(RADIATOR) How to refuse a call based on Called-Statio-ID (aka DNIS) on MAX TNT
Title: Message Hi Folks, This isn't a radiator specific question but should be of general interest: We have a need where in certain emergencies, we need to block/refuse/busy a call which is in-coming on our MAX TNT. We don't want the go through the process of having the RAS send a access-request to our Radiator process, and then we refuse the call based on the Called-Station-ID attribute. We want to do this as the call is in the process of establishing. Is there something in the MAX which allows this to be done? thanks, mahesh
RE: (RADIATOR) Xeon procs and session DB.
A technique we are experimenting with is to use a load balancer before the radiusd processes. We setup a dual proc system with two IP addresses. Then we run two radiusd processes where each process is bound to a one of the IP addresses. Then the load balancer (foundry server iron) is configured to load balance between the two IP addresses. However, since we can do port based load balancing, we direct ACCT to one I and AUTH to the other IP. By adding additional systems with a similar config, we can direct ACCT/AUTH to the different systems without having to modify any config files. mahesh -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 5:33 PM To: Wesley Hof Cc: [EMAIL PROTECTED] Subject: Re: (RADIATOR) Xeon procs and session DB. Hello Wesley - The simplest way to make use of dual processors is to run two instances of radiusd, one for authentication and the other for accounting. You can use different databases for sessionDB and accounting by setting the DBSource lines in each clause appropriately. regards Hugh On 16/12/2003, at 10:23 PM, Wesley Hof wrote: Hi list, I have 2 questions. 1) Radiator is based on perl, so I suppose that dual-proc machines don't have any purpose ? What about a machine with a xeon proc ? 2) Is the sessionDB split-up from the accounting DB? Thanks. W. -- (o_ Wesley Hof //\ UNIX System Engineer V_/_ UNInet ))) A Scarlet Company === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. - CATool: Private Certificate Authority for Unix and Unix-like systems. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) NULL usernames in Radius Packets
Just a followup. We indeed were ignoring those types of packets since we don't have a handler where username is NULL (we check based on realms). So we added: Handler RejectHasReason AuthBy INTERNAL DefaultResult REJECT AcctResult ACCEPT /AuthBy /Handler And this seems to have helped. From what I can tell, others have also had problems with TNT sending NULL usernames. Thanks again, mahesh -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 01, 2003 10:27 PM To: Mahesh Neelakanta Cc: [EMAIL PROTECTED] Subject: Re: (RADIATOR) NULL usernames in Radius Packets Hello Mahesh - Yes it does look like the NAS has been trying to send this accounting for a long time. What does the trace 4 debug from Radiator show? Perhaps your configuration file is not processing the request and it is simply being being ignored and retried forever. regards Hugh On Thursday, Oct 2, 2003, at 02:20 Australia/Melbourne, Mahesh Neelakanta wrote: Elias and Hugh, Thanks for your responses. We had though about this but what we are getting is a Start Accounting packet (captured from radstock): NAS-IP-Address Len 6 XX.XX.XX.XX NAS-Port-IdLen 6 111 NAS-Port-Type Len 6 Async Acct-Status-Type Len 6 Start Acct-Delay-TimeLen 6 75841 Acct-Session-IdLen 12 432625102* Acct-Authentic Len 6 Local Idle-Timeout Len 6 0 Ascend-Modem-PortNoLen 6 21 Ascend-Modem-SlotNoLen 6 7 Ascend-Modem-ShelfNo Len 6 1 Calling-Station-Id Len 12 2122859024 Called-Station-Id Len 6 What is strange is the Acct-Autentic (Local?) and the Acct-Delay-Time (over 21 hours). We believe this is definitely a local RAS issue but are not sure what it could be. It's almost as if the RAS has a HUGE backlog of old accounting which it is trying to re-send but only sends a portion of the full information. We did set acct-drop-stop-on-auth-fail = no to no avail. mahesh -Original Message- From: Elias [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 30, 2003 11:10 PM To: Mahesh Neelakanta Cc: Hugh Irvine Subject: Re: (RADIATOR) NULL usernames in Radius Packets *** Your mail has been scanned by TMnet VirusWall. *** Hi Mahesh, We've had the same thing happen to us before. Its actually a configuration on the tnt