[RADIATOR] Multi-Line Handler issues with 4.10

2012-07-02 Thread Aaron Holtz
Hello - I've noticed with 4.10 that you can no longer have multi-line 
Handler statements.

Under 4.9 something like this loads properly:

<Handler Called-Station-Id=/(7103925369|7105941010|\
563974|4445690321|3335774198)/, CHAP-Password=/[\w]+/>

Under 4.10 I'm getting:

Sun Jul  1 13:27:43 2012: ERR: Unknown keyword 'Handler' in 
/etc/raddb/test.cfg line 6


Is this a bug?  We have a fairly complex config file with several 
multi-line handlers and upgrading to 4.10 isn't going to be possible 
without having some seriously long Handler statements.

Thanks.

-
Aaron Holtz aho...@bright.net
Com Net, Inc.
-
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: (RADIATOR) Keeping only Acct-Statu-Type = Stop

2000-09-09 Thread Aaron Holtz

Wayne,

Use the following in your radius.cfg file:

<AuthBy ...>
  AccountingStopsOnly
</AuthBy>

I believe that should work - it does for me.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Sep 9, Wayne molded the electrons to say

I know that in 15.5 of the documentation it says that every
Accounting-Request regardless of the Acct-Status-Type is stored in the
log file. Is there any way of tossing the start and alive messages
generated by my cisco boxes ?  I need to have the messages in order to
keep track of the IP address in the online.db but if I could keep them
out of my log file this would cut my size in 1/3. If anyone has made
this change or could point me in the right direction that would be
great.

Wayne


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.






Re: (RADIATOR) Sim. use control by Ping

2000-06-15 Thread Aaron Holtz

I'm not sure that is correct.  If you look at the code, DeleteQuery runs
right before a new session is entered into the online database.  So if
your query includes removing the Framed IP from the database you should be
good to go.  Using the ping type and changing up your DeleteQuery should
keep your online database almost perfect.  The only instance where things
can get goofy are when a Stop packet is lost and the next user who gets
the Framed IP of the lost Stop packet user has their Start packet lost.
Just modify your DeleteQuery statement per Mike's previous suggestion and
you should be all set.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Jun 15, Clement molded the electrons to say

I downloaded 2.16.1 and checked the document.  It says "DeleteQuery" "is
executed whenever a user session finishes".  So this modification will
not work because the problem that we want to fix is a loss of the
account close packet.  And that sessions are not closed properly.

I suppose the change is to allow 2 SQL statements for "AddQuery".  One
like this to delete any pre-existing one.  And the normal one to create
the record.  This can be made the default as no 2 sessions should share
the same IP address or same NASID and NASPORT pair.


Mike McCauley wrote:
 The DeleteQuery gets run just before adding a new session. I wonder if the
 right thing is to alter the DeleteQuery so it deletes the IP address too:
 
 DeleteQuery delete from RADONLINE where (NASIDENTIFIER='%N' and
 NASPORT=0%{NAS-Port}) or FRAMEDIPADDRESS = '%{Framed-IP-Address}'
 
 Thoughts?
 
 Cheers.

Regards,

Clement
ANS Communications P/L
===
Post Addr:  P O Box 6626 Blacktown BC, NSW 2148
Tel: (02) 9552 1655 Fax: (02) 9972 2633
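
The lost-Stop case from this thread, replayed against an in-memory SQLite table. This is an added example, not Radiator code and not part of the original messages. The table is a constructed stand-in for RADONLINE, the port-only delete is an assumed baseline, and bound parameters stand in for Radiator's %-substitution.

```python
import sqlite3

# Constructed stand-in for the RADONLINE table; column names are those used in the thread.
SCHEMA = """create table RADONLINE (
    USERNAME text, NASIDENTIFIER text, NASPORT integer, FRAMEDIPADDRESS text)"""

ADD = "insert into RADONLINE values (:user, :nas, :port, :ip)"

# Assumed baseline: delete keyed on NAS and port only.
DELETE_BY_PORT = """delete from RADONLINE
    where NASIDENTIFIER = :nas and NASPORT = :port"""

# Variant proposed in the thread: also clear whoever held this Framed-IP-Address.
DELETE_BY_PORT_OR_IP = """delete from RADONLINE
    where (NASIDENTIFIER = :nas and NASPORT = :port)
       or FRAMEDIPADDRESS = :ip"""

# Constructed event streams: (kind, user, nas, port, ip, delivered).
# delivered=False models a packet lost between the NAS and the server.
LOST_STOP = [
    ("Start", "alice", "nas1", 1, "10.0.0.5", True),
    ("Stop",  "alice", "nas1", 1, "10.0.0.5", False),
    ("Start", "bob",   "nas1", 2, "10.0.0.5", True),
]

# The remaining gap described in the reply: the Stop is lost AND the next
# holder of the same address has their Start lost as well.
LOST_STOP_THEN_LOST_START = [
    ("Start", "alice", "nas1", 1, "10.0.0.5", True),
    ("Stop",  "alice", "nas1", 1, "10.0.0.5", False),
    ("Start", "carol", "nas1", 2, "10.0.0.5", False),
]


def replay(delete_query, events):
    """Apply accounting events to a fresh table and return the rows left behind."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    for kind, user, nas, port, ip, delivered in events:
        if not delivered:
            continue
        row = {"user": user, "nas": nas, "port": port, "ip": ip}
        # Per the thread, the delete runs just before a new session is added;
        # a Stop runs the delete alone.
        db.execute(delete_query, row)
        if kind == "Start":
            db.execute(ADD, row)
    rows = db.execute(
        "select USERNAME, NASPORT, FRAMEDIPADDRESS from RADONLINE order by NASPORT"
    ).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    for name, query in (("port only", DELETE_BY_PORT),
                        ("port or IP", DELETE_BY_PORT_OR_IP)):
        print(name, "| lost Stop:", replay(query, LOST_STOP))
        print(name, "| lost Stop + lost Start:",
              replay(query, LOST_STOP_THEN_LOST_START))
```

With the port-only delete, the stale row for the first user survives and would still count against a simultaneous-use limit; the IP clause removes it as soon as the address is seen again.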




Re: (RADIATOR) Sim. use control by Ping

2000-06-14 Thread Aaron Holtz

That makes pretty good sense.  As the one who added the
DeleteIPQuery code and made this suggestion earlier, the mod offered by
Mike allows you to modify the delete query without changing any internal
code.  No?   

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Jun 15, Mike McCauley molded the electrons to say

On Jun 15,  8:33am, Hugh Irvine wrote:
 Subject: Re: (RADIATOR) Sim. use control by Ping

 Hello Clement -

 On Wed, 14 Jun 2000, Clement wrote:
  Hi Mike and Hugh,
 
  Thank you very much for the new feature.  Most of the time, it works
  well.  However, we just come into a situation when the old IP was
  reallocated and the PING test just failed to tell.
 
  I think the solution is simple.  Before writing a new session record,
  remove any existing one with the same IP address.  This should be true
  in all situations.  An IP address just cannot be used by 2 or more
  connections at the same time.  For session data base using SQL, which we
  are, it may need only one SQL statement like this to do the job.
 
 delete from RADONLINE where FRAMEDIPADDRESS = 'new.ip.addr';
 
  Can you gentlemen make the change?  I think it can be a 2 minute job for
  you experts.

 This is exactly what one of our other customers has done - he added a
 "DeleteIPQuery" to the session database. We haven't yet included this in
 Radiator because we are concerned about the potential for the session
 database to become corrupted in some circumstances.

 I've forwarded your thoughts to Mike.
The DeleteQuery gets run just before adding a new session. I wonder if the
right thing is to alter the DeleteQuery so it deletes the IP address too:

DeleteQuery delete from RADONLINE where (NASIDENTIFIER='%N' and
NASPORT=0%{NAS-Port}) or FRAMEDIPADDRESS = '%{Framed-IP-Address}'

Thoughts?

Cheers.


 many thanks for your contributions

 regards

 Hugh

 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
 Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



-- End of excerpt from Hugh Irvine



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS X



(RADIATOR) 2.16 LogQuery and format_special not being expanded

2000-06-07 Thread Aaron Holtz

I'm setting up a custom LogQuery for my Log SQL function and it appears
that not all the % variables are getting expanded like I would expect
that they should.  Here is my config:

<Log SQL>
   Table radlog
   LogQuery insert into radlog values (%t, '%N', '%h', $p, $s)
   include %D/connections/logsql.remote.connection
   Trace 3
</Log>


Here is a snippet of the output:

*** Received from 205.212.1.1 port 1187 
Code:   Access-Request
Identifier: 140
Authentic:  1234567890123456
Attributes:
User-Name = "primus"
Service-Type = Framed-User
NAS-IP-Address = 205.212.1.1
NAS-Port = 1234
NAS-Port-Type = Async
Framed-IP-Address = 255.255.255.254
Password =
"164R196236p150219214Q{156237156187234229"


Fri Jun  2 12:56:58 2000: DEBUG: do query is: insert into radlog values
(959965018, '', 'radiator.comnetohio.com', 3, 'Access for \'primus\'
rejected: Bad Encrypted password')


%N should have no problem being expanded as there is a NAS-IP-Address
attribute.  Some other attributes don't show up either (%n, %U to name
two.)  I'm using radpwtst -gui to send this access packet.  Not sure why
these aren't getting expanded like they should.  It's as if the contents
of the packet are the ones that don't get expanded, just those variables
that are internal to the program (like the DbDir and hostname, etc.)   I
didn't see any docs on using LogQuery or caveats so maybe I'm missing
something here.  Thanks.


------
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--






(RADIATOR) Oddness with 2.16 and SessionDatabase Identifiers

2000-06-07 Thread Aaron Holtz

With 2.16 I'm seeing two things that don't seem to fit with the docs.
One is that the last database defined in the config is not
the one used as the default, it is the first one listed.  Second is that
the SessionDatabase item in the Handler sections are not being
honored.  Here is my config that is relevant:

<Handler Realm=/^mail.comnetohio.com/i>
    SessionDatabase MEMNULL
</Handler>

<Handler Realm="", User-Name=/^[a-z0-9\-\.]+$/>
    SessionDatabase SQLDB
    AuthByPolicy ContinueWhileReject
    <AuthBy SQL>
        AuthSelect
        AccountingTable detail
        .
</Handler>


<SessionDatabase SQL>
    Identifier SQLDB
    include %D/connections/sessiondb.remote.connection
    include %D/connections/sessiondb.queries
</SessionDatabase>

<SessionDatabase NULL>
    Identifier MEMNULL
</SessionDatabase>

Since NULL is listed last it should be the default.  But no matter what
query I send, it always uses the SQLDB Identifier (at least the debug  
output shows that is so and the query printed shows it is talking to   
the database):


Fri Jun  2 10:13:18 2000: DEBUG: Packet dump:
*** Received from 205.212.1.1 port 1186  
Code:   Access-Request
Identifier: 94
Authentic:  1234567890123456
Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-IP-Address = 205.212.1.1
NAS-Port = 1234
NAS-Port-Type = Async
Framed-IP-Address = 255.255.255.254
Password =
"164R196236p150219139Q{156237156187234229"

Fri Jun  2 10:13:18 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Fri Jun  2 10:13:18 2000: DEBUG: Rewrote user name to
[EMAIL PROTECTED]
Fri Jun  2 10:13:18 2000: DEBUG: Check if Handler
Realm=/^mail.comnetohio.com/i should be used to handle this request
Fri Jun  2 10:13:18 2000: DEBUG: Handling request with Handler
'Realm=/^mail.comnetohio.com/i'
Fri Jun  2 10:13:18 2000: DEBUG: SQLDB Deleting session for
[EMAIL PROTECTED], 205.212.1.1, 1234

Fri Jun  2 10:13:18 2000: INFO: Access rejected for
[EMAIL PROTECTED]:
Fri Jun  2 10:13:18 2000: DEBUG: do query is: insert into radlog
(TIME_STAMP, PRIORITY, MESSAGE) values (959955198, 3, 'Access rejected for
[EMAIL PROTECTED]: ')

Fri Jun  2 10:13:18 2000: DEBUG: Packet dump:
*** Sending to 205.212.112.1 port 1186   
Code:   Access-Reject
Identifier: 94
Authentic:  1234567890123456
Attributes:
Reply-Message = "Request Denied"


Now if I were to switch the position of NULL and SQLDB in the config file,
then NULL becomes the sole database used by all Handlers.  This is a fresh
unpack of 2.16 in its own directory.  I get no errors on startup.  But I
have noticed that order in the configuration file for some clauses is very
important.  For example: I get no debug output from the Log SQL clause
unless it appears BEFORE the SessionDatabase ... clauses.  Is there
something I should be watching out for?  My Log SQL option is as
follows:


<Log SQL>
   Table radlog
   include %D/connections/logsql.remote.connection
   Trace 3
</Log>


In my packet dump above you can see that it shows entering in the error
message to the sql log, but that line never shows up (nor does the log sql
query sent at radiusd startup) if Log SQL appears after the
SessionDatabase .. clauses in the config file.  Any input is  
appreciated.


------
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--






Re: (RADIATOR) How do I get a cisco as5300 to give me framed-ip-address in a start record

2000-03-25 Thread Aaron Holtz

Not sure of the version.  I know 2.14 and higher.  Check the Handler.pm
module for the word 'Alive'.  Also, it may be possible that you are
filtering out that packet before the update could occur in your
radius.cfg file - but I won't say that for sure.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Mar 25, Steve Lalonde molded the electrons to say

I already have this

aaa accounting update newinfo

but it does not update my online list

what version of radiator do i need to get this to work?

Steve Lalonde
Systems Manager
ENTANET International Ltd
I believe the technical term is "Oops!"


- Original Message -
From: "Aaron Holtz" [EMAIL PROTECTED]
To: "Steve Lalonde" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, March 25, 2000 4:02 PM
Subject: Re: (RADIATOR) How do I get a cisco as5300 to give me framed-ip-address in a start record


 It doesn't show up in the Start record as it hasn't been assigned yet by
 the Cisco (at the time the record is generated).  Add the following
 command to your aaa statements:

 aaa accounting update newinfo

 You will now get a second record (Called an Alive record, not a Start
 record).  Radiator understands this packet and will update your online
 databases and other things accordingly with the new information for the
 user. This packet is generated after ppp is negotiated and the user has
 their framed IP.

 ------
 Aaron Holtz
 ComNet Inc.
 UNIX Systems Administration/Network Operations
 "It's not broken, it just lacks duct tape."
 --

 On Mar 25, Steve Lalonde molded the electrons to say

 Hi all
 
 How do I get a cisco as5300 to give me framed-ip-address in an auth record
 like my 3com hipers do?
 
 the cisco is running 12.1.1
 
 
 here is a sample from the cisco
 
 Code:   Accounting-Request
 Identifier: 57
 Authentic:  2208T99230176207i*6141238n%
 Attributes:
 Client-Id = 192.168.115.1
 NAS-Port = 1
 Cisco-NAS-Port = "Async1"
 NAS-Port-Type = Async
 User-Name = "steve"
 Called-Station-Id = ""
 Calling-Station-Id = "xx"
 Acct-Status-Type = Start
 Acct-Authentic = RADIUS
 Service-Type = Framed-User
 Acct-Session-Id = "000E"
 Framed-Protocol = PPP
 Acct-Delay-Time = 0
 
 
 here's what i want (3com hiperarc)
 
 Code:   Accounting-Request
 Identifier: 239
 Authentic:  195B222-227MY208167241159"27185230233
 Attributes:
 User-Name = "000110"
 Client-Id = 192.168.110.1
 Acct-Status-Type = Start
 Acct-Session-Id = "117965522"
 Acct-Delay-Time = 0
 Acct-Authentic = RADIUS
 Service-Type = Framed-User
 NAS-Port-Type = ISDN
 NAS-Port = 1801
 USR-Modem-Training-Time = 1
 USR-Interface-Index = 3057
 Chassis-Call-Slot = 8
 Chassis-Call-Span = 1
 Chassis-Call-Channel = 9
 Unauthenticated-Time = 0
 Calling-Station-Id = ""
 Called-Station-Id = ""
 Modulation-Type = 0
 Simplified-MNP-Levels = synchronousNone
 Simplified-V42bis-Usage = none
 Connect-Speed = 64000-BPS
 Framed-Protocol = PPP
 Framed-IP-Address = 192.168.117.251
 VTS-Session-Key =
"j167j232234A131"221,}8167241158g"
 Call-Arrived-time = 133539306
 
 
 Framed-IP-Address is all i need but Connect-Speed would be nice too.
 
 this must be possible.
 
 Any ideas?
 
 
 
 TIA
 
 Steve Lalonde
 Systems Manager
 Entanet International Ltd.
 Do not meddle in the affairs of sysadmins, for they are
 easy to annoy and have the root password.
 
 
 
 
 
 



Re: (RADIATOR) Problems installing IpassPerl 1.5

2000-03-13 Thread Aaron Holtz

Gerald,

Try changing Makefile.PL to the following:

WriteMakefile(
    'NAME'         => 'Ipass',
    'DISTNAME'     => 'IpassPerl',
    'VERSION_FROM' => 'Ipass.pm', # finds $VERSION
    'LIBS'         => ["-L$ipass_lib -lip -lssl -lcrypto -lndbm"],
    'DEFINE'       => '',
    'INC'          => "-I$ipass_include",
    dist           => {
        COMPRESS => 'gzip -f',
        SUFFIX   => 'gz',
    },
    # You may need this on RedHat 6.1. See note above
    dynamic_lib    => {
        OTHERLDFLAGS => '-Xlinker -static'
    },
);


Then rerun perl Makefile.PL and make to see if that helps.  I had a
similar issue and this fixed it.

------
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Mar 13, Gerald Faerber molded the electrons to say

Hello,

when trying to install IpassPerl 1.5 we get the following error message.
Did anybody here already experience the same error? This is a RedHat 6.0
system, with Perl 5.005_03.

Kind Regards,
Gerald Faerber


# make test
PERL_DL_NONLAZY=1 /usr/bin/perl -Iblib/arch -Iblib/lib
-I/usr/lib/perl5/5.00503/i386-linux -I/usr/lib/perl5/5.00503 test.pl
1..6
Can't load 'blib/arch/auto/Ipass/Ipass.so' for module Ipass:
blib/arch/auto/Ipass/Ipass.so: undefined symbol: __srandom at
/usr/lib/perl5/5.00503/i386-linux/DynaLoader.pm line 169.

 at test.pl line 19
BEGIN failed--compilation aborted at test.pl line 19.
not ok 1
make: *** [test_dynamic] Error 255




Re: (RADIATOR) Framed-IP-Address on Radonline

2000-02-11 Thread Aaron Holtz

You need to add the following statement to your Cisco (and you may want to
have it send stop records only as this statement can basically replace
your Start record.):

aaa accounting update newinfo

This will include the Framed-IP after the PPP stream is started.  Since
you end up with 2 records with this statement, you can have the Cisco only
send Stop records and use this Alive record (as it will be called in the
logs) to get the info you want.  Radiator is built to handle these packets
and will update your radonline table with the information.


--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Feb 11, Tuncay MARGILIC molded the electrons to say

Hi there,

I am using version 2.14.1 with 5300 Network Access Servers. Users are
able to authenticate. Radiator also writes the stoponly accounting
information to the accounting table (including the FRAMED-IP-ADDRESS). But I
have a problem with radonline table, the FRAMED-IP-ADDRESS is not sent to
the insert statement. And I cannot see the IP addresses of the online users.
Do I have to do modifications on cisco side or is there a problem with my
Radiator or should I do something on the .cfg file to get every connected
user's IP with snmpget???


PS: the version of the snmpget is UCD-snmp version:4.0.1

Tuncay Margilic
Siemens Business Services - Turkey
System Administrator




-
<SessionDatabase SQL>
    DBSource dbi:Oracle:radora
    DBUsername radius
    DBAuth **
    AddQuery insert into RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
        ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
        SERVICETYPE) values \
        ('%U','%{NAS-IP-Address}',%{NAS-Port},'%{Acct-Session-Id}',\
        %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}','%{Framed-Protocol}')
</SessionDatabase>

-


-
AccountingStopsOnly
AccountingTable ACCOUNTING
   AcctColumnDef   USERNAME,User-Name
   AcctColumnDef   TIME_STAMP,Timestamp,integer
   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time
   AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
   AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
   AcctColumnDef   NASPORT,NAS-Port,integer
   AcctColumnDef   FRAMEDADDRESS,Framed-IP-Address
   AcctColumnDef   CALLERID,Calling-Station-Id
   AcctColumnDef   DATARATE,Ascend-Data-Rate,integer
   AcctColumnDef   XMITRATE,Ascend-Xmit-Rate,integer
   AcctColumnDef   CLIENTDNIS,Called-Station-Id
   AcctColumnDef   LOGDATE,Timestamp,integer-date

-



===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Re: Cisco update newinfo Question

2000-02-11 Thread Aaron Holtz

Well, what you don't know in a brand new Alive/Start packet is information
about lost Stop records.  Anything from the time of the lost record (which
may or may not be a big deal) to the radius accounting ID assigned to the
session (which again, may or may not be important.)   Radiator tries to be
self healing in that if a new person comes on and gets a modem of someone
in the database, it removes them and then inserts the new user.  Radiator
can also query the remote NAS unit to verify a user's connection and take
action from there.  Maybe you might want to check that out.  Although with
a little hacking, I'm sure a preclienthook or preauthhook could do a
little logic and magic on your radonline database and remove bad entries
to avoid contacting the NAS unit.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Feb 11, Lutfi YUNUSOGLU molded the electrons to say

Hi,
We have another problem which can be solved this way. But I'm not sure.
We have some POPs in different cities which are connected to our main
location with point to point leased lines. Sometimes because of telco
problems we lose connection to these POPs. At this moment if some user
disconnects of course we don't have the stop record. Is it possible to use
this setting (in such situation) to insert stop records to the accounting
table?

Regards
Lutfi Yunusoglu
Siemens Business Services
System Administrator 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Aaron Holtz
Sent: Friday, February 11, 2000 2:54 PM
To: Tuncay MARGILIC
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Framed-IP-Address on Radonline


You need to add the following statement to your Cisco (and you may want to
have it send stop records only as this statement can basically replace
your Start record.):

aaa accounting update newinfo

This will include the Framed-IP after the PPP stream is started.  Since
you end up with 2 records with this statement, you can have the Cisco only
send Stop records and use this Alive record (as it will be called in the
logs) to get the info you want.  Radiator is built to handle these packets
and will update your radonline table with the information.


------
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Feb 11, Tuncay MARGILIC molded the electrons to say

Hi there,

I am using version 2.14.1 with 5300 Network Access Servers. Users are
able to authenticate. Radiator also writes the stoponly accounting
information to the accounting table (including the FRAMED-IP-ADDRESS). But I
have a problem with radonline table, the FRAMED-IP-ADDRESS is not sent to
the insert statement. And I cannot see the IP addresses of the online users.
Do I have to do modifications on cisco side or is there a problem with my
Radiator or should I do something on the .cfg file to get every connected
user's IP with snmpget???


PS: the version of the snmpget is UCD-snmp version:4.0.1

Tuncay Margilic
Siemens Business Services - Turkey
System Administrator



-
<SessionDatabase SQL>
    DBSource dbi:Oracle:radora
    DBUsername radius
    DBAuth **
    AddQuery insert into RADONLINE (USERNAME,NASIDENTIFIER,NASPORT,\
        ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\
        SERVICETYPE) values \
        ('%U','%{NAS-IP-Address}',%{NAS-Port},'%{Acct-Session-Id}',\
        %{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}','%{Framed-Protocol}')
</SessionDatabase>

-


-
AccountingStopsOnly
AccountingTable ACCOUNTING
   AcctColumnDef   USERNAME,User-Name
   AcctColumnDef   TIME_STAMP,Timestamp,integer
   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time
   AcctColumnDef   ACCTTERMINATECAUSE,Ascend-Disconnect-Cause,integer
   AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
   AcctColumnDe

Re: (RADIATOR) OFF TOPIC: authentication for large-scale internet mail applications

2000-02-09 Thread Aaron Holtz

I believe Solaris 7 and 8 support ldap as a name service switch. Hence,
any system calls (getpwnam, getspnam, etc.) are passed to ldap and then to
anything else you've specified in /etc/nsswitch.conf   

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Feb 9, John Coy molded the electrons to say

Oh, I want to clarify that we're *not* on NT -- I'm using
Sun Solaris boxes (2.5.1 and 2.6) for RADIUS, sendmail, and
POP3 services.


At 08:17 AM 2/9/00 +0100, [EMAIL PROTECTED] wrote:
On Tue, Feb 08, 2000 at 06:53:30PM -0600, John Coy wrote:
  use Radiator for dial-up authentication.  I was wondering if
  there are solutions out there which integrate Radius (or LDAP,
  or whatever is the appropriate piece) along with Sendmail and
  POP3 services.  What I'm looking for is a way to distribute e-mail
  systems across multiple servers with a common authentication (and user
  directory) scheme.

we're using Radiator with mysql and qmail with a virtual domain addon
(www.inter7.com/vpopmail) that uses the same mysql database to store users
for receiving mail and authorizing pop. it shouldn't be a problem to use
vpopmail on more servers...
if you want to stick to NT... if i'm not mistaken, exchange supports LDAP
and so does radiator...

Ricardo.





Re: (RADIATOR) Cisco NAS-IP oddity

2000-02-01 Thread Aaron Holtz

Is this a multihomed router and/or does it have two paths out of the box
over to your radius server?  You can use the:
ip radius source-interface
command to force radius out a specific interface if that is the case.  I
haven't seen this in 11.3 IOS's or 12.x so far.  Though I get a TON of
'radius server dead/responding errors' from the version of 12 we've been
running.  Anyone else seeing this?  I know my radius servers are just
fine.  :-)

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Feb 1, tom minchin molded the electrons to say

Hi,
   This is not a Radiator question per se, has anyone experienced this
gruesome 'bug' with Cisco?

Tue Feb  1 00:30:00 2000: DEBUG: Packet dump:
*** Received from 203.23.1.184 port 1645 
Code:   Access-Request
Identifier: 114
Authentic:  O1721721784158129220160232$=135v173-
Attributes:
NAS-IP-Address = 203.23.1.183

   I'm pretty sure that Radiator would not be messing with the
NAS-IP-Address, as it's only a couple of the NAS'es which are affected
and they all reduce by one (ie 184 says it's 183). 

[EMAIL PROTECTED]




Re: (RADIATOR) Cisco 2511 - Not supplying allocated IP address to Radiator

1999-11-15 Thread Aaron Holtz

I'd say that is your problem.  If you don't log Start packets, I'm
guessing that Alive packets aren't processed either.  Anything but a Stop
is ignored (or acknowledged and then ignored.)  You'll need to remove that
statement to get those entries into your online db I believe.  Do you have
anything other than 2511's on this Realm that are logging to the radonline
db?

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Nov 15, Brian Morris molded the electrons to say

I understand,  but I am still not getting them into my radonline database.

Could it be because I have "AccountingStopsOnly" for this realm??

Thanks for the feedback.

Brian

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Aaron Holtz [EMAIL PROTECTED]; Brian Morris [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 15, 1999 4:29 PM
Subject: Re: (RADIATOR) Cisco 2511 - Not supplying allocated IP address to Radiator



 Hello Aaron and Brian -

 On Mon, 15 Nov 1999, Aaron Holtz wrote:
  Yes, I believe that the radiator code looks for the Alive packet as well
  as a Start packet just for this case.  Be sure you are running a newer
  version of radiator - I believe that 2.13 and up should support it, but
  don't quote me on that.
 

 if ($status_type eq 'Start' || $status_type eq 'Alive')
 {
     # Some Ciscos dont send accounting-on, so we will
     # detect a reboot with the first session (ID 0001)
     $sessdb->clearNas($nas_id, $p)
         if $session_id eq '0001';

     # Ciscos sometimes sends Alive. Use them to make _sure_
     # there is an entry in the database
     $sessdb->add($original_username, $nas_id, $nas_port, $p);


 Aaron is quite correct, here's the relevant code from Handler.pm (Radiator
 2.14.1).

 cheers

 Hugh

 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
 NT, Rhapsody







Re: (RADIATOR) Help! Static IP assignments not working!

1999-11-15 Thread Aaron Holtz

Jay,

What's in your file for the authby file?  Is it anything other
than the DEFAULT user?  Maybe you should drop the file and put everything
into the db.  Put replyattr's for just those users with special setups and
use something like this in your config:

DefaultReply \
Service-Type=Framed-User,Framed-IP-Address=255.255.255.254,\
Framed-IP-Netmask=255.255.255.255,Framed-MTU=1500,\
Framed-Compression=Van-Jacobson-TCP-IP


That way those without replyattr's in the db will get a default set.  
Then put everything that a special user would need in the db for just that
user. Also, I'd wonder if the quotes around the reply items in the db
aren't causing some issues. Maybe reput those items into your db without
the quotes.  On a Trace 4 is that testuser getting the right attributes in
the reply packet?


--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Nov 15, Jay West molded the electrons to say

My full configuration was included in a previous email about 'problems with
authbysql'.

I'm now having a problem with static IP addresses.

Note the file settings:
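mysql> select * from SUBSCRIBERS
    -> where Username='testuser';
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
| USERNAME | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR | REPLYATTR                                                                                   |
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
| testuser |          | NULL              | NULL      | Framed-IP-Address = "192.168.1.73",Framed-IP-Netmask = "255.255.255.252",Idle-Timeout = "0" |
+----------+----------+-------------------+-----------+---------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)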

And since I'm using authbysql followed by authbyfile with
continuewhileaccept this is important:
DEFAULT Service-Type = Framed-User
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

However, I've just verified that when this user (testuser) logs in, they're
getting assigned an IP address from a pool defined on the router (via
255.255.255.254) instead of the specific IP address listed in SUBSCRIBERS
(as well as a host route of 255.255.255.255 instead of the 252 above).

Help (and THANKS IN ADVANCE!)

Jay West






Re: (RADIATOR) Cisco 2511 - Not supplying allocated IP address toRadiator

1999-11-14 Thread Aaron Holtz

Brian,

Add:

aaa accounting update newinfo

You need 11.3 or higher if I'm not mistaken.  Cisco doesn't send the
Framed-IP-Address in the Start packet like some others do - however,
radiator will handle the Alive packet that the above command sends once
the user has authenticated PPP and has a Framed address.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Nov 15, Brian Morris molded the electrons to say

Hi All,

I have setup some Cisco 2511's to authenticate with Radiator and they are
all working fine, users can get on etc without any troubles at all.

However, the 2511 does not report the IP address it allocated to the user
into Radiator at all.  Other NAS's are working fine, so I suspect it is
something in the cisco 2511 config.

Has anyone else had this problem?  How would I fix it?

Config details follow...

Regards,  Brian Morris.


IOS 11.1.24

aaa new-model
aaa authentication login TELNET-USERS local
aaa authentication login no_radius enable
aaa authentication login consoleport none
aaa authentication ppp default if-needed radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting connection start-stop radius
aaa accounting system start-stop radius








Re: (RADIATOR) Cisco 2511 - Not supplying allocated IP addresstoRadiator

1999-11-14 Thread Aaron Holtz

Yes, I believe that the radiator code looks for the Alive packet as well
as a Start packet just for this case.  Be sure you are running a newer
version of radiator - I believe that 2.13 and up should support it, but
don't quote me on that.  

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Nov 15, Brian Morris molded the electrons to say

Thanks Aaron,

Yes, the alive packet does have the IP address, but unless I am mistaken
this does not get inserted into RADONLINE  which is what I would really
like.

Is there a way around this?



- Original Message -----
From: Aaron Holtz [EMAIL PROTECTED]
To: Brian Morris [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 15, 1999 1:31 PM
Subject: Re: (RADIATOR) Cisco 2511 - Not supplying allocated IP address toRadiator


 Brian,

 Add:

 aaa accounting update newinfo

 You need 11.3 or higher if I'm not mistaken.  Cisco doesn't send the
 Framed-IP-Address in the Start packet like some others do - however,
 radiator will handle the Alive packet that the above command sends once
 the user has authenticated PPP and has a Framed address.

 ------
 Aaron Holtz
 ComNet Inc.
 UNIX Systems Administration/Network Operations
 "It's not broken, it just lacks duct tape."
 --

 On Nov 15, Brian Morris molded the electrons to say

 Hi All,
 
 I have setup some Cisco 2511's to authenticate with Radiator and they are
 all working fine, users can get on etc without any troubles at all.
 
 However, the 2511 does not report the IP address it allocated to the user
 into Radiator at all.  Other NAS's are working fine, so I suspect it is
 something in the cisco 2511 config.
 
 Has anyone else had this problem?  How would I fix it?
 
 Config details follow...
 
 Regards,  Brian Morris.
 
 
 IOS 11.1.24
 
 aaa new-model
 aaa authentication login TELNET-USERS local
 aaa authentication login no_radius enable
 aaa authentication login consoleport none
 aaa authentication ppp default if-needed radius
 aaa authorization network radius
 aaa accounting exec start-stop radius
 aaa accounting network start-stop radius
 aaa accounting connection start-stop radius
 aaa accounting system start-stop radius
 
 
 
 
 



Re: (RADIATOR) Client-Id matching in Handler's not working

1999-10-29 Thread Aaron Holtz

Hugh,

I've discovered the problem - only Clients designated by a
<Client></Client> clause work - anything labeled as an IdenticalClients
does not work.  Example:

<Client 111.111.111.20>
    Secret pw
</Client>


That would match Client-Id for 111.111.111.20 whether it is with a regex
or direct.  However,

<Client 111.111.111.3>
    IdenticalClients 111.111.111.20
    Secret pw
</Client>


That would NOT match 111.111.111.20 because it isn't on the Client line.
Can a patch be made to include the IdenticalClients listed to work with
the Client-Id check item?  It seems practical that IdenticalClients 
should/could be subject to checks just like the listed Client IP's would
be.  Thoughts?

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Oct 29, Hugh Irvine molded the electrons to say


Hello Aaron -

On Thu, 28 Oct 1999, Aaron Holtz wrote:
 After making changes to match on Client-Id instead of Nas-IP-Address, I
 don't seem to be able to make any matches whether I do exact matches or a
 regex.  Trace 4 dump:
 

I have just tested this here with no problems. Note that the Client-Id check
item was added to Radiator 2.14.1. From the revision history:

   Added support for NasType and Client-Id check items 

   (http://www.open.com.au/radiator/history.html)

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody






Re: (RADIATOR) Client-Id matching in Handler's not working

1999-10-29 Thread Aaron Holtz

It won't match .20 because that is the ID of the nas unit sending the
information, so only 1 ip can be sending the packet.  IdenticalClients is
useful if you have a large number of dial-up boxes that all have the same
attributes (type, secret, etc.)   You'd fill up a file big-time with
<Client></Client> clauses otherwise.  Since I'm matching based on the ID
of the unit sending the request, it seems logical to be able to make a
match on it when I'm in my Handler's regardless of where I define it in
the configuration files.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--


On Oct 29, Jason Godsey molded the electrons to say



On Fri, 29 Oct 1999, Aaron Holtz wrote:

 Date: Fri, 29 Oct 1999 09:03:24 -0400 (EDT)
 From: Aaron Holtz [EMAIL PROTECTED]
 To: Hugh Irvine [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Client-Id matching in Handler's not working
 
 Hugh,
 
  I've discovered the problem - only Clients designated by a
 <Client></Client> clause work - anything labeled as an IdenticalClients
 does not work.  Example:
 
 <Client 111.111.111.20>
     Secret pw
 </Client>
 
 
 That would match Client-Id for 111.111.111.20 whether it is with a regex
 or direct.  However,
 
 <Client 111.111.111.3>
     IdenticalClients 111.111.111.20
     Secret pw
 </Client>

Will it match 111.111.111.3 even when they are dialed into .20?
If so, this is the behavior I'd want.  If you want to match .20, then
it's not identical to .3

Just my point of view.
Jason


 
 
 That would NOT match 111.111.111.20 because it isn't on the Client line.
 Can a patch be made to include the IdenticalClients listed to work with
 the Client-Id check item?  It seems practical that IdenticalClients 
 should/could be subject to checks just like the listed Client IP's would
 be.  Thoughts?
 
 ------
 Aaron Holtz
 ComNet Inc.
 UNIX Systems Administration/Network Operations
 "It's not broken, it just lacks duct tape."
 --
 
 
 On Oct 29, Hugh Irvine molded the electrons to say
 
 
 Hello Aaron -
 
 On Thu, 28 Oct 1999, Aaron Holtz wrote:
  After making changes to match on Client-Id instead of Nas-IP-Address, I
  don't seem to be able to make any matches whether I do exact matches or a
  regex.  Trace 4 dump:
  
 
 I have just tested this here with no problems. Note that the Client-Id check
 item was added to Radiator 2.14.1. From the revision history:
 
 Added support for NasType and Client-Id check items 
 
 (http://www.open.com.au/radiator/history.html)
 
 hth
 
 Hugh
 
 
 --
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
 NT, Rhapsody
 
 
 



Re: (RADIATOR) Fw: LDAP Request

1999-10-28 Thread Aaron Holtz

Are you authing' by SQL?  If so, setup a field in your db that is for
reply attributes.  Only fill in that field for the users who get something
special.  Then in your auth clause setup something like:

DefaultReply Service-Type=Framed-User,Framed-IP-Address=255.255.255.254,\
 Framed-IP-Netmask=255.255.255.255,Framed-MTU=1500,\
 Framed-Compression=Van-Jacobson-TCP-IP


Change your select statement and column definitions to:


AuthSelect select PW, REPLYATTRS from PASSWD where USERNAME='%n'
AuthColumnDef 0,Encrypted-Password,check
AuthColumnDef 1,GENERIC,reply



Now any user with no reply attributes (an empty field in your sql table)
will get the DefaultReply items.  However, anyone with something in the
REPLYATTRS field will get those instead.  Sure beats using flat text
files as everything is read on the fly.  There is an example of what
that REPLYATTRS field should look like in the radiator docs.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Oct 28, Steven E. Ames molded the electrons to say



 Would it be possible to modify the way that AuthLDAP handles reply
 attributes? Right now they are all listed in a single replyattr
 attribute. This is unwieldy for a lot of our tools and increases the
 complexity of the parsing.

 A better mechanism would be to handle them the same way as SQL is
 handled. Under SQL you can put up a statement such as:

 AuthColumnDef 2, Session-Timeout, reply

Following right behind on this topic... What's the best way to set
default values for reply attributes and then let a matching user record
override these defaults?

-Steve






(RADIATOR) getNasId() question/problem

1999-10-27 Thread Aaron Holtz

Hello - I've got a Handler that looks at the Nas-IP-Address to determine
what to do.  I've also got a bad nas that doesn't send Nas-IP-Address in
the access packet.  I used to have a preclienthook to set this up, but
that is now built into radiator.  I've put a log statement in the getNasId
and the last statement that is supposed to fix this is indeed working.
However, my Handler isn't being matched.   From Trace 4:


Wed Oct 27 12:25:27 1999: DEBUG: Packet dump:
*** Received from 111.111.49.2 port 1536 
Code:   Access-Request
Identifier: 181
Authentic:  r23198~#18~_e 4255_Yp
Attributes:
User-Name = "usera"
Password = "254a%G22510d218OW186!28159cT"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 9

Wed Oct 27 12:25:27 1999: DEBUG: Check if Handler
NAS-IP-Address=/111.111.(49|59).2/, Service-Type=Framed-User should be
used to handle this request

Wed Oct 27 12:25:27 1999: DEBUG: Check if Handler Realm="",
User-Name=/^[a-z0-9\-\.]+$/ should be used to handle this request

Wed Oct 27 12:25:27 1999: DEBUG: Handling request with Handler 'Realm="",
User-Name=/^[a-z0-9\-\.]+$/'



I have another similar Handler clause for a set of nas units that do send
the Nas-IP-Address in the access packet and they work as intended.
Any thoughts on why this may not be working?  This is version 2.14.1
For posterity here is my old PreClientHook - which I have not tried under
2.14.1 as of yet:


PreClientHook sub { \
    if (${$_[0]}->getAttrByNum(4) eq '')\
    {\
        my @l = Socket::unpack_sockaddr_in(${$_[0]}->{RecvFrom});\
        my $x = Socket::inet_ntoa($l[1]);\
        ${$_[0]}->addAttrByNum(4, $x);\
        ${$_[0]}->{CachedAttrs}{4} = $x;\
    }\
}


------
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--






(RADIATOR) Suggestion for changing SQL backoff behaviour

1999-10-14 Thread Aaron Holtz

I'd like to suggest a change in the way that SQL servers and backups are
treated in radiator.  What I'd like to see is the FailureBackoffTime
represent the amount of time that an SQL server is not to be contacted
again and the backup used.  As it stands now, if the primary server
doesn't respond, the backup SQL server is used until it times out and then
it moves back through the list of db's to contact.  The behaviour I'd like
to see is that the backup server is used when the primary doesn't respond
until FailureBackoffTime is reached - then the primary is recontacted.  
If it responds then the process starts over again.  Right now the
secondary/backup would take all requests forever or until it times out and
then the list is retried.  Since many db's have a cleanup routine where it
can become unavailable for a short amount of time this behaviour would
make more sense to me.  You could tune FailureBackoffTime to be around the
length of time your cleanup job takes so that the backup server would get
you through that period.  The main issue I've got is that you don't
really know that the requests are going to the secondary/backup server and
it may stay there for quite some time degrading performance (assuming that
your primary db is setup to give better response due to location, machine
type, etc.)  Thoughts?

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--






Re: (RADIATOR) IpassPerl 1.4 module errors

1999-10-11 Thread Aaron Holtz

Chris,

I had the same problem - it's because the Ipass libraries posted
on their site are NOT the ones that Mike used to create the module.  
Email Mike and he can hook you up with the latest Solaris and/or Linux
libraries and header files.  He is now authorized by Ipass to do so - I
needed them as well.  Again, the ones you get from Ipass (version 3.2 I
believe) will not allow the 1.4 module to compile.  I've got this working
now if you have any questions that I can help with.  I tried to get the
libs from Ipass themselves with no luck

--
Aaron Holtz
ComNet Inc.
UNIX Systems Administration/Network Operations
"It's not broken, it just lacks duct tape."
--

On Sun, 10 Oct 1999, Chris M wrote:

I'm getting the following errors when compiling on a RedHat 4.2 
system, can anyone provide any clues?

Thanks,
Chris

cc -c -I/usr/ipass/include -Dbool=char -DHAS_BOOL -O2 -DVERSION=\"1.4\" -DXS_VERSION=\"1.4\" -fpic -I/usr/lib/perl5/i386-linux/5.00404/CORE  Ipass.c
Ipass.xs: In function `XS_Ipass_remote_auth':
Ipass.xs:385: structure has no member named `nas_port_type'
Ipass.xs:387: structure has no member named `called_number'
Ipass.xs:389: `IPASS_MAXPHONELEN' undeclared (first use this function)
Ipass.xs:389: (Each undeclared identifier is reported only once
Ipass.xs:389: for each function it appears in.)
Ipass.xs:391: structure has no member named `calling_number'
Ipass.xs: In function `XS_Ipass_remote_auth_chap':
Ipass.xs:442: structure has no member named `nas_port_type'
Ipass.xs:444: structure has no member named `called_number'
Ipass.xs:446: `IPASS_MAXPHONELEN' undeclared (first use this function)
Ipass.xs:448: structure has no member named `calling_number'
Ipass.xs: In function `XS_Ipass_remote_acct':
Ipass.xs:512: structure has no member named `nas_port_type'
Ipass.xs:514: structure has no member named `called_number'
Ipass.xs:516: `IPASS_MAXPHONELEN' undeclared (first use this function)
Ipass.xs:518: structure has no member named `calling_number'




Re: (RADIATOR) radiator cgi script hosting

1999-08-24 Thread Aaron Holtz

Jay,

Yes, this is very doable if you are writing the online data into
an sql database.  If your database engine supports remote tcp/ip
connections, then you can edit the cgi scripts to provide the proper
username/password combination to talk to the radiator machine.  If you are
using the internal session database, then it would be pretty hard to get
that information as it is being saved in memory or on disk in a .db file.
An example of how to talk to a remote db follows (a snippet from the
radwho.cgi script):

$DBSource = 'dbi:Pg:dbname=passwd;host=remote.server.com';
$DBUsername = 'raduser';
$DBAuth = 'radPassword';


This would allow the radwho.cgi script to query the remote database on
remote.server.com using the username raduser and the password
radPassword.  You'll have to modify according to the db you are using.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--


On Tue, 24 Aug 1999, Jay West wrote:

There's a cgi program included in radiator that can be called from a
webbrowser to see who's currently online, etc. etc.

Is there any way that this cgi can be run on a different machine than the
radiator server? I hate mucking up my nice radius servers with web server
software when I have quite a few perfectly good web servers sitting next to
them. Is this possible and what (in general terms) is required?

Thanks in advance!!

Jay West





Re: (RADIATOR) script question

1999-08-10 Thread Aaron Holtz

Hmmm... in perl it shouldn't matter until it hits the ';'.  But how about
this?

$query = "UPDATE abacbill..logins set Password='$password' where
  UserName='$username' AND DialAccount = 1";
$sth = $dbh->prepare("$query");

I would think that would work.  Unless I'm mis-understanding the question
about it being multiple line...

------
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--


On Aug 10, Jamie Orzechowski molded the electrons to say

I have a script that will perform SQL commands via my unix machine .. the
problem is that I need to run a large (more than 2 line) SQL statement

I have the line:

$sth = $dbh->prepare("UPDATE abacbill..logins set Password='$password' where
UserName='$username' AND DialAccount = 1");

this is the actual statement ... anyone have any ideas how I can make this a
multiple line statement??

here is the script
---

#!/usr/bin/perl

$ENV{'SYBASE'}="/opt/sybase";
$ENV{'DSQUERY'}="rodopi";

use DBI;
$|=1;

$sql_data_source="dbi:Sybase:";
$sql_username="xxx";
$sql_auth="";

$dbh = DBI->connect($sql_data_source, $sql_username, $sql_auth);

open(OUTPUT,"output");
while(<OUTPUT>) {
  ($username,$password)=split;
  $sth = $dbh->prepare("UPDATE abacbill..logins set Password='$password'
where UserName='$username' AND DialAccount = 1");
  $rv = $sth->execute;
  if($rv) {
     print "+";
  }  else {
     print ".";
  }
  $sth->finish;
}
close(OUTPUT);

$dbh->disconnect || warn $dbh->errstr;



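
The script in this thread builds its UPDATE by interpolating $username and $password into the SQL text, so a password containing a single quote breaks or changes the statement. The same loop with a multi-line statement and bound placeholders follows as an added example; it is not code from the thread. It assumes DBI with DBD::SQLite, and the in-memory logins table and input lines are constructed stand-ins for the Sybase abacbill..logins table and the "output" file.

```perl
#!/usr/bin/perl
# Added example: bulk password update with bound parameters.
# Assumes DBI and DBD::SQLite are installed; the in-memory table stands in
# for the abacbill..logins table of the thread.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed schema and rows.
$dbh->do(q{
    CREATE TABLE logins (
        UserName    TEXT PRIMARY KEY,
        Password    TEXT,
        DialAccount INTEGER
    )
});
my $ins = $dbh->prepare('INSERT INTO logins VALUES (?, ?, ?)');
$ins->execute(@$_) for (['alice', 'old1', 1], ['bob', 'old2', 1], ['carol', 'old3', 0]);

# The statement spans several lines; Perl only cares about the closing
# delimiter. The ? markers are bound at execute time, so the values never
# become part of the SQL text. Preparing once outside the loop also avoids
# re-parsing the statement for every input line.
my $upd = $dbh->prepare(q{
    UPDATE logins
       SET Password = ?
     WHERE UserName = ?
       AND DialAccount = 1
});

# Constructed input in the "username password" layout the original loop splits.
my @lines = (
    "alice s3cret\n",
    "bob it's-quoted\n",   # the quote would terminate the string in interpolated SQL
    "carol ignored\n",     # DialAccount = 0, so no row matches
);

my ($changed, $unmatched) = (0, 0);
$dbh->begin_work;
for my $line (@lines) {
    my ($username, $password) = split ' ', $line, 2;
    next unless defined $password;
    chomp $password;

    # execute returns the affected row count, or "0E0" when nothing matched.
    my $rows = $upd->execute($password, $username);
    if ($rows > 0) { $changed++;   print "+" }
    else           { $unmatched++; print "." }
}
$dbh->commit;
print "\nupdated=$changed unmatched=$unmatched\n";

my $all = $dbh->selectall_arrayref(
    'SELECT UserName, Password FROM logins ORDER BY UserName');
print join(' => ', @$_), "\n" for @$all;

$dbh->disconnect;
```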



Re: (RADIATOR) Wishlist: command line utilities

1999-06-10 Thread Aaron Holtz

Well the drivers used to talk to the db's are perl modules.  This could be
done as a command line utility and maybe a little ncurses programming
would make it feasible.  I suppose you could always use 'lynx' from the
unix side to access those web utilities from a console.  ;-)  I've done
some heavy duty radiator stuff, including incorporating the error logs and
db search utilities into our tech support software.  Makes it quite nice
for a tech to see if a user is online as well as why they haven't been
getting connected!  It helps if you know perl and I'm afraid I'm not sure
how well my perl scripts would port to NT (I shudder at the thought.)


--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--


On Jun 10, Felix Izquierdo molded the electrons to say


Hi Radiators!

My wishlist for the next version: command line utilities, in special
versions of radwho and radacct. I know that is trivial to adapt
radwho.cgi in a command line version, but it would be better if it is
included with the distribution. Another beautiful utility that needs a
command line version is nasclear.cgi by Aaron Holtz, now in goodies
directory. 

I think that more Radiator users feel the lack of this feature...

Cheers.

Félix
__
DATAGRAMA SERVICIOS INTERNET
C/ Acer 30Tlf: +34 3 223 00 98
08038 BARCELONA ( Spain ) Fax: +34 3 223 12 66
mailto:[EMAIL PROTECTED] http://www.datagrama.net
__




(RADIATOR) Using Log SYSLOG

1999-06-01 Thread Aaron Holtz

I've been trying to get this to work to no avail.  I'm trying to get
radiator to push its error logs to local0.  I've tried:

<Log SYSLOG>
   Facility LOG_LOCAL0
</Log>
<Log SYSLOG>
   Facility local0
</Log>
<Log SYSLOG>
   Facility LOCAL0
</Log>


all to no avail.  Using 'logger' I can send message to local0 just fine
and they get into the log as expected.  Any guesses?  syslog.ph exists as
does Sys::Syslog.  I don't have any errors in the normal radiator logfile
so I'm not sure why these aren't making it as expected. syslog.ph has:

unless(defined(&LOG_LOCAL0)) {
    sub LOG_LOCAL0 () {(16<<3);}
}
 
I also ran h2ph just to be sure...  Thanks.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--







(RADIATOR) A ton of these errors...

1999-05-12 Thread Aaron Holtz

I've been logging these errors every few seconds from only my 2511's.
They are all running at least 11.3(7).  I have a large number of 5200
and 5300's that are not generating these errors from what I can tell.  Has
anyone seen this before and know what could be the deal?  No idea where
this would come from - I doubt that it is radiator but there sure are a
lot of them.  Is it some type of update coming from the router?  Way odd.
We aren't getting a lot of calls and they occur at all hours of the day so
I'm wondering if it is something in the IOS or some type of update that is
getting sent to the radius server.  Just curious if anyone else has seen
this one.


Wed May 12 10:59:43 1999: INFO: Access rejected for ~!E: No such user

A trace 4 does indeed show that is the username passed along:

Wed May 12 08:29:35 1999: DEBUG: Packet dump:
*** Received from 1.1.1.1 port 1645 
Code:   Access-Request
Identifier: 202
Authentic:  191[h228179~1173Qr196Q222Jc
Attributes:
NAS-IP-Address = 1.1.1.1
NAS-Port = 14
NAS-Port-Type = Async
User-Name = "~!E"
Password =
"180206h254e223133149168141194199159168220253"





------
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--






(RADIATOR) Combatting a bad NAS...

1999-05-11 Thread Aaron Holtz

I have a NAS unit (An Osicom IQX - read: junk) that doesn't send the
NAS-IP-Address in the authentication packet.  Is there a down and dirty
way to pull that information out of the packet header and use it?  The
reason I ask is that I have a Handler based on NAS address that doesn't
work from this unit because of this missing information (this is confirmed
missing via a trace 4 dump of the authenticator packet.)   I believe I
saw something similar elsewhere in one of the radius modules, but wasn't
sure how/where I could implement this.  Thanks in advance.
Here is the packet dump:

Mon Apr 19 13:48:19 1999: DEBUG: Packet dump:
*** Received from 1.1.1.1 port 1611 
Code:   Access-Request
Identifier: 2
Authentic:  F725h13KCT157241436246317r
Attributes:
User-Name = "test"
Password = "178@.2330230224180R189$163.C(%"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 29


I see in Radius.pm that Socket::inet_ntoa($l[1]) can be the IP of the
sending unit.  Is there a place I can setup a test to see if during the
Access-Request phase the NAS-IP-Address is set and if not, make it from
the packet?  The information is there during the accounting phases but it
appears that Osicom is quite slow in implementing this change that we've
asked..  It doesn't *technically* violate the RFC but I believe it
suggests in all caps that the NAS ip be sent during this phase..

------
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--







(RADIATOR) Making a db call within Handler.pm

1999-03-25 Thread Aaron Holtz

Hello,

I'd like to add a db call in Handler.pm just before the session is
put into the radonline table.  Can anyone give me a hint of what I need to
do?   Basically during the Accounting phase I have some additional
information about the user that's in a db that I also want in the
radonline table.  I haven't had luck using class attributes or other ways,
so I thought this would work.  Basically I want to use the $name variable
(the username) and grab out the attributes from the subscribers db that I
need.  Then, along with the other info, I'll pass that information to the
$sessdb->add command.  I'm a bit confused, so any assistance or other
thoughts of how to get that information into the online db would be most
helpful.  If I modify this line in Handler.pm:

$sessdb->add($name, $nas_id, $nas_port, $p);

to include my extra entries, what other file(s)/areas need to be modified
to ensure it's added properly?  Thanks.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--







(RADIATOR) Answered my own question...

1999-03-25 Thread Aaron Holtz

... I figured out how to get my extra db information into the radonline
db.  After studying the code I see that in order to be able to use the
AddQuery structure, I need to get my value into the current packet.  Once
it passes through format_special then I can access it via %{value}
Once I figured that out, it wasn't a tough fix.  Thanks in advance.

--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--






Re: (RADIATOR) syncing multiple users files question...

1999-03-22 Thread Aaron Holtz

I use 'rsync' combined with 'ssh'.  This allows for secure transmission
between the servers and rsync is a more advanced version of rdist (plus it
uses the ssh stuff for security.)

rsync:

http://rsync.samba.org

ssh:

http://www.cs.hut.fi/ssh

--
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--


On Mar 22, Jay West molded the electrons to say

Greetings!

We have two radiator servers, each is independent but the configurations and
user files are identical. Our NAS is setup to query the first, and if there
is no reply to query the second. In this way, if one server fails the other
is available to respond.

Is there a slick neato way to sync up the users file between the two? It's a
pain to have to add new users in two places. We'd prefer to not have one
spot (like a remote SQL database, etc.) because this introduces a single
point of failure. The first method that comes to mind is setting up a cron
job to rcp or ftp the users file on one machine or the other. We're not
crazy about allowing rcp or ftp into our radius servers though... Is there
another method anyone has found?

Jay West
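
The rsync-over-ssh approach suggested in this reply, written out as an added example that is not part of the original thread: the secondary pulls the users file into a staging copy, rejects an empty or badly truncated transfer, and only then renames it over the live file. The host, account, paths, key file and the "at least half as many lines" threshold are all assumptions.

```shell
#!/bin/sh
# Pull the users file from the primary RADIUS server over ssh, sanity-check
# it, then swap it into place. Every name below is an assumed placeholder.
PRIMARY="${PRIMARY:-radsync@radius1.example.net}"  # hypothetical account@host
REMOTE_FILE="${REMOTE_FILE:-/etc/raddb/users}"     # assumed path on the primary
LOCAL_FILE="${LOCAL_FILE:-/etc/raddb/users}"       # assumed path on this server
SSH_KEY="${SSH_KEY:-/etc/raddb/sync_key}"          # dedicated key for this job only

# fetch_users STAGING: copy the remote file to STAGING via rsync over ssh.
# BatchMode stops ssh from prompting under cron; StrictHostKeyChecking makes
# the job fail rather than trust an unknown or changed host key.
fetch_users() {
    rsync -a --timeout=30 \
        -e "ssh -i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$PRIMARY:$REMOTE_FILE" "$1"
}

# users_file_sane NEW OLD: succeed only if NEW is non-empty and has at least
# half as many lines as OLD (guards against a truncated or wiped source).
users_file_sane() {
    new=$1
    old=$2
    [ -s "$new" ] || return 1
    [ -f "$old" ] || return 0          # first sync: nothing to compare against
    new_lines=$(wc -l < "$new")
    old_lines=$(wc -l < "$old")
    [ $((new_lines * 2)) -ge $((old_lines)) ]
}

# install_users NEW TARGET: validate NEW, then rename it over TARGET.
# The rename is atomic because the staging file sits in the same directory.
install_users() {
    users_file_sane "$1" "$2" || { rm -f "$1"; return 1; }
    chmod 600 "$1" && mv -f "$1" "$2"
}

# sync_users: the whole job, as it would be run from cron on the secondary.
sync_users() {
    staging="$LOCAL_FILE.new.$$"
    fetch_users "$staging" && install_users "$staging" "$LOCAL_FILE"
}

# Only touch the network when asked to: sh sync_users.sh --run
if [ "${1:-}" = "--run" ]; then sync_users; fi
```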





Re: (RADIATOR) Retrieving/Collecting Conection Parameter

1999-03-21 Thread Aaron Holtz

Richard,

I've tried getting connect speeds too using:

radius-server host xxx.xxx.xxx.xxx non-standard

with no success.  Another reader on this list said they had the Ascend
compatibility code working with connect speeds using the above line.
In order to get the IP in the start record, you'll need to do the
following:

aaa accounting update newinfo

This sends an "Alive" record (vs. Start or Stop record) right after they
start their PPP session that includes their IP address.  We've set things
up to not send Start records and I only deal with the Alive records.
Radiator is set up to handle the Alive record and will update your online
DB with the new information when it arrives.  Make sure you are using at
least 11.3 IOS.

------
Aaron Holtz
ComNet Inc.
UNIX Systems Specialist
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--


On Mar 21, Richard Cameron molded the electrons to say

First, I am new to this list and have been using Radiator since 10
Mar 99.  Our site uses a Cisco 5300 as a NAS, with IP address allocated
from a pool on the NAS.

I would like to be able to retrieve the IP address allocated at the
start of a session vice at the stop of the session - the allocated IP
address is not sent at the start.  As well, I would like to collect the
NAS receive and transmit speeds for the port.  Using TACACS+, the
receive and transmit speeds were sent with the end of session messages.

Any suggestions on how I can configure Radiator or the NAS to do
this?

Rich Cameron
Network Manager RMC





(RADIATOR) Anyone know....

1999-02-22 Thread Aaron Holtz

How to get the user's group ID during the accounting phase?  I don't think
it would be difficult.  I've made a small patch to radiator that makes
auth'ing out of /etc/shadow emulate /etc/passwd in that the $user->{Group}
hash is built during startup.  This allows me to track and test a user
for rejection based on their group ID in the password file in addition to
their entry in /etc/group.  I would also like to log into my sessionDB
their group ID as well. The problem I'm having (I think) is how to get the
hash value for the username to get the info out of the array that I want.
In Handler.pm (around line 467) I can't simply do as a test:

main::log($main::LOG_DEBUG, "This user's group is: $name->{Group}");

I get the error:  

Can't use string ("username") as a HASH ref while "strict
refs" in use at .

The 'username' is replaced with the person's username.  Anyone know how I
can turn that username into a proper hash value to get the information I
want?  I would think there is a subroutine to pack that username (if that
is the proper method) to get the info I want.  Any help is appreciated!
Thanks much.

------
Aaron Holtz
ComNet Inc.
Manager, Unix Systems Administration
Email:  [EMAIL PROTECTED]
"It's not broken, it just lacks duct tape."
--



