Re: [RADIATOR] Radmin and Database
On 05/22/2013 12:30 AM, rohan.he...@cwjamaica.com wrote:

> Sample records below include one row per session (I haven't yet been able to do a proper conversion of epoch time to date for the START_TIME).

You are thinking of consolidating the start and stop records into one session record, did I understand correctly?

If so, I recommend using an external process, a cron job, database function, etc., to do this. This process or function could select all Stops, look up the respective start with Accounting-Session-Id and then create the combined record.

I think you could do this with a Radiator hook that does the consolidation when an Accounting-Request with Acct-Status-Type=stop is received. The downside here would be the need to create and debug the hook and especially the extra processing Radiator needs to do.

My choice would be to consider something that runs outside Radiator and does the session consolidation. I would also consider doing this fairly infrequently, maybe daily, if possible.

Thanks,
Heikki

> +-----------+-----------+---------------------+--------------------+-------------------+
> | USER_NAME | NAS_PORT  | ACCT_START_TIME     | ACCT_STOP_TIME     | ACCT_SESSION_TIME |
> +-----------+-----------+---------------------+--------------------+-------------------+
> | elclarke  | 805306450 | 0000-00-00 00:00:00 | Mar 1, 2013 01:11  | 729805            |
> | elclarke  | 805306450 | 0000-00-00 00:00:00 | Mar 6, 2013 09:03  | 460108            |
> | elclarke  | 805306450 | 1362578608          | Mar 12, 2013 03:33 | 498607            |
> | elclarke  | 805306450 | 1363077402          | Mar 16, 2013 12:01 | 375888            |
> | elclarke  | 805306450 | 1363467090          | Mar 21, 2013 14:53 | 428504            |
> +-----------+-----------+---------------------+--------------------+-------------------+
>
> On Tue, 21 May 2013 23:40:26 +0300 Heikki Vatiainen h...@open.com.au wrote:
>
>> On 05/21/2013 11:02 PM, rohan.he...@cwjamaica.com wrote:
>>
>>> Can Radmin work in an environment where Radiator writes a single record (containing both Start and Stop fields) to MySQL for each session as opposed to two records per session?
>>
>> Hello Rohan, can you provide an example? This might be possible by defining suitable SQL queries, but it's hard to say more.
>>
>> Thanks,
>> Heikki
>
> Rohan

-- 
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Radmin and Database
Hello Rohan -

You can do this more simply by only processing stop records and subtracting the Acct-Session-Time from the Timestamp to get the start time. This can be done directly in the SQL statement.

regards

Hugh

On 22 May 2013, at 17:11, Heikki Vatiainen h...@open.com.au wrote:

> You are thinking of consolidating the start and stop records into one session record, did I understand correctly?
>
> If so, I recommend using an external process, a cron job, database function, etc., to do this. This process or function could select all Stops, look up the respective start with Accounting-Session-Id and then create the combined record.

-- 
Hugh Irvine h...@open.com.au
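The stop-only derivation Hugh describes, combined with Heikki's Acct-Session-Id lookup of the matching Start, as an added example that is not code from this thread or from Radiator: it runs the consolidation query against a constructed in-memory SQLite copy of the accounting table (the column names and sample rows are assumptions, and SQLite's datetime() stands in for MySQL's FROM_UNIXTIME()), and reports how far a recorded Start differs from the derived one so that NAS clock skew or a lost Start is visible in the consolidated record.

```python
import sqlite3

# Constructed sample accounting rows (an assumption, not the data in the thread):
# Radiator writes one row per Accounting-Request. TIME_STAMP is the epoch time
# the request was received; ACCTSESSIONTIME is only present on Stop records.
SAMPLE_ROWS = [
    # USERNAME, NASPORT, ACCTSESSIONID, ACCTSTATUSTYPE, TIME_STAMP, ACCTSESSIONTIME
    ("elclarke", 805306450, "A1", "Start", 1362578608, None),
    ("elclarke", 805306450, "A1", "Stop",  1363077215, 498607),   # matches Start exactly
    ("elclarke", 805306450, "A3", "Start", 1363100000, None),
    ("elclarke", 805306450, "A3", "Stop",  1363110012, 10000),    # NAS clock 12 s off
    ("elclarke", 805306450, "A2", "Stop",  1363467090, 428504),   # Start never arrived
]

def load_sample_db():
    """In-memory SQLite stand-in for the MySQL accounting table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ACCOUNTING (USERNAME TEXT, NASPORT INTEGER,"
               " ACCTSESSIONID TEXT, ACCTSTATUSTYPE TEXT,"
               " TIME_STAMP INTEGER, ACCTSESSIONTIME INTEGER)")
    db.executemany("INSERT INTO ACCOUNTING VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return db

# Stops alone are enough: start = stop time - Acct-Session-Time (Hugh's point).
# The LEFT JOIN is Heikki's lookup of the Start by Acct-Session-Id; here it only
# feeds START_SKEW, the distance between the recorded Start and the derived one
# (NULL when no Start row exists). Duplicate Starts from NAS retransmits would
# duplicate a session in this join, so dedupe them first on real data.
CONSOLIDATE_SQL = """
SELECT s.USERNAME, s.NASPORT, s.ACCTSESSIONID,
       datetime(s.TIME_STAMP - s.ACCTSESSIONTIME, 'unixepoch') AS ACCT_START_TIME,
       datetime(s.TIME_STAMP, 'unixepoch')                     AS ACCT_STOP_TIME,
       s.ACCTSESSIONTIME                                        AS ACCT_SESSION_TIME,
       st.TIME_STAMP - (s.TIME_STAMP - s.ACCTSESSIONTIME)       AS START_SKEW
FROM ACCOUNTING s
LEFT JOIN ACCOUNTING st
       ON st.ACCTSESSIONID = s.ACCTSESSIONID
      AND st.USERNAME = s.USERNAME
      AND st.ACCTSTATUSTYPE = 'Start'
WHERE s.ACCTSTATUSTYPE = 'Stop'
ORDER BY s.TIME_STAMP
"""

def consolidate_sessions(db):
    """Return one dict per session: the single row Radmin would read instead of two."""
    cols = ["USERNAME", "NASPORT", "ACCTSESSIONID", "ACCT_START_TIME",
            "ACCT_STOP_TIME", "ACCT_SESSION_TIME", "START_SKEW"]
    return [dict(zip(cols, row)) for row in db.execute(CONSOLIDATE_SQL)]
```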
[RADIATOR] A way to verify that the number of failed attempts is less than 3 in the last 30 minutes
Hi,

We would like to block requests to our Active Directory if a wireless user has been rejected 3 times in the last 30 minutes. We have Cisco Wireless Controllers, Radiator and AD.

In a university environment a lot of our users have multiple wireless devices all authenticating through Radiator and AD. We have a password expiration delay of 6 months in AD. When the password expires for a user, the wireless devices of that user try to authenticate to the wireless network over and over until the AD account is locked. The account is locked for 30 minutes.

So if Radiator can do that, we would like to block authentication requests after 3 unsuccessful requests in the last 30 minutes before doing the AuthBy NTLM.

I presume we are not the only organization that faces this issue.

__
Pascal Beauregard
Telecommunications Analyst
Information Technology Services
Université de Sherbrooke
Tel.: 819-821-7770
Email: pascal.beaureg...@usherbrooke.ca
Re: [RADIATOR] Radmin and Database
Inline comments below.

On Wed, 22 May 2013 17:35:35 +1000 Hugh Irvine h...@open.com.au wrote:

> Hello Rohan -
>
> You can do this more simply by only processing stop records and subtracting the Acct-Session-Time from the Timestamp to get the start time. This can be done directly in the SQL statement.

Yes. I can get this accomplished using the SQL statement. I was also hoping to make Radiator do the conversion and add the start time (not epoch time) to the database. Is this at all possible?

> regards
>
> Hugh
>
> On 22 May 2013, at 17:11, Heikki Vatiainen h...@open.com.au wrote:
>
>> On 05/22/2013 12:30 AM, rohan.he...@cwjamaica.com wrote:
>>
>>> Sample records below include one row per session (I haven't yet been able to do a proper conversion of epoch time to date for the START_TIME).
>>
>> You are thinking of consolidating the start and stop records into one session record, did I understand correctly?

Correct.

>> If so, I recommend using an external process, a cron job, database function, etc., to do this. This process or function could select all Stops, look up the respective start with Accounting-Session-Id and then create the combined record.
>>
>> I think you could do this with a Radiator hook that does the consolidation when an Accounting-Request with Acct-Status-Type=stop is received. The downside here would be the need to create and debug the hook and especially the extra processing Radiator needs to do.
>>
>> My choice would be to consider something that runs outside Radiator and does the session consolidation. I would also consider doing this fairly infrequently, maybe daily, if possible.

Thanks. And what implication would this (start/stop records in one session) have on the setup of RADMIN?

Rohan Henry
Server Administrator
Cable And Wireless Jamaica
Phone (876) 936-4819
Mobile (876) 997-0729
Re: [RADIATOR] A way to verify that the number of failed attempts is less than 3 in the last 30 minutes
Could you log failed auth attempts to a database table (AuthLog SQL?) and, when a user connects, have an initial AuthBy that checks this table first, and if they have 3 auth failures in the last 30 minutes take the appropriate action. E.g. if AuthLog updates a table called authlog, then have an AuthBy that has a query equivalent to:

    SELECT Username
    FROM Radius.authlog
    WHERE Username = %0
      AND TIMESTAMP > (UNIX_TIMESTAMP(now()) - 1800)
    GROUP BY Username
    HAVING COUNT(*) >= 3

We do a similar thing but in reverse. If the user has had a certain number of failed auths in the day then any subsequent auth failures result in an automatic Access-Accept that puts them into a walled garden for an hour, which stops them hammering authentication with bad requests.

Jim.

On 22/05/2013 16:09, Pascal Beauregard wrote:

> We would like to block requests to our Active Directory if a wireless user has been rejected 3 times in the last 30 minutes. We have Cisco Wireless Controllers, Radiator and AD.
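Jim's check as an added example, not code from this thread or from Radiator: the window count runs against a constructed in-memory SQLite authlog (the table and column names are assumptions), and the gate returns True once the user has already hit the threshold, which is the decision an AuthBy placed in front of AuthBy NTLM would make. It also shows the window sliding: once the oldest reject ages out, the user is sent to AD again.

```python
import sqlite3

WINDOW_SECONDS = 1800   # the 30-minute AD lockout window from Pascal's mail
MAX_FAILURES = 3        # block before the attempt that would lock the AD account

# Constructed AuthLog rows (an assumption, not data from the thread): one row per
# authentication result, TIME_STAMP in epoch seconds, TYPE 0 = reject, 1 = accept.
# Column names are assumed, not Radiator's documented AuthLog SQL schema.
NOW = 1369238400
SAMPLE_AUTHLOG = [
    ("pbeaure", NOW - 3000, 0),   # reject, already outside the window
    ("pbeaure", NOW - 1500, 0),
    ("pbeaure", NOW - 900, 0),
    ("pbeaure", NOW - 60, 0),
    ("alice",   NOW - 120, 0),    # one reject only
    ("alice",   NOW - 100, 1),    # accept: must not count as a failure
]

def load_sample_db():
    """In-memory SQLite stand-in for the MySQL authlog table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AUTHLOG (USERNAME TEXT, TIME_STAMP INTEGER, TYPE INTEGER)")
    db.executemany("INSERT INTO AUTHLOG VALUES (?,?,?)", SAMPLE_AUTHLOG)
    return db

# Same shape as Jim's query: count this user's rejects inside the sliding window.
# 'now' is passed in rather than read from the clock so results are reproducible;
# the user name is a bound parameter (in a Radiator AuthBy SQL clause the %0
# special supplies the quoted user name instead).
COUNT_SQL = """
SELECT COUNT(*) FROM AUTHLOG
WHERE USERNAME = ? AND TYPE = 0 AND TIME_STAMP > ? - ?
"""

def recent_failures(db, username, now):
    """Number of rejects for username in the last WINDOW_SECONDS before now."""
    return db.execute(COUNT_SQL, (username, now, WINDOW_SECONDS)).fetchone()[0]

def should_skip_ad(db, username, now):
    """True when the request should be rejected locally instead of going to AD."""
    return recent_failures(db, username, now) >= MAX_FAILURES
```

MAX_FAILURES has to stay below the AD lockout threshold for the local block to help at all.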