boxes. If I remember correctly it will send an Stop accounting packet with a blank username if the line gets dropped prematurely (before a proper connection gets established). - Elias - - Original Message - From: Hugh Irvine [EMAIL PROTECTED] To: Mahesh Neelakanta [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, October 01, 2003 6:41 AM Subject: Re: (RADIATOR) NULL usernames in Radius Packets *** Your mail has been scanned by TMnet VirusWall. *** Hello Mahesh - Unless you are using a RewriteUsername, Radiator does not do anything with the username. I suspect that the NAS is sending an empty username, but without seeing a copy of your configuration file (no secrets) and a trace 4 debug from Radiator showing what is happening it is not possible to say any more. regards Hugh On Wednesday, Oct 1, 2003, at 07:02 Australia/Melbourne, Mahesh Neelakanta wrote: Hello, We are seeing the following error in radiator.log: Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS) values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003 16:56:20', 'DD MM HH24:MI:SS'), '','Async', '','2126823450','5000')': ORA-01400: cannot insert NULL into (RADIUS.RADONLINE.USERNAME) (DBD ERROR: OCIStmtExecute) From what we can tell, the RAS XX.XX.XX.XX is sending us start or stop packets with no username. Is there something in the configuration (on the radiator side or the ras, which is a lucent tnt) which could cause this. My guess is that it is a RAS issue but we are not sure what/why this is occuring. mahesh === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence
RE: (RADIATOR) NULL usernames in Radius Packets
Elias and Hugh, Thanks for your responses. We had though about this but what we are getting is a Start Accounting packet (captured from radstock): NAS-IP-Address Len 6 XX.XX.XX.XX NAS-Port-IdLen 6 111 NAS-Port-Type Len 6 Async Acct-Status-Type Len 6 Start Acct-Delay-TimeLen 6 75841 Acct-Session-IdLen 12 432625102* Acct-Authentic Len 6 Local Idle-Timeout Len 6 0 Ascend-Modem-PortNoLen 6 21 Ascend-Modem-SlotNoLen 6 7 Ascend-Modem-ShelfNo Len 6 1 Calling-Station-Id Len 12 2122859024 Called-Station-Id Len 6 What is strange is the Acct-Autentic (Local?) and the Acct-Delay-Time (over 21 hours). We believe this is definitely a local RAS issue but are not sure what it could be. It's almost as if the RAS has a HUGE backlog of old accounting which it is trying to re-send but only sends a portion of the full information. We did set acct-drop-stop-on-auth-fail = no to no avail. mahesh -Original Message- From: Elias [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 30, 2003 11:10 PM To: Mahesh Neelakanta Cc: Hugh Irvine Subject: Re: (RADIATOR) NULL usernames in Radius Packets *** Your mail has been scanned by TMnet VirusWall. *** Hi Mahesh, We've had the same thing happen to us before. Its actually a configuration on the tnt boxes. If I remember correctly it will send an Stop accounting packet with a blank username if the line gets dropped prematurely (before a proper connection gets established). - Elias - - Original Message - From: Hugh Irvine [EMAIL PROTECTED] To: Mahesh Neelakanta [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, October 01, 2003 6:41 AM Subject: Re: (RADIATOR) NULL usernames in Radius Packets *** Your mail has been scanned by TMnet VirusWall. *** Hello Mahesh - Unless you are using a RewriteUsername, Radiator does not do anything with the username. I suspect that the NAS is sending an empty username, but without seeing a copy of your configuration file (no secrets) and a trace 4 debug from Radiator showing what is happening it is not possible to say any more. regards Hugh On Wednesday, Oct 1, 2003, at 07:02 Australia/Melbourne, Mahesh Neelakanta wrote: Hello, We are seeing the following error in radiator.log: Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS) values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003 16:56:20', 'DD MM HH24:MI:SS'), '','Async', '','2126823450','5000')': ORA-01400: cannot insert NULL into (RADIUS.RADONLINE.USERNAME) (DBD ERROR: OCIStmtExecute) From what we can tell, the RAS XX.XX.XX.XX is sending us start or stop packets with no username. Is there something in the configuration (on the radiator side or the ras, which is a lucent tnt) which could cause this. My guess is that it is a RAS issue but we are not sure what/why this is occuring. mahesh === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) NULL usernames in Radius Packets
