(RADIATOR) MD5 crypt()..

2001-01-03 Thread Chris Keladis

Hi folks,

I'm a little unclear about encrypted passwords in a Radiator database.

I would like to MD5 encrypt all our user passwords.

I've been experimenting with Digest::MD5 and Crypt::PasswordMD5, and so
far only Crypt::PasswordMD5 gives me what i see as a 'true' MD5
password. (The salt beginning with '$1$').

I'm a little confused as to the standards regarding the salt, and if
Radiator will understand the MD5 hashed passwords i create.

Am i going about the issue the wrong way? How can i store well-encrypted
passwords in my database to be used for authentication?




Thanks,

Chris.


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
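
The `$1$` format asked about above, as an added example that is not part of the original post or of Radiator: an MD5-crypt string is `$1$`, a salt of up to 8 characters drawn from `[./0-9A-Za-z]`, another `$`, then a 22-character hash, and a check recomputes the hash using the salt taken from the stored string. It uses `unix_md5_crypt` from the Crypt::PasswordMD5 module named in the post; the helper names `new_salt`, `parse_md5_crypt` and `verify` and the sample passwords are illustrative assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswordMD5 qw(unix_md5_crypt);

# The 64 characters permitted in a crypt(3) salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build an 8-character salt from the kernel CSPRNG (hypothetical helper).
sub new_salt {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $bytes, 8) == 8 or die "short read from urandom";
    close($fh);
    # 256 is a multiple of 64, so the modulo introduces no bias.
    return join '', map { $SALT_CHARS[ord($_) % 64] } split //, $bytes;
}

# Split "$1$salt$hash" into (salt, hash); returns () for any other format.
sub parse_md5_crypt {
    my ($stored) = @_;
    return $stored =~ m{\A\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})\z}
        ? ($1, $2) : ();
}

# Recompute with the stored salt and compare without an early exit.
sub verify {
    my ($candidate, $stored) = @_;
    my ($salt) = parse_md5_crypt($stored) or return 0;
    my $computed = unix_md5_crypt($candidate, $salt);
    return 0 unless length($computed) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($computed, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Constructed sample: hash one password, then test a right and a wrong guess.
my $stored = unix_md5_crypt('test1', new_salt());
print "stored:  $stored\n";
print "correct: ", (verify('test1', $stored) ? 'accept' : 'reject'), "\n";
print "wrong:   ", (verify('test2', $stored) ? 'accept' : 'reject'), "\n";
```

The `$1$` scheme uses a fixed 1000 rounds of MD5 and its author declared it end-of-life in 2012; the same parse-and-recompute pattern applies to stronger crypt(3) schemes.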



(RADIATOR) Managing multiple realms.

2000-11-09 Thread Chris Keladis

Hi folks,

I am configuring my Radiator systems (2.16.1) with many realms as i have
different "business units" i want to authenticate from the same
database. (Oracle). (I also have many different  clauses,
whereby i want certain realms logging in from a certain place, to only
have successful access, bearing in mind all NASs are registered
's and i want to avoid someone hopping onto another network
using their login to access other networks they may not be supposed to).

I am using usernames of [EMAIL PROTECTED] and i have handlers
configured to authenticate the user when a 'hit' occurs on one of my
handler statements.

I would like the added security of dictating which NAS the user connects
from before i will give an Access-Accept response, otherwise generate an
Access-Reject.

I've got "NAS-IP-Address = 1.2.3.4" in my , which i haven't
tested yet, but i assume will do what i want.

What i am wondering is, would i have to do this if i have 50 NASs, all
in the Handler line?

Looking through the docs there is the Identifier keyword, but that says
it's not supported in the standard Radiator code, only in hooks, so i
can't 'group' them and refer to them by a keyword.

I guess this begs the question, if i can have multiline Handlers, and if
so, what would be the correct syntax for them?

Commas/Newline and/or backslashes?

Also, out of curiosity, how would i specify a wildcard in a handler
statement? Does it have the smarts to parse a network/bitmask? (or a
derivative thereof)




Thanks in advance,


Chris.





(RADIATOR) L2TP (VPDN) & Radiator.

2000-10-02 Thread Chris Keladis



Hi folks,

I'm attempting to configure "Per-User" Radius authentication for a VPDN i 
have here, using Radiator.

I am also rather new to Radiator, i have recently configured it to do basic 
authentication and it works quite well in that respect.

I am wondering if somebody can provide some guidance on how to configure 
radius.cfg to support "Per-User VPDNs" ? (Per-User = different vpdn 
attributes per user).

I've seen the sample 'users' file which describes the 'cisco-avpairs' 
needed for vpdn, and the FAQ lists a "realm-wide" configuration (for 
access-lists, but i could adapt it to vpdn)..

However to fulfill my goal i will need different attributes (mainly IP 
addresses), for each user, so a "realm-wide" configuration statement 
isn't what i'm looking for.

I'm not too clear on how Radiator parses what comes back from the database 
into the Radius reply.

If anyone has done this and has some example configurations it would be 
greatly appreciated.



Thanks,

Chris.






Re: (RADIATOR) (Oracle) SQL Timeouts..

2000-09-29 Thread Chris Keladis

David Lloyd wrote:

> I was just about to post the fix to this problem; we are using
> Solaris/Oracle.  The problem I think is in the way Solaris does
> alarm(0).  The solution is this:

Thanks for this David.

Merged your changes into my tree and it looks good, i'll leave it a while longer
just to make sure it stays up, but it definitely hasn't been timing out like it
used to.

I want to thank Mike & Hugh as well for recognizing the bug and attempting to
fix it on the same day, even without having my setup locally. Great work guys!
:)




Thanks again,

Chris.





(RADIATOR) (Oracle) SQL Timeouts..

2000-09-28 Thread Chris Keladis



Hi all,

I am having a rather peculiar timeout problem with Radiator authenticating 
from an Oracle SQL database..

Firstly, the details..

Solaris 2.6 (sparc) OS
Radiator 2.16.3
Oracle 8.0.5 (sparc)

perl 5.005_03
Digest-MD5 2.12
DBI 1.14
DBD Oracle 1.06
TimeDate 1.10


Install went fine, a 'make test' gave all OK's, Radiator starts up fine, 
and everything hums along..

However, when i use the radpwtest utility to throw a Radius request at it, 
(even a few requests in succession), it gives me an Accept or Reject 
response (based on if i gave it a correct or incorrect password), but about 
a minute after that, the radiusd process dies with "timeout at 
Radius/SqlDb.pm line 265." (Inside sub getOneRow).


A sample session (Trace 5, Sensitive information obfuscated):

# radpwtst -s x.x.x.x -secret mysecret -user test -password test1 -noacct
sending Access-Request...
Fri Sep 29 14:37:36 2000: DEBUG: Packet dump:
*** Received from x.x.x.x port 32838 

Packet length = 70
[...snipped]
Code:   Access-Request
Identifier: 156
Authentic:  1234567890123456
Attributes:
 User-Name = "test"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 User-Password = "[<222>h<159><193><30><222>14<254><172><209><234>(<127>J"

Fri Sep 29 14:37:36 2000: DEBUG: Check if Handler  should be used to handle this request
Fri Sep 29 14:37:36 2000: DEBUG: Handling request with Handler ''
Fri Sep 29 14:37:36 2000: DEBUG:  Deleting session for test, x.x.x.x, 1234
Fri Sep 29 14:37:36 2000: DEBUG: Handling with Radius::AuthSQL
Fri Sep 29 14:37:36 2000: DEBUG: Handling with Radius::AuthSQL
Fri Sep 29 14:37:36 2000: DEBUG: Query is: select password from subscribers where username='test'

Fri Sep 29 14:37:36 2000: DEBUG: Radius::AuthSQL looks for match with test
Fri Sep 29 14:37:36 2000: DEBUG: Radius::AuthSQL ACCEPT:
Fri Sep 29 14:37:36 2000: DEBUG: Access accepted for test
Fri Sep 29 14:37:36 2000: DEBUG: Packet dump:
*** Sending to x.x.x.x port 32838 
Code:   Access-Accept
Identifier: 156
Authentic:  1234567890123456
Attributes:

OK

[...after about 1 minute...]

  timeout at Radius/SqlDb.pm line 265.


I've used ansiCreate.sql to build the tables in Oracle, and this Radius 
server simply does pure authentication (as it's currently in testing, it's 
not doing any accounting or authorization)..

The database runs on the same machine as Radiator and uses IPC to 
communicate, tnsping shows ~0-10ms and that the database is alive.. The 
established session counter increments indicating connections by Radiator.


Here is the sample config i am currently using:

Foreground
LogStdout
LogDir  /logs
DbDir   .
# Use a lower trace level in production systems:
Trace   5

# You will probably want to change this to suit your site.

 Secret  mysecret
 DupInterval 0



 
 DBSource dbi:Oracle:mydb
 DBUsername  blah
 DBAuth  blahblah
 AccountingTable
 AuthSelect select password from subscribers where username='%n'
 



I've tried different Timeout settings in the .cfg (i've set it up to 120), 
but i suspect this is a DBI problem and that the Timeout setting will have 
no effect..


I've almost got it working, any help will be gratefully received! :)




Regards,

Chris.