Re: (RADIATOR) Re: Blocking Access based on Caller Id
Edgar,

Check the hooks.txt in the patches area on the webserver. You will find some examples there that will be of help.

- Joost.

Edgar R Gutierrez wrote:
> Hi there,
>
> I would like to implement black listing caller ids which are known to have been used to hack into systems or into ISP accounts. Of course, I also need to know how to get the value of the Calling-Station-Id inside the PreAuthHook code so that I could make a check if the caller id is black listed. If it is, Radiator will deny access.
>
> A pseudo code of what I want to implement is written below:
>
> a) Get value of Calling Station Id
> b) Search Black List Table for that caller id
> c) If caller id is black listed, then deny access
>
> Hoping for any support from all Radiator Gurus out there..=)
>
> Egie
>
> ---
> Edgar R Gutierrez
> NOC - Network Services Manager
> Impact Information Systems
>
> ----- Original Message -----
> From: Hugh Irvine [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; Randy Cosby [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Saturday, May 13, 2000 8:59 AM
> Subject: RE: (RADIATOR) Merged ISP's
>
> > Hi Randy -
> >
> > On Sat, 13 May 2000, Randy Cosby wrote:
> > > How do I BEST deal with the fall-through to the next radius if the first fails?
> >
> > You would specify multiple Host parameters in the AuthBy RADIUS clauses. Have a look at section 6.25.1 in the Radiator 2.15 reference manual.
> >
> > regards
> >
> > Hugh
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

--
Joost Stegeman
Service Developer Integration Services
KPN OVN BBT/IP Integration Services
tel. 070 - 371 37 83
fax. 070 - 371 26 38
E-mail: [EMAIL PROTECTED]

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AuthBy LDAP2: support for OpenLDAP?
Dave,

It works perfectly with OpenLDAP. OpenLDAP is based on the U of M code.

- Joost.

Dave Kitabjian wrote:
> Regarding: http://www.open.com.au/radiator/ref.html#pgfId=369888
>
> The docs say:
>
> "AuthBy LDAP2 works with the newer Net::LDAP module version in perl-ldap-0.09 or better (Available from CPAN). It is implemented in AuthLDAP2.pm. The Net::LDAP will work with both University of Michigan LDAP and Netscape's LDAP SDK, but it does not support SSL encrypted connections to the LDAP server."
>
> There is no mention of OpenLDAP, which is what we plan to use. However, there is a mention of it on:
>
> http://www.open.com.au/radiator/details.html
>
> So I assume that's just an omission? Does anyone have it running with OpenLDAP?
>
> Thanks for your input!
>
> Dave
Re: (RADIATOR) Error when running radiusd
Could it be that you are trying to use SNMP on a low port (161 is the default) while running Radiator as a normal user (not root)?

- joost.

Richard Barnes -Listserv wrote:
> I'm installing Radiator on a Solaris 7 machine... (it's actually going to be a secondary authenticator)
>
> I think I have everything installed and working, but when I start the radiusd program, I get the following error:
>
>     Error: creating socket: Bad file number
>
> I've modified my /etc/services file, and when using radpwtst, I get OKs on the Access-Request and on the Accounting Requests... I know that radpwtst is working correctly because if I give it bogus info, I get a reject...
>
> Everything seems to be fine, but I don't know what's up with the creating socket error...
>
> Any help would be appreciated...
Re: (RADIATOR) Undefined sub Radius::Handler
Jan,

There were some errors in the docs on this issue. They have been corrected in the newer versions. From an earlier mail to the list:

> You access the parameters like this:
>
>     # get the parameters passed to this hook
>     my $p    = ${$_[0]};   # current request packet
>     my $rp   = ${$_[1]};   # current reply packet
>     my $code = ${$_[2]};   # authentication result

So that would be:

    PreAuthHook sub { my $p = ${$_[0]}; $p->add_attr('cttIsSubscriber', '1'); }

(untested)

- Joost.

Jan van Nieuwstadt wrote:
> Dear sir,
>
> We installed/use Radiator-2.12. The package has been installed on a SUN 2.6 system using almost all default settings, and works fine with one exception.
>
> In the documentation (Installation and Reference manual for Radiator version 2.12) we found a description (par 5.8.9) for the parameter PreAuthHook. We added the following line to the configuration file:
>
> ===
>     # Null realm, handles users with no realm
>     <Realm>
>         PreAuthHook sub { $_[0]->add_attr('cttIsSubscriber', '1'); }
>         <AuthBy LDAP>
>             # The LDAP host to connect to
>             # If not set, defaults to localhost
> ===
>
> Whenever we 'use' the concerning Null realm the radius logfile 'reports' the following information:
>
> ===
>     Thu Apr 13 08:26:28 2000: DEBUG: Handling request with Handler 'Realm='
>     Thu Apr 13 08:26:28 2000: ERR: Error in PreAuthHook(): Undefined subroutine Radius::Handler::CODE called at (eval 33) line 1.
> ===
>
> I found the declarations for this routine in the file .../Handler.pm
>
> Does the error message mean the application cannot find or execute this Handler.pm file, or is it some other configuration mismatch?
>
> Thanks in advance and best regards,
>
> Jan van Nieuwstadt
> Infonet Europe
> PO Box 93004, 2509AA The Hague, The Netherlands
> Koningin Sophiestraat 120, 2595 TM The Hague, The Netherlands
> Tel: +31 (0) 70 37 11302
> Fax: +31 (0) 70 37 11888
> Email: [EMAIL PROTECTED]
>
> ---End of forwarded mail from [EMAIL PROTECTED]
>
> --
> Mike McCauley [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd             Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
> Phone +61 3 9598-0985                        Fax +61 3 9598-0955
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 2000, NT, MacOS X
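The check Edgar asked for in the earlier thread (read Calling-Station-Id, look it up in a blocklist, deny if listed), written as a Radiator hook that uses the parameter convention Joost quotes above (`${$_[0]}` request, `${$_[1]}` reply, `${$_[2]}` result). This is an added example, not Radiator's own code and not one of the hooks.txt examples. Assumptions, not stated on this page: that assigning `$main::REJECT` to `${$_[2]}` in a PostAuthHook overrides the authentication result, the Reply-Message wording, the blocklist contents, and the `ExamplePacket` stand-in, which exists only so the script can be run on its own outside radiusd. `get_attr` and `add_attr` are Radiator packet methods, the latter as used in the config above.

```perl
#!/usr/bin/perl
# Added example: refuse access when Calling-Station-Id is on a blocklist.
# Not Radiator's code; see the assumptions listed in the surrounding text.
use strict;
use warnings;

# Caller ids are compared on digits only, so "012-345 6789" and
# "0123456789" are the same entry.
sub normalise_cli {
    my ($cli) = @_;
    return '' unless defined $cli;
    $cli =~ s/\D//g;
    return $cli;
}

# Constructed blocklist; in production load it from a file or SQL table.
my %BLOCKED;
$BLOCKED{ normalise_cli($_) } = 1 for ('0123456789', '0987-654-321');

# Returns 1 if the caller id is listed, 0 otherwise. A missing or empty
# Calling-Station-Id is allowed through here (assumption: some NASes omit
# it, so rejecting those is a separate policy decision).
sub cli_is_blocked {
    my ($cli, $list) = @_;
    my $n = normalise_cli($cli);
    return 0 if $n eq '';
    return exists $list->{$n} ? 1 : 0;
}

# Hook body. Assumption: in a PostAuthHook, assigning $main::REJECT to
# ${$_[2]} overrides the result, so a listed caller is refused even when
# the password check succeeded.
sub blocklist_hook {
    my $p  = ${$_[0]};                       # current request packet
    my $rp = ${$_[1]};                       # current reply packet
    my $cli = $p->get_attr('Calling-Station-Id');
    return unless cli_is_blocked($cli, \%BLOCKED);
    ${$_[2]} = $main::REJECT;
    $rp->add_attr('Reply-Message', 'Access denied');   # wording is an assumption
    return;
}

# In the Radiator config the same body would go inline (assumed layout):
#   PostAuthHook sub { ...body of blocklist_hook... }

# --- Stand-alone demo with a minimal stand-in for the packet object --------
package ExamplePacket;                       # constructed, not Radius::Radius
sub new      { my ($c, %a) = @_; return bless { %a }, $c }
sub get_attr { return $_[0]{ $_[1] } }
sub add_attr { $_[0]{ $_[1] } = $_[2]; return }
package main;

unless (caller) {
    $main::REJECT = 'REJECT' unless defined $main::REJECT;   # radiusd defines this
    for my $cli ('012-345 6789', '0555 000 111', undef) {
        my $p  = ExamplePacket->new('User-Name' => 'alice', 'Calling-Station-Id' => $cli);
        my $rp = ExamplePacket->new;
        my $result = 'ACCEPT';               # stand-in for $main::ACCEPT
        blocklist_hook(\$p, \$rp, \$result);
        printf "%-14s -> %s\n", defined $cli ? $cli : '(absent)', $result;
    }
}
```

Run directly, the first caller id (which normalises to a listed number) is rejected and the other two are accepted; the normalisation on both the list and the request is what keeps formatting differences in what the NAS sends from bypassing the list.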
Re: (RADIATOR) error in dictionary?
Euhm, you're right. We're still using 2.11 in production and this is the logfile from the 2.11 server. We'll be upgrading soon. Anyway, problem solved.

thanx, Joost.

Mike McCauley wrote:
> Hello Joost,
>
> On Apr 3, 10:58am, Joost Stegeman wrote:
> > Subject: (RADIATOR) error in dictionary?
> >
> > Hi all,
> >
> > Could it be that the new dictionary included in the 2.15 release contains an error on line 38 (see below)? I changed type binary to abinary but that resulted in strange errors (see logfile excerpt below). I then changed the type to integer which in our case is right (should be string according to standards, but we use Ascend/Alcatel SMC).
> >
> > Mike, could you check the workings of the abinary type? I haven't had a look at the code yet, but this seems strange.
>
> binary is the correct data type for Proxy-State, and it's been in Radiator for quite a few versions. abinary is for Ascend filters.
>
> I am surprised by the error you are seeing. It makes me think there is a problem with your Radiator installation, such that it's seeing an RDict.pm from a very old version. Otherwise there may be some unprintable character?
>
> Hope that helps.
>
> Cheers.
>
> > - Joost.
> >
> > dictionary line 38:
> >
> >     ATTRIBUTE Proxy-State 33 binary
> >
> > logfile:
> >
> >     Mon Apr 3 12:46:23 2000: NOTICE: SIGHUP received: restarting
> >     Mon Apr 3 12:46:24 2000: ERR: Bad format in dictionary '/opt/APPradius/etc/dictionary' at line 38
> >     Mon Apr 3 12:46:24 2000: INFO: Server started
> >     Mon Apr 3 12:46:30 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
> >     Mon Apr 3 12:46:44 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
> >     Mon Apr 3 12:46:46 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
> >     Mon Apr 3 12:46:46 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
> >     Mon Apr 3 12:46:51 2000: NOTICE: SIGHUP received: restarting
> >     Mon Apr 3 12:46:52 2000: INFO: Server started
> >     Mon Apr 3 12:46:55 2000: INFO: Radius::AuthKPNLDAP: Authentication failed for [EMAIL PROTECTED]
> >     Mon Apr 3 12:46:55 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:03 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:10 2000: INFO: Radius::AuthKPNLDAP: Authentication failed for [EMAIL PROTECTED]
> >     Mon Apr 3 12:47:10 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:17 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:36 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:38 2000: WARNING: Could not parse Proxy-State: generic out drop==
> >     Mon Apr 3 12:47:39 2000: NOTICE: SIGHUP received: restarting
> >     Mon Apr 3 12:47:39 2000: INFO: Server started
> >
> > - Joost.
>
> -- End of excerpt from Joost Stegeman
(RADIATOR) error in dictionary?
Hi all,

Could it be that the new dictionary included in the 2.15 release contains an error on line 38 (see below)? I changed type binary to abinary but that resulted in strange errors (see logfile excerpt below). I then changed the type to integer which in our case is right (should be string according to standards, but we use Ascend/Alcatel SMC).

Mike, could you check the workings of the abinary type? I haven't had a look at the code yet, but this seems strange.

- Joost.

dictionary line 38:

    ATTRIBUTE Proxy-State 33 binary

logfile:

    Mon Apr 3 12:46:23 2000: NOTICE: SIGHUP received: restarting
    Mon Apr 3 12:46:24 2000: ERR: Bad format in dictionary '/opt/APPradius/etc/dictionary' at line 38
    Mon Apr 3 12:46:24 2000: INFO: Server started
    Mon Apr 3 12:46:30 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
    Mon Apr 3 12:46:44 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
    Mon Apr 3 12:46:46 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
    Mon Apr 3 12:46:46 2000: ERR: Attribute number 33 (vendor ) is not defined in your dictionary
    Mon Apr 3 12:46:51 2000: NOTICE: SIGHUP received: restarting
    Mon Apr 3 12:46:52 2000: INFO: Server started
    Mon Apr 3 12:46:55 2000: INFO: Radius::AuthKPNLDAP: Authentication failed for [EMAIL PROTECTED]
    Mon Apr 3 12:46:55 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:03 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:10 2000: INFO: Radius::AuthKPNLDAP: Authentication failed for [EMAIL PROTECTED]
    Mon Apr 3 12:47:10 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:17 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:36 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:38 2000: WARNING: Could not parse Proxy-State: generic out drop==
    Mon Apr 3 12:47:39 2000: NOTICE: SIGHUP received: restarting
    Mon Apr 3 12:47:39 2000: INFO: Server started

- Joost.
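The "Bad format in dictionary ... at line 38" entry above, and Mike's diagnosis in the reply thread that an old RDict.pm which does not know the `binary` type is being loaded, can be reproduced with a small dictionary checker. This is an added example, not Radiator's RDict.pm: the set of attribute types it accepts is an assumption for the demo (RDict.pm is authoritative), and the dictionary excerpt is constructed, with the Proxy-State line copied from the report.

```perl
#!/usr/bin/perl
# Added example: check Radiator-style dictionary lines and report the same
# class of problem as "Bad format in dictionary ... at line N".
use strict;
use warnings;

# Types a current loader accepts (assumed list for this demo).
my %CURRENT_TYPES = map { $_ => 1 } qw(string integer ipaddr date binary abinary);
# What an old loader might accept: the same list without 'binary', which is
# the situation Mike describes (an RDict.pm from a very old version).
my %OLD_TYPES = map { $_ => 1 } grep { $_ ne 'binary' } keys %CURRENT_TYPES;

# Returns a list of "line N: ..." problems found in $text. Blank and comment
# lines are ignored; VALUE, VENDOR and VENDORATTR lines are only checked for
# shape; ATTRIBUTE lines are additionally checked for a known type.
sub check_dictionary {
    my ($text, $known_types) = @_;
    my @problems;
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*(?:#|$)/;
        if ($line =~ /^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+\S+)?\s*$/) {
            my ($name, $num, $type) = ($1, $2, $3);
            push @problems, "line $n: unknown type '$type' for attribute $name ($num)"
                unless $known_types->{$type};
        }
        elsif ($line =~ /^VALUE\s+\S+\s+\S+\s+\d+\s*$/
            || $line =~ /^VENDOR\s+\S+\s+\d+\s*$/
            || $line =~ /^VENDORATTR\s+\S+\s+\S+\s+\d+\s+\S+\s*$/) {
            # well-formed, nothing to report
        }
        else {
            push @problems, "line $n: bad format: $line";
        }
    }
    return @problems;
}

# Constructed excerpt; only the Proxy-State line is taken from the report.
my $dictionary = <<'END';
# constructed dictionary excerpt
ATTRIBUTE User-Name 1 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE Proxy-State 33 binary
VALUE Acct-Status-Type Stop 2
ATTRIBUTE Broken-Entry 200
END

unless (caller) {
    print "current loader:\n", map("  $_\n", check_dictionary($dictionary, \%CURRENT_TYPES));
    print "old loader:\n",     map("  $_\n", check_dictionary($dictionary, \%OLD_TYPES));
}
```

With the current type list only the malformed last line is reported; with the old list the Proxy-State line is reported as well, which is the pattern to look for before editing the dictionary itself: an error on a line that ships unchanged in the release points at the loader, not the file.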
Re: (RADIATOR) mysql and I'm lazy.
Hi all,

I had the same problem yesterday, try this one.

cu,

- Joost.

Hugh Irvine wrote:
> Hello Chris and Jason -
>
> On Thu, 23 Mar 2000, Chris M wrote:
> > > Hello Jason -
> > >
> > > On Tue, 21 Mar 2000, Jason Godsey wrote:
> > > > Hello again,
> > > >
> > > > I've discovered I'm quite lazy and am looking for a simple way to set up SQL tables for all the records I want out of the detail file. Are there any utils to parse a detail file and generate a proper sql dump to hold all the information contained in the detail file? Otherwise, do I just look up the attribute I want in the detail file to see if it is text/int? Is there a simple way to tell how long the field is?
> > >
> > > There is a sample SQL creation script in goodies/mysqlCreate.sql. And really the simplest way to write the database is with Radiator and an AuthBy SQL.
> > >
> > > hth
> > >
> > > Hugh
> > > --
> >
> > I think what he's asking for is whether there is a way to parse detail files, and poke them into a new database (import existing data to mySQL).
>
> The short answer is no, which is why I was suggesting starting with the existing mysqlCreate.sql to use as a basis for developing your own database schema.
>
> As to a utility, there is an example "warehouse" perl program that was contributed by one of our customers. This utility currently reads an SQL table and writes another, but perhaps you could use it as a place to start.
>
> hth
>
> Hugh

[Attachment: acct2sql.pl]
Re: (RADIATOR) RestartWrapper
Michael O Shea wrote:
> Hi folks,
>
> I am having some trouble with Restart Wrapper. I tried to run from the shell the command,
>
>     perl /usr/bin/restartWrapper -mail micheal@localhost -delay 2 "/usr/local/Radiator-2.15/radiusd -config_file /usr/local/Radiator-2.15/configs/myconfig.cfg"

Shouldn't this be "perl /usr/local..."? Your radiusd probably isn't executable or has a wrong path for perl in the 'shebang'.

- Joost.

> I then get mails from the script telling me,
>
>     Your program /usr/local/Radiator-2.15/radiusd -config_file /usr/local/Radiator-2.15/configs/myconfig.cfg exited unexpectedly with exit status 127, signal number 0 and dump indication 0. The STDERR output was /usr/local/Radiator-2.15/radiusd: not found. The program will be restarted again by /usr/bin/restartWrapper in 2 seconds.
>
> The funny thing is that if I run,
>
>     perl /usr/local/Radiator-2.15/radiusd -config_file /usr/local/Radiator-2.15/configs/myconfig.cfg
>
> it works fine. Am I missing something simple here?
>
> Also, can I run Radiator under a different user/group by passing flags to the script like -u radius -g radius?
>
> Thanks in advance.
>
> Micheal O Shea
> Email: [EMAIL PROTECTED]
> com4u.ch                http://www.com4u.ch
> Breitistrasse 7B        PGP key available upon request.
> CH-5506 Maegenwil       Tel: +41 62 896 46 26
> Switzerland
Re: (RADIATOR) mysql and I'm lazy.
By the way, this script is for Ascend NASes and the RAdmin tables, you'll probably have to adjust some hardcoded things ;-)

- Joost.

Joost Stegeman wrote:
> Hi all,
>
> I had the same problem yesterday, try this one.
>
> cu,
>
> - Joost.
>
> Hugh Irvine wrote:
> > Hello Chris and Jason -
> >
> > On Thu, 23 Mar 2000, Chris M wrote:
> > > > Hello Jason -
> > > >
> > > > On Tue, 21 Mar 2000, Jason Godsey wrote:
> > > > > Hello again,
> > > > >
> > > > > I've discovered I'm quite lazy and am looking for a simple way to set up SQL tables for all the records I want out of the detail file. Are there any utils to parse a detail file and generate a proper sql dump to hold all the information contained in the detail file? Otherwise, do I just look up the attribute I want in the detail file to see if it is text/int? Is there a simple way to tell how long the field is?
> > > >
> > > > There is a sample SQL creation script in goodies/mysqlCreate.sql. And really the simplest way to write the database is with Radiator and an AuthBy SQL.
> > > >
> > > > hth
> > > >
> > > > Hugh
> > > > --
> > >
> > > I think what he's asking for is whether there is a way to parse detail files, and poke them into a new database (import existing data to mySQL).
> >
> > The short answer is no, which is why I was suggesting starting with the existing mysqlCreate.sql to use as a basis for developing your own database schema.
> >
> > As to a utility, there is an example "warehouse" perl program that was contributed by one of our customers. This utility currently reads an SQL table and writes another, but perhaps you could use it as a place to start.
> >
> > hth
> >
> > Hugh
>
> [Attachment: acct2sql.pl, Perl Program (application/x-perl), Encoding: 7bit]
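The acct2sql.pl script Joost attached in the two messages above did not survive in the archive. What follows is an added example of the same job (reading a Radiator detail file and turning each record into an SQL insert), written for this page and not Joost's script, Radiator's goodies, or the "warehouse" program Hugh mentions. The table name, the column map and the sample records are constructed for the demo; the point it adds to the discussion is that values from the detail file are passed as bind parameters and column names come only from a fixed map, so nothing read from the file is ever spliced into SQL text.

```perl
#!/usr/bin/perl
# Added example: RADIUS detail-file records -> parameterised SQL inserts.
# Not the attached acct2sql.pl and not Radiator's code.
use strict;
use warnings;

my $TABLE = 'accounting';                    # assumed table name
# Fixed attribute -> column map (assumed schema). Only attributes listed
# here are imported, so attribute names from the file never reach the SQL.
my %COLUMNS = (
    'User-Name'          => 'username',
    'Acct-Status-Type'   => 'status',
    'Acct-Session-Id'    => 'session_id',
    'NAS-IP-Address'     => 'nas_ip',
    'Acct-Session-Time'  => 'session_time',
    'Acct-Input-Octets'  => 'input_octets',
    'Acct-Output-Octets' => 'output_octets',
    'Calling-Station-Id' => 'caller_id',
);

# Detail-file layout: records separated by blank lines; the first line of a
# record is the timestamp, the following lines are "<tab>Attr = value",
# with string values in double quotes. Returns a list of hashrefs.
sub parse_detail {
    my ($text) = @_;
    my @records;
    for my $chunk (split /\n\s*\n/, $text) {
        my @lines = grep { /\S/ } split /\n/, $chunk;
        next unless @lines;
        my %rec = (_timestamp => shift @lines);
        for my $line (@lines) {
            next unless $line =~ /^\s*([\w-]+)\s*=\s*(.*?)\s*$/;
            my ($attr, $value) = ($1, $2);
            $value =~ s/^"(.*)"$/$1/;        # strip surrounding quotes
            $rec{$attr} = $value;
        }
        push @records, \%rec;
    }
    return @records;
}

# One record -> [ $sql, \@bind ]. The column list is built only from
# %COLUMNS; every value travels as a '?' placeholder.
sub record_to_insert {
    my ($rec) = @_;
    my @cols = ('event_time');               # raw timestamp text (assumed column)
    my @bind = ($rec->{_timestamp});
    for my $attr (sort keys %COLUMNS) {
        next unless exists $rec->{$attr};
        push @cols, $COLUMNS{$attr};
        push @bind, $rec->{$attr};
    }
    my $sql = sprintf 'INSERT INTO %s (%s) VALUES (%s)',
        $TABLE, join(', ', @cols), join(', ', ('?') x @cols);
    return [$sql, \@bind];
}

# Constructed sample records (Radiator writes a tab before each attribute;
# leading spaces parse too). The second user name carries a quote on purpose.
my $sample = <<'END';
Mon Mar 20 10:15:01 2000
	User-Name = "alice"
	Acct-Status-Type = Stop
	Acct-Session-Id = "2A000001"
	NAS-IP-Address = 192.0.2.1
	Acct-Session-Time = 3600
	Acct-Input-Octets = 12345
	Calling-Station-Id = "0123456789"

Mon Mar 20 10:16:42 2000
	User-Name = "o'brien"
	Acct-Status-Type = Start
	Acct-Session-Id = "2A000002"
	NAS-IP-Address = 192.0.2.1
END

unless (caller) {
    for my $rec (parse_detail($sample)) {
        my ($sql, $bind) = @{ record_to_insert($rec) };
        print "$sql\n  bind: ", join(' | ', @$bind), "\n";
        # With DBI this would be: $dbh->do($sql, undef, @$bind);
    }
}
```

The second record shows why the bind parameters matter: a user name containing a quote is handed to the driver as data, where a string-built INSERT would either fail or be interpreted as SQL.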
Re: (RADIATOR) example hooks now available in the patches area (www.open.com.au/radiator/downloads/patches-2.15/hooks.txt)
Thanks Hugh! I'll have a look into this.

Do we add the 'Profile' attr to the dictionary or is that not necessary?

- Joost.
Re: (RADIATOR) Adding an AV pair with AddToRequest
Hi Andrew,

From memory, the arguments in the config file are read until end-of-line, so quotes shouldn't be necessary. On the other hand, it doesn't hurt using them. In most places, Radiator handles values with or without quotes but will usually quote them when printing them in logfiles etc.

- Joost.

Andrew Pollock wrote:
> Hi,
>
> If I add a string AV pair to a request packet with AddToRequest, do I need to put quotes around the string? e.g.
>
>     <AuthBy RADIUS>
>         AddToRequest NAS-Identifier=foo bar baz
>         # or
>         AddToRequest NAS-Identifier="foo bar baz"
>     </AuthBy RADIUS>
>
> Andrew
Re: (RADIATOR) Binding as 'admin' against LDAP
You could of course set up an account for a lookup user, which has rights to read only the username/passwd/check/reply attribs.

- Joost.

Hugh Irvine wrote:
> Hello Stephen -
>
> On Wed, 15 Mar 2000, Felicetti, Stephen A. wrote:
> > Hey guys,
> >
> > I'm authenticating against LDAP, and all is working fine. Here's the problem: in order for me to gain access to the password attribute, I must bind as the admin user. Is there any way to use a NON plain text password in the config file? I can create a non admin user account that can have access to the password attribute, but I would still want that password encrypted.
>
> The passwords in the Radiator configuration file are always in cleartext. You should probably lock down the access privileges to the file to readonly for the owner.
>
> regards
>
> Hugh
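Hugh's advice above (the config file holds the bind password in cleartext, so restrict it to the owner) is easy to state and easy to get wrong over time, for instance after a copy with default umask. The following is an added example of a check for that, not Radiator's code: it reports whether a file is owned by the uid radiusd runs as, whether group or others can read or write it, and whether the parent directory is world-writable without the sticky bit (which would let anyone swap the file). The demo writes a constructed `<AuthBy LDAP>` fragment to a temporary file and runs the check at mode 0644 and 0600; `AuthDN` and `AuthPassword` are the Radiator parameter names for the bind account, the values are made up.

```perl
#!/usr/bin/perl
# Added example: check that a config file holding a cleartext bind password
# is readable only by the user radiusd runs as. Not Radiator's code.
use strict;
use warnings;
use Fcntl ':mode';
use File::Basename qw(dirname);
use File::Temp qw(tempfile);

# Returns a list of problems; an empty list means the file looks locked down.
# $expect_uid is the uid radiusd runs as; it defaults to the effective uid
# of the process running this check.
sub config_file_problems {
    my ($path, $expect_uid) = @_;
    $expect_uid = $> unless defined $expect_uid;
    my @st = stat $path;
    return ("cannot stat $path: $!") unless @st;
    my ($mode, $uid) = @st[2, 4];
    my @problems;
    push @problems, "owner uid $uid is not the radiusd uid $expect_uid"
        if $uid != $expect_uid;
    push @problems, "group can read the file"  if $mode & S_IRGRP;
    push @problems, "others can read the file" if $mode & S_IROTH;
    push @problems, "group or others can write the file"
        if $mode & (S_IWGRP | S_IWOTH);
    # A world-writable parent directory without the sticky bit lets anyone
    # replace the file, which defeats the permissions on the file itself.
    my @dst = stat dirname($path);
    push @problems, "parent directory is world-writable"
        if @dst && ($dst[2] & S_IWOTH) && !($dst[2] & S_ISVTX);
    return @problems;
}

unless (caller) {
    # Constructed demo file; a real check would be pointed at radius.cfg.
    my ($fh, $path) = tempfile(UNLINK => 1);
    print $fh "<AuthBy LDAP>\n\tAuthDN cn=radius-lookup,o=example\n\tAuthPassword secret\n</AuthBy>\n";
    close $fh;
    for my $mode (0644, 0600) {
        chmod $mode, $path or die "chmod: $!";
        my @p = config_file_problems($path);
        printf "mode %04o: %s\n", $mode, @p ? join('; ', @p) : 'ok';
    }
}
```

At 0644 the check reports group and world read access; at 0600 it reports nothing. Combined with Joost's suggestion of a lookup account that can read only the attributes Radiator needs, the cleartext password then exposes as little as possible even if the file does leak.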
Re: Fw: (RADIATOR) Problem with AddToReplyIfNotIncluded
Steven,

As Hugh mentioned earlier, the AddToReplyIfNotIncluded directive takes the list of parameters passed to it and looks at your reply packet. It takes the first attrib from the list and looks for it in the reply packet; it finds no Ascend-Data-Filter attribute and thus adds the attribute. It then takes the second parameter from the list (another Ascend-Data-Filter) and looks for it in the reply packet. It finds the Ascend-Data-Filter that was added just before and thus doesn't add any further Ascend-Data-Filter attribs.

Solution: patch the code to allow multiple Ascend-Data-Filter attribs if you add one, OR add a directive AddFilterToReplyIfNotIncluded which does exactly this.

Your first mail on this subject caught my attention as I wanted to use this solution for a new customer. As you found, it doesn't work and I'm looking at modifying the code to support the latter solution. It isn't that much work, it just needs to be done and to be tested, and my todo list is long enough already. I'll send the patch to the list when I get around to that item on my list.

- Joost.

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authenticating against groups in LDAP
LOL! This is of course wishful thinking. With a little effort and perl/Radiator knowledge it shouldn't be too hard to add this or the LDAP group support to the Radiator code. You could probably use a pre- or postAuthHook but it would be much nicer to use the already existing LDAP connection/query in the Radiator code.

- Joost.

> Can you clarify something for me? Is the 'RequireAttrValue usertype,radiususer' an actual attribute you can add to the config file, or is it just a wishful thinking idea? :)
>
> I'm feeling a little silly right now, seeing that it's a Friday afternoon, and I can't find this in any documentation, and Radiator complains when I try to use it :(
>
> Thank god it's the weekend.
>
> Thanks,
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joost Stegeman
> Sent: Friday, February 25, 2000 12:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Authenticating against groups in LDAP
>
> > Hi Stephen,
> >
> > Radiator currently cannot use LDAP groups or my definition of capabilities. It would be relatively easy to add a directive like
> >
> >     RequireAttrValue usertype,radiususer
> >
> > which would require that, apart from a matching password and other check-items, the user to be authenticated has an attribute "usertype" with value "radiususer".
> >
> > This will probably start the everlasting discussion on how to implement groups in LDAP, but I think it would be relatively easy to add 'capabilities' to users and extend Radiator to use these. By a capability I mean the example above: an attribute defining to which 'group' a user belongs, or what this user is allowed or not. I like this setup because you can change just one attribute on a user to give him or her more or less capabilities.
> >
> > Of course, full blown group support could be done, and it probably should. It's typical for LDAP servers to have groups.
> >
> > - Joost.
Re: (RADIATOR) Authenticating against groups in LDAP
Hi Stephen,

Radiator currently cannot use LDAP groups or my definition of capabilities. It would be relatively easy to add a directive like

    RequireAttrValue usertype,radiususer

which would require that, apart from a matching password and other check-items, the user to be authenticated has an attribute "usertype" with value "radiususer".

This will probably start the everlasting discussion on how to implement groups in LDAP, but I think it would be relatively easy to add 'capabilities' to users and extend Radiator to use these. By a capability I mean the example above: an attribute defining to which 'group' a user belongs, or what this user is allowed or not. I like this setup because you can change just one attribute on a user to give him or her more or less capabilities.

Of course, full blown group support could be done, and it probably should. It's typical for LDAP servers to have groups.

- Joost.
Re: (RADIATOR) Perl version and OS version will cause problem?
Jason,

We're using Radiator 2.11 with some enhancements under perl 5.00404 on Solaris 2.6. I upgraded perl to 5.00503 two weeks ago and apart from a memory leak (probably related to AuthLDAP with OpenLDAP libs) there are no problems. I plan to upgrade to 2.15 in the next two weeks and will change to AuthLDAP2 to check if the memory leak is related to the OpenLDAP libs or Net::LDAPapi 1.42.

Our test setup runs Solaris 2.6 with 2.24.1 with latest patches (effectively 2.15?) and shows no problems, though it is not under load.

- Joost.

> Joost,
>
> Thanks for providing information. I have tried your way to install new perl in /opt but it still does not work. Now I really suspect it is not perl's version which causes the problem. Could you tell me what is the OS of your machine?
>
> Jason
>
> > Jason,
> >
> > I have the same problems with upgrading perl in our operational environment. I therefore installed a new version of perl in /opt (we do everything there) especially for Radiator. Then edit radiusd and radpwtst to use this new perl binary and everything should work, provided you also pay attention to the PERL5LIB environment var to include only 'new perl ready' paths.
> >
> > - Joost.
> >
> > > Hi Hugh,
> > >
> > > Thanks for providing information for my question. I know I had better build a newer perl on my target machine but there are some practical reasons which forbid me to do so. Is it recommendable to compile and run the radius server against a new version of perl, say /usr/local/bin/perl5.00503, instead of the default /usr/local/bin/perl which is a problematic 5.00404 version? I have tried this approach but it failed. I found that radiusd is hardcoded to use /usr/local/bin/perl. However, even though I change the radiusd script to use /usr/local/bin/perl5.00503, the radius server still manifests the same odd behaviors. Should I continue to work on this approach? Has this approach ever been worked out successfully?
> > >
> > > Jason
> > >
> > > On Sun, 20 Feb 2000, Hugh Irvine wrote:
> > > > Hello Jason -
> > > >
> > > > On Sun, 20 Feb 2000, Jason Kao wrote:
> > > > > Hi,
> > > > >
> > > > > I am using Radiator-2.14.1, SunOS 5.7 Generic_106541-04 sun4u sparc SUNW,Ultra-1 and perl version 5.005_02 built for sun4-solaris-thread. The Radius server runs well.
> > > > >
> > > > > I run the Radius on the production machine which has an older perl and OS: SunOS 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-Enterprise, perl version 5.004_04 built for sun4-solaris. The radius starts manifesting very odd behaviors in my production machine which has perl 5.004_04 and SunOS 5.6. Are there any problems that the perl's version and OS's version might cause?
> > > >
> > > > We have seen many problems caused by exactly this. You are always better to build the latest stable version of Perl on your target machine and then install everything else from scratch. The latest stable version of Perl on www.perl.com is Perl 5.005_03.
> > > >
> > > > regards
> > > >
> > > > Hugh
Re: (RADIATOR) Problem with AddToReplyIfNotIncluded
Hi Steven, You have uncovered a bug here, that is triggered by white space before an attribute name in an AddToReplyIfNotExist. We have fixed that for the next release. Thanks for reporting it. All the same, Radiator is only going to add the first Ascend-Data-Filter in your AddToReplyIfNotExist, since when it looks at the second one, it will find there is already an Ascend-Data-Filter in the reply, and decline to add it and all the following ones. Hmm, seems I have some hacking to do. I planned to use this next week for this new customer. I'll have a look. Too bad Ascend filters always come in pairs (or more). I have patched AuthLDAP.pm to be able to just supply a filter name, instead of the whole lot of AV pairs. AuthLDAP.pm now uses this name to lookup the filter definition in a file and then reply_parse's this filter def. in the reply packet. Very neat, makes changing filters so much easier. I'll send in the patch this week. - Joost. Hope that helps Cheers. On Feb 22, 4:31pm, Steven Ames wrote: Subject: (RADIATOR) Problem with AddToReplyIfNotIncluded I want to add a filter to the authentication reply. This filter will only go to Ascend TNT so the syntax here is correct. This works fine as a 'replyitem' on individual accounts but I cannot get it to be included across the board. What I'm trying to do is: AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 204.120.165.33", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward" I'm only seeing the 1st part of the filter in the reply packet and then an ERR in the log file saying the rest is a bad A/V pair. Are the quotes confusing things? Radiator version 1.14.1 (just downloaded 1.15 to put into my test environment) -Steve === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. 
-- End of excerpt from Steven Ames --

Mike McCauley                              [EMAIL PROTECTED]
Open System Consultants Pty. Ltd           Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia  http://www.open.com.au
Phone +61 3 9598-0985                      Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Perl version and OS version will cause problem?
Jason,

I have the same problems with upgrading perl in our operational environment. I therefore installed a new version of perl in /opt (we do everything there) especially for Radiator. Then edit radiusd and radpwtst to use this new perl binary and everything should work, provided you also pay attention to the PERL5LIB environment var to include only 'new perl ready' paths.

- Joost.

Hi Hugh,

Thanks for providing information for my question. I know I had better build a newer perl on my target machine but there are some practical reasons which forbid me to do so. Is it recommendable to compile and run radius server against a new version of perl, say /usr/local/bin/perl5.00503, instead of the default /usr/local/bin/perl which is a problematic 5.00404 version? I have tried this approach but it failed. I found that radiusd is hardcoded to use /usr/local/bin/perl. However even though I change the radiusd script to use /usr/local/bin/perl5.00503, the radius server still manifests the same odd behaviors. Should I continue to work on this approach? Has this approach ever been worked out successfully?

Jason

On Sun, 20 Feb 2000, Hugh Irvine wrote:

Hello Jason -

On Sun, 20 Feb 2000, Jason Kao wrote:

Hi, I am using Radiator-2.14.1, SunOS 5.7 Generic_106541-04 sun4u sparc SUNW,Ultra-1 and perl version 5.005_02 built for sun4-solaris-thread. Radius server runs well. I run the Radius on the production machine which has older perl and OS: SunOS 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-Enterprise, perl version 5.004_04 built for sun4-solaris. The radius starts manifesting very odd behaviors in my production machine which has perl 5.004_04 and SunOS 5.6. Are there any problems that the perl version and OS version might cause?

We have seen many problems caused by exactly this. You are always better to build the latest stable version of Perl on your target machine and then install everything else from scratch. The latest stable version of Perl on www.perl.com is Perl 5.005_03.

regards

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: SV: (RADIATOR) Auth by Java Class
Hi Christopher,

Why don't you use secure LDAP, that's what it's there for! Radiator supports secure LDAP and it's the easiest way of doing it IMO. By the way, the SSL connection stays up until the connection is lost, so there is no extra handshake overhead for every request (except for the encryption). I think Stuart's remark about tunneling over SSH resulting in less overhead isn't valid. Worse, when your SSH tunnel goes down, you need to get it up somehow. SSL is incorporated in the LDAP client and the connection is brought up automatically. For openssl there should be patches, Netscape's LDAP SDK ships with the SSL libraries and several other LDAP servers can work with SSL too.

- Joost.

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Feature request ?
Me too! To be honest, I would really like to be able to log messages to a different file for every realm/handler. We're reselling ports and this way I could show the (relevant) errors to our customers on a webpage. They could do some more "selfcare" and wouldn't bother our helpdesk as much. Of course the uid would be very important too. I could probably build a filter on those in the meantime.

- Joost.

In the radiator log file for trace level 3 it would be nice if on a failed connect the caller-id is also logged to the radiator.log file :-)

Gary

---
Ausmail Your virtual home on the net. Email, News Home pages.
--- Coming soon !!

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Unsecure permissions on logfiles
I am running radiator 2.14 on Solaris 2.6. It is started from /etc/inittab and thus runs with a umask of 000. All log and accounting files are created with mode 666. Is there a way to set the mode on the logfiles other than wrapping radiator in a shell script and setting umask in that script ??

Edit the code ;-) Use the source Luke !

- Joost.

TIA
Paul

--
Paul van der Zwan paulz @ trantor.xs4all.nl
"I think I'll move to theory, everything works in theory..."

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
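An added example (my code, not Radiator's) of what "edit the code" amounts to for the log-file problem above: create log and accounting files with an explicit mode and tighten an already existing file with fchmod, so a umask of 000 inherited from init cannot leave them world-writable. It is written in Python as a stand-alone demonstration; Radiator itself is Perl and would use the equivalent sysopen and chmod calls. The file names, the 0640 mode and the log line written are this example's own choices.

```python
"""Added example (not Radiator code): create log files so that a umask of
000 inherited from init cannot leave them world-writable."""
import os
import stat
import tempfile

LOG_MODE = 0o640  # owner rw, group r, world nothing (this example's choice)


def open_log_safely(path, mode=LOG_MODE):
    """Open *path* for appending with permissions no wider than *mode*.

    os.open() takes an explicit creation mode, which the umask can only
    narrow, never widen; os.fchmod() then tightens a file that already
    existed with a looser mode (the 666 files already on disk).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.fchmod(fd, mode)
    return os.fdopen(fd, "a")


def file_mode(path):
    """Permission bits of *path* as an int, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_modes(directory):
    """Under a simulated umask of 000, create one file with plain open()
    and one with open_log_safely(); return (naive_mode, safe_mode)."""
    saved = os.umask(0)            # what a process started from inittab gets
    try:
        naive = os.path.join(directory, "radiator-naive.log")
        with open(naive, "a") as fh:   # default creation mode 666, umask 000
            fh.write("Fri Feb 25 12:00:00 2000: INFO: constructed line\n")
        safe = os.path.join(directory, "radiator-safe.log")
        with open_log_safely(safe) as fh:
            fh.write("Fri Feb 25 12:00:00 2000: INFO: constructed line\n")
        return file_mode(naive), file_mode(safe)
    finally:
        os.umask(saved)


def run_demo():
    """Run compare_modes() in a throwaway directory; returns the two modes."""
    with tempfile.TemporaryDirectory() as d:
        return compare_modes(d)


if __name__ == "__main__":
    naive_mode, safe_mode = run_demo()
    print("plain open() under umask 000:  %s" % oct(naive_mode))
    print("open_log_safely():             %s" % oct(safe_mode))
```

Setting the umask inside the daemon at start-up would fix new files only; the fchmod on the open descriptor is what brings the files that were already created as 666 back into line without a separate chmod pass.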
Re: (RADIATOR) POP3 Authentication Using Radius
Having got Radiator/Radmin setup and running, I would like to move over to doing all of my authentication from the Radmin database. The main problem at the moment is that my qpopper POP3 server authenticates using the shadow password file on my Redhat 6.0 Linux server. Before I destroy next weekend in a frenzy of hacking, can someone tell me if there already exists a patch to allow a POP server to authenticate using Radius? (Ditto for IMAP)

Regards.
Paul

There are several such solutions, check the IMAP and POP newsgroups.

- Joost.

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AuthBy LDAP2 works only once ...
Hi Mike,

== From: Mike McCauley

I have had a report of something similar for one kind of LDAP server. Apparently what happens is that that type of LDAP server closes the TCP connection after a timeout of a few minutes, whereas Radiator expects the connection to stay up.

I have problems even if I perform two authentications within a few seconds.

What type of LDAP server do you have? Can you confirm whether you are seeing similar behaviour?

I'm using an LDAP server which comes with the Imail server 5.0.3 for this. Some info about this is at http://www.ipswitch.com/products/imail_server/openstandards.html

Somebody using this LDAP server successfully in combination with radiator??

We're using the AuthLDAP module. Maybe you should change to this older module. We have had no problems using the Netscape Directory Server and the OpenLDAP server. Connections stay up as they should. IMHO this is the preferred way, as it reduces the rather large overhead of setting up a new connection and binding etc for every new connection.

- Joost.

Joost Stegeman
Internet Service Unit
KPN Telecom

-Wim

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) LDAP Request
Hugh,

I'm not sure your suggestion to define multiple CheckAttr and ReplyAttr fields in the LDAP config works in Radiator 2.14.1. It doesn't work in 2.11 for sure. Maybe you mean that multiple attribute values in the LDAP directory are concatenated with commas? From AuthLDAP.pm, line 274:

    elsif ($attr eq lc $self->{CheckAttr})
    {
        # This is the attribute with check items in it
        $user->get_check->parse(join ',', @vals);
    }
    elsif ($attr eq lc $self->{ReplyAttr})
    {
        # This is the attribute with reply items in it
        $user->get_reply->parse(join ',', @vals);
    }

Here I see the $attr's from the LDAP query being checked against a single value in the configuration tree. This, and my tests with 2.11, lead me to believe your suggestion is not correct. I really like the idea from Steven Ames, who built some patches which make the configuration much like the SQL configuration. Any other thoughts, am I wrong?

- Joost.

Hello Steven -

On Fri, 29 Oct 1999, Steven Ames wrote:

Would it be possible to modify the AuthLDAP modules so that instead of (or in addition to, to maintain backward compatibility) having a single attribute that holds all of the reply items we can instead set things up more like the SQL modules? What I mean is under SQL you can do things like:

    AuthColumnDef 2, Session-Timeout, reply

saying that the column 2 attribute is a reply item and should be combined with 'Session-Timeout' to create 'Session-Timeout = X'. Under LDAP the same thing could apply:

    LDAPAttribute, netmask, Framed-IP-Netmask, reply

stating that there is an LDAP attribute called 'netmask' which should be used as the value for the reply string 'Framed-IP-Netmask'. That'd make things so much cleaner in my LDAP databases, ditto with check items :)

You can already do this simply by putting multiple CheckAttr and ReplyAttr lines in your configuration file. The only caveat is that each LDAP field must contain the complete attribute=value pair.

    <Handler>
        <AuthBy LDAP>
            CheckAttr ServiceType        # contains Service-Type = Framed-User
            CheckAttr
            ReplyAttr ServiceType        # contains Service-Type = Framed-User
            ReplyAttr FramedIPAddress    # Framed-IP-Address = x.x.x.x
            ReplyAttr FramedIPNetmask    # Framed-IP-Netmask = y.y.y.y
            ReplyAttr
        </AuthBy>
    </Handler>

See Section 6.30.10 and 6.30.11 in the Radiator 2.14.1 reference manual.

hth

Hugh

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
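An added example (my code, not Radiator's) that models two things discussed on this page: the AddToReplyIfNotIncluded thread above (the leading-whitespace parse bug, and why only the first of Steve's four Ascend-Data-Filter items reaches the reply) and this LDAP thread (the comma-join of multi-valued attributes in the AuthLDAP.pm fragment, beside the per-attribute mapping Steven proposed). It is a simplified Python model rather than Radiator's real parser; the regex, the function names, the per-attribute variant of the "if not exist" rule, and the constructed LDAP entries and attribute names (RadiusCheck, RadiusReply, ServiceType, netmask) are this example's own.

```python
"""Added example, not Radiator code: a model of the check/reply item
handling discussed in the AddToReplyIfNotIncluded thread and in this LDAP
thread.  The regex, function names, sample strings and LDAP attribute
names (RadiusCheck, RadiusReply, ServiceType, netmask) are this
example's own."""
import re

# One item: optional leading white space, a name, '=', then either a
# double-quoted value (may contain commas, spaces and '=') or a bare
# value running up to the next comma.  Accepting the leading white space
# is the fix for the bug Mike describes: ' Ascend-Data-Filter=...' must
# not be reported as a bad A/V pair.
_ITEM_RE = re.compile(
    r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')

# Steve's filter list, verbatim, including the space before the third item.
STEVE_FILTERS = ('Ascend-Data-Filter="ip in forward tcp est",'
                 'Ascend-Data-Filter="ip in forward dstip 204.120.165.33",'
                 ' Ascend-Data-Filter="ip in drop tcp dstport=25",'
                 'Ascend-Data-Filter="ip in forward"')


def parse_items(text):
    """Split 'A = v, B="w"' into [('A', 'v'), ('B', 'w')]; ValueError on junk."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _ITEM_RE.match(text, pos)
        if not m:
            raise ValueError("bad A/V pair near %r" % text[pos:pos + 24])
        name, quoted, bare = m.groups()
        items.append((name, quoted if quoted is not None else bare))
        pos = m.end()
    return items


def add_to_reply_if_not_exist(reply, items):
    """Model of AddToReplyIfNotExist as Mike describes it: an item is
    skipped as soon as an attribute of the same name is in the reply, so
    of four Ascend-Data-Filter items only the first is added."""
    for name, value in items:
        if not any(n == name for n, _ in reply):
            reply.append((name, value))
    return reply


def add_to_reply_attr_if_not_exist(reply, items):
    """Variant (this example's proposal, not Radiator's behaviour): decide
    per attribute name against the reply as it was before, so a repeated
    attribute such as Ascend-Data-Filter is added as a complete set."""
    present = {n for n, _ in reply}
    for name, value in items:
        if name not in present:
            reply.append((name, value))
    return reply


def items_from_ldap_entry(entry, check_attr, reply_attr):
    """Model of the AuthLDAP.pm fragment quoted above: one LDAP attribute
    holds whole check-item lists, another whole reply-item lists, and
    multiple values of that attribute are joined with ',' and parsed as
    one list.  *entry* maps lower-case LDAP attribute names to value lists."""
    check = parse_items(",".join(entry.get(check_attr.lower(), [])))
    reply = parse_items(",".join(entry.get(reply_attr.lower(), [])))
    return check, reply


def items_from_ldap_mapping(entry, mapping):
    """The per-attribute scheme Steven asks for: *mapping* lists
    (ldap_attr, radius_attr, 'check'|'reply') triples and every LDAP value
    becomes one 'radius_attr = value' item, so the directory never has to
    store the RADIUS attribute name itself."""
    check, reply = [], []
    for ldap_attr, radius_attr, kind in mapping:
        for value in entry.get(ldap_attr.lower(), []):
            (check if kind == "check" else reply).append((radius_attr, value))
    return check, reply


# Constructed sample entries for the two schemes (not real directory data).
ENTRY_LISTS = {
    "radiuscheck": ["Service-Type = Framed-User"],
    "radiusreply": ['Framed-IP-Netmask = 255.255.255.0',
                    'Ascend-Data-Filter="ip in forward tcp est"'],
}
ENTRY_MAPPED = {"servicetype": ["Framed-User"], "netmask": ["255.255.255.0"]}
MAPPING = [("ServiceType", "Service-Type", "check"),
           ("netmask", "Framed-IP-Netmask", "reply")]

if __name__ == "__main__":
    items = parse_items(STEVE_FILTERS)
    print("parsed %d filter items" % len(items))
    print("if-not-exist keeps:", add_to_reply_if_not_exist([], items))
    print("per-attribute keeps:", add_to_reply_attr_if_not_exist([], items))
    print(items_from_ldap_entry(ENTRY_LISTS, "RadiusCheck", "RadiusReply"))
    print(items_from_ldap_mapping(ENTRY_MAPPED, MAPPING))
```

The security point worth checking in your own setup is the one Mike makes: with the first-match rule, Steve's "ip in drop tcp dstport=25" rule is silently never sent, so the NAS applies a weaker filter than the configuration reads as if it applied. Inspecting the reply packet (or a trace of it) rather than the config file is the only way to confirm which filters actually reach the NAS.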