Re: (RADIATOR) Trouble with SessionDatabase SQL
Hugh Irvine wrote:

Hi Fred - How's life? I'm sorry that we didn't see each other during my last visit to Paris - but maybe next time?

I certainly hope so! It's been a long time...

On Thursday 22 March 2001 04:50, Frederic Gargula wrote:

Hi all, I write again to this list to report a strange behavior: I want to limit simultaneous logins: each user can be logged on once at a time. [At the bottom, you can find interesting parts of my config file.]

I agree with you - it looks quite strange. Could you tell me what version of Radiator you are running? And could you also try to remove the AuthByPolicy from the Handler? As you only have a single AuthBy you shouldn't need the AuthByPolicy anyway.

Oh, sorry. I'm using Radiator 2.17.1 ;) I've removed the AuthByPolicy, which is useless as you said. (I had put it there because I hoped Radiator would not send an Access-Accept after the Access-Reject generated by the MaxSessions Exceeded state.) Without the AuthByPolicy clause, the result is the same: two answers (an Access-Reject due to MaxSessions, and then an Access-Accept due to the correct LDAP lookup). I will be very glad if I could find the way to have only one answer...

Regards,
--
Frederic Gargula
Systems Design Engineer
Easynet France

=== Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Trouble with SessionDatabase SQL
    AcctColumnDef TIME_STAMP,Timestamp,integer
    AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
    AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time,integer
    AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets,integer
    AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets,integer
    AcctColumnDef ACCTSESSIONID, Acct-Session-Id
    AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time,integer
    AcctColumnDef ACCTTERMINATECAUSE, Acct_Terminate-Cause,integer
    AcctColumnDef NASIDENTIFIER, NAS-Identifier
    AcctColumnDef NASPORT,NAS-Port,integer
    AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
    AcctColumnDef CALLERID,Caller-Id
</AuthBy>

<Handler Vendor-Specific=dialup,Request-Type = Access-Request>
    RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
    RejectHasReason
    SessionDatabase SDB1
    AuthByPolicy ContinueUntilReject
    MaxSessions 1
    AuthBy Auth_ldap_dialup
</Handler>

<Handler Vendor-Specific=dialup,Request-Type = Accounting-Request>
    RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
    AuthByPolicy ContinueAlways
    AuthBy Accounting1
</Handler>

<SessionDatabase SQL>
    DBSource dbi:mysql:x:x
    DBUsername x
    DBAuth x
    Identifier SDB1
</SessionDatabase>

--
Frederic Gargula
Systems Design Engineer
Easynet France
(RADIATOR) LDAP with MIMEBASE64 and MD5 trouble
Hi all,

I'm testing authentication with Radiator 2.17.1 on OpenLDAP 1.2.11 (each on a separate server, both on a private testing network), and I have trouble with MD5 encryption. On the LDAP server, passwords are stored in the form:

    {MD5}ZviHb9U7k5r2YaTNG6QuTA==

[this format is known as MD5 with MIME]

Following the documentation, and particularly sections 13.1.1 and 13.1.2, Radiator supports this encrypted format for both 'User-Password' and 'Encrypted-Password' check items. I've tried both, and I have:

- using 'User-Password':

    Tue Feb 6 10:19:12 2001: DEBUG: Handling with Radius::AuthLDAP2
    Tue Feb 6 10:19:12 2001: DEBUG: Connecting to 192.168.100.10, port 389
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got result for [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got userpassword: {MD5}ZviHb9U7k5r2YaTNG6QuTA==
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got idletime: 0
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got ippool: 1
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
    Tue Feb 6 10:19:12 2001: DEBUG: LDAP got iproutemetric: 2
    Tue Feb 6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 looks for match with [EMAIL PROTECTED]
    Tue Feb 6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password

- using 'Encrypted-Password':

    Tue Feb 6 10:50:25 2001: DEBUG: Handling with Radius::AuthLDAP2
    Tue Feb 6 10:50:25 2001: DEBUG: Connecting to 192.168.100.10, port 389
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got result for [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got userpassword:{MD5}ZviHb9U7k5r2YaTNG6QuTA==
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got idletime: 0
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got ippool: 1
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
    Tue Feb 6 10:50:25 2001: DEBUG: LDAP got iproutemetric: 2
    Tue Feb 6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 looks for match with [EMAIL PROTECTED]
    Tue Feb 6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password

I'm sure of my password, and I don't understand why Radiator still rejects my requests. I've seen many past posts in this mailing list, and I remember Robin Gruyters's one, on Jun 13 2000:

hi, Because we use in our LDAP for password md5 with MIME64 (userpassword={MD5}qP0OV/oViFka8YbFMWEWeg==) We had to make some changes in the Radius.pm file. Here is a patch:

--- Radius.pm Tue Jun 13 10:25:10 2000 +++ Radiusmd5.pmTue Jun 13 10:26:12 2000 @@ -708,6 +708,18 @@ # via Apache::AuthenRadius or similar $result = check_digest_password($user, $submitted_pw, $pw); } +elsif ($pw =~ /^{MD5}/) +{ +require MIME::Base64; +require Digest::MD5; +my $context = new MD5; +$context-reset(); +$context-add("$submitted_pw"); + +my $tmppw = "{MD5}" . MIME::Base64::encode_base64($context-digest()); +chomp($tmppw); +$result = ($tmppw eq $pw); +} else { # Just ordinary old plaintext, look for an exact match

I don't understand why he has to patch Radius.pm, because following the Class Hierarchy in section 17.5, AuthLDAP2 inherits from AuthGeneric. The {MD5} encryption appears nowhere else:

    morrison:/usr/local/src/Radiator-2.17.1/Radius$ grep "{MD5}" *
    AuthGeneric.pm:elsif ($pw =~ /^{MD5}/)
    AuthGeneric.pm: $cmp_pass = '{MD5}' . MIME::Base64::encode_base64($md5->digest());
    AuthGeneric.pm: $cmp_pass = "{MD5}" . $md5->hexdigest();

I've put my config file in attachment. Is the inheritance working? Does anyone have any idea for my trouble?

--
Frederic Gargula
Systems Designer
Easynet France

radius.cfg_ldap
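
Review bot: in the added elsif branch of the quoted Radius.pm patch, the code does "require Digest::MD5;" but then builds the context with "new MD5", which is the class name of the older MD5 module, so the branch depends on that module having been loaded somewhere else; construct the context as Digest::MD5->new so the require and the constructor agree. The reset() call on a freshly created context is redundant, and passing an empty end-of-line string as the second argument to MIME::Base64::encode_base64 would avoid the trailing newline and make the chomp unnecessary. The final "$tmppw eq $pw" only ever matches the base64 form, so a stored {MD5} value that carries a hex digest will never match in this branch.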
(RADIATOR) Authentication trouble
Hi,

I have a problem on my Radiator proxy servers. Sometimes, an accept-request that should invoke an Access-Reject receives an Access-Accept instead. I have noticed that when a fake Access-Accept is received, it's the same reply as one received a short time before. The two request/replies use the same Identifier and Authenticator. The two Access-Accepts are exactly the same. Let's see an example:

    Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
    *** Sending to 195.114.64.Y port 1645
    Code: Access-Request
    Identifier: 55
    Authentic: 2918y165|140Azb7=++250U136
    Attributes:
        Proxy-Action = "AUTHENTICATE"
        NAS-Identifier = "xxx"
        NAS-IP-Address = 192.168.xxx.xxx
        User-Name = "[EMAIL PROTECTED]"
        CHAP-Password = ""
        Called-Station-Id = ""
        Acct-Session-Id = "3e8d38a91b76e32c6047"
        NAS-Port-Type = Async
        NAS-Port = 20109
        User-Id = "hdantin"
        CHAP-Challenge = ""
        User-Realm = "easynet.fr"
        Service-Type = Framed-User
        Tunnel-Type = L2F
        Tunnel-Medium-Type = IP
        Proxy-State = 0
        Vendor-Specific = "Siris"

    Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
    *** Received from 195.114.64.Y port 1645
    Code: Access-Accept
    Identifier: 55
    Authentic: s4l1194177146{136*143'7237240
    Attributes:
        Service-Type = Framed-User
        Ascend-Idle-Limit = 0
        Maximum-Time = 1
        Framed-IP-Netmask = 255.255.255.255
        Ascend-Metric = 2
        Framed-Routing = None
        Framed-Protocol = PPP
        Reply-Message = "EASYSTART"

Ok, a dialup user was accepted. 7 seconds later in the logfile, I found:

    *** Sending to 195.114.64.Y port 1645
    Code: Access-Request
    Identifier: 55
    Authentic: ]}185~2102302612163s4216022163.
    Attributes:
        User-Name = "totocom-user"
        Service-Type = Without-Password
        NAS-IP-Address = 195.114.64.Z
        NAS-Port = 0
        Vendor-Specific = "Mail"

    Tue Feb 15 10:25:35 2000: DEBUG: Packet dump:
    *** Received from 195.114.64.Y port 1645
    Code: Access-Accept
    Identifier: 55
    Authentic: s4l1194177146{136*143'7237240
    Attributes:
        Service-Type = Framed-User
        Ascend-Idle-Limit = 0
        Maximum-Time = 1
        Framed-IP-Netmask = 255.255.255.255
        Ascend-Metric = 2
        Framed-Routing = None
        Framed-Protocol = PPP
        Reply-Message = "EASYSTART"

    Tue Feb 15 10:25:35 2000: DEBUG: Received reply in AuthRADIUS for req 55 from 195.114.64.Y:1645
    Tue Feb 15 10:25:35 2000: WARNING: Bad authenticator received in reply to ID 55

And 195.114.64.Y never replied with such an Access-Accept. The user "totocom-user" doesn't exist in the database on 195.114.64.Y (this server uses a patched Livingston Radius, and the users database is a flat file hierarchy and an old password file). I'm sure that 195.114.64.Y didn't send an Access-Accept for "totocom-user". I'm now trying to use DupInterval, to refuse a second Access-Accept with the same Identifier, but I don't know if this is really the solution. Does anyone have any idea about my problem?

Thanks a lot for help.

Regards,
--
Frederic GARGULA
Network Systems Engineer
EASYNET France

=== Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
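
The WARNING at the end of the log above comes from the reply-authenticator check: a RADIUS reply's authenticator is an MD5 over the reply and the Request Authenticator of the request it answers (RFC 2865, section 3), so a reply computed for an earlier request fails verification against a later request that reuses Identifier 55. The following is an added example in Python, not Radiator's code and not part of the original post; the shared secret, the authenticator bytes and the function names are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2


def build_reply(code, identifier, request_auth, attributes, secret):
    """Build a reply whose authenticator is bound to one specific request."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def verify_reply(packet, request_auth, secret):
    """Check a reply against the authenticator of the request it claims to answer."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]            # ignore padding after the stated length
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Same Identifier, two requests: the old reply only verifies for the first."""
    secret = b"constructed-shared-secret"
    first_request_auth = bytes(range(16))        # constructed 16-byte values
    second_request_auth = bytes(range(16, 32))
    # Reply-Message (type 18), length = 2 header bytes + 9 text bytes
    attributes = bytes([18, 11]) + b"EASYSTART"
    reply = build_reply(ACCESS_ACCEPT, 55, first_request_auth, attributes, secret)
    return (
        verify_reply(reply, first_request_auth, secret),
        verify_reply(reply, second_request_auth, secret),
    )
```

A client that drops replies failing this check, instead of only logging them, does not depend on the Identifier being unique across outstanding requests.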
(RADIATOR) without password authentication trouble
hi,

I want to be able to test that a user exists in an MSSQL 7 database, but I don't want to check his password. In fact that authentication is made by a qmail mail server that wants to know if a user exists or not (simply to know if the mailbox exists, to deliver an incoming mail).

I have written a Handler:

    <Handler Realm=domain1.com,Service-Type=Without-Password>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy SQL>
            DBSource dbi:ODBC:domain1
            DBUsername username
            DBAuth password
            AuthSelect select * from T_LOGIN where LOGIN='%n' and LOGINTYPE=0
            AuthColumnDef 0, User-Name, check
            # AuthColumnDef 1, Service-Type, reply
        </AuthBy>
    </Handler>

When I want to check if my handler works, I use a home-made program to simulate an incoming mail:

    Code: Access-Request
    Identifier: 200
    Authentic: !918330F145241w7_BN4200160Q
    Attributes:
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Without-Password
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Port = 0

and Radiator says:

    Fri Dec 3 19:03:42 1999: DEBUG: Handling request with Handler 'Realm=domain1.com,Service-Type=Without-Password'
    Fri Dec 3 19:03:42 1999: DEBUG: Rewrote user name to toto11
    Fri Dec 3 19:03:42 1999: DEBUG: Deleting session for [EMAIL PROTECTED], xxx.xxx.xxx.xxx, 0
    Fri Dec 3 19:03:42 1999: DEBUG: Handling with Radius::AuthSQL
    Fri Dec 3 19:03:43 1999: DEBUG: Handling with Radius::AuthSQL
    Fri Dec 3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='toto11' and LOGINTYPE=0
    Fri Dec 3 19:03:43 1999: ERR: Bad attribute=value pair: toto11
    Fri Dec 3 19:03:43 1999: ERR: Bad attribute=value pair: toto9
    Fri Dec 3 19:03:43 1999: DEBUG: Radius::AuthSQL looks for match with toto11
    Fri Dec 3 19:03:43 1999: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
    Fri Dec 3 19:03:43 1999: DEBUG: Radius::AuthSQL REJECT: Bad Password
    Fri Dec 3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='DEFAULT' and LOGINTYPE=0
    Fri Dec 3 19:03:43 1999: INFO: Access rejected for toto11: Bad Password
    Fri Dec 3 19:03:43 1999: DEBUG: Packet dump:
    *** Sending to xxx.xxx.xxx.xxx port 1993
    Code: Access-Reject
    Identifier: 200
    Authentic: !918330F145241w7_BN4200160Q
    Attributes:
        Reply-Message = "Request Denied"

I don't want to check the password, but I want to know if there is such a user in the database... Do you have any ideas?

Thank you for help...

Best Regards,
--
Frederic GARGULA
Network Systems Engineer
EASYNET France
Re: (RADIATOR) ODBC drivers for linux
Mike McCauley wrote:

Hi Kevin

On Jun 3, 4:41pm, Kevin Wormington wrote:
Subject: Re: (RADIATOR) ODBC drivers for linux

The only success that I have had is with DBI and DBD::FreeTDS which works very well connecting to MS SQL 6.5 and 7.0 and requires no other client libraries.

I have installed Openlink's multi-tier ODBC drivers and DBD::ODBC, which works fine with MS SQL 7.

--
Frederic GARGULA
Network Systems Engineer
EASYNET France
Tel.: +33 1 44 54 70 55