 2003, at 07:49 Australia/Melbourne, engineering wrote:

Denis,

We are encountering a very similar (if not the same) problem.
We are also testing with a Colubris CN3000 and do not see
the Colubris-AVPair attributes reaching the CN3000.  Our
radiator logs do not display the Colubris-AVPair attributes at
all.

This is for Radiator 3.5.

We went back to 3.3.1, and the Colubris-AVPair attributes
seem to be getting through.  The Radiator logs and the Colubris
logs both attest to this.


Rodney Ebersole
Abbco Inc.
phone: (814) 234-9420
eMail:   [EMAIL PROTECTED]
IM:   rebersoleabbcoinc [AIM, MSN, YAHOO]



- Original Message -
From: Denis Beauchemin [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 12:01 PM
Subject: (RADIATOR) Problems with Colubris CN3000


Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are
having some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more
info).

The biggest one is the HTTP URLs that don't seem to be sent to (or
accepted by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):
<Client 132.210.X.Y>
    Secret oursecret
    Identifier colubris
</Client>
<Handler Client-Identifier=colubris>
    MaxSessions 1
    WtmpFileName %L/wtmp
    AcctLogFileName %L/accounting
#   PasswordLogFileName %L/password.log
    <AuthBy DBFILE>
        AutoMPPEKeys Yes
        AddToReply Service-Type = Framed-User,\
            MS-MPPE-Encryption-Policy = Encryption-Allowed,\
            MS-MPPE-Encryption-Types = Encryption-Any,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Colubris-AVPair = login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l,\
            Colubris-AVPair = session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html,\
            Colubris-AVPair = transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html,\
            Colubris-AVPair = fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html,\
            Colubris-AVPair = logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
            Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
            Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
        Filename %D/usersdb
        RcryptKey our key
    </AuthBy>
    AuthLog Defaut
</Handler>

This is what I added to dictionary:
VENDOR      Colubris 8744
VENDORATTR  8744 Colubris-AVPair 0 string
ATTRIBUTE   Colubris-AVPair 0 string

The Colubris-AVPair don't seem to get to the CN3000 when it logs on.

Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf
files.

Thanks!
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045




Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Hugh Irvine

Hi Frank -

Music to my ears!

:-)

Just by the way, without a configuration file and a trace 4 debug, it  
is just like me sending you an email asking what's wrong with my car?.

cheers

Hugh


On Friday, Jan 17, 2003, at 04:42 Australia/Melbourne, Frank Danielson wrote:

Hi-

As Hugh has said in the past, please send a trace 4 debug showing what's
happening during an access-request so we can see what the problem is.

-Original Message-
From: Denis Beauchemin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 12:02 PM
To: Radiator
Subject: (RADIATOR) Problems with Colubris CN3000


Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are
having some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more
info).

The biggest one is the HTTP URLs that don't seem to be sent to (or
accepted by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):
Client 132.210.X.Y
Secret oursecret
Identifier  colubris
/Client
Handler Client-Identifier=colubris
MaxSessions 1
WtmpFileName %L/wtmp
AcctLogFileName %L/accounting
#   PasswordLogFileName %L/password.log
AuthBy DBFILE
AutoMPPEKeysYes
AddToReply  Service-Type = Framed-User,\
MS-MPPE-Encryption-Policy = Encryption-Allowed,\
MS-MPPE-Encryption-Types = Encryption-Any,\
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Colubris-AVPair =
login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/ 
login.jsp?log
inurl=%l,\
Colubris-AVPair =
session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ 
session.ht
ml,\
Colubris-AVPair =
transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ 
transpor
t.html,\
Colubris-AVPair =
fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ 
fail.html,\
Colubris-AVPair =
logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
Colubris-AVPair =
access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
Colubris-AVPair =  
access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
Filename %D/usersdb
RcryptKey our key
/AuthBy
AuthLog Defaut
/Handler

This is what I added to dictionary:
VENDOR Colubris8744
VENDORATTR8744   Colubris-AVPair   0   string
ATTRIBUTEColubris-AVPair   0   string

The Colubris-AVPair don't seem to get to the CN3000 when it logs on.

Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf
files.

Thanks!
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Hugh Irvine

Hi Denis -

How's life? And Happy New Year!

I suspect the problem below is due to your additions to the dictionary.

Radiator 3.5 already has Colubris-AVPAIR defined, so you do not have  
to add anything to the dictionary.

What is happening below is that you have specified Colubris-AVPair  
twice, with the second one over-riding the first one, and the second  
one is incorrect (you have specified it as attribute 0 in the RFC  
space).

If you look at a trace 4 debug from Radiator you will see exactly what  
is happening.

I suggest you remove your definitions from the dictionary and just use  
Colubris-AVPAIR.

See you later

Hugues


On Friday, Jan 17, 2003, at 04:01 Australia/Melbourne, Denis Beauchemin  
wrote:

Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are
having some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more
info).

The biggest one is the HTTP URLs that don't seem to be sent to (or
accepted by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):
<Client 132.210.X.Y>
        Secret oursecret
        Identifier colubris
</Client>
<Handler Client-Identifier=colubris>
        MaxSessions 1
        WtmpFileName %L/wtmp
        AcctLogFileName %L/accounting
#       PasswordLogFileName %L/password.log
        <AuthBy DBFILE>
                AutoMPPEKeys Yes
                AddToReply Service-Type = Framed-User,\
                        MS-MPPE-Encryption-Policy = Encryption-Allowed,\
                        MS-MPPE-Encryption-Types = Encryption-Any,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Colubris-AVPair = login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l,\
                        Colubris-AVPair = session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html,\
                        Colubris-AVPair = transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html,\
                        Colubris-AVPair = fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html,\
                        Colubris-AVPair = logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
                        Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
                        Colubris-AVPair = access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
                Filename %D/usersdb
                RcryptKey our key
        </AuthBy>
        AuthLog Defaut
</Handler>

This is what I added to dictionary:
VENDOR          Colubris        8744
VENDORATTR      8744    Colubris-AVPair 0       string
ATTRIBUTE       Colubris-AVPair 0       string

The Colubris-AVPair don't seem to get to the CN3000 when it logs on.

Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf
files.

Thanks!
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045




--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
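
Added example (not from the thread or from Radiator itself): a Python check for the situation Hugh describes in the reply above, where an attribute name defined twice in the dictionary resolves to its later definition. It reads only ATTRIBUTE and VENDORATTR lines; the sample text is constructed from the two dictionary lines quoted in the post, and all function names are hypothetical.

```python
from collections import OrderedDict, namedtuple

# One ATTRIBUTE or VENDORATTR line; vendor is None for the RFC (non-vendor) space.
Definition = namedtuple("Definition", "lineno name vendor number datatype")

# Constructed sample: the two Colubris-AVPair lines from the post plus one unrelated entry.
SAMPLE_DICTIONARY = """\
VENDOR      Colubris         8744
VENDORATTR  8744  Colubris-AVPair  0  string
ATTRIBUTE   Colubris-AVPair  0  string
ATTRIBUTE   User-Name        1  string
"""


def parse_dictionary(text):
    """Return attribute definitions in file order, skipping comments and other keywords."""
    definitions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        try:
            if keyword == "ATTRIBUTE" and len(fields) >= 4:
                definitions.append(
                    Definition(lineno, fields[1], None, int(fields[2]), fields[3]))
            elif keyword == "VENDORATTR" and len(fields) >= 5:
                definitions.append(
                    Definition(lineno, fields[2], int(fields[1]), int(fields[3]), fields[4]))
        except ValueError:
            continue  # non-numeric vendor or attribute number: not a usable definition
    return definitions


def find_overrides(definitions):
    """Report every attribute name that is defined more than once."""
    by_name = OrderedDict()
    for d in definitions:
        by_name.setdefault(d.name, []).append(d)
    findings = []
    for name, defs in by_name.items():
        if len(defs) < 2:
            continue
        winner = defs[-1]  # assumption taken from the reply above: the later definition wins
        shadowed = defs[:-1]
        findings.append({
            "name": name,
            "winner": winner,
            "shadowed": shadowed,
            # True when the surviving definition encodes differently on the wire
            "changes_encoding": any(
                (s.vendor, s.number) != (winner.vendor, winner.number) for s in shadowed),
        })
    return findings


def describe(d):
    """One-line description of a definition for the report."""
    space = "RFC space" if d.vendor is None else "vendor %d" % d.vendor
    return "line %d: %s, attribute %d (%s)" % (d.lineno, space, d.number, d.datatype)


if __name__ == "__main__":
    for f in find_overrides(parse_dictionary(SAMPLE_DICTIONARY)):
        print("%s is defined %d times" % (f["name"], len(f["shadowed"]) + 1))
        print("  in effect: " + describe(f["winner"]))
        for s in f["shadowed"]:
            print("  shadowed:  " + describe(s))
```
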




Re: (RADIATOR) Time check item

2003-01-16 Thread Hugh Irvine

Hello Anton -

I would suggest you do something like this:


# define AuthBy clauses

<AuthBy SQL>
        Identifier Normal
        DBSource dbi:mysql:radius:localhost
        DBUsername xxx
        DBAuth xxx

        AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
                from SUBSCRIBERS \
                where USERNAME=%0 and ACTIVE=1 and (PLAN=1 or PLAN=3 or PLAN=4)

        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply

        AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125
</AuthBy>

<AuthBy SQL>
        Identifier Nocturno
        DBSource dbi:mysql:radius:localhost
        DBUsername xxx
        DBAuth

        AuthSelect select PASSWORD \
                from SUBSCRIBERS \
                where USERNAME=%0 and ACTIVE=1 and PLAN=2

        AuthColumnDef 0, User-Password, check

        AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125,Session-timeout=until Time
</AuthBy>

<AuthBy FILE>
        Identifier CheckUsers
        Filename %D/users.defaults
</AuthBy>

.

# define Realms or Handlers

<Handler>
        AuthBy CheckUsers
        .
</Handler>

.


Then the file users.defaults would look like this:

# file users.defaults

DEFAULT		Time = Wk-0800, Auth-Type = Nocturno

DEFAULT		Auth-Type = Normal


Please let me know how you get on.

regards

Hugh


On Friday, Jan 17, 2003, at 02:30 Australia/Melbourne, Anton Krall 
wrote:

Hi Hugh

Right now.. I have 2 Authbys:

<AuthBy SQL>
        Identifier Normal
        DBSource dbi:mysql:radius:localhost
        DBUsername xxx
        DBAuth xxx

        AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
                from SUBSCRIBERS \
                where USERNAME=%0 and ACTIVE=1 and (PLAN=1 or PLAN=3 or PLAN=4)

        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply

        AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125
</AuthBy>

<AuthBy SQL>
        Identifier Nocturno
        DBSource dbi:mysql:radius:localhost
        DBUsername xxx
        DBAuth

        AuthSelect select PASSWORD \
                from SUBSCRIBERS \
                where USERNAME=%0 and ACTIVE=1 and PLAN=2

        AuthColumnDef 0, User-Password, check

Here is where I need the Time = Wk-0800

        AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-Secondary-DNS=200.52.66.125,Session-timeout=until Time
</AuthBy>

So that if a user has PLAN=2 on the SUBSCRIBERS db, he will be thrown
into AuthBy SQL Nocturno and will only be able to login between  
and
0800.

__
Anton Krall
CEO
Intruder Consulting

Email: [EMAIL PROTECTED]
Tel: (55)5233-9281
Celular: (044)55-5105-5160
ICQ#: 4979450
MSN: [EMAIL PROTECTED]
AIM: antonkrall
Web: www.intruder.com.mx

Outside Mexico
Tel: (+52)555-233-9281
Celular: (+52)555-105-5160


%-Original Message-
%From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
%Sent: Thursday, 16 January 2003 01:27 a.m.
%To: Anton Krall
%Cc: [EMAIL PROTECTED]
%Subject: Re: (RADIATOR) Time check item
%
%
%
%Hello Anton -
%
%As mentioned previously, the answer depends on what else you are doing
%in your configuration file and how you are going to recognise and
%process the radius requests. You can use Handlers or cascaded AuthBy
%clauses, it depends on what else is required.
%
%Please outline your requirements in more detail and I will try to make
%a sensible suggestion.
%
%regards
%
%Hugh
%
%
%On Thursday, Jan 16, 2003, at 18:18 Australia/Melbourne, Anton Krall
%wrote:
%
% If I needed to hard code the check into the authby so that the user
% record (SQL) would only have username and pw?
%
% __
% Anton Krall
% CEO
%
%
% %-Original Message-
% %From: [EMAIL PROTECTED]
%%[mailto:[EMAIL PROTECTED]]
% On Behalf Of Hugh Irvine
% %Sent: Thursday, 16 January 2003 12:09 a.m.
% %To: Anton Krall
% %Cc: [EMAIL PROTECTED]
% %Subject: Re: (RADIATOR) Time check item
% %
% %
% %
% %Hello Anton -
% %
% %A check item usually goes in a user record.
% %
% %Ie:
% %
% %someuser  Password = xxx, Time = Wk-0800
% %	..
% %
% %There are other possibilities depending on what else you
%are doing in
% %your configuration file. %
% %regards
% %
% %Hugh
% %
% %
% %On Thursday, Jan 16, 2003, at 16:19 Australia/Melbourne, Anton 
Krall
% %wrote:
% %
% % Guys.. I'm trying to make 2 AuthBy SQL.. one is a standard
%one and the
% % other is for a dialup plan called Nightly
% %
% % The 2nd one has to have a 

RE: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Anton Krall
Guys.. I'm about to test a colubris cn3000 in about 1 week... Can you
send me your comments on the unit and how it handles?

Thx

__
Anton Krall
CEO 
Intruder Consulting
 
Email: [EMAIL PROTECTED]
Tel: (55)5233-9281 
Celular: (044)55-5105-5160 
ICQ#: 4979450
MSN: [EMAIL PROTECTED]
AIM: antonkrall
Web: www.intruder.com.mx
 
Outside Mexico
Tel: (+52)555-233-9281 
Celular: (+52)555-105-5160


%-Original Message-
%From: [EMAIL PROTECTED] 
%[mailto:[EMAIL PROTECTED]] On Behalf Of engineering
%Sent: Thursday, 16 January 2003 02:50 p.m.
%To: [EMAIL PROTECTED]
%Subject: Re: (RADIATOR) Problems with Colubris CN3000
%
%
%Denis,
%
%We are encountering a very similar (if not the same) problem. 
%We are also testing with a Colubris CN3000 and do not see the 
%Colubris-AVPair attributes reaching the CN3000.  Our radiator 
%logs do not display the Colubris-AVPair attributes at all.
%
%This is for Radiator 3.5.
%
%We went back to 3.3.1, and the Colubris-AVPair attributes
%seem to be getting through.  The Radiator logs and the 
%Colubris logs both attest to this.
%
%
%Rodney Ebersole
%Abbco Inc.
%phone: (814) 234-9420
%eMail:   [EMAIL PROTECTED]
%IM:   rebersoleabbcoinc [AIM, MSN, YAHOO]
%
%
%
%- Original Message -
%From: Denis Beauchemin [EMAIL PROTECTED]
%To: Radiator [EMAIL PROTECTED]
%Sent: Thursday, January 16, 2003 12:01 PM
%Subject: (RADIATOR) Problems with Colubris CN3000
%
%
%Hello,
%
%We are testing a Colubris CN3000 802.1x wireless access point 
%and are having some problems with it. (see 
%http://www.colubris.com/en/products/public_access/CN3000/ for 
%more info).
%
%The biggest one is the HTTP URLs that don't seem to be sent to 
%(or accepted by) the unit.
%
%Here is what I have in radius.cfg (I am using Radiator 3.5): 
%Client 132.210.X.Y
%Secret oursecret
%Identifier  colubris
%/Client
%Handler Client-Identifier=colubris
%MaxSessions 1
%WtmpFileName %L/wtmp
%AcctLogFileName %L/accounting
%#   PasswordLogFileName %L/password.log
%AuthBy DBFILE
%AutoMPPEKeysYes
%AddToReply  Service-Type = Framed-User,\
%MS-MPPE-Encryption-Policy = Encryption-Allowed,\
%MS-MPPE-Encryption-Types = Encryption-Any,\
%Framed-Protocol = PPP,\
%Framed-IP-Netmask = 255.255.255.255,\
%Framed-Routing = None,\
%Framed-MTU = 1500,\
%Colubris-AVPair = 
%login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/
%login.jsp?log
%inurl=%l,\
%Colubris-AVPair = 
%session-page=https://somewhere.USherbrooke.ca:8443/java/colubr
%is/session.ht
%ml,\
%Colubris-AVPair = 
%transport-page=https://somewhere.USherbrooke.ca:8443/java/colu
%bris/transpor
%t.html,\
%Colubris-AVPair = 
%fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/
%fail.html,\
%Colubris-AVPair = 
%logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
%Colubris-AVPair = 
%access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
%Colubris-AVPair = 
%access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
%Filename %D/usersdb
%RcryptKey our key
%/AuthBy
%AuthLog Defaut
%/Handler
%
%This is what I added to dictionary:
%VENDOR Colubris8744
%VENDORATTR8744   Colubris-AVPair   0   string
%ATTRIBUTEColubris-AVPair   0   string
%
%The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
%
%Any ideas?  I'm pretty sure I made a mistake in one of 
%Radiator's conf files.
%
%Thanks!
%--
%Denis Beauchemin, analyste
%Université de Sherbrooke, S.T.I.
%T: 819.821.8000x2252 F: 819.821.8045
%





Re: (RADIATOR) Radius and Wireless APs

2003-01-16 Thread Hugh Irvine

Hello Jai -

A Wireless AP looks to Radiator the same as any other NAS, therefore 
you will need to configure a Client ... clause for each one. You may 
also need to configure additional Handlers or Realms, depending on what 
else you are doing in your configuration file.

When a user moves from one access point to another, there will be a new 
authentication, just like if the user had hung up a modem call and 
dialled again.

You should configure the APs for radius authentication and then watch 
a trace 4 debug from Radiator to see what is contained in the 
authentication and accounting requests, then configure Radiator 
accordingly.

You should probably read the AP vendors' documentation first of all to 
see what radius support is implemented in the AP software.

There has also been quite a lot of discussion on this topic on the 
mailing list, so you should check the archive site too.

	www.open.com.au/archives/radiator

regards

Hugh


On Thursday, Jan 16, 2003, at 22:56 Australia/Melbourne, jai wrote:

Hi,

I have two APs, one from Cisco and the other from D-Link. The AP
configuration has a Radius Server Authentication option. As I am new to
wireless, I have the following questions:

1. How can I use Radiator or a radius server to authenticate like the
normal dialup?

2. If the user moves from one access point to another, i.e. from the Cisco
to the D-Link, is it necessary to authenticate again? If not, what changes
are needed in the Radiator server or the wireless setup?

I think these questions might be irrelevant to this mailing list, but
could someone point me to links which might help?
 
Thanks.
 
Rgds
Jai
 
 
 


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




RE: (RADIATOR) Time check item

2003-01-16 Thread Anton Krall
This is another way ... Nice.. That's what I like about radiator... It
lets you do the same thing using many methods.

I decided to go with the DB one I sent you because it will let the tech
support guys modify the plan attribs via the db.. 

Thx Hugh for the help.. As always!

__
Anton Krall
CEO 
Intruder Consulting
 
Email: [EMAIL PROTECTED]
Tel: (55)5233-9281 
Celular: (044)55-5105-5160 
ICQ#: 4979450
MSN: [EMAIL PROTECTED]
AIM: antonkrall
Web: www.intruder.com.mx
 
Outside Mexico
Tel: (+52)555-233-9281 
Celular: (+52)555-105-5160


%-Original Message-
%From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
%Sent: Thursday, 16 January 2003 04:19 p.m.
%To: Anton Krall
%Cc: [EMAIL PROTECTED]
%Subject: Re: (RADIATOR) Time check item
%
%
%
%Hello Anton -
%
%I would suggest you do something like this:
%
%
%# define AuthBy clauses
%
%AuthBy SQL
% Identifier  Normal
% DBSourcedbi:mysql:radius:localhost
% DBUsername  xxx
% DBAuth  xxx
%
% AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
%from SUBSCRIBERS \
%   where USERNAME=%0 and ACTIVE=1 and (PLAN=1 or PLAN=3 or PLAN=4)
%
% AuthColumnDef 0, User-Password, check
% AuthColumnDef 1, GENERIC, check
% AuthColumnDef 2, GENERIC, reply
%
% AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 
%255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,AscendClient-S
%econdary-DNS=200.52.66.125
%/AuthBy
%
%AuthBy SQL
% Identifier  Nocturno
% DBSourcedbi:mysql:radius:localhost
% DBUsername  xxx
% DBAuth  
%
% AuthSelect select PASSWORD \
%from SUBSCRIBERS \
%   where USERNAME=%0 and ACTIVE=1 and PLAN=2
%
% AuthColumnDef 0, User-Password, check
%
% AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 
%255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-S
%econdary-DNS=200.52.66.125,Session-timeout=until Time /AuthBy
%
%AuthBy FILE
%   Identifier CheckUsers
%   Filename %D/users.defaults
%/AuthBy
%
%.
%
%# define Realms or Handlers
%
%Handler 
%   AuthBy CheckUsers
%   .
%/Handler
%
%.
%
%
%Then the file users.defaults would look like this:
%
%# file users.defaults
%
%DEFAULTTime = Wk-0800, Auth-Type = Nocturno
%
%DEFAULTAuth-Type = Normal
%
%
%Please let me know how you get on.
%
%regards
%
%Hugh
%
%
%On Friday, Jan 17, 2003, at 02:30 Australia/Melbourne, Anton Krall 
%wrote:
%
% Hi Hugh
%
% Right now.. I have 2 Authbys:
%
% AuthBy SQL
% Identifier  Normal
% DBSourcedbi:mysql:radius:localhost
% DBUsername  xxx
% DBAuth  xxx
%
% AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
%from SUBSCRIBERS \
%   where USERNAME=%0 and ACTIVE=1 and (PLAN=1 or PLAN=3 or PLAN=4)
%
% AuthColumnDef 0, User-Password, check
% AuthColumnDef 1, GENERIC, check
% AuthColumnDef 2, GENERIC, reply
%
% AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 
% 
%255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,AscendClient-S
% econdary-DNS=200.52.66.125
% /AuthBy
%
% AuthBy SQL
% Identifier  Nocturno
% DBSourcedbi:mysql:radius:localhost
% DBUsername  xxx
% DBAuth  
%
% AuthSelect select PASSWORD \
%from SUBSCRIBERS \
%   where USERNAME=%0 and ACTIVE=1 and PLAN=2
%
% AuthColumnDef 0, User-Password, check
%
% Here is where I need the Time = Wk-0800
%
% AddToReply Framed-Protocol = PPP,Framed-IP-Netmask = 
% 
%255.255.255.0,Ascend-Client-Primary-DNS=216.110.167.160,Ascend-Client-
% S
% econdary-DNS=200.52.66.125,Session-timeout=until Time
% /AuthBy
%
% So that if a user has PLAN=2 on the SUBSCRIBERS db, he will 
%be thrown 
% into AuthBy SQL Nocturno and will only be able to login between  
% and 0800.
%
% __
% Anton Krall
% CEO
% Intruder Consulting
%
% Email: [EMAIL PROTECTED]
% Tel: (55)5233-9281
% Celular: (044)55-5105-5160
% ICQ#: 4979450
% MSN: [EMAIL PROTECTED]
% AIM: antonkrall
% Web: www.intruder.com.mx
%
% Outside Mexico
% Tel: (+52)555-233-9281
% Celular: (+52)555-105-5160
%
%
% %-Original Message-
% %From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
% %Sent: Thursday, 16 January 2003 01:27 a.m.
% %To: Anton Krall
% %Cc: [EMAIL PROTECTED]
% %Subject: Re: (RADIATOR) Time check item
% %
% %
% %
% %Hello Anton -
% %
% %As mentioned previously, the answer depends on what else you are 
% doing %in your configuration file and how you are going to recognise 
% and %process the radius requests. You can use Handlers or cascaded 
% AuthBy %clauses, it depends on what else is required. %
% %Please outline your requirements in more detail and I will 
%try to make

Re: (RADIATOR) Alcatel SMC proxy radius --Radiator issue (fwd)

2003-01-16 Thread Hugh Irvine

Hello Abel -

Your problem is due to your use of DefaultReply which only adds the  
attributes if there are *none* there already.

You should use AddToReply instead.

<AuthBy FILE>
        Identifier DBcustomer
        Filename %D/db/users-customer

        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP

        RejectEmptyPassword
        DefaultSimultaneousUse 1
</AuthBy>


regards

Hugh


On Thursday, Jan 16, 2003, at 23:37 Australia/Melbourne, Abel Lucano  
wrote:


Hi all,
I'm trying to debug the following:
One proxy-radius (Alcatel-SMC) that is forwarding radius authentication and
accounting packets to Radiator.

The whole conversation is configured to use 1645/1646 ports.

When Alcatel-SMC's proxy radius sends an access-request to Radiator,
the latter sees the packet coming from port 1800 or 4248(?); Radiator
returns this request from 1645 to port 1800 or 4248.

The SMC side claims that they are just receiving from Radiator the
Proxy-State (33 binary) attribute but they cannot see basic attributes 6 and
7 (Service-Type and Framed-Protocol), and then the ppp connection drops.

The basic Handler includes DefaultReply too and the rest is a very basic
working configuration talking with other systems

<AuthBy FILE>
        Identifier DBcustomer
        Filename %D/db/users-customer
        DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
        RejectEmptyPassword
        DefaultSimultaneousUse 1
</AuthBy>


Has anybody seen this kind of problem? (I've not found it searching the
list archives )


I'm including a tcpdump extract of the basic conversation
(sorry for the XXs, YYs and ZZs; I'm doing a consulting job for others and
they've not authorized me to show their data)


19:04:46.311731 200.XX.XX.XX.4248 > 200.YY.YY.YY.1645: rad-access-req 129 [id 11] Attr[ Proxy_state{} NAS_ipaddr{200.ZZ.ZZ.ZZ} NAS_port{65} NAS_port_type{Sync} User{prueba} [|radius]

19:04:46.381731 200.YY.YY.YY.1645 > 200.XX.XX.XX.4248: rad-access-accept 26 [id 11] Attr[ Proxy_state{} ] (DF)

19:05:43.641731 200.XX.XX.XX.4248 > 200.YY.YY.YY.1645: rad-access-req 127 [id 12] Attr[ Proxy_state{} NAS_ipaddr{200.ZZ.ZZ.ZZ} NAS_port{66} NAS_port_type{Sync} User{prueba} [|radius]

19:05:44.351731 200.YY.YY.YY.1645 > 200.XX.XX.XX.4248: rad-access-accept 26 [id 12] Attr[ Proxy_state{} ] (DF)

Thanks in advance,
Best regards


--- 
-
Abel Lucano
DECODE SA
Av Independencia 1355 2B
TE/FAX +5411 4383 1161
[EMAIL PROTECTED]




--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
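
Added example (not from the thread): a Python check that decodes an Access-Accept and reports which required attributes are missing, next to a model of DefaultReply and AddToReply as Hugh describes them in the message above. The packets are constructed (zeroed authenticator, 4-byte Proxy-State chosen so the reply is 26 bytes like the accepts in the capture), and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, PROXY_STATE = 6, 7, 33   # RFC 2865 attribute numbers
FRAMED_USER, PPP = 2, 1                                  # RFC 2865 values


def build_packet(code, ident, attrs):
    """Constructed test packet: header, zeroed 16-byte authenticator, then TLV attributes."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(packet):
    """Return (code, identifier, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def missing_from_accept(packet, required=(SERVICE_TYPE, FRAMED_PROTOCOL)):
    """List the required attribute numbers that an Access-Accept does not carry."""
    code, _ident, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    present = {atype for atype, _value in attrs}
    return [atype for atype in required if atype not in present]


def default_reply(reply, defaults):
    """Model of DefaultReply as described above: used only if the reply has no attributes yet."""
    return list(reply) if reply else list(defaults)


def add_to_reply(reply, extra):
    """Model of AddToReply: appended whatever the reply already holds."""
    return list(reply) + list(extra)


EXTRA = [(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
         (FRAMED_PROTOCOL, struct.pack("!I", PPP))]
ECHOED = [(PROXY_STATE, b"\x00\x00\x00\x01")]   # constructed Proxy-State echoed from the request

WITH_DEFAULT = build_packet(ACCESS_ACCEPT, 11, default_reply(ECHOED, EXTRA))
WITH_ADD = build_packet(ACCESS_ACCEPT, 11, add_to_reply(ECHOED, EXTRA))

if __name__ == "__main__":
    for label, packet in (("DefaultReply", WITH_DEFAULT), ("AddToReply", WITH_ADD)):
        print("%-12s %d bytes, missing attributes: %s"
              % (label, len(packet), missing_from_accept(packet)))
```
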




Re: Fw: (RADIATOR) radwho.cgi disconnect routine

2003-01-16 Thread Hugh Irvine

Hello Tunde -

I'm sorry but I don't have such a thing (and there doesn't appear to be 
anything in the goodies).

Can anyone on the list help?

regards

Hugh


On Thursday, Jan 16, 2003, at 21:57 Australia/Melbourne, Ayotunde 
Itayemi wrote:

Hi Hugh, Hi All, any takers please?
I think any implementation using SNMP should work.
What do you think Hugh.
 
Regards,
Tunde Itayemi.
 
- Original Message -
From: Ayotunde Itayemi
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 8:49 PM
Subject: (RADIATOR) radwho.cgi disconnect routine

Hi Hugh, Hi all,
 
Please does anyone have a session-disconnect program/script that can 
be hooked
to the radwho.cgi script that is compatible with Patton RASes?
 
Any ideas, help etc would be appreciated. Please if you are sending me 
a program
include the instructions for installation.
 
Regards,
TUnde Itayemi.
 


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Hugh Irvine

Hello Anton -

We have not tested the Colubris equipment here, but I see quite a bit 
of email on the list from people doing testing.

Does anyone have any comments for or against?

regards

Hugh


On Friday, Jan 17, 2003, at 09:20 Australia/Melbourne, Anton Krall 
wrote:

Guys.. I'm about to test a colubris cn3000 in about 1 week... Can you
send me your comments on the unit and how it handles?

Thx

__
Anton Krall
CEO
Intruder Consulting

Email: [EMAIL PROTECTED]
Tel: (55)5233-9281
Celular: (044)55-5105-5160
ICQ#: 4979450
MSN: [EMAIL PROTECTED]
AIM: antonkrall
Web: www.intruder.com.mx

Outside Mexico
Tel: (+52)555-233-9281
Celular: (+52)555-105-5160


%-Original Message-
%From: [EMAIL PROTECTED]
%[mailto:[EMAIL PROTECTED]] On Behalf Of engineering
%Sent: Thursday, 16 January 2003 02:50 p.m.
%To: [EMAIL PROTECTED]
%Subject: Re: (RADIATOR) Problems with Colubris CN3000
%
%
%Denis,
%
%We are encountering a very similar (if not the same) problem.
%We are also testing with a Colubris CN3000 and do not see the
%Colubris-AVPair attributes reaching the CN3000.  Our radiator
%logs do not display the Colubris-AVPair attributes at all.
%
%This is for Radiator 3.5.
%
%We went back to 3.3.1, and the Colubris-AVPair attributes
%seem to be getting through.  The Radiator logs and the
%Colubris logs both attest to this.
%
%
%Rodney Ebersole
%Abbco Inc.
%phone: (814) 234-9420
%eMail:   [EMAIL PROTECTED]
%IM:   rebersoleabbcoinc [AIM, MSN, YAHOO]
%
%
%
%- Original Message -
%From: Denis Beauchemin [EMAIL PROTECTED]
%To: Radiator [EMAIL PROTECTED]
%Sent: Thursday, January 16, 2003 12:01 PM
%Subject: (RADIATOR) Problems with Colubris CN3000
%
%
%Hello,
%
%We are testing a Colubris CN3000 802.1x wireless access point
%and are having some problems with it. (see
%http://www.colubris.com/en/products/public_access/CN3000/ for
%more info).
%
%The biggest one is the HTTP URLs that don't seem to be sent to
%(or accepted by) the unit.
%
%Here is what I have in radius.cfg (I am using Radiator 3.5):
%Client 132.210.X.Y
%Secret oursecret
%Identifier  colubris
%/Client
%Handler Client-Identifier=colubris
%MaxSessions 1
%WtmpFileName %L/wtmp
%AcctLogFileName %L/accounting
%#   PasswordLogFileName %L/password.log
%AuthBy DBFILE
%AutoMPPEKeysYes
%AddToReply  Service-Type = Framed-User,\
%MS-MPPE-Encryption-Policy = Encryption-Allowed,\
%MS-MPPE-Encryption-Types = Encryption-Any,\
%Framed-Protocol = PPP,\
%Framed-IP-Netmask = 255.255.255.255,\
%Framed-Routing = None,\
%Framed-MTU = 1500,\
%Colubris-AVPair =
%login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/
%login.jsp?log
%inurl=%l,\
%Colubris-AVPair =
%session-page=https://somewhere.USherbrooke.ca:8443/java/colubr
%is/session.ht
%ml,\
%Colubris-AVPair =
%transport-page=https://somewhere.USherbrooke.ca:8443/java/colu
%bris/transpor
%t.html,\
%Colubris-AVPair =
%fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/
%fail.html,\
%Colubris-AVPair =
%logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif,\
%Colubris-AVPair =
%access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443,\
%Colubris-AVPair =
%access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80
%Filename %D/usersdb
%RcryptKey our key
%/AuthBy
%AuthLog Defaut
%/Handler
%
%This is what I added to dictionary:
%VENDOR Colubris8744
%VENDORATTR8744   Colubris-AVPair   0   string
%ATTRIBUTEColubris-AVPair   0   string
%
%The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
%
%Any ideas?  I'm pretty sure I made a mistake in one of
%Radiator's conf files.
%
%Thanks!
%--
%Denis Beauchemin, analyste
%Université de Sherbrooke, S.T.I.
%T: 819.821.8000x2252 F: 819.821.8045
%






--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




RE: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Vincent Hua
Hi, there,

I'm assuming all of you are using EAP-MD5 for authentication. We identified
the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking out
the source code, there were problems with the EAP_4.pm source code. Maybe the
programming team can tell us whether this is a blind spot in the design or a
failure in architecture?

I have the fix here for your reference. Other auth methods seem to be
fine.

Good luck!

==
Vincent Hua
Vice President Operations
Power2Roam Technologies Inc.
ISG InfoTech Systems Group Inc.
13988 Cambie Road, Suite 313 (2/F)
Richmond, BC, V6V 2K4
V:  +1 (604) 303 6881 ext. 101
F:  +1 (604) 303 6854
W:  www.Power2Roam.com  www.ISGGroup.com
ICQ: 196980 http://wwp.icq.com/196980


===
# EAP_4.pm
#
# Module for handling Authentication via EAP type 4 (MD5-Challenge)
#
# See RFCs 2869 2284 1994
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 2001 Open System Consultants
# $Id: EAP_4.pm,v 1.9 2002/11/07 04:10:47 mikem Exp $

package Radius::EAP_4;
use strict;

#
# request
# Called by EAP.pm when a request is received for this protocol type
sub request
{
    my ($classname, $self, $context, $p, $data) = @_;

    return ($main::ACCEPT);
}

#
# Called by EAP.pm when an EAP Response/Identity is received
sub response_identity
{
    my ($classname, $self, $context, $p) = @_;

    $context->{md5_challenge} = Radius::Util::random_string(16);
    my $message = pack('C a16 a*',
                       16,  # MD5 challenge length
                       $context->{md5_challenge},
                       $main::hostname);
    $self->eap_request($p->{rp}, $context,
                       $Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message);
    return ($main::CHALLENGE, 'EAP MD5-Challenge');
}

#
# Called by EAP.pm when an EAP Response (other than Identity)
# is received
# $id is the id of the received EAP response
sub response
{
    my ($classname, $self, $context, $p, $type, $typedata) = @_;

    # This should be a response to a challenge
    # we sent previously. The challenge is cached
    # in the challenges array, indexed by
    # challenge_id. The response should be the MD5 hash
    # the challenge_id, the password, the challenge
    my ($length, $response, $username) = unpack('C a16 a*', $typedata);

    # OK, now we need the user details to check the password
    my ($user, $result, $reason) = $self->get_user($context->{identity}, $p);
    if ($user && $result == $main::ACCEPT)
    {
        my $correct_password = $user->get_check->get_attr('User-Password')
            || $user->get_check->get_attr('Password');
        my $correct_response = Digest::MD5::md5
            (chr($context->{this_id}) .
             $correct_password . $context->{md5_challenge});

        if ($correct_response eq $response)
        {
            $self->eap_success($p->{rp}, $context);
            # add extra reply attributes for user   <==   NEXT LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
            $self->authoriseUser($user, $p);
            $self->adjustReply($p);
            return ($main::ACCEPT);
        }
    }
    $self->eap_failure($p->{rp}, $context);
    return ($main::REJECT, 'EAP MD5-Challenge failed');
}

1;

=


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of engineering
Sent: January 16, 2003 12:50 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Problems with Colubris CN3000


Denis,

We are encountering a very similar (if not the same) problem. We are also
testing with a Colubris CN3000 and do not see the Colubris-AVPair attributes
reaching the CN3000.  Our radiator logs do not display the Colubris-AVPair
attributes at all.

This is for Radiator 3.5.

We went back to 3.3.1, and the Colubris-AVPair attributes
seem to be getting through.  The Radiator logs and the Colubris logs both
attest to this.


Rodney Ebersole
Abbco Inc.
phone: (814) 234-9420
eMail:   [EMAIL PROTECTED]
IM:   rebersoleabbcoinc [AIM, MSN, YAHOO]



- Original Message -
From: Denis Beauchemin [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 12:01 PM
Subject: (RADIATOR) Problems with Colubris CN3000


Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are having
some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more info).

The biggest one is the HTTP URLs that don't seem to be sent to (or accepted
by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):

<Client 132.210.X.Y>
    Secret oursecret
    Identifier  colubris
</Client>
<Handler Client-Identifier=colubris>
    MaxSessions 1
    WtmpFileName %L/wtmp
    AcctLogFileName 
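
The EAP-MD5 check that the `response` routine in the message above performs, and the difference the authorise step makes to the reply, as an added stand-alone Perl example (not Radiator code and not from any poster in this thread). The user table, hostname, EAP identifier, attribute value and the helpers `make_challenge`, `make_response` and `check_response` are all constructed for illustration.

```perl
# Added example, not Radiator code: an EAP-MD5 exchange and the
# authenticate-then-authorise ordering. All names and data are constructed.
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Constructed user record: a check item plus reply items (hypothetical values).
my %users = (
    alice => { password => 'wonderland',
               reply    => { 'Colubris-AVPair' => 'constructed-value' } },
);

# Server: type-data of an EAP Request/MD5-Challenge (value-size, value, name).
sub make_challenge {
    my ($hostname) = @_;
    my $challenge = join '', map(chr(int(rand(256))), 1 .. 16);  # demo RNG only
    return ($challenge, pack('C a16 a*', 16, $challenge, $hostname));
}

# Peer: the response value is MD5(EAP identifier . password . challenge).
sub make_response {
    my ($id, $password, $typedata, $name) = @_;
    my (undef, $challenge) = unpack('C a16', $typedata);
    return pack('C a16 a*', 16, md5(chr($id) . $password . $challenge), $name);
}

# Server: verify the response; reply items are copied only after success,
# and only if the authorise step runs ($authorise models that call).
sub check_response {
    my ($id, $identity, $challenge, $typedata, $authorise) = @_;
    my ($len, $response) = unpack('C a16', $typedata);
    my $user = $users{$identity};
    # No stored cleartext password means the hash cannot be checked: reject.
    return ('REJECT', {}) unless $user && defined($user->{password});
    return ('REJECT', {}) unless defined($len) && $len == 16 && length($response) == 16;
    my $expected = md5(chr($id) . $user->{password} . $challenge);
    return ('REJECT', {}) unless $expected eq $response;
    my %reply = $authorise ? %{ $user->{reply} } : ();
    return ('ACCEPT', \%reply);
}

my $id = 7;    # EAP identifier of the request (constructed)
my ($challenge, $request) = make_challenge('radius.example');
my $good = make_response($id, 'wonderland', $request, 'alice');
my $bad  = make_response($id, 'guess', $request, 'alice');

for my $case (['correct password, authorised', $good, 1],
              ['correct password, authorise skipped', $good, 0],
              ['wrong password', $bad, 1]) {
    my ($label, $typedata, $authorise) = @$case;
    my ($result, $reply) = check_response($id, 'alice', $challenge, $typedata, $authorise);
    printf "%-36s %-6s %s\n", $label, $result,
        join(', ', map("$_=$reply->{$_}", sort keys %$reply)) || '(none)';
}
```

The second case mirrors what this thread reports: the peer authenticates, but the accept carries none of the user's reply attributes.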

Re: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Hugh Irvine

Hello Vincent -

Many thanks for the patch. This is indeed a bug.

Mike will have a patch up on the web site in the next day or so (we  
will post a message to the list).

thanks again

regards

Hugh


On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua wrote:

Hi, there,

I'm assuming all of you are using EAP-MD5 for authentication. We identified
the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking out
the source code, there were problems with the EAP_4.pm source code. Maybe the
programming team can tell us whether this is a blind spot in the design or a
failure in architect?

I have the fix here for your reference here. Other auth methods seem to be
fine.

Good luck!

==
Vincent Hua
Vice President Operations
Power2Roam Technologies Inc.
ISG InfoTech Systems Group Inc.
13988 Cambie Road, Suite 313 (2/F)
Richmond, BC, V6V 2K4
V:  +1 (604) 303 6881 ext. 101
F:  +1 (604) 303 6854
W:	www.Power2Roam.com 	www.ISGGroup.com	
ICQ: 196980	http://wwp.icq.com/196980



(RADIATOR) WiFi - Business

2003-01-16 Thread queksteven

Hi All,

We are looking to provide Hotspot business but based on the current hotspot
models around we find no business case. I would appreciate it if someone could
share his/her opinions.

Best Regards


[This e-mail is confidential and may also be privileged. If you are not the
intended recipient, please delete it and notify us immediately; you should
not copy or use it for any purpose, nor disclose its contents to any other
person. Thank you.]


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR)

2003-01-16 Thread Ghazi, Bynoe





unsubscribe





Re: (RADIATOR) WiFi - Business

2003-01-16 Thread Hugh Irvine

Hello Steven -

You make an interesting point.

I'm looking forward to seeing other Radiator users' comments.

regards

Hugh





--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




RE: (RADIATOR) WiFi - Business

2003-01-16 Thread Vincent Hua
Dear Steven,

I read your posting in the Radiator mailing list.

We have a HotSpot business model and are deploying in North America, Hong Kong,
Macau, Mainland China and other countries in APEC.

Let me know exactly what you are looking for and I may be able to help you
out.

Cheers!

==
Vincent Hua
Vice President Operations
Power2Roam Technologies Inc.
ISG InfoTech Systems Group Inc.
13988 Cambie Road, Suite 313 (2/F)
Richmond, BC, V6V 2K4
V:  +1 (604) 303 6881 ext. 101
F:  +1 (604) 303 6854
W:  www.Power2Roam.com  www.ISGGroup.com
ICQ: 196980 http://wwp.icq.com/196980

Beijing Office
No. 1028 Huamao Building,
Chengxiang Trading Centre,
A-23 Fuxing Road, Haidian District
Beijing, China, 100036
Mobile: +86-1365-176-2774

Shanghai Office
Rm 6-F, Block 4, Lane 2328
Hongqiao Road, Changning District
Shanghai, China, 200336
Tel: +86-21-6262-7350
Fax: +86-21-6242-0439

IMPORTANT NOTICE: This message is for the named person's use only. It may
contain confidential, proprietary or legally privileged information. If the
reader of this message is not the intended recipient, or the employee or
agent responsible for delivering the message to the intended recipient, the
obligations of confidentiality/privilege are binding upon you. Furthermore,
you are hereby notified that any use, interference with, disclosure,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you receive this message in error, please immediately reply
to sender and delete all information from your system and server.






RE: (RADIATOR) Problems with Colubris CN3000

2003-01-16 Thread Vincent Hua
You are welcome, Hugh. Just figure we all should help each other. :-)

Regards,

Vincent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Hugh Irvine
Sent: January 16, 2003 4:37 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: 'engineering'; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Problems with Colubris CN3000



Hello Vincent -

Many thanks for the patch. This is indeed a bug.

Mike will have a patch up on the web site in the next day or so (we  
will post a message to the list).

thanks again

regards

Hugh

