(RADIATOR) Authentication Failure Messages

2003-09-30 Thread DUFOUR Geoffrey
Hello,

We need to keep authentication failure information in our database. This
can of course be done with AuthLog SQL.

To make it simple, let's say that we have to handle things like an
account status (Active or Blocked) in the authentication process. This
can be easily done by :

AuthSelect select ... from ACCOUNT where USERNAME=%0 and STATUS =
'Active'

But if someone with correct Usr/Psw but blocked RADIUS account tries to
connect, it will of course result in the No such user failure message
instead of some dedicated failure message such as Account Blocked.

We could handle the Account Status check using check items and
AddToRequest parameter instead of using AuthSelect and then get
dedicated failure messages, but for other cases it is not that simple.

Ex.:

- For one account (usr/psw), multiple service subscriptions based on the
NAS-Port-Type attribute of the Access-Request and resulting in different
reply attributes.

- Accounts should be bound to several Access Servers (RADIUS clients).

We can handle this with proper data model and AuthSelect parameter but
we need dedicated authentication failure messages (ex : No subscription
for this service and Not allowed from this NAS) in case of correct
Usr/Psw.

I don't know much about PostAuthHook but I guess it may be the solution.

Any suggestions ?

Regards.

Geoffrey
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
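
Added example, not part of the original post and not Radiator code: a self-contained sketch of the lookup order that yields the dedicated failure reasons asked for above. It selects the account on USERNAME only, then checks password, status, NAS binding and subscription in turn. The SUBSCRIPTION and NASBINDING tables, the authenticate() function, the "Bad password" reason, the plain-text passwords and all rows are assumptions constructed for illustration.

```python
import hmac
import sqlite3

# Constructed schema and rows. Only ACCOUNT.USERNAME and ACCOUNT.STATUS come
# from the post; every other table, column and value is an assumption.
SCHEMA = """
create table ACCOUNT (USERNAME text primary key, PASSWORD text, STATUS text);
create table SUBSCRIPTION (USERNAME text, NASPORTTYPE text, REPLY text);
create table NASBINDING (USERNAME text, NASIP text);
insert into ACCOUNT values ('alice','pw1','Active'), ('bob','pw2','Blocked');
insert into SUBSCRIPTION values ('alice','Async','Framed-Protocol=PPP');
insert into NASBINDING values ('alice','192.0.2.10');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authenticate(db, username, password, nas_ip, nas_port_type):
    """Return (accepted, reason, reply); reason is what the failure log stores."""
    # Select on USERNAME only. Adding "and STATUS = 'Active'" here is what
    # turns a blocked account into "No such user".
    row = db.execute("select PASSWORD, STATUS from ACCOUNT where USERNAME=?",
                     (username,)).fetchone()
    if row is None:
        return (False, "No such user", None)
    stored, status = row
    # Password first, so the dedicated reasons below are only ever produced
    # for a correct Usr/Psw, as the post requires.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return (False, "Bad password", None)
    if status != "Active":
        return (False, "Account Blocked", None)
    if db.execute("select 1 from NASBINDING where USERNAME=? and NASIP=?",
                  (username, nas_ip)).fetchone() is None:
        return (False, "Not allowed from this NAS", None)
    sub = db.execute("select REPLY from SUBSCRIPTION where USERNAME=? "
                     "and NASPORTTYPE=?", (username, nas_port_type)).fetchone()
    if sub is None:
        return (False, "No subscription for this service", None)
    return (True, "", sub[0])
```

The reason string is meant for the failure log (AuthLog SQL in the post); what is sent back to the NAS in the reject is a separate decision.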


(RADIATOR) Rewrite username or Quintum configuration?

2003-09-30 Thread Richard Grantham
Hi List,

I've been looking at the hooks with regards to rewriting usernames but
I'm not getting much mileage in what I'm trying to achieve.

What I want to do is the opposite of stripping realms out of requests. 
If the username does not have a realm in it it will add the NAS IP
address as a realm instead.  This is for a calling card platform where
requests are made with the username given as [EMAIL PROTECTED]. 
Hopefully the following Perl function will illustrate what I want to do:

sub
{
    my $p = ${$_[0]};

    # Append the NAS IP address as the realm when the username has none
    my $username = $p->getUserName;
    if ($username !~ /\@/)
    {
        $username = $username . '@' . $p->get_attr('NAS-IP-Address');
    }
    return $username;
}

I want to do this because a customer wishes to use our calling card
platform with a Quintum which does not allow you to edit its IVR scripts
(and add the realm) and I don't want to write another load of handlers
when I can make the current ones more versatile.

If anyone else has a better idea or has experience getting Quintums to
authenticate as [EMAIL PROTECTED] it would be most welcome.  Being a
Cisco shop no-one here has had much use with them!

TIA

Richard


RE: (RADIATOR) Rewrite username or Quintum configuration?

2003-09-30 Thread Frank Danielson
How about using the DefaultRealm directive inside of the client clause for
the Quintum boxes? Something like this-

<Client 111.222.333.444>
    Identifier Quintum
    Secret somesecret
    DefaultRealm 111.222.333.444
    # Other client config
</Client>

<Client 111.222.333.555>
    Identifier OtherQuintum
    Secret somesecret
    DefaultRealm 111.222.333.555
    # Other client config
</Client>

DefaultRealm is documented in Section 6.5.2 of my Radiator 2.19 manual and
is used to add a realm to incoming requests that do not have a realm
specified.


Frank Danielson
[Infrastructure Architect]

voice:407.515.8633
fax:407.515.9001

ClearSky Mobile Media, Inc.
56 E. Pine St. Suite 200
Orlando, FL 32801
USA
 


(RADIATOR) NULL usernames in Radius Packets

2003-09-30 Thread Mahesh Neelakanta
Hello,
 We are seeing the following error in radiator.log:

Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE
(USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP,
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS)
values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003
16:56:20', 'DD MM  HH24:MI:SS'), '','Async',
'','2126823450','5000')': ORA-01400: cannot insert NULL into
(RADIUS.RADONLINE.USERNAME) (DBD ERROR: OCIStmtExecute)

From what we can tell, the RAS XX.XX.XX.XX is sending us start or stop
packets with no username. Is there something in the configuration (on
the radiator side or the ras, which is a lucent tnt) which could cause
this? My guess is that it is a RAS issue but we are not sure what/why
this is occurring.

mahesh


Re: (RADIATOR) NULL usernames in Radius Packets

2003-09-30 Thread Hugh Irvine
Hello Mahesh -

Unless you are using a RewriteUsername, Radiator does not do anything 
with the username. I suspect that the NAS is sending an empty username, 
but without seeing a copy of your configuration file (no secrets) and a 
trace 4 debug from Radiator showing what is happening it is not 
possible to say any more.

regards

Hugh


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.