Re: [RADIATOR] Radiator and Load Balancer

2016-08-01 Thread Robert Blayzor
This may be the case now, but pretty sure we went down this road YEARS ago and 
even with BindAddress, packets were still being sourced from the main IP 
address. In the mailing list archives this argument may exist. I vaguely 
remember being told by Hugh that it was not possible in Perl at the time to 
choose the source address to respond from.

Again, not arguing that now; just saying what we ran into in the past.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu




> On Jul 29, 2016, at 6:17 AM, Heikki Vatiainen  wrote:
> 
> When BindAddress is configured, a socket is created and bound for each 
> address defined by BindAddress. In this case the source address of a 
> reply is the specific non-wildcard address the socket was bound to.
> 
> In short: BindAddress can be useful on multi homed hosts. However, if IP 
> addresses are added and removed dynamically, this can cause problems 
> because the addresses are now part of the Radiator configuration too.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
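
The binding behaviour described in Heikki's quoted reply, as an added example that is not part of the original thread and is not Radiator code: a UDP server bound to one specific address replies from that address, while a wildcard-bound server lets the kernel choose the source. The addresses, port and helper names are constructed for the demo, which assumes a Linux host where all of 127.0.0.0/8 is local.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator code. Compares the source address of a UDP
# reply when the server socket is bound to one address versus the wildcard.
# Assumes Linux, where every 127.0.0.0/8 address is local without extra setup.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
use Socket qw(pack_sockaddr_in unpack_sockaddr_in inet_aton inet_ntoa);

my $SERVICE_ADDR = '127.0.0.2';  # constructed stand-in for the load-balanced VIP
my $CLIENT_ADDR  = '127.0.0.1';  # constructed stand-in for the NAS
my $PORT         = 18120;        # arbitrary unprivileged port for the demo

# Wait up to two seconds for a datagram; return (payload, packed sender address).
sub read_datagram {
    my ($sock, $who) = @_;
    IO::Select->new($sock)->can_read(2)
        or die "$who: timed out waiting for a datagram\n";
    my $payload = '';
    my $sender  = $sock->recv($payload, 512);
    defined($sender) or die "$who: recv failed: $!\n";
    return ($payload, $sender);
}

# Send one request to $SERVICE_ADDR through a server bound to $bind_addr and
# return the source address of the reply as the client sees it.
sub reply_source {
    my ($bind_addr) = @_;
    my $server = IO::Socket::INET->new(
        Proto => 'udp', LocalAddr => $bind_addr, LocalPort => $PORT, ReuseAddr => 1,
    ) or die "cannot bind server to $bind_addr:$PORT: $!\n";
    my $client = IO::Socket::INET->new(
        Proto => 'udp', LocalAddr => $CLIENT_ADDR,
    ) or die "cannot bind client to $CLIENT_ADDR: $!\n";

    my $dest = pack_sockaddr_in($PORT, inet_aton($SERVICE_ADDR));
    defined($client->send('request', 0, $dest)) or die "client send failed: $!\n";

    # The server answers whoever sent the request, as a RADIUS server would.
    my (undef, $requester) = read_datagram($server, 'server');
    defined($server->send('reply', 0, $requester)) or die "server send failed: $!\n";

    my (undef, $replier) = read_datagram($client, 'client');
    my (undef, $ip) = unpack_sockaddr_in($replier);
    return inet_ntoa($ip);
}

for my $bind_addr ($SERVICE_ADDR, '0.0.0.0') {
    my $seen = reply_source($bind_addr);
    # The thread notes that most clients ignore a reply whose source is not
    # the server address they sent the request to.
    my $verdict = $seen eq $SERVICE_ADDR ? 'accepted' : 'ignored: unexpected source';
    printf "server bound to %-9s -> reply from %-9s (%s)\n", $bind_addr, $seen, $verdict;
}
```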


Re: [RADIATOR] Radiator and Load Balancer

2016-08-01 Thread Robert Blayzor
In my experience this is not the case. It will LISTEN on those addresses for 
sure. But its return packets are always sourced from the primary IP address of 
the outgoing interface. DSR will work, but the clients will receive a response 
from an IP address that is not of the configured RADIUS server. This may (but 
should not) work for various clients. This may have changed in recent years. 
YMMV.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu




> On Jul 29, 2016, at 5:19 AM, Hartmaier Alexander 
>  wrote:
> 
> When you configure the VIP as loopback on every radiator server and bind
> radiator to this ip the reply packets should be sent from it.


Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Robert Blayzor
DSR load balancing assumes the real servers know about the load balanced VIP 
and is generally configured on a loopback.

The problem with this I think is that Radiator responds with a source address 
of where the packet leaves. (at least that’s been my experience). Most clients 
will probably ignore the response as it’s coming from a different address.

With Radiator being Perl, I don’t think you can force Radiator to answer from a 
specific source address on the server.


NAT will work via the F5, you just have to make sure that the response traffic 
goes back out to the load balancer it came in on.

--
Robert
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu




> On Jul 27, 2016, at 1:38 PM, shaun gibson  wrote:
> 
> i've used direct server return for radius and it seemed to work well :
> 
> http://blog.haproxy.com/2011/07/29/layer-4-load-balancing-direct-server-return-mode/
> https://devcentral.f5.com/articles/the-disadvantages-of-dsr-direct-server-return
> 
> using the f5 for inbound and outbound traffic nat will also work, just
> depends what your requirements are ...



[RADIATOR] AuthBy NTLM busted under 4.7?

2010-08-11 Thread Robert Blayzor
Installed 4.7 today and upon launching it, I get:

Can't locate object method new via package Radius::AuthNTLM at 
Radius/Configurable.pm line 450, CONFIG line 136.


This worked fine under 4.2... so I simply rolled back to 4.2 and all is fine 
again.


This is perl, v5.8.9 built for i386-freebsd-64int

-- 
Robert Blayzor
INOC, LLC
rblay...@inoc.net
http://www.inoc.net/~rblayzor/






Re: [RADIATOR] AuthBy NTLM busted under 4.7?

2010-08-11 Thread Robert Blayzor
On Aug 11, 2010, at 5:50 PM, Hugh Irvine wrote:
 Can you please send me a copy of the configuration file and a complete trace 
 4 debug from a terminal session like this:
 
   cd /your/Radiator-4.7/source
 
   perl radiusd -foreground -log_stdout -trace 4 -config_file /your/Radiator/configuration
 
   ….
 
 Use your local pathnames in the above.
 
 many thanks


Hugh, it's a compile time error in perl, so it doesn't get too far, but it shows 
the problem.

I didn't have the MD4 perl module installed, which wasn't required before, it 
appears to be now.  I installed it, and it's running now under 4.7.


[qix:/usr/local/radius/Radiator-4.7] perl radiusd -foreground -log_stdout 
-trace 4 -config_file /usr/local/radius/radius.cfg 
Wed Aug 11 23:53:14 2010: ERR: Could not load AuthBy module Radius::AuthNTLM: 
Can't locate Digest/MD4.pm in @INC (@INC contains: . 
/usr/local/lib/perl5/5.8.9/BSDPAN /usr/local/lib/perl5/site_perl/5.8.9/mach 
/usr/local/lib/perl5/site_perl/5.8.9 /usr/local/lib/perl5/5.8.9/mach 
/usr/local/lib/perl5/5.8.9 .) at Radius/MSCHAP.pm line 47, CONFIG line 129.
BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47, CONFIG line 
129.
Compilation failed in require at Radius/AuthNTLM.pm line 20, CONFIG line 129.
BEGIN failed--compilation aborted at Radius/AuthNTLM.pm line 20, CONFIG line 
129.
Compilation failed in require at (eval 48) line 3, CONFIG line 129.

Wed Aug 11 23:53:14 2010: ERR: Unknown object 'AuthBy' in 
/usr/local/radius/radius.cfg line 129
Can't locate object method new via package Radius::AuthNTLM at 
Radius/Configurable.pm line 450, CONFIG line 136.



-- 
Robert Blayzor
INOC, LLC
rblay...@inoc.net
http://www.inoc.net/~rblayzor/






Re: (RADIATOR) Shutdown in a Hook

2004-01-05 Thread Robert Blayzor
On 1/5/04 1:49 PM, Frank Danielson [EMAIL PROTECTED] wrote:

 How about using-
 
 kill '1',$$
 
 or if you are in a hurry-
 
 kill '9',$$

Actually if you are in that much a hurry why bother with kill when you can
just exit(); 

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

If the automobile had followed the same development cycle as the computer, a
Rolls-Royce would today cost $100, get a million miles per gallon, and
explode once a year, killing everyone inside. - Robert X. Cringely


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) authentication

2003-11-10 Thread Robert Blayzor
On 11/10/03 6:03 PM, Dan Boucaut [EMAIL PROTECTED] wrote:

 Is it possible to use different authentication methods based on username.
 
 ie usernameA authenticates to serverA
 and usernameB authenticates to serverB ??

Sure with Radiator, almost anything is possible! ;-)

<Handler Username = /A$/>
    <AuthBy ...>
    </AuthBy>
</Handler>

<Handler Username = /B$/>
    <AuthBy ...>
    </AuthBy>
</Handler>

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Any sufficiently advanced bug is indistinguishable from a feature.  -
Kulawiec




(RADIATOR) Help with Ascend Max and RADIUS performance

2003-10-06 Thread Robert Blayzor
We have recently acquired several Ascend MAX 6000 boxes and are having a
problem with a lot of duplicate RADIUS accounting packets.  The problem
seems to be that the MAX's are overly aggressive when sending RADIUS
requests.  They seem to send requests every second until the timeout seconds
is reached, which seems a little extreme.  When you are doing multi-hop
RADIUS proxy, some accounting requests usually take a second or more.

I'm wondering if there is any way to tweak the MAX's RADIUS behavior like
you can in a Cisco AS5x00 series.

Normally on a Cisco you can specify the RADIUS timeout, which is the value
between retry packets, the number of retries, and then the server deadtime.
I really want to step the MAX's down to about 3 seconds between retries
because of the hops involved.  Right now we're seeing 2-3 duplicate
accounting records because the MAX's are sending requests every second until
the requests are ack'd.  Seems overly aggressive to me.

If this can be tweaked, where, and what settings should I use?  Ideally I'm
looking for 3 seconds between requests with 3-5 retries until it should go
to the next server.

Thanks in advance to anyone that can help.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Calm down -- it's only ones and zeroes.




(RADIATOR) CachePasswords not available in AuthBy ROUNDROBIN

2003-10-02 Thread Robert Blayzor
I have a Radiator farm setup which I'm trying to AuthBy ROUNDROBIN to... It
doesn't appear that CachePasswords works for this AuthBy.  Looking at my
trace, auths are always sent to the clients and never looked up in the cache
even though I've authed several times..

Here is the handler I have:

<Handler>
    UsernameCharset [EMAIL PROTECTED]
    RewriteUsername tr/A-Z/a-z/
    RewriteUsername s/\s+//g
    RewriteUsername s/[EMAIL PROTECTED]/\?/g
    <AuthBy ROUNDROBIN>
        FailureBackoffTime  300
        Secret  
        Retries 3
        RetryTimeout 10
        AuthPort 1812
        AcctPort 1813
        <Host 1.1.1.1>
        </Host>
        <Host 2.2.2.2>
        </Host>
        CachePasswords
        RejectEmptyPassword
        NoDefault
    </AuthBy>
    SessionDatabase NoneDB
</Handler>

Shouldn't CachePasswords be supported in this AuthBy?  It is in AuthBy
RADIUS...


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

If at first you don't succeed, call it version 1.0




Re: (RADIATOR) CachePasswords not available in AuthBy ROUNDROBIN

2003-10-02 Thread Robert Blayzor
On 10/2/03 1:01 PM, Robert Blayzor [EMAIL PROTECTED] wrote:

 I have a Radiator farm setup which I'm trying to AuthBy ROUNDROBIN to... It
 doesn't appear that CachePasswords works for this AuthBy.  Looking at my
 trace, auths are always sent to the clients and never looked up in the cache
 even though I've authed several times..

I got this one figured out.  Helps to consult the manual first, mine was a
little out of date on print.  Anyway, changing the default handling of this
was the fix.

I do have one question for Hugh however.

How can one completely drop or reject any request coming in at the client
level based on attributes received (or NOT received for that matter).

For example, say I want to ignore or drop any accounting requests from a
client with the User-Name attribute missing, or empty string.  I see this
problem a lot on Ascend maxes.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

A Life? Cool! Where can I download one of those from?





(RADIATOR) Small bug in 3.7 on FreeBSD

2003-09-29 Thread Robert Blayzor
I don't know if this affects other OS's, but on FreeBSD, when sending a SIG
HUP to Radiator the monitor port stops working...

Mon Sep 29 11:55:17 2003: NOTICE: SIGHUP received: restarting
Mon Sep 29 11:55:17 2003: ERR: Could not bind Monitor socket: Address
already in use
Mon Sep 29 11:55:17 2003: NOTICE: Server started: Radiator 3.7 on foo


Once this happens it seems like it's still answering connections on port
9048, but then accepts no commands.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

You are in a dark room with a compiler, vi, an internet connection, and a
thermos of coffee.
 :Your Move ?





(RADIATOR) Discard queries based on attribute values

2003-09-16 Thread Robert Blayzor
I'm having a problem on our RADIUS cluster with PPPoE clients being way too
aggressive.  Sometimes when a user is shut off, the PVC in the DSL network
isn't turned down for some time and it leaves aggressive PPPoE clients
trying to connect at a sometimes ungodly rate. (dozens per minute).  This
litters our logs and creates a lot of unnecessary IO's to the backend, etc.

I'm wondering what the best practice is to be able to discard these requests
before they even go to any handler, and to dump the packet/request
completely without even logging it.  Well not discard these, but send back
an instant NAK to the NAS...

I assume some PreHandlerHook (or PreClientHook) would be needed, but is
there an example how to?  ie:  Say I have a list of usernames in a file that
I want to discard on..

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Stock item: We shipped it once before, and we can do it again, probably.




Re: (RADIATOR) formatted TIME_STAMP in AcctSQLStatement

2003-09-11 Thread Robert Blayzor
On 9/11/03 7:23 PM, tracker [EMAIL PROTECTED] wrote:

 Is it possible to use a formatted TIME_STAMP in AcctSQLStatement, like
 
 formatted-date,'%e %m %Y %H:%M:%S'

Easier way may be to have your SQL server insert the time for you.  That is,
if your SQL server and your RADIUS server's times are sync'd.  (and current
date/time is what you want)  You can do this several ways depending on your
backend, ie:

MSSQL - getdate()

Or PgSQL - timestamp 'now'

More..

INSERT INTO tbl_radacct (recdate) values (timestamp 'now')

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

I'm not sure.  Try calling the Internet's head office -- it's in the book.




Re: (RADIATOR) formatted TIME_STAMP in AcctSQLStatement

2003-09-11 Thread Robert Blayzor
On 9/11/03 7:19 PM, Mike McCauley [EMAIL PROTECTED] wrote:

 Yes, but you really should take into account the Acct-Delay-Time in accounting
 requests, which is the amount of time the request has been sitting in the NAS
 waiting for successful transmission. The Timestamp attribute takes this into
 account, so it's best to use that if possible.

If that's the case, could you not just use the DateFormat directive from
the manual, 6.28.18. ?

Since many of us may use stored procedures, AcctColumnDef's don't do a whole
lot.. ;-)

So let's say I'm using MSSQL...

DateFormat  %m/%d/%Y %X
AcctSQLStatement EXEC sp_acctinsert '%{Acct-Session-Id}','%{Acct-Status-Type}','%{User-Name}','%{TimeStamp}'


Should insert the TimeStamp as '9/11/2003 21:21:21' ???

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

A successful tool is used to do something undreamed of by its author.  -
Johnson





RE: (RADIATOR) formatted TIME_STAMP in AcctSQLStatement

2003-09-11 Thread Robert Blayzor
  So let's say I'm using MSSQL...
 
  DateFormat  %m/%d/%Y %X
  AcctSQLStatement EXEC sp_acctinsert '%{Acct-Session-Id}','%{Acct-Status-Type}','%{User-Name}','%{TimeStamp}'
 
 
  Should insert the TimeStamp as '9/11/2003 21:21:21' ???
 
 The only time the DateFormat is used in AuthBy SQL is to 
 format AcctColumnDefs 
 with integer-date types.
 
 Timestamp can be got in a number of formats using special 
 characters like:
 
 %b, %o etc.
 
 I wonder if a new special character that means 'Timestamp in 
 standard SQL date 
 format' might be useful?

Well that being said.  How am I able to easily pass in a TimeStamp
field in the format I need so that my specific AcctSQLStatement can
insert it however I need it. (see above).  Since stored procedures use
argument lists instead of direct insert column/value pairs.

Given above, I need to get TimeStamp into the format above to pass it in
the argument list.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Exclusive: We're the only ones who have the documentation.
 




Re: (RADIATOR) authby radius

2003-09-10 Thread Robert Blayzor
On 9/10/03 10:49 PM, tracker [EMAIL PROTECTED] wrote:

 Is it possible to store the accounting record of a user if my server
 just acts as proxy? If so, how?
 Example, below is my config for the realm domain.com

<Handler Realm = someisp.net>
   AuthByPolicy ContinueAlways
   AuthBy  Proxy-Acct
   AuthBy  Proxy-Auth
</Handler>

<AuthBy RADIUS>
   Identifier  Proxy-Auth
   <Host 1.1.1.1>
      Secret  mysecret
      AuthPort 1812
      AcctPort 1813
   </Host>
   Retries 2
</AuthBy>

<AuthBy SQL>
   Identifier  Proxy-Acct
   DBSource dbi:MySQL:server=BLAH
   DBUsername  radius
   DBAuth  foo
   AuthSelect
   AccountingTable
   AcctSQLStatement INSERT INTO blah ...
</AuthBy>

At least that's what's worked for me ...


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Life would be much easier if I had the source code.





Re: (RADIATOR) CATool Private Certificate Authority software now available

2003-09-10 Thread Robert Blayzor
On 9/10/03 5:52 PM, Bon sy [EMAIL PROTECTED] wrote:

 Is it just me or this happens to others too? I received the
 following three times. I reply one to Mike directly but did not get
 reply. Several posting dated Sept 8 I saw two days ago came to my mail
 folder again the last few hrs.

Yep, same thing here.  I've seen posts duplicated over the last couple of
days...

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Hackers have kernel knowledge.




Re: (RADIATOR) authby radius

2003-09-10 Thread Robert Blayzor
On 9/11/03 2:42 PM, tracker [EMAIL PROTECTED] wrote:

 Using this method, how do you enforce that only Accounting Stop records
 will be stored locally?

Add the AccountingStopsOnly directive in your AuthBy SQL section.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Calm down -- it's only ones and zeroes.




Re: (RADIATOR) rewrite NAS-Port-type?

2003-06-18 Thread Robert Blayzor
On 6/17/03 12:29 PM, Craig Gittens [EMAIL PROTECTED] wrote:

 I am trying to implement a VPN solution using linux pppd and it is sending
 the port type as Async. The problem is I don't want dialup customers able to
 use this service as well. I was wondering if you could rewrite NAS port
 type before authentication in the CLIENT?

Try something like this:

<Client x.x.x.x>
    Identifier  VPN-Client
    Secret  foobar
    PreHandlerHook  file:vpn-port-rewrite.pl
</Client>


Then in vpn-port-rewrite.pl do this:

sub {
    # $_[0] is a reference to the incoming request packet
    ${$_[0]}->delete_attr('NAS-Port-Type');
    ${$_[0]}->add_attr('NAS-Port-Type', 'VPN');
}


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Design: The activity of preparing for a design review.




Re: (RADIATOR) how to setup disconnection cause attribute

2003-06-15 Thread Robert Blayzor
On 6/15/03 8:13 AM, Muhammad Talha [EMAIL PROTECTED] wrote:

 Dear all
 
 i want to setup disconnection cause attribute to know why users are disconnected
 from RAS ( AS5300 and Max 6000 )
 i am using Radiator-2.18 on solaris 9 .
 
 what changes are required to achieve this ??

None that I'm aware of.  I know that at least on the AS5300's they send a
termination reason in with every stop record.  Just search the RADIUS
dictionary for terminate it's in there..  Once you find that attribute you
can deal with it in your accounting policy.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

I'm sorry a pentium won't do, you need an SGI to connect with us.





Re: (RADIATOR) Run Stored Proc for Stop-records

2003-06-13 Thread Robert Blayzor
On 6/13/03 7:16 AM, Herman verschooten [EMAIL PROTECTED] wrote:

 I would like to run a stored procedure on MS-SQL for stop-records.  But
 I want to keep the normal inserts of the Start/Update/Stop-records too.
 How can I most easily do this?  An extra AuthBy SQL? Can I use the
 AcctInsertQuery to run the stored proc?  I would very much like the
 functionality to be able to select a value from different values
 depending on their availability in the radius-packet.

Yes, you can just pass your accounting query to a stored procedure.  What
you do with the data from there is totally up to you.  With Radiator you can
specify the exact accounting query to your backend with as many or as little
RADIUS attribs as you want

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Real programmers don't document. If it was hard to write, it should be hard
to understand.




RE: (RADIATOR) Apache authentication problem

2002-08-30 Thread Robert Blayzor

 I want to authenticate the apache users with Radiator, I've installed:
Radiator 3.1
mod_auth_radius-1.5.2
apache1.3.19-5
 
 when I try to connect to my web site, apache show me the popup for the
 radius authentication, I fill a valid radius username but the
 authentication failed, on the radius log there is a bad 
 password error,
 but the password is right.
 Someone have any idea ???

I just looked at this and wanted to check it out for myself, so I
managed to download it, install it and get it to work for the first
time.

The main thing I would look at in your case is to make sure that the
secrets match in your httpd.conf and in your Radiator configuration for
the client.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

State-of-the-art: What we could do with enough money.





RE: (RADIATOR) Telnet, SMTP and port 25

2002-08-21 Thread Robert Blayzor

Sounds like you do not have a default gateway set, or your subnet mask
is wrong.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

If the automobile had followed the same development cycle as the
computer, a Rolls-Royce would today cost $100, get a million miles per
gallon, and explode once a year, killing everyone inside. - Robert X.
Cringely


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Ayotunde Itayemi
Sent: Wednesday, August 21, 2002 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Fw: (RADIATOR) Telnet, SMTP and port 25



- Original Message - 
From: Ayotunde Itayemi 
To: Hugh Irvine 
Sent: Wednesday, August 21, 2002 6:23 PM
Subject: Re: (RADIATOR) Telnet, SMTP and port 25


Hi Hugh,

Traceroute gets to the destination.
Pings are replied (reaches destination).
Also telnet to myself (mail server) on port 25 (from the same box)
works i.e, telnet 127.0.0.1 25
This also works:telnet mail 25

BUT this does not:telnet any-internet-mailserver 25

Regards,
Tunde I.

- Original Message - 
From: Hugh Irvine 
To: Ayotunde Itayemi 
Cc: [EMAIL PROTECTED] 
Sent: Wednesday, August 21, 2002 5:37 PM
Subject: Re: (RADIATOR) Telnet, SMTP and port 25


Hello Tunde -

The error message clearly states No route to host.

Try a traceroute to see what is amiss.

regards

Hugh


On Wednesday, August 21, 2002, at 06:12 PM, Ayotunde Itayemi wrote:


Hi Hugh, Hi all,
 
Okay this is not a RADIUS question, but excuse me anyway.
 
I have a RedHat 6.2 Linux system that has been configured as a mail
server
for a real Internet domain. Users can receive their mails but nothing
(mails) can be sent out.
 
After a lot of troubleshooting I made out the following:
 
1. The system can't send mails out because you cannot initiate a telnet
session from it
to any other system on port 25 e.g.,
 
[root@mail itayemi]# telnet 10.0.4.4 25
Trying 10.0.4.4...
telnet: Unable to connect to remote host: No route to host
 
This is the same message that keeps being written to the mail log
(/var/log/maillog)
by sendmail. Any ideas?
 
You can telnet to it on port 25 from other systems.
 
I have looked at all the common causes I can think of (DNS, inetd,
routing, sendmail etc)
Nothing seems to work. The system is not configured as a firewall and
the port is not blocked
by the router or any other device.
 
Regards,
Tunde I.
 
 



NB: I am travelling this week, so there may be delays in our
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




RE: (RADIATOR) Pre Handler hook help...

2002-07-15 Thread Robert Blayzor

Hugh, I did as you suggested, appears to be a bug with Radiator and the
PERL oct() function.  For some reason Radiator has broken oct()
function.

My Sub I included:

sub {
    print "oct() Test: " . oct("0b01011000") . "\n";
}

Output from Radiator:

oct() Test: 0


Output from PERL (any other program or right from perl -e):

[shell:~] perl -e 'print oct("0b01011000")."\n";'
1408

What gives?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Advanced design: 
Upper management doesn't understand it.



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Hugh Irvine
 Sent: Friday, July 12, 2002 6:12 PM
 To: [EMAIL PROTECTED]; Robert Blayzor; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Pre Handler hook help...
 
 
 
 Hello Robert -
 
 I suggest you do two things:
 
 1. put the hook code in a file so it is easier to edit - 
 something like this:
 
   PreHandlerHook file:%D/nasport.pl
 
 2. unwind the code a bit and add print statements between the 
 statements so 
 you can see what is going on
 
 Then you can run radiusd from the command line and you will 
 see the print 
 output in the terminal window where you are running it - like this:
 
   radiusd -foreground -log_stdout -config_file .
 
 regards
 
 Hugh
 
 
 On Sat, 13 Jul 2002 06:21, Robert Blayzor wrote:
  We have an handler which uses the following hook:
 
  <Client 64.246.152.18>
      Identifier  DSL1
      Secret  s
      DupInterval 2
      NasType ignore
      PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type', 'SDSL'); \
          my $i_p = ${$_[0]}->get_attr('RB-NAS-Real-Port'); \
          my $i_a = sprintf("%s/%s/%s.%s", map oct("0b$_"), \
              unpack("B32", pack("N", $i_p)) =~ /(.{5})(.{3})(.{8})(.*)/); \
          ${$_[0]}->add_attr('Calling-Station-Id', $i_a);}
  </Client>
 
 
  In a nutshell the Handler basically adds a NAS-Port-Type and is to take a
  32bit integer representation of DSL ports and put them in the
  'Calling-Station-Id' attribute.
 
  The output should come out to be something like:  5/0/0/233, etc.
  However everything comes out at 0/0/0.0, like $i_p is null, 
 but it's not
  because the following code (if I reverse things) works fine...
 
  PreHandlerHook sub { ${$_[0]}->add_attr('NAS-Port-Type', 'SDSL'); \
      my $i_p = ${$_[0]}->get_attr('RB-NAS-Real-Port'); \
      ${$_[0]}->add_attr('Calling-Station-Id', $i_p);}
 
 
  Output the following code right from PERL works fine too:
 
  perl -e 'print sprintf("%s/%s/%s.%s", map(oct("0b$_"), unpack("B32", pack("N", 671088873)) =~ /(.{5})(.{3})(.{8})(.*)/)) ."\n";'
  5/0/0.233
 
 
  Any ideas?  I really need to get this to work.  Thanks!
 
 -- 
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
 -
 Nets: internetwork inventory and management - graphical, extensible,
 flexible with hardware, software, platform and database independence.
 




RE: (RADIATOR) Pre Handler hook help...

2002-07-15 Thread Robert Blayzor

 Hi,
 You can also do it like this:
 
 $p->add_attr( 'Calling-Station-Id', \
     (($p->get_attr( 'RB-NAS-Real-Port') & 0xff0000) >> 16) . "." \
     . ($p->get_attr( 'RB-NAS-Real-Port') & 0xffff)); \


Right.  We figured that out also, with all the attribs, after fussing
around with the oct which was not needed as the bit shifting is much
faster anyway.  Thanks.

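# 5-bit / 3-bit / 8-bit . 16-bit fields of the 32-bit port value
my $i_id = (($i_port & 0xf8000000) >> 27) . "/" . (($i_port & 0x07000000) >> 24) . "/" .
    (($i_port & 0xff0000) >> 16) . "." . ($i_port & 0xffff);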

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

That function is not currently supported, but Bill Gates assures us it
will be featured in the next upgrade.
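
The port decode discussed in this thread, as an added example that is not part of the original messages: it checks the attribute value before decoding, cross-checks the shift-and-mask result against the bit-string method, and shows why the shifts need their own parentheses in Perl. The function and field names are hypothetical; the 5/3/8/16-bit layout and the sample value 671088873 are taken from the thread.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread. decode_real_port() is a
# hypothetical helper; the 5/3/8/16-bit layout comes from the thread's regex
# /(.{5})(.{3})(.{8})(.*)/ applied to a 32-bit big-endian value.
use strict;
use warnings;

# Shift-and-mask decode with input checks, so that a missing or malformed
# attribute yields undef rather than a plausible-looking "0/0/0.0".
sub decode_real_port {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A[0-9]{1,10}\z/;
    return if $raw > 0xFFFFFFFF;
    my $n = $raw + 0;
    return sprintf '%d/%d/%d.%d',
        ($n >> 27) & 0x1F,    # top 5 bits
        ($n >> 24) & 0x07,    # next 3 bits
        ($n >> 16) & 0xFF,    # next 8 bits
        $n & 0xFFFF;          # low 16 bits
}

# The bit-string approach from the original hook, used here as a cross-check.
sub decode_via_bitstring {
    my ($n) = @_;
    return sprintf '%s/%s/%s.%s',
        map { oct("0b$_") } unpack('B32', pack('N', $n)) =~ /(.{5})(.{3})(.{8})(.*)/;
}

# Constructed inputs: the thread's sample value plus values a hook should reject.
for my $raw (671088873, '4294967295', undef, '', 'abc', '4294967296') {
    my $label   = defined $raw ? "'$raw'" : 'undef';
    my $decoded = decode_real_port($raw);
    if (defined $decoded) {
        my $check = decode_via_bitstring($raw);
        die "decoders disagree for $raw\n" unless $decoded eq $check;
        print "$label -> $decoded\n";
    }
    else {
        print "$label -> rejected, leave Calling-Station-Id unset\n";
    }
}

# Precedence pitfall: "." binds tighter than ">>", so without the inner
# parentheses the shift count becomes the string "16.233" and the suffix is lost.
my $n = 671088873;
my $unparenthesised = ($n & 0xff0000) >> 16 . '.' . ($n & 0xffff);
my $parenthesised   = (($n & 0xff0000) >> 16) . '.' . ($n & 0xffff);
print "without parentheses: $unparenthesised, with: $parenthesised\n";
```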




(RADIATOR) Strange unknown attributes

2002-06-04 Thread Robert Blayzor

I've been noticing some strange errors in our Radiator log files.  I
believe this is coming from a badly behaving Ascend Max.  I'm wondering
if anyone has seen this before?

Sun Jun  2 07:27:17 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 07:27:17 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 07:27:17 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 07:27:17 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 07:29:27 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 07:29:27 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 07:29:27 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 07:29:27 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 20:32:36 2002: ERR: Attribute number 105 (vendor 1147499380)
is not defined in your dictionary
Sun Jun  2 20:32:38 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary
Sun Jun  2 20:32:38 2002: ERR: Attribute number 99 (vendor 1399813490)
is not defined in your dictionary


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

If at first you don't succeed, call it version 1.0
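
Added example, not part of the original post: RFC 2865 section 5.26 defines the Vendor-Id of a Vendor-Specific attribute as four octets with the high-order octet 0, so a vendor number above 0x00FFFFFF cannot be a real enterprise number. The Perl script below rebuilds the octets behind each logged vendor/attribute pair to show what the NAS put in that position; the function name is an assumption, and the third input line is constructed for contrast.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Input: two log lines copied from the excerpt above with the mail line wrap
# removed, plus one constructed line with a well-formed vendor number.
my @log = (
    'Sun Jun  2 07:27:17 2002: ERR: Attribute number 99 (vendor 1399813490) is not defined in your dictionary',
    'Sun Jun  2 07:27:17 2002: ERR: Attribute number 105 (vendor 1147499380) is not defined in your dictionary',
    'Sun Jun  2 07:30:00 2002: ERR: Attribute number 250 (vendor 9) is not defined in your dictionary',
);

# Hypothetical helper: classify one "not defined in your dictionary" line.
sub classify_unknown_vsa {
    my ($line) = @_;
    return unless $line =~ /Attribute number (\d{1,3}) \(vendor (\d{1,10})\)/;
    my ($attr, $vendor) = ($1, $2);
    return if $attr > 255 || $vendor > 0xFFFFFFFF;

    # RFC 2865 section 5.26: Vendor-Id is 4 octets, high-order octet 0.
    my $valid_id = $vendor <= 0x00FFFFFF ? 1 : 0;

    # Rebuild the first five octets of the attribute value as they were on
    # the wire: 4-octet Vendor-Id followed by the 1-octet vendor type.
    my $wire = pack('N C', $vendor, $attr);
    (my $shown = $wire) =~ s/[^\x20-\x7e]/./g;

    return {
        attr     => $attr,
        vendor   => $vendor,
        valid_id => $valid_id,
        hex      => unpack('H*', $wire),
        ascii    => $shown,
        is_text  => ($wire =~ /\A[\x20-\x7e]{5}\z/ ? 1 : 0),
    };
}

my %seen;
for my $line (@log) {
    my $r = classify_unknown_vsa($line) or next;
    next if $seen{"$r->{vendor}/$r->{attr}"}++;    # report each pair once
    my $verdict =
        !$r->{valid_id} && $r->{is_text} ? 'malformed: printable text where Vendor-Id belongs'
      : !$r->{valid_id}                  ? 'malformed: Vendor-Id high octet is not 0'
      :                                    'well-formed Vendor-Id, attribute missing from dictionary';
    printf "vendor %-10s attr %-3s  %s  \"%s\"  %s\n",
        $r->{vendor}, $r->{attr}, $r->{hex}, $r->{ascii}, $verdict;
}
```

For the two vendor numbers in the log the five octets are the ASCII text Sourc and Desti, so the attribute value starts with plain text where a Vendor-Id belongs, which is why no dictionary entry matches.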





(RADIATOR) AuthLog questions

2002-05-30 Thread Robert Blayzor

I've followed the Radiator manual for AuthLog SQL

Here are my config entries:

<AuthLog SQL>
        Identifier      SQL-AuthLog1
        FailureQuery    EXEC sp_RadiusAuthLog '%{GlobalVar:ServerID}','%n','%{Class}','%N','%{Called-Station-Id}','%{Calling-Station-Id}','%1'
        LogSuccess      0
        LogFailure      1
</AuthLog>

<Handler>
        RewriteUsername s/^(P|C|S)//
        RewriteUsername tr/A-Z/a-z/
        RewriteUsername s/\s+//g
        AuthByPolicy    ContinueAlways
        AuthBy          Acct-SQL
        AuthBy          Auth-NAS
        AuthLog         SQL-AuthLog1
        SessionDatabase Null-SDB
</Handler>


My question is, how does AuthLog SQL know which database source to use?
Or will it assume to use the same source as the AuthBy?   Or does it
accept DBSource, etc?  The manual does not state so.  All the manual
states is:

6.50 AuthLog SQL
The clause indicates to log authentication successes and failures to an
SQL database. You can define as many AuthLog SQL clauses as you wish
at the top level or within Realm or Handler clauses. Each clause can
specify different logging conditions and a different log database.

As well as the generic parameters described in Section 6.48 , AuthLog
SQL understands the following parameters:


Please advise.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

If the automobile had followed the same development cycle as the
computer, a Rolls-Royce would today cost $100, get a million miles per
gallon, and explode once a year, killing everyone inside. - Robert X.
Cringely





(RADIATOR) Problems with AuthLog SQL

2002-05-30 Thread Robert Blayzor

Hi Hugh,

I have a small problem with AuthLog SQL.  I posted a previous message
and just assumed to try putting the connect information in the config
file.  It appears to work.

I get the results placed in the database, and trace 4 shows no errors...

Thu May 30 09:56:34 2002: DEBUG: Radius::AuthSQL looks for match with
kdelaet
Thu May 30 09:56:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu May 30 09:56:34 2002: INFO: Access rejected for kdelaet: Bad
Password
Thu May 30 09:56:34 2002: DEBUG: do query is: EXEC sp_RadiusAuthLog
'0','kdelaet','kdelaet','64.246.152.18','','','Bad Password'

Thu May 30 09:56:34 2002: DEBUG: Packet dump:
*** Sending to 64.246.152.18 port 1812 

But, I'm getting these messages printed in the console I have run
Radiator from, quite frequently:

AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x857924c)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x854949c)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x8571c24)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x8549784)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x8571c90)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x85711bc)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x85474d8)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x8571fb4)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x8571d20)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x8547430)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x857a03c)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x854dfcc)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x85474d8)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x8571d98)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 1 Bad Password
Radius::Radius=HASH(0x8571f6c)
AuthLogSQL log Radius::AuthLogSQL=HASH(0x83152b8) 0
Radius::Radius=HASH(0x85711f8)


My config section seems fine.  If I comment out the use of my AuthLog,
these errors disappear.

<AuthLog SQL>
        DBSource        dbi:Sybase:server=SQL
        DBUsername
        DBAuth
        Identifier      SQL-AuthLog1
        FailureQuery    EXEC sp_RadiusAuthLog '%{GlobalVar:ServerID}','%n','%{Class}','%N','%{Called-Station-Id}','%{Calling-Station-Id}',%1
        LogSuccess      0
        LogFailure      1
</AuthLog>


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Meets quality standards:  Compiles without errors.






RE: (RADIATOR) AuthBy SQL and Passwords ..

2002-01-06 Thread Robert Blayzor

   So I got the bright idea to add a AND PASS='%{Password}' to
 the AuthSelect line.  But the query ends up AND PASS='' 
 (nothing is put
 in there.)  So, obviously RADIUS either 1) can't pass it like 
 that or 2)
 can but I'm doing it wrong.


Perhaps you want AND PASS='%P'   ???

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]





(RADIATOR) PasswordLogFile contents

2002-01-05 Thread Robert Blayzor

I'm curious to know if it's possible to do either of the following:

1) Change the format of what is included in the PasswordLogFile

Or

2) Omit the PASSED password entries and log only the FAIL's

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Document code?  Why do you think they call it code?





RE: (RADIATOR) SQL Accounting / Radius Attribute Values only

2002-01-04 Thread Robert Blayzor

Correct... If you are using the standard accounting INSERT.  But
how would you do it if you need to use:

AcctSQLStatement EXEC sp_RadiusAcctInsert '0','%{Acct-Session-Id}','%{Acct-Status-Type}','%{User-Name}','%{Called-Station-Id}','%{Calling-Station-Id}','%c','%{NAS-Port}','%{NAS-Port-Type}','%{Service-Type}','%{Framed-Protocol}','%{Framed-IP-Address}','%{Connect-Info}','%{Acct-Terminate-Cause}','%{Acct-Input-Octets}','%{Acct-Output-Octets}','%{Acct-Session-Time}'


A more advanced SQL statement?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]


 -Original Message-
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 03, 2002 11:38 PM
 To: [EMAIL PROTECTED]; Robert Blayzor
 Cc: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) SQL Accounting / Radius Attribute Values only
 
 
 
 Hello Robert -
 
 You can do this with AcctColumnDef's:
 
   AcctColumnDef NASPORT,NAS-Port,integer
 
 Have a look at section 6.28.13 in the Radiator 2.19 reference manual.
 




RE: (RADIATOR) NAS-IP-Address

2002-01-04 Thread Robert Blayzor

This usually happens if your NAS is multihomed or has a loopback
interface set.  You have to tell the NAS the interface you want the
NAS-IP to be identified as.  If this is a Cisco NAS, then you might want
to check your Loopback interface (if you have one set).  If the box is
simply multihomed, then you can force the NAS source from by using
something like ip radius source-interface whatever.

If you're multihomed, it's probably a good idea to set a loopback
interface as common, then source and send requests from it that way you
don't have to setup two different client connections to RADIUS.  Then
again, this may not solve your problem as you haven't provided enough
information about your NAS.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Artificial Intelligence:  Making computers behave like they do in the
movies.



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Mike McCauley
 Sent: Friday, January 04, 2002 7:02 PM
 To: [EMAIL PROTECTED]
 Subject: (RADIATOR) NAS-IP-Address
 
 
 
 
 --  Forwarded Message  --
 
 Subject: BOUNCE [EMAIL PROTECTED]:Non-member 
 submission from [Alex 
 Fritz [EMAIL PROTECTED]]
 Date: Fri, 4 Jan 2002 16:10:11 -0600
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 
 From: Alex Fritz [EMAIL PROTECTED]
 To: Radiator NewsGroup [EMAIL PROTECTED]
 Subject: NAS-IP-Address
 Date: Fri, 4 Jan 2002 17:45:22 -0600
 
 We noticed something that has caused a little difficulty for 
 us.. In the
 Radius text logs, when set to Trace 4, it displays the 
 Clients correct IP
 address at the top of the packet, but later in the packet next to
 Nas-Ip-Address it displays some other IP address.  How can we get the
 Clients correct IP address in to the database then for 
 queries?  Please
 help... below is a copy of the log and I place   
 around the places
 needing attention..
 
 Thanks,
 Alex Fritz
 NCN Internet
 
 Fri Jan  4 07:39:15 2002: INFO: Server started: Radiator 
 2.18.2 on thor
 Fri Jan  4 07:39:15 2002: DEBUG: Packet dump:
 *** Received from 216.127.139.10 port 3949 .--- 
 This IP (The
 NAS's)
 Code:   Accounting-Request
 Identifier: 153
 Authentic:  26189d209S253F0[164#1836249}M
 Attributes:
   User-Name = [EMAIL PROTECTED]
   NAS-IP-Address = 67.208.224.53   
 --- doesn't match this
   NAS-Port = 182
   NAS-Port-Type = Async
   Service-Type = Framed-User
   Acct-Status-Type = Stop
 
 
 
 -- 
 Mike McCauley   [EMAIL PROTECTED]
 Open System Consultants Pty. LtdUnix, Perl, 
 Motif, C++, WWW
 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
 Phone +61 3 9598-0985   Fax   +61 3 9598-0955
 
 Radiator: the most portable, flexible and configurable RADIUS server 
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
 Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
 on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
 




(RADIATOR) MSCHAP and MPPE

2002-01-03 Thread Robert Blayzor

I am trying to replace M$ IAS with Radiator to authenticate VPN
connections from a PIX firewall via PPTP and MPPE.

If I use the IAS with Win2K server, all is fine.

If I cut over to Radiator, Radiator accepts the connections, but the
Windows client (Win2K VPN client) rejects the connection because it does
not use encryption.  Here is a clip out of my users file:

joeuser User-Password = mypass, Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254,
MS-MPPE-Encryption-Policy = Encryption-Required,
MS-MPPE-Encryption-Types = Encryption-40,
MS-MPPE-Send-Key = mysendkey,
MS-MPPE-Recv-Key = myrecvkey,
Tunnel-Type = PPTP


Radiator trace shows:

Thu Jan  3 12:01:42 2002: DEBUG: Check if Handler Client-Identifier =
PIX-FW should be used to handle this request
Thu Jan  3 12:01:42 2002: DEBUG: Handling request with Handler
'Client-Identifier = PIX-FW'
Thu Jan  3 12:01:42 2002: DEBUG: Handling with Radius::AuthFILE: 
Thu Jan  3 12:01:42 2002: DEBUG: Reading users file /radius/vpn-users
Thu Jan  3 12:01:42 2002: DEBUG: Radius::AuthFILE looks for match with
joeuser
Thu Jan  3 12:01:42 2002: DEBUG: Radius::AuthFILE ACCEPT: 
Thu Jan  3 12:01:42 2002: DEBUG: Access accepted for joeuser
Thu Jan  3 12:01:42 2002: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 1812 
Code:   Access-Accept
Identifier: 138
Authentic:  136!F74]210163160Y3025520421*27
Attributes:
Framed-IP-Address = 255.255.255.254
Service-Type = Framed-User
MS-MPPE-Encryption-Policy = Encryption-Required
MS-MPPE-Encryption-Types = Encryption-40
MS-MPPE-Send-Key = removed
MS-MPPE-Recv-Key = removed
Tunnel-Type = PPTP


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Esc key to reboot Universe, or any other key to continue...





(RADIATOR) SQL Accounting / Radius Attribute Values only

2002-01-03 Thread Robert Blayzor

We have a very high number of accounting records that get stored on our
SQL servers, our goal is to reduce space consumption a bit.  Is there a
way to have Radiator store the actual value of the RADIUS accounting
attributes and not the dictionary definitions?


Ie:


EXEC sp_RadiusAcctInsert '0', '0015', 'Stop', 'joeuser', '6894448',
'5184329030', '64.246.132.1','12', 'Async', 'Framed-User', 'PPP',
'64.246.132.11', '', 'User-Request', '2194', '1138', '63'


Instead of Stop, the value would be integer 2.

NAS-Port-Type, Framed-Protocol, etc, all are integers and use much less
space to store than their text meanings.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Earth is 98% full...please delete anyone you can.





RE: (RADIATOR) SQL Accounting / Radius Attribute Values only

2002-01-03 Thread Robert Blayzor

 My first inclination would be to archive the accounting data 
 on a periodic 
 basis (every day, every week, every month, whatever). One 
 easy way to do this 
 is to set up a different table for each month (week, day, 
 whatever) for 
 example and then use the Radiator special characters in your 
 AcctSQLStatement 
 to specify the table name.

Thank you for your response.

We've been through all this.  We need to keep at least six months of
RADIUS accounting data on-line at all times.  Archiving really isn't the
issue, but when you have some 20,000+ users, that's a LOT of RADIUS
accounting data.  We're talking about 25GB+ per month at current rate.
If we were able to specify the integer values, it would save us about
30-40% of that space over saving the string values.  We can easily
inner-join cross reference tables on queries.

 I really wouldn't suggest storing the integer values as 
 trying to post 
 process the data will be very messy.

Well not really post processing, more like pre-processing.  The
attribute values arrive to Radiator in integer value, why not have the
ability to store the integer value.  I know I was able to do this with
SBR in the past.  When it comes to large data warehousing of accounting
records, it makes the most sense.  Either case, I was just curious as to
whether this could be done in one way or another.  It would make a nice
feature.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Years of development: We finally got one to work.





(RADIATOR) Multiple Check Attributes

2001-12-31 Thread Robert Blayzor

Using AuthBy SQL, how would one return multiples of the same Check
Attributes and have Radiator accept the session if the user
NAS-Port-Type matched any of those returned.

For example, I have a user that can use NAS-Port-Type Async or IDSL, but
he cannot use NAS-Port-Type Sync (ISDN).  According to the Radiator docs
the list of check attributes are compared and ALL must match, if I
return say:

NAS-Port-Type=Async,NAS-Port-Type=IDSL and the user calls and uses type
Async, will the request fail?.. And if so, how can I change it so that
any NAS-Port-Type I return from SQL will accept the session so long as
one of the attributes matches..

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

Logic:   The art of being wrong with confidence...





(RADIATOR) MSSQL best connection method

2001-10-19 Thread Robert Blayzor

We are currently implementing a couple of Radiator servers in our NOC
and we will be using MSSQL stored procedures to do both authentication
lookups and the storing of accounting information.

According to the Radiator FAQ, FreeTDS is not the recommended choice for
obvious reasons.  I'm curious as to how many people may be using MSSQL
for their backend but using Unix (in my case FreeBSD 4.4) as the RADIUS
server platform.

Right now my choices seem to be limited to DBI proxy or FreeTDS.  I have
FreeTDS working for web applications via PERL, etc.  Just wondering how
stable FreeTDS would perform in a very active RADIUS server environment.

The one quirk I've always noticed is that if the connection breaks
between FreeTDS and your MSSQL server, FreeTDS mod seems to bomb out the
whole PERL script running.  Any work arounds or suggestions?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]

It only makes sense that every facet of our daily lives should depend
upon the position of celestial bodies hundreds of millions of miles
away. 
 - Calvin and Hobbes