Hello, We are seeing the following error in radiator.log: Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS) values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003 16:56:20', 'DD MM HH24:MI:SS'), '','Async', '','2126823450','5000')': ORA-01400: cannot insert NULL into (RADIUS.RADONLINE.USERNAME) (DBD ERROR: OCIStmtExecute) From what we can tell, the RAS XX.XX.XX.XX is sending us start or stop packets with no username. Is there something in the configuration (on the radiator side or the ras, which is a lucent tnt) which could cause this. My guess is that it is a RAS issue but we are not sure what/why this is occuring. mahesh === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) AddToReply Usage
Thanks Hugh. Will this Reply-Message also match the %1 from the FailureFormat of the AuthLOG? The reason is that in our Radiator (2.19), %1 should print Request Denied but does not. mahesh -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED] Sent: Saturday, September 13, 2003 6:43 PM To: Mahesh Neelakanta Cc: [EMAIL PROTECTED] Subject: Re: (RADIATOR) AddToReply Usage Hello Mahesh - You can use the RejectHasReason in your Realm or Handler clause. See section 6.16.23 in the Radiator 3.6 reference manual (doc/ref.html). regards Hugh On Sunday, Sep 14, 2003, at 00:27 Australia/Melbourne, Mahesh Neelakanta wrote: Hello from Sunny South Florida, USA, I have a pretty simple question: We want to add the attribute Reply-Message only when we reject a connection. For example if we have a handler: AuthBy GROUP Identifier Test_Group AuthByPolicy ContinueUntilReject AuthBy Auth_1 AuthBy Radius_2 AuthBy File_1 AuthBy SQL_1 /AuthBy AuthBy FILE Identifier FILE_1 Filename %D/users.txt /AuthBy AuthBy RADIUS Identifier RADIUS_1 Host XX Secret X Retries 10 RetryTimeout 15 /AuthBy . . . In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group, I need to append Reply-Message only when we are going to reject the AUTH. Thanks, mahesh === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) AddToReply Usage
Hello from Sunny South Florida, USA, I have a pretty simple question: We want to add the attribute Reply-Message only when we reject a connection. For example if we have a handler: AuthBy GROUP Identifier Test_Group AuthByPolicy ContinueUntilReject AuthBy Auth_1 AuthBy Radius_2 AuthBy File_1 AuthBy SQL_1 /AuthBy AuthBy FILE Identifier FILE_1 Filename %D/users.txt /AuthBy AuthBy RADIUS Identifier RADIUS_1 Host XX Secret X Retries 10 RetryTimeout 15 /AuthBy . . . In the RADIUS_1 or FILE_1 (or perhaps better still in Test_Group, I need to append Reply-Message only when we are going to reject the AUTH. Thanks, mahesh === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Default AuthLOG for all Handler's
Title: Message Is there a way to enable all handlers to usea single AuthLOG? I.e. we have many, many handlers and need to log success/failures to find out if we are failing authentications. However, we want to avoid having to code this into each handler. thanks, mahesh ps. quick dirty fixes are accepted :-)
RE: (RADIATOR) Default AuthLOG for all Handler's
Title: Message Thanks Hugh. This is what we started doing. However, having to put the "AuthLog SQLAuthLog" into each handler would be too much (we have over 1000) to do by hand. What I was hoping for is a "global" AuthLog entry which would do it for all handlers, etc. mahesh -Original Message-From: Hugh Irvine [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 10:24 PMTo: Mahesh NeelakantaCc: [EMAIL PROTECTED]Subject: Re: (RADIATOR) Default AuthLOG for all Handler's Hello Mahesh - You can use an Identifier in your AuthLog clause, then refer to it as follows: AuthLog SQL Identifier SQLAuthLog . /AuthLog Handler . AuthLog SQLAuthLog . /Handler See section 6.49 in the Radiator 3.6 reference manual ("doc/ref.html"). NB - this same technique can also be used with AuthBy clauses, SessionDatabase clauses, etc. regards Hugh On Wednesday, Aug 20, 2003, at 23:51 Australia/Melbourne, Mahesh Neelakanta wrote: Is there a way to enable all handlers to usea single AuthLOG? I.e. we have many, many handlers and need to log success/failures to find out if we are failing authentications. However, we want to avoid having to code this into each handler. thanks, mahesh ps. quick dirty fixes are accepted :-) NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.