(RADIATOR) Radius with MAC authentication
Hi all,

I need to authenticate users with Radiator, but if possible also detect the user's MAC and check it against a user--MAC database, and if it matches then the user will be OK. I know that the MAC address is not sent directly by the user, so is it possible to execute an external program after checking user/pass (like netstat IP -a, check the User--MAC, return a code OK, NOK) and then see if the user is OK and give the IP...?

Does anyone have any idea how to do that? As you can see, this MAC authentication is very good for doing a Token authentication. Let me know your opinion.

Thank you for all your help and time.

Best regards,
Fernando Martín
Dpto. Técnico
Interlinea 2000 Comunicaciones, S.A.
Gabiria, 2 - Edif. Servicios - Local X
20.305 Irún - Gipuzkoa
Telephone:(+34) 943 639698
Fax :(+34) 943 627340

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Little questions
Jason,

Thank you. I tried it and it worked. Now I have a C program that every 5 minutes sends

    .../perl radpwtst -s 194.224.12.17 -secret -user test -password test lograd.txt

and reads the lograd.txt file to see if I have a reply from my Radiator server. If not, it will send me an e-mail.

Thank you again.

Best regards,
Fernando Martín

At 06:28 1/02/00 -0800, you wrote:

On Tue, 1 Feb 2000, Fernando Martin wrote:

Date: Tue, 1 Feb 2000 12:28:07 GMT
From: Fernando Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Little questions

    <Client localhost>
        Secret mysecret
        DupInterval 0
    </Client>

Try using client 194.224.12.17, that does not equal localhost.. or you can add the keyword "same settings as this client" but I can't remember off the top of my head what that is.

I tried with:

1- /perl radpwtst -s localhost -secret mysecret -user fer -password fer --- It worked.
2- /perl radpwtst -s 194.224.12.17 -secret mysecret -user fer -password fer --- It did not work. It said "Bad authenticator" and no reply in accounting.
3- /perl radpwtst -s radius -secret mysecret -user fer -password fer --- where radius is 194.224.12.17 (hosts file) --- It did not work. The same "Bad authenticator" and no reply in accounting.

Why does it work with localhost and not with the IP or name? I am using 2.14.1 with patches over NT 4.0 SP5.

- I am using AcctColumnDef TIME_STAMP,Timestamp,integer-date but it only gives me something like this: Sep 3, 2000 13:12. That is, there are no seconds. I tried AcctColumnDef TIME_STAMP,%l,integer-date (or '%l',...) but nothing. I tried AcctColumnDef TIME_STAMP,Timestamp,Formatted-date ('.', '..'), but I do not have the format.pm to execute it. Where is it, where to place it, and does it work with MS SQL 7.0?

You should be able to install the TimeDate package directly from ActiveState. Have a look at section 4.1 in the reference manual, follow the instructions to log in to ActiveState with ppm and then type "install TimeDate".

Yes, it works. First, like you say, I must install DateTime from ppm, then I use formatted-date, Getdate() to write the date and time with seconds in my MS SQL 7.0 database.

OK. Thank you, Hugh, for all your help.

Best regards,
Fernando Martín
Dpto. Técnico
Interlinea 2000 Comunicaciones, S.A.
Gabiria, 2 - Edif. Servícios - Local X
20.305 Irún - Gipuzkoa
Telephone:(+34) 943 621033
Fax :(+34) 943 627340

Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
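The "Bad authenticator" result discussed in the thread above is what a RADIUS client reports when the reply was signed with a different shared secret than the one the client holds. The following is an added example, not part of the original thread and not Radiator or radpwtst code, of the RFC 2865 Response Authenticator check and User-Password hiding; the second secret is constructed and stands in for whatever other Client clause the server matched.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet) and packet[i + 1] >= 2:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs


def _xor_blocks(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, request_auth, hiding=True)


def unhide_password(hidden, secret, request_auth):
    return _xor_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def build_request(identifier, user, password, secret):
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_reply(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def verify_reply(reply, request, secret):
    """Client-side check; a False result is the 'Bad authenticator' case."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    (length,) = struct.unpack("!H", reply[2:4])
    if not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(client_secret, server_secret, user=b"fer", password=b"fer"):
    """Simulate one exchange; return (reply_verified, password_seen_by_server)."""
    request = build_request(129, user, password, client_secret)
    seen = unhide_password(parse_attrs(request)[USER_PASSWORD], server_secret, request[4:20])
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_reply(code, request, b"", server_secret)
    return verify_reply(reply, request, client_secret), seen
```

A monitoring probe like the one described in the thread should treat a failed authenticator check as a configuration fault (secret or Client clause mismatch), distinct from a server that does not answer at all.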
Re: (RADIATOR) Little questions
Hi Hugh,

First, thank you for your help. See below:

At 08:16 28/01/00 +1100, you wrote:

Hello Fernando -

Questions:

- Does Radiator 2.14.1 support different pools? How do I program it in the CFG file and reply attributes to do that? Actually I am using a FrameGroupAddress but I want to be able to program pools with short ranges and assign them to groups of users.

You can define multiple FramedGroupBaseAddress parameters for a client and then refer to them in your Framed-Group reply items. Have a look at section 6.4.7 in the Radiator 2.14.1 reference manual.

Yes, OK, I can have several FramedGroupBaseAddress but the problem is that it works by adding the NAS-Port to the last byte, and this is a problem because I want to have a short, closed pool, not an initial IP. In my case a user could come in on any NAS-Port and I want to assign a dynamic IP from my pool. Is it possible to use Radiator to assign IPs without using the NAS-Port? Why?

- How do I authenticate against a users FILE when the user is not in the MS SQL 7.0 database? Could you explain how to program it in the cfg file? I tried using a realm with AuthSQL and then AuthFILE but it does not work.

You will need to use an AuthByPolicy to link the AuthBy clauses:

    <Realm>
        AuthByPolicy ContinueUntilAccept
        <AuthBy SQL>
            DBSource
            DBUsername
            DBAuth
        </AuthBy>
        <AuthBy FILE>
            Filename
        </AuthBy>
    </Realm>

Have a look at section 6.19.1 in the reference manual.

OK, it works properly.

- How could I see the users that are connected at a given moment? I want to see the connected users: username, IP, time; any command app? Do I need a SQL table or a special cgi over NT...?

Yes, you can use SQL and a SessionDatabase together with "radwho.cgi". You will need to build a RADONLINE table in your database and then configure a SessionDatabase in your configuration file:

    <SessionDatabase SQL>
        DBSource
        DBUsername
        DBAuth
    </SessionDatabase>

Then edit and install the radwho.cgi script in your web server. Have a look at sections 6.6 and 12.0 in the reference manual.

OK, it works.

- How could I test remotely if the radius service is running properly? I want to use a command app to test the radius service and if it is blocked it must send an alarm. Any idea? Could I use radpwtst remotely, how?

Yes, simply specify the -s flag with the server address to radpwtst. Check section 8.0 in the reference manual.

I have in my cfg file:

    <Client localhost>
        Secret mysecret
        DupInterval 0
    </Client>

I tried with:

1- /perl radpwtst -s localhost -secret mysecret -user fer -password fer --- It worked.
2- /perl radpwtst -s 194.224.12.17 -secret mysecret -user fer -password fer --- It did not work. It said "Bad authenticator" and no reply in accounting.
3- /perl radpwtst -s radius -secret mysecret -user fer -password fer --- where radius is 194.224.12.17 (hosts file) --- It did not work. The same "Bad authenticator" and no reply in accounting.

Why does it work with localhost and not with the IP or name? I am using 2.14.1 with patches over NT 4.0 SP5.

- I am using AcctColumnDef TIME_STAMP,Timestamp,integer-date but it only gives me something like this: Sep 3, 2000 13:12. That is, there are no seconds. I tried AcctColumnDef TIME_STAMP,%l,integer-date (or '%l',...) but nothing. I tried AcctColumnDef TIME_STAMP,Timestamp,Formatted-date ('.', '..'), but I do not have the format.pm to execute it. Where is it, where to place it, and does it work with MS SQL 7.0?

You should be able to install the TimeDate package directly from ActiveState. Have a look at section 4.1 in the reference manual, follow the instructions to log in to ActiveState with ppm and then type "install TimeDate".

Yes, it works. First, like you say, I must install DateTime from ppm, then I use formatted-date, Getdate() to write the date and time with seconds in my MS SQL 7.0 database.

OK. Thank you, Hugh, for all your help.

Best regards,
Fernando Martín
Dpto. Técnico
Interlinea 2000 Comunicaciones, S.A.
Gabiria, 2 - Edif. Servícios - Local X
20.305 Irún - Gipuzkoa
Telephone:(+34) 943 621033
Fax :(+34) 943 627340
Re: (RADIATOR) Authentication over MS SQL 7.0
Hi Mike and Hugh,

First, thank you for your help. OK, as you say, ODBC is the best way in my case to authenticate against a MS SQL 7.0 server. Of course I first need to load (PPMinstall DBI and PPMinstall DBD-ODBC) and define a DSN. But I still have two questions:

I read the examples in /goodies, common_sql.cfg, freeside.cfg, interbiler.cfg and radp.cfg, and I cannot understand:

1- They do not have an AuthSelect. How must you configure your AuthSelect to properly authenticate a user against a MS SQL 7.0 database? I think you need to check if:
- The login exists.
- The check items are matched (User-password, Connect-Rate, Nas-Port-Type, Called-Station-id...).
- Get the reply items to give an IP, netmask, Frame-Protocol, etc.

Is something like this right:

    DBSource dbi:ODBC:radius
    DBUsername admrad
    DBAuth
    AuthSelect select PASSWORD, IP, Frame-Protocol /
        from USERSDB where /
        USERNAME='%n' and Connect-Rate='28800' and /
        Called-Station-id='943319100'

Sorry, but I cannot understand. You need to search (pass and check items) and get the reply items to send them to the NAS. Does anyone have an example?

2- And what about the database table? What fields does it need? I mean that I need to store check and reply items, don't I? How? Does anyone have an example?

Thank you again for your help.

Best regards,
Fernando Martín

At 12:23 19/01/00 -0500, you wrote:

On Jan 19, 10:13am, Hugh Irvine wrote:
Subject: Re: (RADIATOR) Authentication over MS SQL 7.0

Hello Fernando -

On Wed, 19 Jan 2000, Fernando Martin wrote:

Hi all,

I think this question has already been answered often, but I need some information. Currently I have an NT 4.0 SP5 with Radiator 2.14.1 (with patches 2.14.1) running properly, but I authenticate with a flat file. Because I have many users I need another way to do that, and I think MS SQL could be one of the best. I have read the manual, pages 82, 107.. and I know that:

- I need to install DBI (PPMinstall DBI).
- Then, find the right module/driver to connect to the database. In my case I think I need ODBC because my MS SQL server is on a different NT server from Radiator. So PPMinstall DBD-ODBC. Is that right? Is there another, better way? Maybe mSQL? Why? Is the ODBC connector stable?
- I need to create the database in the SQL server...
- I need to configure my radius.cfg to authenticate and also create a System DSN on my Radiator server (in my case DSN=Radius) to connect to the database.

    <Realm DEFAULT>
        PasswordLogFileName %L/%d-%m-%y-password.log
        AuthByPolicy ContinueAlways
        <AuthBy SQL>
            # Data to open database. DSN= radius
            DBSource dbi:ODBC:radius
            DBUsername admrad # login to connect
            DBAuth # pass to connect

Is it all OK up to this point?

            AuthSelect select PASSWORD from USERSDB where USERNAME='%n'

I do not know what I need to put here (select...) to properly authenticate a user and also check his check items (like Called-station-id, NAS-port, Acct-Status-Type, etc.) against the SQL. I think I need to configure my Radius database and table USERSDB with login, pass, and check items... How to do that? Any example?

            # This enables accounting
            AccountingTable ACCOUNTING
            AcctColumnDef USERNAME,User-Name
            AcctColumnDef TIME_STAMP,Timestamp,integer
            # etc
        </AuthBy>
    </Realm>

You are definitely on the right track with everything you mention above. The best place to start with SQL is in the goodies directory included in the Radiator distribution. You will find example SQL table definitions, SQL table creation scripts, and SQL configuration files. You can use these exactly as they are, or you can use them as a base from which to add your own extra features. Also have a look at the radius.cfg file in the main Radiator directory to see a very detailed and documented configuration file which includes various SQL definitions.

Also, if you are on NT, wanting to talk to SQL on another NT, then DBD-ODBC is the best way to go.

We usually prefer mysql to MS-SQL, but the ODBC connector to mysql on NT is still not terribly stable when used with Perl, so probably MS-SQL is best for you if you can afford it. I sent some patches to the mysql ODBC connector authors, but I don't know if they have been incorporated yet.

Cheers.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

-- End of excerpt from Hugh Irvine

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
(RADIATOR) Authentication over MS SQL 7.0
Hi all,

I think this question has already been answered often, but I need some information. Currently I have an NT 4.0 SP5 with Radiator 2.14.1 (with patches 2.14.1) running properly, but I authenticate with a flat file. Because I have many users I need another way to do that, and I think MS SQL could be one of the best. I have read the manual, pages 82, 107.. and I know that:

- I need to install DBI (PPMinstall DBI).
- Then, find the right module/driver to connect to the database. In my case I think I need ODBC because my MS SQL server is on a different NT server from Radiator. So PPMinstall DBD-ODBC. Is that right? Is there another, better way? Maybe mSQL? Why? Is the ODBC connector stable?
- I need to create the database in the SQL server...
- I need to configure my radius.cfg to authenticate and also create a System DSN on my Radiator server (in my case DSN=Radius) to connect to the database.

    ...
    <Realm DEFAULT>
        PasswordLogFileName %L/%d-%m-%y-password.log
        AuthByPolicy ContinueAlways
        <AuthBy SQL>
            # Data to open database. DSN= radius
            DBSource dbi:ODBC:radius
            DBUsername admrad # login to connect
            DBAuth # pass to connect

Is it all OK up to this point?

            AuthSelect select PASSWORD from USERSDB where USERNAME='%n'

I do not know what I need to put here (select...) to properly authenticate a user and also check his check items (like Called-station-id, NAS-port, Acct-Status-Type, etc.) against the SQL. I think I need to configure my Radius database and table USERSDB with login, pass, and check items... How to do that? Any example?

            # This enables accounting
            AccountingTable ACCOUNTING
            AcctColumnDef USERNAME,User-Name
            AcctColumnDef TIME_STAMP,Timestamp,integer
            # etc
        </AuthBy>
    </Realm>

I hope you can help me. Thank you for your time and help.

Best regards,
Fernando Martín
Dpto. Técnico
Interlinea 2000 Comunicaciones, S.A.
Gabiria, 2 - Edif. Servícios - Local X
20.305 Irún - Gipuzkoa
Telephone:(+34) 943 621033
Fax :(+34) 943 627340
(RADIATOR) Realm authentication problems
Hi all,

I have Radiator 2.13.1 with patches running over NT 4.0 SP3. My NAS is a PM3. I have defined a radius.cfg with two realms like this:

    ..
    # Realm Interlinea2000
    <Realm interlinea2000>
        PasswordLogFileName %L/%d-%m-%y-password.log
        <AuthBy FILE>
            FramedGroup 0
            Filename %D/users.ftf
        </AuthBy>
        AcctLogFileName %L/%d-%m-%y-detail.log
        AcctLogFileFormat %t %d %m %Y %n %a %{Acct-Status-Type} %{NAS-Port} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Connect-Rate} %{Connect-Info}
    </Realm>
    # Default Realm
    <Realm DEFAULT>
        PasswordLogFileName %L/%d-%m-%y-password.log
        <AuthBy FILE>
            # FramedGroupBaseAddress 0 (pool) is selected
            FramedGroup 0
            Filename %D/users.ftf
        </AuthBy>
        AcctLogFileName %L/%d-%m-%y-detail.log
        AcctLogFileFormat %t %d %m %Y %n %a %{Acct-Status-Type} %{NAS-Port} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Connect-Rate} %{Connect-Info}
    </Realm>
    ..

users.ftf has a user fer8:

    fer8 User-Password = "fer8"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

The problem is that I cannot get access with username fer8@interlinea2000 and password fer8. The system rejects me. But all seems to be OK!

With trace 4 we can see that:

    Tue May 4 09:26:01 1999: DEBUG: Packet dump:
    *** Received from 194.224.0.62 port 1028
    Code: Access-Request
    Identifier: 129
    Authentic: 187D2081721018322170;18617815624124013224
    Attributes:
        User-Name = "fer8@interlinea2000"
        User-Password = "w25230O147 189Y'G1281577g28m"
        NAS-IP-Address = 194.224.0.62
        NAS-Port = 41
        NAS-Port-Type = ISDN
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "943319101"
        Calling-Station-Id = "943639698"
    Tue May 4 09:26:01 1999: DEBUG: Handling request with Handler 'Realm=interlinea2000'
    Tue May 4 09:26:01 1999: DEBUG: Handling with Radius::AuthFILE
    Tue May 4 09:26:01 1999: DEBUG: Radius::AuthFILE looks for match with fer8@interlinea2000
    Tue May 4 09:26:01 1999: INFO: Access rejected for fer8@interlinea2000: No such user
    Tue May 4 09:26:01 1999: DEBUG: Packet dump:
    *** Sending to 194.224.0.62 port 1028
    Code: Access-Reject
    Identifier: 129
    Authentic: 187D2081721018322170;18617815624124013224
    Attributes:
        Reply-Message = "Request Denied"

So, it says:

    'Realm=interlinea2000'
    User-Name = "fer8@interlinea2000"
    INFO: Access rejected for fer8@interlinea2000: No such user

Why is the user fer8@interlinea2000, and not fer8? I think the system detects the realm interlinea2000, so it must then authenticate only user fer8. Is that right? How can I solve that? Any idea?

Thanks for your help and time.

Best regards,

PS: Sorry for my questions, too many this week, but I want to finish my Radiator configuration. We are very close :-)

Fernando Martin
Interlinea2000
http://www.i2000.es
Voz:(943)-621033
Fax:(943)-627340
(RADIATOR) several and short questions
Hi all,

I have Radiator 2.13.1 with patch running on an NT 4.0 SP3. My NAS is a PM3 from Lucent.

1- Log question: In my radius.cfg file I have:

    AcctLogFileName %L/%d-%m-%y-detail.log
    # log Format
    AcctLogFileFormat %t %d %m %Y %n %a %{Acct-Status-Type} %{NAS-Port} %{Acct-Input-Octets} %{Acct-Output-Octets} %{Connect-Rate} %{Connect-Info}

- How could I put %t in format HH:MM:SS? I think it is possible in Oracle, but with a log file?
- When a user connects with ISDN I have no information about speed (%{Connect-Rate} %{Connect-Info}); on the other hand, if a user connects by modem I have the following information: "24000 LAPM/V42bits". That is, %{Connect-Rate} does not do anything, and %{Connect-Info} is only for modem connections. Why? NAS problem?

2- Speed connection question: I have in my users file:

    fer5 User-Password = "fer5",Simultaneous-Use = 1,Connect-Rate = 28800
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

So I want to allow user fer5 one connection and not higher than 28800 bits. The problem is that:

- If user fer5 uses an ISDN connection the system allows him to connect. Why? I think Connect-Rate is not acceptable for my NAS. How to do that? I used trace 4 and nothing.

3- Simultaneous session: Also fer5 has one connection or session assigned. Problem:

- If fer5 connects by ISDN using 2 B channels (128k) the system allows him to do that, why?
- On the other hand, if fer5 connects by ISDN (B-64Kb) and tries to make a new modem connection with fer5, the system does not allow it. Is that right? Why does the modem session work and not ISDN?

I want to control sessions (only one per user) and speed (modem-ISDN). How to do that per user?

Thank you for your help.

Best regards,
Fernando Martin
Interlinea2000
http://www.i2000.es
Voz:(943)-621033
Fax:(943)-627340
(RADIATOR) Give a dynamic IP from a pool
Hi Mike,

Thank you. Now my Radiator 2.13.1 is working. I have several questions about the process of giving a dynamic IP:

1- If I configure this users file:

    fer User-Password = "fer"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254, -
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

then fer gets an IP from the NAS server (my NAS has a pool defined). Is that right? Sometimes it works but other times it does not. Why?

2- If I use:

    fer User-Password = "fer"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

and use FramedGroupBaseAddress 193.146.120.120, then fer gets an IP, but not 120 + Port. I think this is a problem with my NAS. It has two PRIs. If I do not use # FramedGroupBaseAddress 193.146.120.120, the system gets me an IP but I do not know how, I think from the NAS..

3- Finally, I think the best solution to my problems is to give a dynamic IP from a pool defined in the Radiator configuration. How to do that? How and where to define a pool? And how to configure the user's profile to get it? Could I define several pools?

Thank you for all your help and time.

Best regards,
Fernando Martin
Interlinea2000
http://www.i2000.es
Voz:(943)-621033
Fax:(943)-627340
(RADIATOR) Users file format with PM3
Hi all,

We are using Radiator 2.13.1 with patches over NT 4.0 SP3 and a PM3. With radpwtst it works.

1- We want to know the users file configuration that we need to give a dynamic IP (we know that we can give an IP depending on the PORT), using the PM3 client. I have the dictionary.livingston file with all the ATTRIBUTEs and VALUEs. I do not want to use the livingston users file. I want to define a new users file with the user's profile (IP assignment...). Could you send us a users file with this configuration? Something like this:

    Users:
    mikem4 Password = "fred"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

2- My radius.cfg is:

    Foreground
    LogStdout
    # log (detail, radius.pid, password.log, ...)
    LogDir ./rad/log
    # users (users, dictionary, ...)
    DbDir ./rad/bd
    DictionaryFile %D/dictionary.livingston
    # You will probably want to change this to suit your site.
    <Client localhostT>
        Secret mysecret
        # base IP
        # E.g. port=5 194.24.0.129+5
        FramedGroupBaseAddress 193.224.0.0.129
    </Client>
    # for PM3
    <Client 193.224.0.123>
        Secret mysecret
        FramedGroupBaseAddress 193.224.0.129
        DupInterval 0
    </Client>
    # others
    <Client DEFAULT>
        Secret mysecret
        FramedGroupBaseAddress 193.224.0.0.129
    </Client>
    <Realm DEFAULT>
        MaxSessions 1
        PasswordLogFileName %L/password.log
        <AuthBy FILE>
            Filename %D/users
        </AuthBy>
        # Log accounting to the detail file in LogDir
        AcctLogFileName %L/detail
        AcctLogFileFormat %User-Name %Acct-Status-Type %Acct-Session-Id
        WtmpFileName %L/wtmp
    </Realm>

I am using dictionary.livingston to access ATTRIBUTEs and VALUEs. Is it all right?

3- I have problems with AcctLogFileFormat %User-Name %Acct-Status-Type %Acct-Session-Id. I cannot write everything I want into the detail file. Only this, when fred authenticates:

    Detail:
    fredser-Name %Acct-Status-Type %Acct-Session-Id
    fredser-Name %Acct-Status-Type %Acct-Session-Id
    fredser-Name %Acct-Status-Type %Acct-Session-Id
    fredser-Name %Acct-Status-Type %Acct-Session-Id

I am using ATTRIBUTEs defined in the dictionary.livingston file. What is the right format?

4- If you have experience with Radiator and PM3, please let me know if you could help me.

Thank you for all your help and time.

Best regards,
Fernando Martin
Interlinea2000
http://www.i2000.es
Voz:(943)-621033
Fax:(943)-627340