Re: (RADIATOR) Trouble with SessionDatabase SQL

2001-03-22 Thread Frederic Gargula

Hugh Irvine wrote:

 Hi Fred -
 
 How's life? I'm sorry we didn't get to see each other during my last 
 visit to Paris - but maybe next time?
 

I certainly hope so! It's been so long...

 
 On Thursday 22 March 2001 04:50, Frederic Gargula wrote:
 
 Hi all,
 
 
 I write again to this list to report a strange behavior :
 
 I want to limit simultaneous logins : Each user can be logged on once at
 a time.
 
 [At the bottom, you can find the interesting parts of my config file.]
 
 I agree with you - it looks quite strange. Could you tell me what version of 
 Radiator you are running? And could you also try to remove the AuthByPolicy 
 from the Handler? As you only have a single AuthBy you shouldn't need the 
 AuthByPolicy anyway.
 

Oh, Sorry.

I'm using Radiator 2.17.1 ;)
I've removed the AuthByPolicy that is useless as you said.
(I had put it there because I hoped Radiator would not send an Access-Accept 
after the Access-Reject generated by the MaxSessions Exceeded state)

Without the AuthByPolicy clause, the result is the same: two answers 
(an Access-Reject due to MaxSessions, and then an Access-Accept due to 
the correct LDAP lookup).

I would be very glad if I could find a way to have only one answer...

Regards,
-- 
Frederic Gargula
Systems Design Engineer
Easynet France


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Trouble with SessionDatabase SQL

2001-03-21 Thread Frederic Gargula
    AcctColumnDef TIME_STAMP,Timestamp,integer
    AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
    AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time,integer
    AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets,integer
    AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets,integer
    AcctColumnDef ACCTSESSIONID, Acct-Session-Id
    AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time,integer
    AcctColumnDef ACCTTERMINATECAUSE, Acct_Terminate-Cause,integer
    AcctColumnDef NASIDENTIFIER, NAS-Identifier
    AcctColumnDef NASPORT,NAS-Port,integer
    AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
    AcctColumnDef CALLERID,Caller-Id
</AuthBy>

<Handler Vendor-Specific=dialup,Request-Type = Access-Request>
    RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
    RejectHasReason
    SessionDatabase SDB1
    AuthByPolicy ContinueUntilReject
    MaxSessions 1
    AuthBy Auth_ldap_dialup
</Handler>


<Handler Vendor-Specific=dialup,Request-Type = Accounting-Request>
    RewriteUsername s/^([^@]+)$/$1\@easynet.fr/
    AuthByPolicy ContinueAlways
    AuthBy Accounting1
</Handler>

<SessionDatabase SQL>
    DBSource dbi:mysql:x:x
    DBUsername x
    DBAuth x
    Identifier SDB1
</SessionDatabase>



-- 
Frederic Gargula
Systems Design Engineer
Easynet France





(RADIATOR) LDAP with MIMEBASE64 and MD5 trouble

2001-02-07 Thread Frederic Gargula

Hi all,


I'm testing authentication with Radiator 2.17.1 on OpenLDAP 1.2.11 (each
on a separate server, both on a private testing network), and I have
trouble with MD5 encryption.

On the LDAP server, passwords are stored in the form :

{MD5}ZviHb9U7k5r2YaTNG6QuTA==   [this format is known as MD5 with MIME]


Following the documentation, and particularly sections 13.1.1 and
13.1.2, Radiator supports this encrypted format for both 'User-Password'
and 'Encrypted-Password' check items.

I've tried both, and I have :

-using 'User-Password' :

 
 Tue Feb  6 10:19:12 2001: DEBUG: Handling with Radius::AuthLDAP2
 Tue Feb  6 10:19:12 2001: DEBUG: Connecting to 192.168.100.10, port 389
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got result for [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got userpassword: {MD5}ZviHb9U7k5r2YaTNG6QuTA==
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got idletime: 0
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ippool: 1
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
 Tue Feb  6 10:19:12 2001: DEBUG: LDAP got iproutemetric: 2
 Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 looks for match with [EMAIL PROTECTED]
 Tue Feb  6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password

-using 'Encrypted-Password' :

 Tue Feb  6 10:50:25 2001: DEBUG: Handling with Radius::AuthLDAP2
 Tue Feb  6 10:50:25 2001: DEBUG: Connecting to 192.168.100.10, port 389
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got result for [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got userpassword:{MD5}ZviHb9U7k5r2YaTNG6QuTA==
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got idletime: 0
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ippool: 1
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
 Tue Feb  6 10:50:25 2001: DEBUG: LDAP got iproutemetric: 2
 Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 looks for match with [EMAIL PROTECTED]
 Tue Feb  6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password

I'm sure of my password, and I don't understand why Radiator still
rejects my requests.

I've seen many past posts in this mailing list, and I remember Robin
Gruyters's one, on Jun 13 2000 :

 hi,
 
 Because we use in our LDAP for password md5 with MIME64
 (userpassword={MD5}qP0OV/oViFka8YbFMWEWeg==)
 We had to make some changes in the Radius.pm file. Here is a patch:
 
 --- Radius.pm   Tue Jun 13 10:25:10 2000
 +++ Radiusmd5.pmTue Jun 13 10:26:12 2000
 @@ -708,6 +708,18 @@
 # via Apache::AuthenRadius or similar
 $result = check_digest_password($user, $submitted_pw,
 $pw);
 }
 +elsif ($pw =~ /^{MD5}/)
 +{
 +require MIME::Base64;
 +require Digest::MD5;
 +my $context = new MD5;
 +$context-reset();
 +$context-add("$submitted_pw");
 +
 +my $tmppw =  "{MD5}" .
 MIME::Base64::encode_base64($context-digest());
 +chomp($tmppw);
 +$result = ($tmppw eq $pw);
 +}
 else
 {
 # Just ordinary old plaintext, look for an exact match
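
Review bot: the added elsif branch runs `require Digest::MD5;` but then builds the object with `new MD5`, which names the class of the older MD5 module rather than the module just loaded, so the branch only works if MD5 is loaded somewhere outside this hunk. Construct the object with Digest::MD5's own constructor, and drop the reset() call, which does nothing on a freshly created object. The pattern `/^{MD5}/` would be clearer with the braces escaped, and passing an empty end-of-line string as the second argument to encode_base64 would make the chomp unnecessary. Because the result comes from a string `eq` on the re-encoded text, a stored value that differs only in trailing whitespace is rejected; comparing the decoded digest bytes instead would avoid that.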
 

I don't understand why he has to patch Radius.pm, because according to the
Class Hierarchy in section 17.5, AuthLDAP2 inherits from
AuthGeneric.

The {MD5} encryption appears nowhere else:

morrison:/usr/local/src/Radiator-2.17.1/Radius$ grep "{MD5}" *
AuthGeneric.pm:elsif ($pw =~ /^{MD5}/)
AuthGeneric.pm: $cmp_pass = '{MD5}' . MIME::Base64::encode_base64($md5->digest());
AuthGeneric.pm:  $cmp_pass = "{MD5}" . $md5->hexdigest();


I've put my config file in attachment.


Is the inheritance working ?
Does anyone have any idea for my trouble ? 



-- 
Frederic Gargula
Systems Designer
Easynet France
 radius.cfg_ldap
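
A check for the two `{MD5}` encodings that the grep output above shows in AuthGeneric.pm (base64 of the raw digest, and the hex digest), as an added example that is not Radiator's or the poster's code. The function names and the sample password are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

PREFIX = "{MD5}"

def parse_md5_value(stored):
    """Return the 16-byte digest inside a '{MD5}...' value, or None if malformed."""
    if not stored.upper().startswith(PREFIX):
        return None
    body = stored[len(PREFIX):].strip()
    try:
        if len(body) == 32:
            # Hex form: "{MD5}" followed by the hex digest.
            digest = bytes.fromhex(body)
        else:
            # MIME form: "{MD5}" followed by base64 of the raw digest.
            digest = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return digest if len(digest) == 16 else None

def password_matches(submitted, stored):
    """Compare the decoded digest bytes in constant time."""
    digest = parse_md5_value(stored)
    if digest is None:
        return False
    candidate = hashlib.md5(submitted.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)

def make_md5_value(password, hex_form=False):
    """Build a stored value for testing (constructed sample data only)."""
    md5 = hashlib.md5(password.encode("utf-8"))
    if hex_form:
        return PREFIX + md5.hexdigest()
    return PREFIX + base64.b64encode(md5.digest()).decode("ascii")

if __name__ == "__main__":
    sample = make_md5_value("constructed-pass")   # constructed, not from the post
    print(sample, password_matches("constructed-pass", sample))
    # A trailing newline hashed into the password gives a different digest.
    print(password_matches("constructed-pass\n", sample))
```

Comparing decoded bytes rather than the text form means the same check serves both encodings and rejects values that are not a 16-byte digest.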


(RADIATOR) Authentication trouble

2000-02-15 Thread Frederic Gargula

Hi,


I have a problem on my Radiator proxy servers. Sometimes, an
accept-request that should invoke an Access-Reject receives an
Access-Accept instead.

I have noticed that when a fake Access-Accept is received, it's the same
reply as one received a short time before. The two request/replies use the same
Identifier and Authenticator.
The two Access-Accepts are exactly the same:


Let's see an example :

 Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
 *** Sending to 195.114.64.Y port 1645 
 Code:   Access-Request
 Identifier: 55
 Authentic:  2918y165|140Azb7=++250U136
 Attributes:
 Proxy-Action = "AUTHENTICATE"
 NAS-Identifier = "xxx"
 NAS-IP-Address = 192.168.xxx.xxx
 User-Name = "[EMAIL PROTECTED]"
 CHAP-Password = ""
 Called-Station-Id = ""
 Acct-Session-Id = "3e8d38a91b76e32c6047"
 NAS-Port-Type = Async
 NAS-Port = 20109
 User-Id = "hdantin"
 CHAP-Challenge = ""
 User-Realm = "easynet.fr"
 Service-Type = Framed-User
 Tunnel-Type = L2F
 Tunnel-Medium-Type = IP
 Proxy-State = 0
 Vendor-Specific = "Siris"
 Tue Feb 15 10:25:28 2000: DEBUG: Packet dump:
 *** Received from 195.114.64.Y port 1645 
 Code:   Access-Accept
 Identifier: 55
 Authentic:  s4l1194177146{136*143'7237240
 Attributes:
 Service-Type = Framed-User
 Ascend-Idle-Limit = 0
 Maximum-Time = 1
 Framed-IP-Netmask = 255.255.255.255
 Ascend-Metric = 2
 Framed-Routing = None
 Framed-Protocol = PPP
 Reply-Message = "EASYSTART"

Ok, a dialup user was accepted.

7 seconds later in the logfile, I found :

 *** Sending to 195.114.64.Y port 1645 
 Code:   Access-Request
 Identifier: 55
 Authentic:  ]}185~2102302612163s4216022163.
 Attributes:
 User-Name = "totocom-user"
 Service-Type = Without-Password
 NAS-IP-Address = 195.114.64.Z
 NAS-Port = 0
 Vendor-Specific = "Mail"
 
 Tue Feb 15 10:25:35 2000: DEBUG: Packet dump:
 *** Received from 195.114.64.Y port 1645 
 Code:   Access-Accept
 Identifier: 55
 Authentic:  s4l1194177146{136*143'7237240
 Attributes:
 Service-Type = Framed-User
 Ascend-Idle-Limit = 0
 Maximum-Time = 1
 Framed-IP-Netmask = 255.255.255.255
 Ascend-Metric = 2
 Framed-Routing = None
 Framed-Protocol = PPP
 Reply-Message = "EASYSTART"

 Tue Feb 15 10:25:35 2000: DEBUG: Received reply in AuthRADIUS for req 55 from 195.114.64.Y:1645
 Tue Feb 15 10:25:35 2000: WARNING: Bad authenticator received in reply to ID 55


And 195.114.64.Y never replied with such an Access-Accept. The user
"totocom-user" doesn't exist in the database on 195.114.64.Y (this
server uses a patched Livingston Radius, and the users database is a
flat file hierarchy and an old password file).

I'm sure that 195.114.64.Y didn't send an Access-Accept for
"totocom-user".
I'm now trying to use DupInterval, to refuse a second Access-Accept with
the same Identifier, but I don't know if this is really the solution.

Does anyone have any idea about my problem ?

Thanks a lot for help.

Regards,

-- 
Frederic GARGULA
Network and Systems Engineer
EASYNET France

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
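
The RFC 2865 Response Authenticator check that produces a warning like the `Bad authenticator received in reply to ID 55` line above, as an added example that is not Radiator's code. The shared secret, the request authenticators and the single Reply-Message attribute are constructed; it shows why a reply computed for one request fails validation once Identifier 55 belongs to a later request.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SECRET = b"constructed-secret"                  # constructed shared secret
REPLY_ATTRS = bytes([18, 11]) + b"EASYSTART"    # Reply-Message (type 18) as type/length/value

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def reply_is_valid(reply, request_auth, secret):
    """Proxy side: recompute the authenticator using the pending request's authenticator."""
    if len(reply) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def accept_reply(pending, reply, secret):
    """pending maps Identifier -> Request Authenticator of the outstanding request."""
    if len(reply) < 20 or reply[1] not in pending:
        return False
    return reply_is_valid(reply, pending[reply[1]], secret)

def stale_reply_demo():
    first_auth = bytes(range(16))               # constructed request authenticators
    later_auth = bytes(range(16, 32))
    reply = build_reply(ACCESS_ACCEPT, 55, first_auth, REPLY_ATTRS, SECRET)
    ok_first = accept_reply({55: first_auth}, reply, SECRET)
    # Identifier 55 now belongs to a newer request; the same reply bytes arrive again.
    ok_later = accept_reply({55: later_auth}, reply, SECRET)
    return ok_first, ok_later

if __name__ == "__main__":
    print(stale_reply_demo())
```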



(RADIATOR) without password authentication trouble

1999-12-03 Thread Frederic GARGULA

hi,

I want to be able to test that a user exists in an MSSQL 7 database, but
I don't want to check his password. 
In fact that authentication is made by a qmail mail server that wants to
know if a user exists or not (simply to know if the mailbox exists, to
deliver an incoming mail)


I have written a Handler:

<Handler Realm=domain1.com,Service-Type=Without-Password>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy SQL>
        DBSource dbi:ODBC:domain1
        DBUsername username
        DBAuth password
        AuthSelect select * from T_LOGIN where LOGIN='%n' and LOGINTYPE=0
        AuthColumnDef 0, User-Name, check
#       AuthColumnDef 1, Service-Type, reply
    </AuthBy>
</Handler>



When I want to check if my handler works, I use a home-made program to
simulate an incoming mail:


Code:   Access-Request
Identifier: 200
Authentic:  !918330F145241w7_BN4200160Q
Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Without-Password
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port = 0

and Radiator says :

Fri Dec  3 19:03:42 1999: DEBUG: Handling request with Handler 'Realm=domain1.com,Service-Type=Without-Password'
Fri Dec  3 19:03:42 1999: DEBUG: Rewrote user name to toto11
Fri Dec  3 19:03:42 1999: DEBUG: Deleting session for [EMAIL PROTECTED], xxx.xxx.xxx.xxx, 0
Fri Dec  3 19:03:42 1999: DEBUG: Handling with Radius::AuthSQL
Fri Dec  3 19:03:43 1999: DEBUG: Handling with Radius::AuthSQL
Fri Dec  3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='toto11' and LOGINTYPE=0

Fri Dec  3 19:03:43 1999: ERR: Bad attribute=value pair: toto11
Fri Dec  3 19:03:43 1999: ERR: Bad attribute=value pair: toto9
Fri Dec  3 19:03:43 1999: DEBUG: Radius::AuthSQL looks for match with toto11
Fri Dec  3 19:03:43 1999: WARNING: No CHAP-Password or User-Password in request: does your dictionary have User-Password in it?
Fri Dec  3 19:03:43 1999: DEBUG: Radius::AuthSQL REJECT: Bad Password
Fri Dec  3 19:03:43 1999: DEBUG: Query is: select * from T_LOGIN where LOGIN='DEFAULT' and LOGINTYPE=0

Fri Dec  3 19:03:43 1999: INFO: Access rejected for toto11: Bad Password
Fri Dec  3 19:03:43 1999: DEBUG: Packet dump:
*** Sending to xxx.xxx.xxx.xxx port 1993 
Code:   Access-Reject
Identifier: 200
Authentic:  !918330F145241w7_BN4200160Q
Attributes:
Reply-Message = "Request Denied"


I don't want to check the password, but I want to know if there is such a
user in the database...

Do you have any ideas ?


Thank you for help...


Best Regards,
-- 
Frederic GARGULA
Network and Systems Engineer
EASYNET France




Re: (RADIATOR) ODBC drivers for linux

1999-06-04 Thread Frederic GARGULA

Mike McCauley wrote:
 
 Hi Kevin
 
 On Jun 3,  4:41pm, Kevin Wormington wrote:
  Subject: Re: (RADIATOR) ODBC drivers for linux
  The only success that I have had is with DBI and DBD::FreeTDS which works
  very well connection to MS SQL 6.5 and 7.0 and requires no other client
  libraries.
 
I have installed Openlink's multi-tier ODBC drivers and DBD::ODBC, which
works fine with MS SQL 7.

-- 
Frederic GARGULA
Network and Systems Engineer
EASYNET France
Tel.: +33 1 44 54 70 55
