RE: (RADIATOR) Bad attribute=value pair in 3.6
Hello Hugh,

I had the same problem in 3.7, and changing the radius.cfg file as mentioned seemed to work. The users file remains as before.

We're on RH 9 (2.4.18-3smp). Using Perl 5.6.1. Hardware is a Dell PowerEdge 2300.

Regards,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 6:58 PM
To: William Hernandez
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Bad attribute=value pair in 3.6

Hello William -

This is most curious. Could you try something for me? Download and test Radiator 3.7 and see if it fixes the problem. Please let me know how you get on, and could you also tell me what hardware/software platform you are running on and what version of Perl?

regards

Hugh

On Thursday, Sep 25, 2003, at 04:48 Australia/Melbourne, William Hernandez wrote:

Hugh,

Just to let you know the outcome of this issue. It looks like the problem is in the radius.cfg. Our radius.cfg is basically the same as it was when we started with Radiator 2.15. More Handlers have been added since 2.15.

The following change in radius.cfg worked and ended the Bad attribute=value pair errors. (i.e., I removed the space before and after the equal sign).

    AddToReply Service-Type=Framed-User, \
        Framed-Protocol=PPP, \
        Framed-IP-Netmask=255.255.255.255, \
        Framed-Compression=Van-Jacobson-TCP-IP, \
        Ascend-Idle-Limit=900

I will mention that the above only had to be changed in radius.cfg. Our users file works with the space before and after the equal sign. Do you think I should do a global replace to eliminate the spaces in the users file?

Regards,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 5:47 AM
To: William Hernandez
Cc: 'Radiator'
Subject: Re: (RADIATOR) Bad attribute=value pair in 3.6

Hello William -

If you are running on a recent Redhat version, see the FAQ item here (and you should also install the latest Radiator patches).

http://www.open.com.au/radiator/faq.html#127

Otherwise there may be a problem earlier in your configuration file.

regards

Hugh

On Friday, Sep 19, 2003, at 07:45 Australia/Melbourne, William Hernandez wrote:

Hello everyone,

I'm upgrading from 3.3.1 to 3.6 plus patches. Using the same radius.cfg in 3.6 as was used in 3.3.1 I'm getting the following:

    Thu Sep 18 17:33:46 2003: ERR: Bad attribute=value pair: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900

Radius.cfg has the following:

    AddToReply Service-Type = Framed-User, \
        Framed-Protocol = PPP, \
        Framed-IP-Netmask = 255.255.255.255, \
        Framed-Compression = Van-Jacobson-TCP-IP, \
        Ascend-Idle-Limit = 900

Is there a syntax change in 3.6?

Thanks in advance,
William Hernandez

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
RE: (RADIATOR) Bad attribute=value pair in 3.6
Hugh,

Just to let you know the outcome of this issue. It looks like the problem is in the radius.cfg. Our radius.cfg is basically the same as it was when we started with Radiator 2.15. More Handlers have been added since 2.15.

The following change in radius.cfg worked and ended the Bad attribute=value pair errors. (i.e., I removed the space before and after the equal sign).

    AddToReply Service-Type=Framed-User, \
        Framed-Protocol=PPP, \
        Framed-IP-Netmask=255.255.255.255, \
        Framed-Compression=Van-Jacobson-TCP-IP, \
        Ascend-Idle-Limit=900

I will mention that the above only had to be changed in radius.cfg. Our users file works with the space before and after the equal sign. Do you think I should do a global replace to eliminate the spaces in the users file?

Regards,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 5:47 AM
To: William Hernandez
Cc: 'Radiator'
Subject: Re: (RADIATOR) Bad attribute=value pair in 3.6

Hello William -

If you are running on a recent Redhat version, see the FAQ item here (and you should also install the latest Radiator patches).

http://www.open.com.au/radiator/faq.html#127

Otherwise there may be a problem earlier in your configuration file.

regards

Hugh

On Friday, Sep 19, 2003, at 07:45 Australia/Melbourne, William Hernandez wrote:

Hello everyone,

I'm upgrading from 3.3.1 to 3.6 plus patches. Using the same radius.cfg in 3.6 as was used in 3.3.1 I'm getting the following:

    Thu Sep 18 17:33:46 2003: ERR: Bad attribute=value pair: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900

Radius.cfg has the following:

    AddToReply Service-Type = Framed-User, \
        Framed-Protocol = PPP, \
        Framed-IP-Netmask = 255.255.255.255, \
        Framed-Compression = Van-Jacobson-TCP-IP, \
        Ascend-Idle-Limit = 900

Is there a syntax change in 3.6?

Thanks in advance,
William Hernandez
(RADIATOR) Bad attribute=value pair in 3.6
Hello everyone,

I'm upgrading from 3.3.1 to 3.6 plus patches. Using the same radius.cfg in 3.6 as was used in 3.3.1 I'm getting the following:

    Thu Sep 18 17:33:46 2003: ERR: Bad attribute=value pair: Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900

Radius.cfg has the following:

    AddToReply Service-Type = Framed-User, \
        Framed-Protocol = PPP, \
        Framed-IP-Netmask = 255.255.255.255, \
        Framed-Compression = Van-Jacobson-TCP-IP, \
        Ascend-Idle-Limit = 900

Is there a syntax change in 3.6?

Thanks in advance,
William Hernandez
(RADIATOR) Unclosed quotation mark in SQL SessionDatabase DeleteQuery
Hello everyone,

The following error messages appeared in radius.log:

    Wed Sep 17 09:17:55 2003: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xx.x' and NASPORT=010212': Server message number=105 severity=15 state=1 line=1 server=SQL text=Unclosed quotation mark before the character string 'xxx.xxx.xx.x'.Server message number=170 severity=15 state=1 line=1 server=SQL text=Line 1: Incorrect syntax near 'xxx.xxx.xx.x'.
    Wed Sep 17 09:17:55 2003: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='xxx.xxx.xx.x' and NASPORT=010212': Server message number=105 severity=15 state=1 line=1 server=SQL text=Unclosed quotation mark before the character string 'xxx.xxx.xx.x'.Server message number=170 severity=15 state=1 line 1 server=SQL text=Line 1: Incorrect syntax near 'xxx.xxx.xx.x'.

Our Radiator 3.3.1 is configured to use an MSSQL2000 session database with a fallback to MySQL 3.23.49. We are using the default DeleteQuery.

The messages appeared when the SQL Server was put temporarily offline, causing Radiator to fall back to MySQL, and disappeared when the SQL Server was put back online and Radiator restarted.

Actually the fallback to MySQL was a recent change to radius.cfg. Previously we only used MySQL as our session database and everything worked fine. We now use MSSQL with a fallback to MySQL.

Any thoughts on what's happening here?

Thanks in advance,
William
(RADIATOR) How does SQL Fallover work?
Hello everyone,

The Radiator 3.3.1 manual states in Section 6.28 AuthBy SQL:

    AuthBy SQL is tolerant of database failures. If your database server goes down, Radiator will try to reconnect to a database as described above, starting again at the first database you specified.

What does "server goes down" mean?

Does it refer to a hardware failure?
Does it mean the SQL Server application goes down?
Does it mean that the particular database for some reason becomes unavailable and a connection is not possible although the SQL Server is still running?
Does it mean that a connection was made, but there was an error/problem with the SQL query?
All of the above?

Thanks in advance,
William Hernández
(RADIATOR) NASIDENTIFIER in RADONLINE and Accounting Detail File
Hello everyone,

The NASIDENTIFIER column in RADONLINE and the NAS-IP-Address line in the accounting detail file for our users who connect via Total Control NASes shows as the NAS's private IP address. We would like this to show as the public IP address.

A related problem is that accounting requests are falling through to the DEFAULT client clause instead of being handled by the client clause with the NAS's hostname. Access requests are handled correctly.

Is this a Radiator issue or is this a Total Control issue?

Thanks in advance,
William Hernández

Radiator 3.3.1
RH 7.3
Perl 5.6.1
TotalControl HiPerArc
RE: (RADIATOR) make test in Radiator 3.5
Hugh and Mike,

The new patches file worked. Radiator 3.5 is running.

Cheers,
William

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike McCauley
Sent: Monday, February 24, 2003 6:44 AM
To: Hugh Irvine; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) make test in Radiator 3.5

Hi Hugh and others,

I think this problem was triggered by a bad patch to Handler.pm. If you installed the 3.5 patches in the last few days, you will need to download and install a new 3.5 patches file.

We apologise for this problem.

Cheers.

On Mon, 24 Feb 2003 06:38 pm, you wrote:

Hello Surajh -

Could you please download and install the source tarball? Please let me know how you get on.

regards

Hugh

On Monday, Feb 24, 2003, at 18:25 Australia/Melbourne, Surajh Surjoo [ MTN Sandhurst ] wrote:

yes...we have done an upgrade also this weekend and received the same errors, exactly. don't know what went wrong!

Surajh Surjoo
Systems Engineer - Data
Mobile: 0832129829
Mobile Fax: 083 8 2129829
Office Fax: 011 3018811
Office Tel: 011 3016000
[EMAIL PROTECTED]
Imagination is more important than Knowledge - Albert Einstein

-----Original Message-----
From: William Hernandez [mailto:[EMAIL PROTECTED]
Sent: Thursday, 20 February 2003 6:25 PM
To: Radiator (Radiator)
Subject: (RADIATOR) make test in Radiator 3.5

Hello everyone,

I'm testing Radiator 3.5 (with patches) on our RH 7.3 which is currently running Radiator 3.3.1. I'm seeing a lot of not oks in make test.

    # perl Makefile.PL
    # make
    # make test
    PERL_DL_NONLAZY=1 /bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/5.6.1/i386-linux -I/usr/lib/perl5/5.6.1 test.pl
    Starting tests...
    Starting 2 test servers. Please wait...
    ok 1a ok 1b ok 1c ok 1d ok 1e
    not ok 2a ok 2b not ok 2c ok 2d ok 2e not ok 2f ok 2g not ok 2h ok 2i not ok 2j ok 2k not ok 2l not ok 2m not ok 2n not ok 2o ok 2p not ok 2q not ok 2r not ok 2s not ok 2t not ok 2u not ok 2v not ok 2x not ok 2y not ok 2z
    not ok 3a ok 3b ok 3c not ok 3d ok 3e ok 3f not ok 3g not ok 3h
    not ok 4a ok 4b ok 4c
    not ok 5a ok 5b ok 5c not ok 5d ok 5e not ok 5f ok 5g
    not ok 6a not ok 6b not ok 6c ok 6d not ok 6e not ok 6f not ok 6g not ok 6h
    not ok 7a not ok 7b not ok 7c
    not ok 8a not ok 8b
    Tests completed
    sh: kill: (20643) - No such process

Did I miss a step?

Thanks in advance,
William

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
RE: (RADIATOR) make test in Radiator 3.5
Thanks Hugh,

No changes have been made to the distribution Radiator 3.5.

    www:/usr/local/updates/radius/Radiator-3.5# sum users
    2857311
    www:/usr/local/updates/radius/Radiator-3.5# sum radius.cfg
    5481056
    www:/usr/local/updates/radius/Radiator-3.5# sum radius2.cfg
    35752 1
    www:/usr/local/updates/radius/Radiator-3.5# sum test.pl
    5533714

No errors were reported downloading or tar xvfz of the distribution and patch files.

Please advise,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 7:52 PM
To: William Hernandez
Cc: Radiator (Radiator)
Subject: Re: (RADIATOR) make test in Radiator 3.5

Hello William -

I suspect that either the users file, or the radius.cfg file in the main Radiator directory have been changed. You will find the test script in test.pl in the main directory, and it expects to use the original radius.cfg (and radius2.cfg) and the users file as included in the distribution.

regards

Hugh

On Friday, Feb 21, 2003, at 03:24 Australia/Melbourne, William Hernandez wrote:

Hello everyone,

I'm testing Radiator 3.5 (with patches) on our RH 7.3 which is currently running Radiator 3.3.1. I'm seeing a lot of not oks in make test.

    # perl Makefile.PL
    # make
    # make test
    PERL_DL_NONLAZY=1 /bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/5.6.1/i386-linux -I/usr/lib/perl5/5.6.1 test.pl
    Starting tests...
    Starting 2 test servers. Please wait...
    ok 1a ok 1b ok 1c ok 1d ok 1e
    not ok 2a ok 2b not ok 2c ok 2d ok 2e not ok 2f ok 2g not ok 2h ok 2i not ok 2j ok 2k not ok 2l not ok 2m not ok 2n not ok 2o ok 2p not ok 2q not ok 2r not ok 2s not ok 2t not ok 2u not ok 2v not ok 2x not ok 2y not ok 2z
    not ok 3a ok 3b ok 3c not ok 3d ok 3e ok 3f not ok 3g not ok 3h
    not ok 4a ok 4b ok 4c
    not ok 5a ok 5b ok 5c not ok 5d ok 5e not ok 5f ok 5g
    not ok 6a not ok 6b not ok 6c ok 6d not ok 6e not ok 6f not ok 6g not ok 6h
    not ok 7a not ok 7b not ok 7c
    not ok 8a not ok 8b
    Tests completed
    sh: kill: (20643) - No such process

Did I miss a step?

Thanks in advance,
William

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) make test in Radiator 3.5
Hello everyone,

I'm testing Radiator 3.5 (with patches) on our RH 7.3 which is currently running Radiator 3.3.1. I'm seeing a lot of not oks in make test.

    # perl Makefile.PL
    # make
    # make test
    PERL_DL_NONLAZY=1 /bin/perl -Iblib/arch -Iblib/lib -I/usr/lib/perl5/5.6.1/i386-linux -I/usr/lib/perl5/5.6.1 test.pl
    Starting tests...
    Starting 2 test servers. Please wait...
    ok 1a ok 1b ok 1c ok 1d ok 1e
    not ok 2a ok 2b not ok 2c ok 2d ok 2e not ok 2f ok 2g not ok 2h ok 2i not ok 2j ok 2k not ok 2l not ok 2m not ok 2n not ok 2o ok 2p not ok 2q not ok 2r not ok 2s not ok 2t not ok 2u not ok 2v not ok 2x not ok 2y not ok 2z
    not ok 3a ok 3b ok 3c not ok 3d ok 3e ok 3f not ok 3g not ok 3h
    not ok 4a ok 4b ok 4c
    not ok 5a ok 5b ok 5c not ok 5d ok 5e not ok 5f ok 5g
    not ok 6a not ok 6b not ok 6c ok 6d not ok 6e not ok 6f not ok 6g not ok 6h
    not ok 7a not ok 7b not ok 7c
    not ok 8a not ok 8b
    Tests completed
    sh: kill: (20643) - No such process

Did I miss a step?

Thanks in advance,
William
(RADIATOR) VTS-Session-Key in AcctLogFileFormat
Hello everyone,

I'm using

    AcctLogFileFormat %o %r ... VTS-Session-Key = %{VTS-Session-Key} %r ...

But it prints out garbage in the accounting detail file.

Without the AcctLogFileFormat Radiator prints lines like

    VTS-Session-Key = m15227158165+ 9149S255166=223.16

Can I get the same output using the AcctLogFileFormat?

Thanks in advance,
William Hernández

Radiator 3.3.1
RH 7.3
Perl 5.6.1
(RADIATOR) radpwtst trace level 3
Hello everyone,

Using the radpwtst of Radiator 3.3.1 there is no difference in output between radpwtst -trace 2 and radpwtst -trace 3, and radpwtst -trace 4 provides way too much output.

    # radpwtst -trace 3
    sending Access-Request...
    OK

I seem to recall that with Radiator 2.18.2

    # radpwtst -trace

would output the attributes in the Access-Accept and the final result. This was simpler and cleaner output.

Is radpwtst -trace 3 working correctly?

Thanks in advance,
William
RE: (RADIATOR) Version 3.3.1 released
Mike,

Does this installation problem affect running on Redhat 7.3?

Thanks in advance,
William

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike McCauley
Sent: Friday, August 30, 2002 5:40 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (RADIATOR) Version 3.3.1 released

Following an inadvertent installation problem in the recent version 3.3, we announce the availability of Radiator version 3.3.1

As usual, the new version is available free of charge to current licensees from
http://www.open.com.au/radiator/downloads/Radiator-3.3.1.tgz
and
http://www.open.com.au/radiator/downloads/Radiator-3.3.1-1.noarch.rpm
and to current evaluators from
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.3.1.tgz
and
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.3.1-1.noarch.rpm

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc
(RADIATOR) 'No such user' in radius.log
Hello everyone,

Testing on Radiator 3.3 with

    radpwtst -user username -password badpassword

We see the message in radius.log

    INFO: Access rejected for username: No such user.

Actually it should say:

    INFO: Access rejected for username: Bad password.

The radius.cfg has:

    <AuthBy SQL>
        Identifier check-active
        AuthSelect select password from customer \
            where CONVERT(binary(100),username)=CONVERT(binary(100),'%U') \
            and active='Y'
        AuthColumnDef 0, User-Password, check
        NoDefault
    </AuthBy>

Note that the query returns a row, but the password is incorrect. Please comment.

Thanks in advance,
William
(RADIATOR) Attribute Number 79
Hello everyone,

I'm testing our upgrade to 3.1 and I'm getting

    ERR: Attribute number 79 is not defined in your dictionary

I get the error with the 'dictionary' file from the 3.1 release. At this point we're just testing with radpwtst so I didn't think it was a vendor specific attribute, but I also get the error with a concatenation of 'dictionary' and 'dictionary.usr' and 'dictionary.ascend2' (since we have both ascend and total control hardware). And I also get the error with the 'dictionary' file that we were using with Radiator 2.18.2.

Thanks in advance,
William
RE: (RADIATOR) Malformed request packet: Attribute 25 with length 1: ignored
Hugh,

The class string is set in a PostAuthHook. We're now using Perl 5.6.1, Freetds 0.60 and DBD:Sybase 0.94. I was able to reproduce the problem outside of Radiator directly in Perl so I've concluded it's not a Radiator problem.

When we were using Radiator 2.1.8.2, Perl 5.6.0, Freetds 0.52, DBD:Sybase 0.91 we weren't getting this error.

As a work-around I modified the PostAuthHook to strip the null characters at the end of the strings. Perhaps you do this already in the Radiator 3.1 code.

Thanks in advance,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 10:02 PM
To: William Hernandez
Cc: Radiator (Radiator)
Subject: Re: (RADIATOR) Malformed request packet: Attribute 25 with length 1: ignored

Hello William -

I will need to see a more complete trace 5 debug (including hex dumps) of the incoming request, the corresponding access accept and the subsequent accounting requests. I will also need a copy of the configuration file (no secrets) and a copy of the relevant user record.

Just looking at what you have included, it looks like the Class attribute is being set incorrectly by your configuration.

regards

Hugh

On Saturday, August 17, 2002, at 04:18 AM, William Hernandez wrote:

Hello everyone,

I've just installed Radiator 3.1 plus patches on RedHat 7.3. Our users are authenticating, but I'm getting the following on every request:

    Malformed request packet: Attribute 25 with length 1: ignored

The trace 4 output has:

    Fri Aug 16 14:10:45 2002: DEBUG: User whr has content controls of xstop: A, R ALCO ALTER ANAR CHAT CRIMI CULTS DRUGS GAMB HATE OBSC PORN RRATED I, 1
    Code: Access-Accept
    Identifier: 0
    Authentic: 1234567890123456
    Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 900
        Service-Type = Framed-User
        Framed-Protocol = MP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Maximum-Channels = 2
        Ascend-Idle-Limit = 1200
        Idle-Timeout = 1200
        Session-Timeout = 31800
        Class = xstop: A, R ALCO ALTER ANAR CHAT CRIMI CULTS DRUGS GAMB HATE OB SC PORN RRATED I, 1 0 000 000 0 000 000 0 00 0 000 000 0 000 000

Our dictionary file (a concatenation of dictionary and dictionary.ascend2) has:

    ATTRIBUTE Class 25 string

What is causing the Malformed request packet?

Thanks in advance,
William
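How a padded string value can turn into a malformed attribute on the wire, and what stripping trailing NULs (the workaround described above) does to the encoding. This is an added example, not code from the thread or from Radiator; the function names, the sample Class value and the 255-octet padding width are assumptions, and it is not a diagnosis of the poster's setup.

```python
# Added example (not Radiator code): RADIUS attribute TLV encoding per RFC 2865.
# Each attribute is Type (1 octet), Length (1 octet, counts Type + Length + Value), Value.
CLASS = 25           # attribute type of Class
MAX_VALUE_LEN = 253  # largest value a one-octet Length can describe


def naive_encode(attr_type: int, value: bytes) -> bytes:
    """Encoder with no checks: the length is silently truncated to one octet."""
    return bytes([attr_type, (len(value) + 2) & 0xFF]) + value


def safe_encode(attr_type: int, value: bytes) -> bytes:
    """Strip trailing NUL padding, then refuse values the Length octet cannot describe."""
    value = value.rstrip(b"\x00")
    if not 1 <= len(value) <= MAX_VALUE_LEN:
        raise ValueError(f"attribute {attr_type}: value length {len(value)} out of range")
    return bytes([attr_type, len(value) + 2]) + value


def decode(data: bytes):
    """Walk the attribute list; return (attributes, error message or None)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            return attrs, f"truncated attribute header at offset {pos}"
        attr_type, length = data[pos], data[pos + 1]
        # A Length below 2 cannot even cover the header; one past the buffer is truncated.
        if length < 2 or pos + length > len(data):
            return attrs, f"Attribute {attr_type} with length {length}"
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs, None


# Constructed sample: a short Class string NUL-padded to 255 octets (assumed width),
# as a fixed-width database column might return it.
PADDED_CLASS = b"xstop: A, 1".ljust(255, b"\x00")

if __name__ == "__main__":
    print(decode(naive_encode(CLASS, PADDED_CLASS)))  # length octet wraps to 1
    print(decode(safe_encode(CLASS, PADDED_CLASS)))   # padding removed, length 13
```
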
RE: (RADIATOR) Attribute Number 79
Hello everyone,

Found the following in the archive which solved the problem.

    # Some experimental attributes from RFC 2869:
    ATTRIBUTE Prompt 76 integer
    ATTRIBUTE Connect-Info 77 string
    ATTRIBUTE Configuration-Token 78 binary
    ATTRIBUTE EAP-Message 79 binary
    ATTRIBUTE Signature 80 binary
    ATTRIBUTE Message-Authenticator 80 binary
    ATTRIBUTE Acct-Interim-Interval 85 integer
    ATTRIBUTE Ascend-Owner-IP-Addr 86 ipaddr
    ATTRIBUTE NAS-Port-Id 87 string
    ATTRIBUTE Framed-Pool 88 string

Thanks,
William

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of William Hernandez
Sent: Monday, August 19, 2002 10:42 AM
To: Radiator (Radiator)
Subject: (RADIATOR) Attribute Number 79

Hello everyone,

I'm testing our upgrade to 3.1 and I'm getting

    ERR: Attribute number 79 is not defined in your dictionary

I get the error with the 'dictionary' file from the 3.1 release. At this point we're just testing with radpwtst so I didn't think it was a vendor specific attribute, but I also get the error with a concatenation of 'dictionary' and 'dictionary.usr' and 'dictionary.ascend2' (since we have both ascend and total control hardware). And I also get the error with the 'dictionary' file that we were using with Radiator 2.18.2.

Thanks in advance,
William
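A check for the situation in this message: which attribute numbers have no ATTRIBUTE entry in a dictionary, before and after the RFC 2869 block is added. This is an added example, not part of the original post or of Radiator; the parser covers only whitespace-separated `ATTRIBUTE name number type` lines, and the base dictionary, the fused line and the list of attribute numbers are constructed.

```python
import re

# ATTRIBUTE <name> <number> <type>, whitespace separated; '#' starts a comment.
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_dictionary(text):
    """Return ({number: [(name, type), ...]}, [(lineno, line), ...] for unparsable lines)."""
    by_number, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("ATTRIBUTE"):
            continue  # blank lines and other keywords are out of scope here
        m = ATTR_RE.match(line)
        if m is None:
            malformed.append((lineno, line))
            continue
        by_number.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return by_number, malformed


def undefined_numbers(seen, by_number):
    """Attribute numbers that appear in traffic but have no dictionary entry."""
    return sorted(set(seen) - set(by_number))


def shared_numbers(by_number):
    """Numbers that more than one name maps to."""
    return {n: [name for name, _ in defs] for n, defs in by_number.items() if len(defs) > 1}


# Constructed base dictionary that stops short of the RFC 2869 range.
BASE = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
ATTRIBUTE Class 25 string
"""

# The block quoted in the message above.
RFC2869_BLOCK = """\
# Some experimental attributes from RFC 2869:
ATTRIBUTE Prompt 76 integer
ATTRIBUTE Connect-Info 77 string
ATTRIBUTE Configuration-Token 78 binary
ATTRIBUTE EAP-Message 79 binary
ATTRIBUTE Signature 80 binary
ATTRIBUTE Message-Authenticator 80 binary
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Ascend-Owner-IP-Addr 86 ipaddr
ATTRIBUTE NAS-Port-Id 87 string
ATTRIBUTE Framed-Pool 88 string
"""

FUSED = "ATTRIBUTE Connect-Info77 string\n"  # constructed: name and number run together
SEEN = [1, 2, 79]                            # constructed attribute numbers from a request

if __name__ == "__main__":
    before, _ = parse_dictionary(BASE)
    after, _ = parse_dictionary(BASE + RFC2869_BLOCK)
    print("undefined before:", undefined_numbers(SEEN, before))
    print("undefined after: ", undefined_numbers(SEEN, after))
    print("shared numbers:  ", shared_numbers(after))
    print("unparsable:      ", parse_dictionary(FUSED)[1])
```
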
(RADIATOR) Simultaneous-use in 3.1
Hello everyone,

I'm testing 3.1 using radpwtst. And I've noticed the message

    INFO: Access rejected for whr: Simultaneous-Use of 2 exceeded

in the radius.log. The message is correct. The problem is that RADONLINE shows there are 3 logins.

    radpwtst -trace -s localhost -user whr -password x -auth_port 1812 -acct_port 1813 -secret x -dictionary /etc/raddb/dictionary.prw -nostop -nas_port=1234
    radpwtst -trace -s localhost -user whr -password x -auth_port 1812 -acct_port 1813 -secret x -dictionary /etc/raddb/dictionary.prw -nostop -nas_port=1235
    radpwtst -trace -s localhost -user whr -password x -auth_port 1812 -acct_port 1813 -secret x -dictionary /etc/raddb/dictionary.prw -nostop -nas_port=1236

Output of radwho.cgi

    whr 203.63.154.1 1234 1234 Mon Aug 19 15:37:18 2002 0 00:00:47 terminate session delete session
    whr 203.63.154.1 1236 1234 Mon Aug 19 15:37:38 2002 0 00:00:27 terminate session delete session
    whr 203.63.154.1 1235 1234 Mon Aug 19 15:37:30 2002 0 00:00:35 terminate session delete session

Attached are the radius.cfg and the trace 4 log.

Thanks in advance,
William

radius.log
Description: Binary data

radius.cfg
Description: Binary data
(RADIATOR) Malformed request packet: Attribute 25 with length 1: ignored
Hello everyone,

I've just installed Radiator 3.1 plus patches on RedHat 7.3. Our users are authenticating, but I'm getting the following on every request:

    Malformed request packet: Attribute 25 with length 1: ignored

The trace 4 output has:

    Fri Aug 16 14:10:45 2002: DEBUG: User whr has content controls of xstop: A, R ALCO ALTER ANAR CHAT CRIMI CULTS DRUGS GAMB HATE OBSC PORN RRATED I, 1
    Code: Access-Accept
    Identifier: 0
    Authentic: 1234567890123456
    Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 900
        Service-Type = Framed-User
        Framed-Protocol = MP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Maximum-Channels = 2
        Ascend-Idle-Limit = 1200
        Idle-Timeout = 1200
        Session-Timeout = 31800
        Class = xstop: A, R ALCO ALTER ANAR CHAT CRIMI CULTS DRUGS GAMB HATE OB SC PORN RRATED I, 1 000 000 00 000 000 000

Our dictionary file (a concatenation of dictionary and dictionary.ascend2) has:

    ATTRIBUTE Class 25 string

What is causing the Malformed request packet?

Thanks in advance,
William
(RADIATOR) send failed: Invalid argument
Hello everyone,

Something strange occurred this week: If I'm logged in on home.prw.net I get the following:

    radpwtst -trace -s home.prw.net -user x -password x -auth_port 1812 -acct_port 1813 -secret x -dictionary /etc/raddb/dictionary.prw
    sending Access-Request...
    sendTo: send failed: Invalid argument
    No reply
    sending Accounting-Request Start...
    sendTo: send failed: Invalid argument
    No reply
    sending Accounting-Request Stop...
    sendTo: send failed: Invalid argument
    No reply

Nothing has changed in Radiator 2.18.2 and both systems are running Linux 2.4.2-2.

Radiator authenticates fine on home.prw.net so I don't think this is a Radiator problem and the same command run at www.prw.net works fine, but perhaps someone has seen this before and can provide me with a hint as to where to look.

Thanks in advance,
William
RE: (RADIATOR) VPN-Neighbor Attribute not in Accounting Log
Hugh,

The attributes are set in postauthhook.prw as follows:

    $rp->add_attr('Class', $class);
    ($a,$b)=split(/=/,$ascend);
    $rp->add_attr($a, $b);
    ($a,$b)=split(/=/,$hiper);
    $rp->add_attr($a, $b);

Thanks in advance,
William

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 04, 2002 4:20 AM
To: William Hernandez; Radiator (Radiator)
Subject: Re: (RADIATOR) VPN-Neighbor Attribute not in Accounting Log

Hello William -

This looks to me like an accounting response being sent back to the NAS. As usual, to be able to say anything more I will need to see a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Sat, 4 May 2002 05:47, William Hernandez wrote:

Hello everyone,

I set the Class attribute and the VSA VPN-Neighbor attribute in a postauthhook. And I can see that both attributes are being set in a trace 4 log. The problem is that I can see the Class attribute in the accounting log file, but not the VPN-Neighbor attribute.

Here's an excerpt from the trace 4 log.

    Code: Accounting-Response
    Identifier: 229
    Authentic: 20A177177^b11.A208195W132+136247
    Attributes:
        Session-Timeout = 50040
        Class = xstop: R 25 110 I, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
        Ascend-IP-Direct = 208.249.78.41
        VPN-Neighbor = 208.249.78.41

Any suggestions?

Thanks in advance,
William

radius.debug
Description: Binary data

radius.cfg
Description: Binary data
(RADIATOR) VPN-Neighbor Attribute not in Accounting Log
Hello everyone,

I set the Class attribute and the VSA VPN-Neighbor attribute in a postauthhook. And I can see that both attributes are being set in a trace 4 log. The problem is that I can see the Class attribute in the accounting log file, but not the VPN-Neighbor attribute. Here's an excerpt from the trace 4 log.

Code: Accounting-Response
Identifier: 229
Authentic: 20A177177^b11.A208195W132+136247
Attributes:
    Session-Timeout = 50040
    Class = xstop: R 25 110 I, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
    Ascend-IP-Direct = 208.249.78.41
    VPN-Neighbor = 208.249.78.41

Any suggestions?

Thanks in advance,
William
(RADIATOR) DefaultSimultaneousUse in AuthBy RADIUS
Hello everyone, Can I use the DefaultSimultaneousUse parameter in an AuthBy RADIUS clause? If not, is there a workaround? Thanks in advance, William
(RADIATOR) RE: PDF file for 2.18 Documentation
Hugh, Please ignore this message. I found the ref.html in the doc subdirectory. William -Original Message- From: William Hernandez Sent: Monday, April 22, 2002 11:24 AM To: Hugh Irvine ([EMAIL PROTECTED]) Subject: PDF file for 2.18 Documentation Hello Hugh, Would it be possible to download via ftp the 2.18.x Radiator Server Manual? Thanks in advance, William Hernández ESS/PR Webmasters San Juan, P.R. Tel: 787-723-5000 Fax: 787-722-6242
(RADIATOR) RE: Reject access from specific Calling-Station-Id
Hello everyone,

I haven't gotten any closer on this. Does anyone have any suggestions?

Thanks in advance,
William

-Original Message-
From: William Hernandez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 11:34 AM
To: Radiator (Radiator)
Subject: RE: Reject access from specific Calling-Station-Id

Hello everyone,

I think I'm getting closer. I changed blockcli.prw to:

username Calling-Station-Id = /^555/, Called-Station-Id = /111/, Auth-Type = Reject: Calling station not valid for 111

DEFAULT Auth-Type=Accept

And in radius.cfg I changed ContinueWhileAccept to ContinueUntilReject.

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=555 Called-Station-Id=111
sending Access-Request...
Rejected
Reply-Message = Request Denied
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

# /var/log/radius.log:
Wed Feb 20 10:56:57 2002: INFO: Access rejected for username: Calling station not valid for 111

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=333 Called-Station-Id=111
sending Access-Request...
OK
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 41580
Class = xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

It seems to work, but it means that I have to define all my users in the users file. Is there an easier way?
RE: (RADIATOR) RE: Reject access from specific Calling-Station-Id
Thanks for the suggestion Frank. I'm running 2.18.2 so I'll have to schedule an upgrade to 2.19 to try this out.

Regards,
William

-Original Message-
From: Frank Danielson [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 2:02 PM
To: William Hernandez; Radiator (Radiator)
Subject: RE: (RADIATOR) RE: Reject access from specific Calling-Station-Id

If you want to block access for all users when that combination of Calling-Station-Id and Called-Station-Id is used, why not do it in a handler?

<Handler Calling-Station-Id = /^555/, Called-Station-Id = /111/>
    <AuthBy INTERNAL>
        AuthResult REJECT
        AcctStartResult ACCEPT
        AcctStopResult ACCEPT
        DefaultResult REJECT
    </AuthBy>
    AcctLogFileName /var/log/radacct/detail
</Handler>

Just put this before your other handlers so it will match first, see Section 6.16 in the manual for more info.

Frank Danielson
[Infrastructure Architect]
wireless: 407.467.7832
wireline: 407.515.8633
Data On Air
301 E. Pine St. Suite 450
Orlando, Fl 32801
http://www.dataonair.com

-Original Message-
From: William Hernandez [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 01, 2002 8:28 AM
To: Radiator (Radiator)
Subject: (RADIATOR) RE: Reject access from specific Calling-Station-Id

Hello everyone,

I haven't gotten any closer on this. Does anyone have any suggestions?

Thanks in advance,
William

-Original Message-
From: William Hernandez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 11:34 AM
To: Radiator (Radiator)
Subject: RE: Reject access from specific Calling-Station-Id

Hello everyone,

I think I'm getting closer. I changed blockcli.prw to:

username Calling-Station-Id = /^555/, Called-Station-Id = /111/, Auth-Type = Reject: Calling station not valid for 111

DEFAULT Auth-Type=Accept

And in radius.cfg I changed ContinueWhileAccept to ContinueUntilReject.
(RADIATOR) RE: Reject access from specific Calling-Station-Id
Hello everyone,

I think I'm getting closer. I changed blockcli.prw to:

username Calling-Station-Id = /^555/, Called-Station-Id = /111/, Auth-Type = Reject: Calling station not valid for 111

DEFAULT Auth-Type=Accept

And in radius.cfg I changed ContinueWhileAccept to ContinueUntilReject.

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=555 Called-Station-Id=111
sending Access-Request...
Rejected
Reply-Message = Request Denied
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

# /var/log/radius.log:
Wed Feb 20 10:56:57 2002: INFO: Access rejected for username: Calling station not valid for 111

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=333 Called-Station-Id=111
sending Access-Request...
OK
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 41580
Class = xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

It seems to work, but it means that I have to define all my users in the users file. Is there an easier way?

Thanks in advance,
William

-Original Message-
From: William Hernandez
Sent: Monday, February 18, 2002 9:38 AM
To: Radiator (Radiator)
Subject: Reject access from specific Calling-Station-Id

Hello everyone,

We're trying to configure Radiator 2.18.2 to reject access to a specific Called-Station-Id when the Calling-Station-Id is in a specific range using various ideas picked up from the archives, but the following is not working for us.
(RADIATOR) Reject access from specific Calling-Station-Id
Hello everyone,

We're trying to configure Radiator 2.18.2 to reject access to a specific Called-Station-Id when the Calling-Station-Id is in a specific range using various ideas picked up from the archives, but the following is not working for us.

# radpwtst -trace -s www -user username -password password -auth_port 1812 -acct_port 1813 -secret secret -dictionary /etc/raddb/dictionary.prw Calling-Station-Id=555 Called-Station-Id=111
sending Access-Request...
OK
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Idle-Limit = 1200
Idle-Timeout = 1200
Session-Timeout = 49920
Class = xstop: A, R ANAR CHAT CRIMI DRUGS GAMB HATE OBSC PORN RRATED I, 1
Ascend-IP-Direct = 10.10.10.10
VPN-Neighbor = 10.10.10.10
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK

Regards,
William

-- radius.cfg
...
<AuthBy FILE>
    Identifier Check-CLI
    AcceptIfMissing
    Filename /etc/raddb/blockcli.prw
</AuthBy>
...
<Handler>
    SessionDatabase prw-sessiondb
    AuthByPolicy ContinueWhileAccept
    AuthBy Check-CLI
    AuthBy Check-FILE
    AuthBy System
    PostAuthHook file:/etc/raddb/postauthhook.prw file:
    AcctLogFileName /var/log/radacct/detail
    PasswordLogFileName /var/log/radius.log
    ExcludeFromPasswordLog root
</Handler>
...
-- End of radius.cfg -

-- blockcli.prw
DEFAULT Calling-Station-Id = /^555/, \
    Called-Station-Id = /111/, \
    Auth-Type = Reject: Calling station not valid for 111
-- End of blockcli.prw --

-- radius.log
Mon Feb 18 09:08:36 2002: DEBUG: Packet dump:
*** Received from 10.10.10.3 port 41637
Code: Access-Request
Identifier: 126
Authentic: 1234567890123456
Attributes:
    User-Name = username
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    User-Password = 14620823815824722144516413322817 41H30x
    Calling-Station-Id = 555
    Called-Station-Id = 111
Mon Feb 18 09:08:36 2002: DEBUG: PreClientHook: Looking for Connect-Speed
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Check if Handler should be used to handle this request
Mon Feb 18 09:08:36 2002: DEBUG: Handling request with Handler ''
Mon Feb 18 09:08:36 2002: DEBUG: prw-sessiondb Deleting session for username, 203.63.154.1, 1234
Mon Feb 18 09:08:36 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthFILE
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='username'
Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthFILE ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Handling with Radius::AuthUNIX
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX looks for match with username
Mon Feb 18 09:08:36 2002: Login OK: [username] (www)
Mon Feb 18 09:08:36 2002: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Feb 18 09:08:36 2002: DEBUG: Processing PostAuthHook:prwpostauthhook
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: username is: username
Mon Feb 18 09:08:36 2002: DEBUG: prwpostauthhook: Called-Station-Id is: 111
Mon Feb 18 09:08:36 2002: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISABLETIME,DISABLECLASS from XSTOP where USERNAME='username'
Mon Feb 18 09:08:36 2002: DEBUG: Retrieved timeblock Su0700-2300,Mo0700-2300,Tu0700-2300,We0700-2300,Th0700-2300,Fr0700-2300,Sa0700-2300 for
(RADIATOR) AccountingHandled Question
Currently Radiator is configured to write accounting start/stop records to the detail file. The NAS retransmits accounting start/stop records if an acknowledgement is not received. In our particular setup an acknowledgement will never be sent to the NAS. Can I use AccountingHandled to eliminate from the detail file the retransmitted accounting start/stop records? Thanks in advance, William
(RADIATOR) Multiple timestamp in the accounting record? (Part II)
Hello everyone,

I found the following messages in the Radiator Archive and it appears to be basically the same situation that I'm encountering. We're running Radiator 2.18.2 and we proxy requests for a specific realm to another radius server. And the detail file has multiple timestamps in the same accounting record as described in the archive. However, I don't understand the solution for how to eliminate the multiple timestamps. Is a modification required in the dictionary file which currently has

ATTRIBUTE Timestamp 103 integer

? Do I remove this line from the dictionary file on the proxy server, but keep it on the main radius server?

Thanks in advance,
William

Re: (RADIATOR) Multiple timestamp in the accounting record?

Hello Hugh,

Thanks a lot first, but I think I have found the reason. Anyway, I meant multiple timestamps in the same accounting record. It was because of attribute 103 (GRIC timestamp) in the Dictionary. Every time the Radiator receives a proxy request, the timestamp of the accounting record in the previous Radius server gets appended to the accounting record of the Radiator. Hence there have been more than one timestamp.

Thanks a lot.
Jason

--
From: Hugh Irvine
To: Cheung, Jason HC; Radiator mail list
Subject: Re: (RADIATOR) Multiple timestamp in the accounting record?
Date: Tuesday, December 21, 1999 10:52AM

Hello Jason -

On Mon, 20 Dec 1999, Cheung, Jason HC wrote:

I am running the Radiator in a proxy mode and conducted a series of tests. From the accounting records, there have been a number of accounting records with 2 or 3 timestamps appeared in the START and STOP tickets. Do you know what is causing this multiple timestamps ambiguity?

Could you be more specific please? Do you mean multiple timestamps in the same accounting record? Or do you mean the same accounting record multiple times? And could you please send your configuration file (no secrets) together with a trace 4 debug demonstrating the problem. Also include a detailed description of the problem and your hardware and software platform.

many thanks

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

=== Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Adding Attributes to detail file
Hello everyone,

How do I add attributes in a hook to the Accounting start/stop records that appear in the detail file? I've tried using

$p->add_attr('Connect-Speed',$ConnectSpeed{$connectspeed});

And even

$rp->add_attr('Connect-Speed',$ConnectSpeed{$connectspeed});

But I'm not getting the expected result in the detail file.

Thanks in advance,
William
RE: (RADIATOR) shared secret
Hello everyone,

We have Total Control NASes and the following works for us:

set authentication primary_secret
set accounting primary_secret

You can't verify what you entered with

show authentication
show accounting

Regards,
William

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Andrew Kaplan
Sent: Friday, November 30, 2001 9:17 PM
To: Radiator
Subject: (RADIATOR) shared secret

How do I setup a shared secret for accounting. I have one for authentication, but feel I need to add one for accounting. I'm using Total Control Chassis.

Andrew P. Kaplan
Network Administrator
CyberShore, Inc.
http://www.cshore.com

I couldn't give him advice in business and he couldn't give me advice in technology. --Linus Torvalds, about why he wouldn't be interested in meeting Bill Gates.
RE: (RADIATOR) AcctLogFileFormat
Thanks Hugh,

The following in radius.cfg:

AcctLogFileFormat %o %r User-Name = %U %r NAS-IP-Address = %{NAS-IP-Address} %r NAS-Identifier = %{NAS-Identifier} %r Acct-Status-Type = %{Acct-Status-Type} %r Acct-Session-Id = %{Acct-Session-Id} %r Acct-Delay-Time = %{Acct-Delay-Time} %r Acct-Authentic = %{Acct-Authentic} %r Service-Type = %{Service-Type} %r NAS-Port-Type = %{NAS-Port-Type} %r NAS-Port = %{NAS-Port} %r USR-Modem-Training-Time = %{USR-Modem-Training-Time} %r USR-Interface-Index = %{USR-Interface-Index} %r Chassis-Call-Slot = %{Chassis-Call-Slot} %r Chassis-Call-Span = %{Chassis-Call-Span} %r Chassis-Call-Channel = %{Chassis-Call-Channel} %r Unauthenticated-Time = %{Unauthenticated-Time} %r Calling-Station-Id = %{Calling-Station-Id} %r Called-Station-Id = %{Called-Station-Id} %r VPN-ID = %{VPN-ID} %r Modulation-Type = %{Modulation-Type} %r Simplified-MNP-Levels = %{Simplified-MNP-Levels} %r Simplified-V42bis-Usage = %{Simplified-V42bis-Usage} %r Connect-Speed = %{Connect-Speed}%r Framed-Protocol = %{Framed-Protocol} %r Framed-IP-Address = %{Framed-IP-Address} %r VTS-Session-Key = %{VTS-Session-Key} %r Call-Arrived-time = %{Call-Arrived-time} %r Ascend-NAS-Port-Format = %{Ascend-NAS-Port-Format} %r Ascend-Multilink-ID = %{Ascend-Multilink-ID} %r Ascend-Num-In-Multilink = %{Ascend-Num-In-Multilink} %r Acct-Link-Count = %{Acct-Link-Count} %r Acct-Multi-Session-Id = %{Acct-Multi-Session-Id} %r Ascend-Modem-PortNo = %{Ascend-Modem-Portno} %r Ascend-Modem-SlotNo = %{Ascend-Modem-Slotno} %r Timestamp = %{Timestamp}

got me the following line in the detail file:

Fri Nov 2 10:51:14 2001
User-Name = cummins-pr.com
NAS-IP-Address = 203.63.154.1
NAS-Identifier =
Acct-Status-Type = Stop
Acct-Session-Id = 1234
Acct-Delay-Time = 0
Acct-Authentic =
Service-Type = Framed-User
NAS-Port-Type = Async
NAS-Port = 1234
USR-Modem-Training-Time =
USR-Interface-Index =
Chassis-Call-Slot =
Chassis-Call-Span =
Chassis-Call-Channel =
Unauthenticated-Time =
Calling-Station-Id =
Called-Station-Id =
VPN-ID =
Modulation-Type =
Simplified-MNP-Levels =
Simplified-V42bis-Usage =
Connect-Speed =
Framed-Protocol =
Framed-IP-Address =
VTS-Session-Key =
Call-Arrived-time =
Ascend-NAS-Port-Format =
Ascend-Multilink-ID =
Ascend-Num-In-Multilink =
Acct-Link-Count =
Acct-Multi-Session-Id =
Ascend-Modem-PortNo =
Ascend-Modem-SlotNo =
Timestamp = 1004712674

Is there a way to suppress the printing of values that don't have values?

Thanks in advance,
William

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 12:10 AM
To: William Hernandez
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) AcctLogFileFormat

Hello William -

Hello everyone,

I have the following in radius.cfg:

AcctLogFileFormat \
    %U \
    %{NAS-IP-Address} \
    %{NAS-Identifier} \
    %{Acct-Status-Type} \
    %{Acct-Session-Id} \
    %{Acct-Delay-Time} \
    %{Acct-Authentic} \
    %{Service-Type} \
    %{NAS-Port-Type} \
    %{NAS-Port} \
    %{USR-Modem-Training-Time} \
    %{USR-Interface-Index} \
    %{Chassis-Call-Slot} \
    %{Chassis-Call-Span} \
    %{Chassis-Call-Channel} \
    %{Unauthenticated-Time} \
    %{Calling-Station-Id} \
    %{Called-Station-Id} \
    %{VPN-ID} \
    %{Modulation-Type} \
    %{Simplified-MNP-Levels} \
    %{Simplified-V42bis-Usage} \
    %{Connect-Speed} \
    %{Framed-Protocol} \
    %{Framed-IP-Address} \
    %{VTS-Session-Key} \
    %{Call-Arrived-time} \
    %{Timestamp}

I tested with:

radpwtst -trace -s www.prw.net -user [EMAIL PROTECTED] -password somepassword -auth_port 1812 -acct_port 1813 -secret somesecret -dictionary /etc/raddb/dictionary.prw

And I get the following in the accounting detail file:

Thu Nov 1 17:39:17 2001
User-Name = [EMAIL PROTECTED]
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Start
Timestamp = 1004650757

cummins-pr.com 203.63.154.1 Stop 1234 0 Framed-User Async 1234 1004650762

The desired change in the accounting detail file was to simply output the User-Name without the domain, i.e., User-Name = cummins-pr.com. Where did I
(RADIATOR) AcctLogFileFormat
Hello everyone,

I have the following in radius.cfg:

AcctLogFileFormat \
    %U \
    %{NAS-IP-Address} \
    %{NAS-Identifier} \
    %{Acct-Status-Type} \
    %{Acct-Session-Id} \
    %{Acct-Delay-Time} \
    %{Acct-Authentic} \
    %{Service-Type} \
    %{NAS-Port-Type} \
    %{NAS-Port} \
    %{USR-Modem-Training-Time} \
    %{USR-Interface-Index} \
    %{Chassis-Call-Slot} \
    %{Chassis-Call-Span} \
    %{Chassis-Call-Channel} \
    %{Unauthenticated-Time} \
    %{Calling-Station-Id} \
    %{Called-Station-Id} \
    %{VPN-ID} \
    %{Modulation-Type} \
    %{Simplified-MNP-Levels} \
    %{Simplified-V42bis-Usage} \
    %{Connect-Speed} \
    %{Framed-Protocol} \
    %{Framed-IP-Address} \
    %{VTS-Session-Key} \
    %{Call-Arrived-time} \
    %{Timestamp}

I tested with:

radpwtst -trace -s www.prw.net -user [EMAIL PROTECTED] -password somepassword -auth_port 1812 -acct_port 1813 -secret somesecret -dictionary /etc/raddb/dictionary.prw

And I get the following in the accounting detail file:

Thu Nov 1 17:39:17 2001
User-Name = [EMAIL PROTECTED]
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Start
Timestamp = 1004650757

cummins-pr.com 203.63.154.1 Stop 1234 0 Framed-User Async 1234 1004650762

The desired change in the accounting detail file was to simply output the User-Name without the domain, i.e., User-Name = cummins-pr.com. Where did I go wrong?

Thanks in advance,
William
RE: (RADIATOR) Multiple Accounting Stop Records
Hello everyone, After some checking we've found out that the TotalControls cannot be configured to not retransmit accounting records. The problem is that we have these multiple stop records in the detail file which create a billing problem for us. Right now I run a perl script to cleanup the detail file, but I'm wondering whether the following will work. The idea is to only write to the accounting detail files the accounting start records and the accounting stop records that have an Acct-Delay-Time of 0. All other accounting requests would be ignored. Right now I use Handlers. In this setup I would replace each Handler in my current radius.cfg with 3 Handlers. This would be a one time pain, but I wouldn't have to run the perl script and everything would be right in the radius.cfg. Here goes: Handler Realm=domain.com Request-Type=Access-Request as before.with the AcctLogFileName line removed /Handler Handler Realm=domain.com Request-Type=Accounting-Request Acct-Status-Type=1 AcctLogFileName /var/log/radacct/detail /Handler Handler Realm=domain.com Request-Type=Accounting-Request Acct-Status-Type=2 Acct-Delay-Time=0 AcctLogFileName /var/log/radacct/detail /Handler Does it make sense? Do I need an AuthBy clause if I'm only handling Accounting-Request? Thanks in advance, William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Monday, August 27, 2001 7:43 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Multiple Accounting Stop Records Hello William - What you are seeing is NAS retransmissions because the NAS has not received an Accounting-Response in reply to an Accounting-Request (or possibly a NAS bug). The radius retransmission timeout on the NAS must be set to 60 seconds if that is what you are seeing in the log file. Note that it is pretty simple to recognise the retransmissions simply by the fact that the Acct-Delay-Time is not 0. 
In other words, the first transmission of an accounting packet will have an Acct-Delay-Time of 0, the second will have an Acct-Delay-Time of whatever the radius retry timeout is set on the NAS, the third will have an Acct-Delay-Time of twice the radius retry timeout, etc. etc.

The way to find out what is happening is to check a trace 4 debug from Radiator to verify that the first accounting packet in the series is indeed being replied to, and then use your favourite packet sniffer along the transmission path back to the NAS to verify whether the reply is getting back to the NAS. In our experience the vast majority of problems like this are the direct result of saturated links somewhere in the transmission path that cause packets to be dropped.

hth

Hugh

On Tuesday 28 August 2001 04:04, William Hernandez wrote:

We're having a problem with multiple accounting stop records. The stop records have exactly a 1 minute difference between them, i.e., a stop record at 09:00:00 is followed by another stop record at 09:00:01.

We started seeing these multiple accounting stop records about a month ago. This coincides with some changes we made to our systems, namely, upgrading to RedHat 7.1, upgrading to Radiator 2.18.1, and switching to TotalControl (HiperArc) NASes.

I need help determining why we're getting these multiple stop records. Everything was working fine with Radiator 2.16 and with the Ascend Maxes we were previously using.

I found some messages in the archives about Acct-Delay-Time, but they're rather old and had to do with Radiator 2.14 and MAXes. The manual seems to indicate that the default value of Acct-Delay-Time is 0, but as you can see from the accounting log the second stop record has a value of 60 which is exactly the 1 minute difference between stop records that we're seeing.

Is this a Radiator problem or a Total Control problem or should I be looking elsewhere?

Thanks in advance.

William Hernández
ESS/PR Webmasters
San Juan, P.R.
Tel: 787-723-5000 Fax: 787-722-6242 -From the dictionary file-- ATTRIBUTE Acct-Delay-Time 41 integer -From the Accounting detail file--- Wed Aug 15 08:59:29 2001 User-Name = pijuan NAS-IP-Address = 208.249.78.12 NAS-Identifier = 208.249.78.12 Acct-Status-Type = Stop Acct-Session-Id = 35455064 Acct-Delay-Time = 0 Acct-Authentic = RADIUS Service-Type = Framed-User NAS-Port-Type = Async NAS-Port = 549 USR-Modem-Training-Time = 17 USR-Interface-Index = 1805 Chassis-Call-Slot = 3 Chassis-Call-Span = 2 Chassis-Call-Channel = 37 Unauthenticated-Time = 4 Calling-Station-Id = Called-Station-Id = 6419000 VPN-ID = 0 Modulation-Type = v90Digital Simplified-MNP-Levels = ccittV42 Simplified-V42bis-Usage = ccittV42bis Connect-Speed
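Added example, not part of the original thread and not Radiator's own code: removing retransmitted accounting records from a detail file offline. It keeps one Start and one Stop per (NAS-IP-Address, Acct-Session-Id), preferring the lowest Acct-Delay-Time, and compares that with the "Start, or Stop with delay 0" filter discussed above, which loses a Stop whose first transmission never arrived. The file layout, function names and sample records are assumptions constructed for illustration.

```python
"""Drop NAS retransmissions from a RADIUS accounting detail file (added example)."""

# Constructed sample, not taken from the thread. Assumed layout: a timestamp
# line, then indented "Attribute = value" lines, with a blank line between records.
SAMPLE_DETAIL = """\
Wed Aug 15 08:00:00 2001
\tUser-Name = alice
\tNAS-IP-Address = 192.0.2.12
\tAcct-Status-Type = Start
\tAcct-Session-Id = 1001
\tAcct-Delay-Time = 0

Wed Aug 15 08:59:29 2001
\tUser-Name = alice
\tNAS-IP-Address = 192.0.2.12
\tAcct-Status-Type = Stop
\tAcct-Session-Id = 1001
\tAcct-Delay-Time = 0
\tCalling-Station-Id =

Wed Aug 15 09:00:29 2001
\tUser-Name = alice
\tNAS-IP-Address = 192.0.2.12
\tAcct-Status-Type = Stop
\tAcct-Session-Id = 1001
\tAcct-Delay-Time = 60

Wed Aug 15 09:10:00 2001
\tUser-Name = bob
\tNAS-IP-Address = 192.0.2.12
\tAcct-Status-Type = Stop
\tAcct-Session-Id = 1002
\tAcct-Delay-Time = 60

Wed Aug 15 09:11:00 2001
\tUser-Name = bob
\tNAS-IP-Address = 192.0.2.12
\tAcct-Status-Type = Stop
\tAcct-Session-Id = 1002
\tAcct-Delay-Time = 120
"""

DEDUP_TYPES = {"Start", "Stop"}  # interim updates legitimately repeat per session


def parse_detail(text):
    """Return a list of {'header': str, 'attrs': dict} records."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends the record
        elif line[0] in " \t":
            if current is not None:             # ignore attributes with no header
                name, _, value = line.partition("=")
                current["attrs"][name.strip()] = value.strip()
        else:
            current = {"header": line.strip(), "attrs": {}}
            records.append(current)
    return records


def delay_of(record):
    """Acct-Delay-Time as an int; missing or malformed counts as 0."""
    try:
        return int(record["attrs"].get("Acct-Delay-Time", "0"))
    except ValueError:
        return 0


def start_and_zero_delay_stop(records):
    """The filter discussed in the thread: every Start, and Stop only if delay is 0."""
    return [r for r in records if r["attrs"].get("Acct-Status-Type") == "Start"
            or (r["attrs"].get("Acct-Status-Type") == "Stop" and delay_of(r) == 0)]


def drop_retransmissions(records):
    """Keep one Start/Stop per session: the copy with the lowest delay."""
    kept, slot = [], {}
    for rec in records:
        a = rec["attrs"]
        # Assumes a NAS does not reuse an Acct-Session-Id within one file.
        key = (a.get("NAS-IP-Address"), a.get("Acct-Session-Id"),
               a.get("Acct-Status-Type"))
        if None in key or key[2] not in DEDUP_TYPES:
            kept.append(rec)                    # cannot or should not dedupe
        elif key not in slot:
            slot[key] = len(kept)
            kept.append(rec)
        elif delay_of(rec) < delay_of(kept[slot[key]]):
            kept[slot[key]] = rec               # earlier transmission arrived late
    return kept


if __name__ == "__main__":
    for rec in drop_retransmissions(parse_detail(SAMPLE_DETAIL)):
        a = rec["attrs"]
        print(rec["header"], a["User-Name"], a["Acct-Status-Type"],
              a["Acct-Delay-Time"])
```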
(RADIATOR) AuthSQL looks for match
Hello everyone, We have users that will be handled by the handler clause Handler Called-Station-Id=/5050$/. Some accounts will be assigned an IP address that is found in the users file. All users will be authenticated against Platypus. We're testing using: radpwtst -trace -s www.prw.net -user cumminspr -password mypassword -auth_port 1812 - noacct -secret mysecret -dictionary /etc/raddb/dictionary.prw Called-Station-Id =6415050 There's a problem in Fri Oct 5 15:03:26 2001: DEBUG: Query is: select password, active, timeleft, bl ockuser, guarantor from customer where username='cumminspr' and active='Y' Fri Oct 5 15:03:26 2001: DEBUG: Radius::AuthSQL looks for match with cumminspr@ prdigital.com In the first line there's a username='cumminspr' which is what I expect to see in '%u'. However, the AuthSQL says that it's looking for '[EMAIL PROTECTED]' and fails. Where did I go wrong? Thanks in advance, William Using Radiator 2.18.2 on RH 7.1. --- Users file [EMAIL PROTECTED] Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 208.249.79.280, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 0, Idle-Timeout = 0 -- radius.cfg AuthBy FILE Identifier Check-FILE Filename /etc/raddb/users NoDefaultIfFound /AuthBy AuthBy SQL Identifier prdigital-plat DBSourcedbi:Sybase:database=prdigital DBUsername* DBAuth* AuthSelect select password, active, timeleft, blockuser, guarantor \ from customer where username='%u' and active='Y' AuthColumnDef 0, User-Password, check AddToReply Service-Type = Framed-User, \ Framed-Protocol = PPP, \ Framed-IP-Netmask = 255.255.255.255, \ Framed-Compression = Van-Jacobson-TCP-IP, \ Ascend-Idle-Limit = 900 NoDefault /AuthBy Handler Called-Station-Id=/5050$/ RewriteUsername s/(.*)/$1\@prdigital.com/ SessionDatabase prdigital-sessiondb AuthByPolicy ContinueUntilLastAuthBy AuthBy Check-FILE AuthBy prdigital-plat PostAuthHook file:/etc/raddb/setSessionTimeout AcctLogFileName 
/var/log/radacct/prdigital/detail PasswordLogFileName /var/log/radacct/prdigital/radius.log ExcludeFromPasswordLog root /Handler --- Here's a trace 4 . Fri Oct 5 15:00:19 2001: INFO: Server started: Radiator 2.18.2 on www.prw.net Fri Oct 5 15:00:23 2001: INFO: Trace level changed to 4 Fri Oct 5 15:00:23 2001: INFO: Trace level increased to 4 Fri Oct 5 15:03:25 2001: DEBUG: Packet dump: *** Received from 208.249.78.3 port 50990 Code: Access-Request Identifier: 250 Authentic: 1234567890123456 Attributes: User-Name = cumminspr Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = 215138169156243$1445164133228174 1H30x Called-Station-Id = 6415050 Fri Oct 5 15:03:25 2001: DEBUG: Check if Handler Realm=surfea.net should be use d to handle this request Fri Oct 5 15:03:25 2001: DEBUG: Check if Handler Realm=prwebtv.net should be us ed to handle this request Fri Oct 5 15:03:25 2001: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request Fri Oct 5 15:03:25 2001: DEBUG: Check if Handler Called-Station-Id=/5050$/ shou ld be used to handle this request Fri Oct 5 15:03:25 2001: DEBUG: Handling request with Handler 'Called-Station-I d=/5050$/' Fri Oct 5 15:03:25 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED] Fri Oct 5 15:03:25 2001: DEBUG: prdigital-sessiondb Deleting session for cummin spr, 203.63.154.1, 1234 Fri Oct 5 15:03:25 2001: DEBUG: do query is: delete from RADONLINE where NASIDE NTIFIER='203.63.154.1' and NASPORT=01234 Fri Oct 5 15:03:25 2001: DEBUG: Handling with Radius::AuthFILE Fri Oct 5 15:03:25 2001: DEBUG: Radius::AuthFILE looks for match with cumminspr @prdigital.com Fri Oct 5 15:03:25 2001: DEBUG: Radius::AuthFILE ACCEPT: Fri Oct 5 15:03:25 2001: DEBUG: Handling with Radius::AuthSQL Fri Oct 5 15:03:26 2001: DEBUG: Handling with Radius::AuthSQL Fri Oct 5 15:03:26 2001: DEBUG: Query is: select password, active, timeleft, bl ockuser, guarantor from customer where 
username='cumminspr' and active='Y' Fri Oct 5 15:03:26 2001: DEBUG: Radius::AuthSQL looks for match with cumminspr@ prdigital.com Fri Oct 5 15:03:26 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password Fri Oct 5 15:03:26 2001: DEBUG: Processing PostAuthHook:setSessionTimeout Fri Oct 5 15:03:26 2001: DEBUG: setSessionTimeout: username is: cumminspr@prdig ital.com Fri Oct 5 15:03:26 2001:
(RADIATOR) Identifier in Handler
Hello everyone,

We use handlers in our radius.cfg such as

<Handler Realm=prdigital.com>
    Identifier prdigital
    SessionDatabase prw-sessiondb
    AuthBy prdigital-plat
    PostAuthHook file:/etc/raddb/setSessionTimeout
    AcctLogFileName /var/log/radacct/prdigital/detail
    PasswordLogFileName /var/log/radacct/prdigital/radius.log
    ExcludeFromPasswordLog root
</Handler>

which worked fine when we had users logging in as [EMAIL PROTECTED]. Now we can also have users logging in as wbprdigital.com which I also want to fall into the above Handler. We need to add some reply items to these users so in the users file I have:

wbprdigital.com Auth-Type = prdigital
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 208.249.79.280,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 0,
    Idle-Timeout = 0

The problem is that Radiator doesn't use the Identifier in the Handler clause. So there's probably a workaround. Isn't there?

Thanks in advance,
William
RE: (RADIATOR) Framed-IP of 0.0.0.0
Thanks everyone. Given that we don't use FramedGroupBaseAddress in our Client clauses, and given that the problem has been reported with Radiator out of the picture, I'll conclude that this is a NAS issue. However, before I close this issue does it make sense to write a PostAuthHook that would check FRAMEDIPADDRESS and if matches 0.0.0.0 change the Accept to a Reject and basically force the user to reconnect and expect (hope) the NAS will generate a correct IP the second time around. Below is a trace 4. It seems that the 0.0.0.0 address occurs when Framed-Protocol=MP or Framed-Protocol=MPP. But I'll have to check more cases to say for sure. Thanks in advance, William Mon Aug 27 14:22:24 2001: DEBUG: Packet dump: *** Received from 208.249.78.9 port 1028 Code: Accounting-Request Identifier: 18 Authentic: (196208254x23924323522#196x16613818215 Attributes: User-Name = horizonmm.com NAS-IP-Address = 208.249.78.9 NAS-Port = 10207 Ascend-NAS-Port-Format = 3 NAS-Port-Type = Sync Acct-Status-Type = Start Acct-Delay-Time = 0 Acct-Session-Id = 364406391 Acct-Authentic = RADIUS Ascend-Multilink-ID = 1309213583 Ascend-Num-In-Multilink = 2 Acct-Link-Count = Acct-Multi-Session-Id = 4e09038f Ascend-Modem-PortNo = 31 Ascend-Modem-SlotNo = 9 Calling-Station-Id = 7879778517 Called-Station-Id = 6419200 Framed-Protocol = MP Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=surfea.net should be use d to handle this request Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=prwebtv.net should be us ed to handle this request Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=holaplaneta.net should b e used to handle this request Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler Called-Station-Id=/5050$/ shou ld be used to handle this request Mon Aug 27 14:22:24 2001: DEBUG: Check if Handler should be used to handle this request Mon Aug 27 14:22:24 2001: DEBUG: 
Handling request with Handler '' Mon Aug 27 14:22:24 2001: DEBUG: prw-sessiondb Adding session for horizonmm.com, 208.249.78.9, 10207 Mon Aug 27 14:22:24 2001: DEBUG: do query is: delete from RADONLINE where NASIDE NTIFIER='208.249.78.9' and NASPORT=010207 Mon Aug 27 14:22:24 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, N ASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('horizonmm.com', '208.249.78.9', 010207, '364406391', 99893 6544, '0.0.0.0', 'Sync', '') Mon Aug 27 14:22:24 2001: DEBUG: Handling with Radius::AuthFILE Mon Aug 27 14:22:24 2001: DEBUG: Processing PostAuthHook:setSessionTimeout Mon Aug 27 14:22:24 2001: DEBUG: setSessionTimeout: username is: horizonmm.com Mon Aug 27 14:22:24 2001: DEBUG: setSessionTimeout: Called-Station-Id is: 641920 0 Mon Aug 27 14:22:24 2001: DEBUG: Query is: select USERNAME,TIMEBLOCK,CLASS,DISAB LETIME,DISABLECLASS from XSTOP where USERNAME='horizonmm.com' Mon Aug 27 14:22:24 2001: DEBUG: Accounting accepted Mon Aug 27 14:22:24 2001: DEBUG: Packet dump: *** Sending to 208.249.78.9 port 1028 Code: Accounting-Response Identifier: 18 Authentic: (196208254x23924323522#196x16613818215 Attributes: -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 12, 2001 7:35 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Framed-IP of 0.0.0.0 Hello William - The only way to understand what is happening is to look at a trace 4 debug from Radiator to see in what circumstances this occurs. As it is the NAS that sends the accounting packets that are used to maintain the session database, it is highly likely that this is a NAS issue. Note that we have seen similar behaviour occassionally when it is Radiator allocating the addresses, and one work-around is to send a copy of the address in a Class attribute and use a PreClientHook to restore it. 
Obviously if it is the NAS that is allocating the addresses, you will need to check with the NAS vendor if there is a fix for the problem.

regards

Hugh

On Thursday 13 September 2001 00:16, William Hernandez wrote:

Hello everyone, We're using 2.18.2. Recently we started to see FRAMEDIPADDRESS of 0.0.0.0 in RADONLINE. These records create a problem when checking for Simultaneous-Use. Is this a problem with the Ascend NASes that we use? Thanks in advance, William

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible
(RADIATOR) Framed-IP of 0.0.0.0
Hello everyone, We're using 2.18.2. Recently we started to see FRAMEDIPADDRESS of 0.0.0.0 in RADONLINE. These records create a problem when checking for Simultaneous-Use. Is this a problem with the Ascend NASes that we use? Thanks in advance, William
(RADIATOR) Interpreting Accounting-Response
Hello everyone, I'm trying to trace a problem that causes multiple accounting stop records to be written to my /var/log/radacct/detail. The following is an excerpt from Trace 4. I don't know how to interpret the Accounting-Response. I see an Identifier that matches the Identifier in the Accounting-Request, and an Authentic that matches the Authentic in the Accounting-Request. But there are no Attributes. Is the Accounting-Response an accept, a reject, or something else? Thanks in advance, William Mon Aug 27 14:21:28 2001: DEBUG: Packet dump: *** Received from 208.249.78.11 port 1813 Code: Accounting-Request Identifier: 48 Authentic: 235208?i20214167135O26225231226?K( Attributes: User-Name = angelmoran NAS-IP-Address = 208.249.78.11 NAS-Identifier = 208.249.78.11 Acct-Status-Type = Stop Acct-Session-Id = 19726770 Acct-Delay-Time = 0 Acct-Authentic = RADIUS Service-Type = Framed-User NAS-Port-Type = Async NAS-Port = 309 USR-Modem-Training-Time = 19 USR-Interface-Index = 1565 Chassis-Call-Slot = 2 Chassis-Call-Span = 2 Chassis-Call-Channel = 53 Unauthenticated-Time = 4 Calling-Station-Id = Called-Station-Id = 6415050 VPN-ID = 0 Modulation-Type = v90Digital Simplified-MNP-Levels = ccittV42SREJ Simplified-V42bis-Usage = ccittV42bis Connect-Speed = 50666_BPS Framed-Protocol = PPP Framed-IP-Address = 66.110.2.6 VTS-Session-Key = 127260s153\2039203158207U16428K205 Call-Arrived-time = 178478142 Call-Lost-time = 178482088 Acct-Session-Time = 3927 Acct-Terminate-Cause = User-Request Disconnect-Reason = 8 Speed-Of-Connection = 50666 Acct-Input-Octets = 790359 Acct-Output-Octets = 5495203 Acct-Input-Packets = 11831 Acct-Output-Packets = 14021 Mon Aug 27 14:21:28 2001: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request Mon Aug 27 14:21:28 2001: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request Mon Aug 27 14:21:28 2001: DEBUG: Check if Handler Realm=holaplaneta.net should be used to handle this request Mon Aug 27 14:21:28 
2001: DEBUG: Check if Handler Realm=prdigital.com should be used to handle this request Mon Aug 27 14:21:28 2001: DEBUG: Check if Handler Called-Station-Id=/5050$/ should be used to handle this request Mon Aug 27 14:21:28 2001: DEBUG: Handling request with Handler 'Called-Station-Id=/5050$/' Mon Aug 27 14:21:28 2001: DEBUG: Rewrote user name to [EMAIL PROTECTED] Mon Aug 27 14:21:28 2001: DEBUG: prdigital-sessiondb Deleting session for angelmoran, 208.249.78.11, 309 Mon Aug 27 14:21:28 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='208.249.78.11' and NASPORT=0309 Mon Aug 27 14:21:28 2001: DEBUG: Handling with Radius::AuthSQL Mon Aug 27 14:21:28 2001: DEBUG: Handling accounting with Radius::AuthSQL Mon Aug 27 14:21:28 2001: DEBUG: Processing PostAuthHook:setSessionTimeout Mon Aug 27 14:21:28 2001: DEBUG: setSessionTimeout: username is: [EMAIL PROTECTED] Mon Aug 27 14:21:28 2001: DEBUG: setSessionTimeout: Called-Station-Id is: 6415050 Mon Aug 27 14:21:28 2001: DEBUG: Accounting accepted Mon Aug 27 14:21:28 2001: DEBUG: Packet dump: *** Sending to 208.249.78.11 port 1813 Code: Accounting-Response Identifier: 48 Authentic: 235208?i20214167135O26225231226?K( Attributes: Mon Aug 27 14:22:28 2001: DEBUG: Packet dump: *** Received from 208.249.78.11 port 1813 Code: Accounting-Request Identifier: 74 Authentic: 195161215Y134159n2k142131!6Y189236 Attributes: User-Name = angelmoran NAS-IP-Address = 208.249.78.11 NAS-Identifier = 208.249.78.11 Acct-Status-Type = Stop Acct-Session-Id = 19726770 Acct-Delay-Time = 60 Acct-Authentic = RADIUS Service-Type = Framed-User NAS-Port-Type = Async NAS-Port = 309 USR-Modem-Training-Time = 19 USR-Interface-Index = 1565 Chassis-Call-Slot = 2 Chassis-Call-Span = 2 Chassis-Call-Channel = 53 Unauthenticated-Time = 4 Calling-Station-Id = Called-Station-Id = 6415050 VPN-ID = 0 Modulation-Type = v90Digital Simplified-MNP-Levels = ccittV42SREJ Simplified-V42bis-Usage = ccittV42bis Connect-Speed = 50666_BPS Framed-Protocol = PPP 
Framed-IP-Address = 66.110.2.6 VTS-Session-Key = 127260s153\2039203158207U16428K205 Call-Arrived-time = 178478142 Call-Lost-time = 178482088 Acct-Session-Time = 3927 Acct-Terminate-Cause = User-Request Disconnect-Reason = 8 Speed-Of-Connection = 50666 Acct-Input-Octets = 790359 Acct-Output-Octets = 5495203 Acct-Input-Packets = 11831 Acct-Output-Packets = 14021 Mon Aug 27
(RADIATOR) Lost connection to MySQL
We're occasionally getting the following message on terminal screens where root is logged in: DBD::mysql::st execute failed: Lost connection to MySQL server during query at /usr/lib/perl5/site_perl/5.6.0/Radius/SqlDb.pm line 202. We're using Radiator 2.18.2 on RH Linux 7.1. Is this simply an INFO type message or do we have a real problem here? Thanks in advance, William
(RADIATOR) Multiple Accounting Stop Records
We're having a problem with multiple accounting stop records. The stop records have exactly a 1 minute difference between them, i.e., a stop record at 09:00:00 is followed by another stop record at 09:00:01.

We started seeing these multiple accounting stop records about a month ago. This coincides with some changes we made to our systems, namely, upgrading to RedHat 7.1, upgrading to Radiator 2.18.1, and switching to TotalControl (HiperArc) NASes.

I need help determining why we're getting these multiple stop records. Everything was working fine with Radiator 2.16 and with the Ascend Maxes we were previously using.

I found some messages in the archives about Acct-Delay-Time, but they're rather old and had to do with Radiator 2.14 and MAXes. The manual seems to indicate that the default value of Acct-Delay-Time is 0, but as you can see from the accounting log the second stop record has a value of 60 which is exactly the 1 minute difference between stop records that we're seeing.

Is this a Radiator problem or a Total Control problem or should I be looking elsewhere?

Thanks in advance.

William Hernández
ESS/PR Webmasters
San Juan, P.R.
Tel: 787-723-5000 Fax: 787-722-6242 -From the dictionary file-- ATTRIBUTE Acct-Delay-Time 41 integer -From the Accounting detail file--- Wed Aug 15 08:59:29 2001 User-Name = pijuan NAS-IP-Address = 208.249.78.12 NAS-Identifier = 208.249.78.12 Acct-Status-Type = Stop Acct-Session-Id = 35455064 Acct-Delay-Time = 0 Acct-Authentic = RADIUS Service-Type = Framed-User NAS-Port-Type = Async NAS-Port = 549 USR-Modem-Training-Time = 17 USR-Interface-Index = 1805 Chassis-Call-Slot = 3 Chassis-Call-Span = 2 Chassis-Call-Channel = 37 Unauthenticated-Time = 4 Calling-Station-Id = Called-Station-Id = 6419000 VPN-ID = 0 Modulation-Type = v90Digital Simplified-MNP-Levels = ccittV42 Simplified-V42bis-Usage = ccittV42bis Connect-Speed = 48000_BPS Framed-Protocol = PPP Framed-IP-Address = 63.124.21.132 VTS-Session-Key = W228|171292442322022464;208219132 173 Call-Arrived-time = 177418488 Call-Lost-time = 177425969 Acct-Session-Time = 7464 Acct-Terminate-Cause = User-Request Disconnect-Reason = 8 Speed-Of-Connection = 48000 Acct-Input-Octets = 1050588 Acct-Output-Octets = 2531954 Acct-Input-Packets = 7333 Acct-Output-Packets = 7891 Timestamp = 997880369 Wed Aug 15 09:00:29 2001 User-Name = pijuan NAS-IP-Address = 208.249.78.12 NAS-Identifier = 208.249.78.12 Acct-Status-Type = Stop Acct-Session-Id = 35455064 Acct-Delay-Time = 60 Acct-Authentic = RADIUS Service-Type = Framed-User NAS-Port-Type = Async NAS-Port = 549 USR-Modem-Training-Time = 17 USR-Interface-Index = 1805 Chassis-Call-Slot = 3 Chassis-Call-Span = 2 Chassis-Call-Channel = 37 Unauthenticated-Time = 4 Calling-Station-Id = Called-Station-Id = 6419000 VPN-ID = 0 Modulation-Type = v90Digital Simplified-MNP-Levels = ccittV42 Simplified-V42bis-Usage = ccittV42bis Connect-Speed = 48000_BPS Framed-Protocol = PPP Framed-IP-Address = 63.124.21.132 VTS-Session-Key = W228|171292442322022464;208219132 173 Call-Arrived-time = 177418488 Call-Lost-time = 177425969 Acct-Session-Time = 7464 Acct-Terminate-Cause = User-Request 
Disconnect-Reason = 8 Speed-Of-Connection = 48000 Acct-Input-Octets = 1050588 Acct-Output-Octets = 2531954 Acct-Input-Packets = 7333 Acct-Output-Packets = 7891 Timestamp = 997880369
(RADIATOR) AuthBy PLATYPUS Query
We're testing AuthBy PLATYPUS and I'm getting the following:

Thu Jul 26 11:42:47 2001: DEBUG: Handling with Radius::AuthPLATYPUS
Thu Jul 26 11:42:47 2001: DEBUG: Query is: select password, active, timeleft, blockuser, guarantor from customer where username='[EMAIL PROTECTED]'

This appears to be using username='%u' in the query. Can I use AuthSelect in AuthBy PLATYPUS or should I use AuthBy SQL instead?

Thanks in advance,
William
RE: (RADIATOR) AuthBy PLATYPUS Query
OK, I've switched to AuthBy SQL since the AuthSelect in AuthBy PLATYPUS seems to do an append to the default select. I test with: radpwtst -trace -s www.prw.net -user [EMAIL PROTECTED] -password userpw -auth_port 1812 -noacct -secret prwradius -dictionary /etc/raddb/dictionary and get the following error: Thu Jul 26 13:49:35 2001: ERR: Bad attribute=value pair: Y Thanks in advance, William - Attachments: adius.log -- Thu Jul 26 13:49:19 2001: INFO: Server started: Radiator 2.18.2 on www.prw.net Thu Jul 26 13:49:22 2001: INFO: Trace level changed to 4 Thu Jul 26 13:49:22 2001: INFO: Trace level increased to 4 Thu Jul 26 13:49:35 2001: DEBUG: Packet dump: *** Received from 208.249.78.3 port 36427 Code: Access-Request Identifier: 34 Authentic: 1234567890123456 Attributes: User-Name = [EMAIL PROTECTED] Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = 14620823815824722144516413322817 41H30x Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=surfea.net should be used to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=holaplaneta.net should be used to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=prwebtv.net should be used to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=holaplaneta.net should be used to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Check if Handler Realm=prdigital.com should beused to handle this request Thu Jul 26 13:49:35 2001: DEBUG: Handling request with Handler 'Realm=prdigital.com' Thu Jul 26 13:49:35 2001: DEBUG: prw-sessiondb Deleting session for [EMAIL PROTECTED], 203.63.154.1, 1234 Thu Jul 26 13:49:35 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT01234 Thu Jul 26 13:49:35 2001: DEBUG: Handling with Radius::AuthSQL Thu Jul 26 13:49:35 
2001: DEBUG: Handling with Radius::AuthSQL Thu Jul 26 13:49:35 2001: DEBUG: Query is: select password, active, timeleft, blockuser, guarantor from customer where username='user' Thu Jul 26 13:49:35 2001: ERR: Bad attribute=value pair: Y Thu Jul 26 13:49:35 2001: DEBUG: Radius::AuthSQL looks for match with [EMAIL PROTECTED] Thu Jul 26 13:49:35 2001: DEBUG: Radius::AuthSQL ACCEPT: Thu Jul 26 13:49:35 2001: DEBUG: Access accepted for [EMAIL PROTECTED] Thu Jul 26 13:49:35 2001: DEBUG: Packet dump:Thu Jul 26 13:49:35 2001: DEBUG: Access accepted for [EMAIL PROTECTED] Thu Jul 26 13:49:35 2001: DEBUG: Packet dump: *** Sending to 208.249.78.3 port 36427 Code: Access-Accept Identifier: 34 Authentic: 1234567890123456 Attributes: Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Compression = Van-Jacobson-TCP-IP Ascend-Idle-Limit = 900 - Attachments: adius.cfg -- AuthBy SQL Identifier prdigital-plat DBSourcedbi:Sybase:database=plat DBUsername DBAuth AuthSelect select password, active, timeleft, blockuser, guarantor \ from customer where username='%U' AddToReply Service-Type = Framed-User, \ Framed-Protocol = PPP, \ Framed-IP-Netmask = 255.255.255.255, \ Framed-Compression = Van-Jacobson-TCP-IP, \ Ascend-Idle-Limit = 900 /AuthBy # This clause handles users who login as [EMAIL PROTECTED] Handler Realm=prdigital.com SessionDatabase prw-sessiondb AuthBy prdigital-plat AcctLogFileName /var/log/radacct/prdigital/detail PasswordLogFileName /var/log/radacct/prdigital/radius.log ExcludeFromPasswordLog root /Handler # This clause handles prdigital.com users who login without the domain Handler Called-Station-Id=/5050$/ # The following line adds prdigital.com to username RewriteUsername s/(.*)/$1\@prdigital.com/ SessionDatabase prdigital-sessiondb AuthBy prdigital-plat AcctLogFileName /var/log/radacct/prdigital/detail PasswordLogFileName /var/log/radacct/prdigital/radius.log ExcludeFromPasswordLog root /Handler -Original Message- From: [EMAIL 
PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of William Hernandez Sent: Thursday, July 26, 2001 12:16 PM To: Radiator Subject: (RADIATOR) AuthBy PLATYPUS Query We're testing AuthBy PLATYPUS and I'm getting the following: Thu Jul 26 11:42:47 2001: DEBUG: Handling with Radius::AuthPLATYPUS Thu Jul 26 11:42:47 2001: DEBUG: Query is: select password, active, timeleft, blockuser, guarantor from customer where username='[EMAIL PROTECTED]' This appears to be using username='%u' in the query. Can I use
(RADIATOR) No such attribute Called-Station-ID
Hello everyone,

I'm trying to do some testing of my radius.cfg where I have:

<Handler Called-Station-ID=/5050$/>
    ...
</Handler>

I'm getting the above message No such attribute Called-Station-ID using:

radpwtst -trace -s www.domain.com -user foo -password foo -auth_port 1812 -noacct -secret foo -dictionary /etc/raddb/dictionary Called-Station-ID=6415050

What am I doing wrong?

Thanks in advance.
William
RE: (RADIATOR) Framed-Protocol on Ascend/3COM
Hugh, I think dictionary.ascend2 has both MP and MPP. I don't recall why we used MP instead of MPP, but our problem is that either way the TotalControl returns an error. TotalControl apparently only accepts Framed-Protocol=PPP. Right now Framed-Protocol=XXX is setup in the users file. Is there a way to conditionally generate a Framed-Protocol=XXX based on a particular Client and particular User? Thanks in advance. William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Monday, June 18, 2001 12:01 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Framed-Protocol on Ascend/3COM Hello William - You will need to have a look at a trace 4 debug from Radiator to see what attributes are actually in the requests from the TotalControl. My reading of the standard Radiator dictionary shows the value as MPP. You will need to find out from your vendor what the correct reply attributes should be. hth Hugh At 11:26 AM -0400 6/18/01, William Hernandez wrote: Hello everyone, We are having problems with the Radius setup of multilink PPP connections. Generally we set them up with Framed-Protocol = MP which is an Ascend specific attribute. Those connections fail on the TotalControl. Monitoring Radius we get the following on those accounts: Framed-Protocol = UNKNOWN Would there be a way to define MPP connections on Radius that is compatible between Ascend and 3Com ? Thanks in advance, William === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- NB: I am travelling this week, so there may be delays in our correspondence. Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. 
RE: (RADIATOR) Important - How to do Block Time users
Thanks Hugh, I changed to: AuthColumnDef 0, Time, request But I'm still not getting anything in my PostAuthHook with: my $p=${$_[0]}; my $timeblock=$p-get_attr('Time'); Thanks in advance, William Thu Apr 26 10:18:17 2001: DEBUG: Packet dump: *** Received from 208.249.78.6 port 4346 Code: Access-Request Identifier: 122 Authentic: 1234567890123456 Attributes: User-Name = whr Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = 14620823815824722144516413322817 41H30x Thu Apr 26 10:18:17 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Thu Apr 26 10:18:17 2001: DEBUG: Deleting session for whr, 203.63.154.1, 1234 Thu Apr 26 10:18:17 2001: DEBUG: do query is: delete from RADONLINE where NASIDE NTIFIER='203.63.154.1' and NASPORT=01234 Thu Apr 26 10:18:17 2001: DEBUG: Handling with Radius::AuthFILE Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthFILE looks for match with whr Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT Thu Apr 26 10:18:17 2001: DEBUG: Handling with Radius::AuthUNIX Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthUNIX looks for match with whr Thu Apr 26 10:18:17 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSE SSIONID from RADONLINE where USERNAME='whr' Thu Apr 26 10:18:17 2001: Login OK: [whr] (home) Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthUNIX ACCEPT: Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthFILE ACCEPT: Thu Apr 26 10:18:17 2001: DEBUG: Handling with Radius::AuthUNIX Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthUNIX looks for match with whr Thu Apr 26 10:18:17 2001: Login OK: [whr] (home) Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthUNIX ACCEPT: Thu Apr 26 10:18:17 2001: DEBUG: Handling with Radius::AuthSQL Thu Apr 26 10:18:17 2001: DEBUG: Handling with Radius::AuthSQL Thu Apr 26 10:18:17 2001: DEBUG: Query is: select TIMEBLOCK from XSTOP where USE RNAME='whr' Thu Apr 26 10:18:17 2001: DEBUG: Radius::AuthSQL looks for match with whr Thu Apr 
26 10:18:17 2001: DEBUG: Radius::AuthSQL ACCEPT: Thu Apr 26 10:18:17 2001: ERR: Invalid timeblock for user whr Thu Apr 26 10:18:17 2001: DEBUG: Access accepted for whr Thu Apr 26 10:18:17 2001: DEBUG: Packet dump: *** Sending to 208.249.78.6 port 4346 Code: Access-Accept Identifier: 122 Authentic: 1234567890123456 Attributes: Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.255 Framed-Compression = Van-Jacobson-TCP-IP Ascend-Idle-Limit = 900 -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 26, 2001 1:49 AM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Important - How to do Block Time users Hello William - On Thursday 26 April 2001 01:25, William Hernandez wrote: Hello everyone, I'm trying to follow Hugh's tips, but I'm doing something wrong. In my radius.cfg I have: AuthBy SQL Identifier TimeBlock-SQL DBSource* DBUsername* DBAuth* AuthSelect select TIMEBLOCK from XSTOP where USERNAME='%n' AuthColumnDef 0, Time, check This is the problem, as you are trying to do a check with this query. If you want to store the value as an attribute called Time in the request packet, you would do this: AuthColumnDef 0, Time, request /AuthBy Realm DEFAULT AuthBy Check-FILE AuthBy System # This AuthBy will check the Time check-item AuthBy TimeBlock-SQL # This hook calculates the session-timeout PostAuthHook file:/etc/raddb/setSessionTimeout AcctLogFileName /var/log/radacct/detail PasswordLogFileName /var/log/radius.log ExcludeFromPasswordLog root /Realm In my PostAuthHook I have: my $timeblock=$p-get_attr('Time'); See above, until you store the value from the database in the request packet, this won't work ($p is a pointer to the current request packet). The problem is $timeblock is coming back an empty string. I can't get the value to the PostAuthHook. The ERR: Invalid timeblock for user whr in the radius.log comes from the PostAuthHook. 
A Trace 4 radius.log shows: Wed Apr 25 11:05:31 2001: DEBUG: Packet dump: *** Received from 208.249.78.6 port 4319 Code: Access-Request Identifier: 196 Authentic: 1234567890123456 Attributes: User-Name = whr Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = 14620823815824722144516413322817 41H30x Wed Apr 25 11:05:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Wed Apr 25 11:05:31 2001: DEBUG: Deleting session for whr, 203.63.154.1, 1234 Wed Apr 25 11:05:31 2001: DEBUG: do query is: delete from RADONLINE where NASIDE NTIFIER
RE: (RADIATOR) Important - How to do Block Time users
Interesting. Basically, you included the AuthBy SQL logic right into the hook. Did you decide on this solution because the AuthBy SQL clause in radius.cfg didn't work as expected? Thanks for your help, William

-----Original Message-----
From: ganbold [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 25, 2001 9:25 PM
To: William Hernandez
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Important - How to do Block Time users

Hi, I solved it in the following way. Below is PostAuthHook script.

    # CheckBlockTimeLeft
    #
    # PostAuthHook to check time left for a block user
    # by verifying the Session-Timeout attribute
    #
    sub
    {
        my $p = ${$_[0]};        # request packet
        my $rp = ${$_[1]};       # reply packet
        my $result = ${$_[2]};   # authentication result
        my $name = $p->get_attr('User-Name');
        my $timeoutxx = 0;
        use DBI;
        my ($dsn) = "DBI:mysql:radius:localhost";
        my ($namex) = "xxx";
        #my ($password11) = "xxx";
        my ($dbh, $sth);
        my (@ary);

        $dbh = DBI->connect($dsn, $namex, "xxx", {RaiseError => 1});
        # User-Name comes from the request, so it is bound as a parameter
        # instead of being interpolated into the SQL text
        $sth = $dbh->prepare(qq{ SELECT USERNAME,TIMELEFT FROM SUBSCRIBERS WHERE USERNAME=? });
        $sth->execute($name);
        while (my $hash_ref = $sth->fetchrow_hashref())
        {
            print join("\t", $hash_ref->{USERNAME}, $hash_ref->{TIMELEFT}) . "\n";
            $timeoutxx = $hash_ref->{TIMELEFT};
        }
        $sth->finish();
        $dbh->disconnect();

        if (($result == $main::ACCEPT) && ($timeoutxx <= 0))
        {
            main::log($main::LOG_DEBUG, "User $name has no time left");
            if ($timeoutxx < 0)
            {
                # Clamp a negative balance back to zero
                $dbh = DBI->connect($dsn, $namex, "xxx", {RaiseError => 1});
                $sth = $dbh->prepare(qq{ UPDATE SUBSCRIBERS SET TIMELEFT=0 WHERE USERNAME=? });
                $sth->execute($name);
                $sth->finish();
                $dbh->disconnect();
            }
            #${$_[2]} = $main::REJECT;
            if ($p->code eq 'Access-Request')
            {
                # Strip the session attributes and turn the reply into a reject
                $rp->delete_attr('Filter-Id');
                $rp->delete_attr('Session-Timeout');
                $rp->delete_attr('Framed-Protocol');
                $rp->delete_attr('Service-Type');
                $rp->delete_attr('Framed-MTU');
                $rp->delete_attr('Framed-Compression');
                $rp->set_code('Access-Reject');
                $rp->change_attr('Reply-Message', 'Prepaid time limit reached!');
                $p->{Client}->replyTo($rp, $p);
            }
            if ($p->code eq 'Accounting-Request')
            {
                $rp->set_code('Accounting-Response');
                $p->{Client}->replyTo($rp, $p);
            }
        }
        return;
    }
    #

HTH, Ganbold Ts.

----- Original Message -----
From: William Hernandez [EMAIL PROTECTED]
To: Radiator [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2001 11:25 PM
Subject: RE: (RADIATOR) Important - How to do Block Time users

Hello everyone, I'm trying to follow Hugh's tips, but I'm doing something wrong. In my radius.cfg I have:

    <AuthBy SQL>
        Identifier TimeBlock-SQL
        DBSource*
        DBUsername*
        DBAuth*
        AuthSelect select TIMEBLOCK from XSTOP where USERNAME='%n'
        AuthColumnDef 0, Time, check
    </AuthBy>

    <Realm DEFAULT>
        AuthBy Check-FILE
        AuthBy System
        # This AuthBy will check the Time check-item
        AuthBy TimeBlock-SQL
        # This hook calculates the session-timeout
        PostAuthHook file:/etc/raddb/setSessionTimeout
        AcctLogFileName /var/log/radacct/detail
        PasswordLogFileName /var/log/radius.log
        ExcludeFromPasswordLog root
    </Realm>

In my PostAuthHook I have:

    my $timeblock=$p->get_attr('Time');

The problem is $timeblock is coming back an empty string. I can't get the value to the PostAuthHook. The ERR: Invalid timeblock for user whr in the radius.log comes from the PostAuthHook.
A Trace 4 radius.log shows: Wed Apr 25 11:05:31 2001: DEBUG: Packet dump: *** Received from 208.249.78.6 port 4319 Code: Access-Request Identifier: 196 Authentic: 1234567890123456 Attributes: User-Name = whr Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = 14620823815824722144516413322817 41H30x Wed Apr 25 11:05:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Wed Apr 25 11:05:31 2001: DEBUG: Deleting session for whr, 203.63.154.1, 1234 Wed Apr 25 11:05:31 2001: DEBUG: do query is: delete from RADONLINE where NASIDE NTIFIER='203.63.154.1' and NASPORT=01234 Wed Apr 25 11:05:31 2001: DEBUG: Handling with Radius::AuthFILE Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE looks for match with whr Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT Wed Apr 25 11:05:31 2001: DEBUG: Handling with Radius::AuthUNIX Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthUNIX looks for match with whr Wed Apr 25 11:05:31 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSE SSIONID from RADONLINE where USERNAME='whr' Wed Apr 25 11:05:31 2001: Login OK: [whr] (home) Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthUNIX ACCEPT: Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE ACCEPT: Wed Apr 25 11:05:31 2001: ERR: Invalid timeblock for user whr Wed Apr 25 11:05:31 2001: DEBUG
RE: (RADIATOR) Important - How to do Block Time users
Hello everyone, I'm trying to follow Hugh's tips, but I'm doing something wrong. In my radius.cfg I have:

    <AuthBy SQL>
        Identifier TimeBlock-SQL
        DBSource*
        DBUsername*
        DBAuth*
        AuthSelect select TIMEBLOCK from XSTOP where USERNAME='%n'
        AuthColumnDef 0, Time, check
    </AuthBy>

    <Realm DEFAULT>
        AuthBy Check-FILE
        AuthBy System
        # This AuthBy will check the Time check-item
        AuthBy TimeBlock-SQL
        # This hook calculates the session-timeout
        PostAuthHook file:/etc/raddb/setSessionTimeout
        AcctLogFileName /var/log/radacct/detail
        PasswordLogFileName /var/log/radius.log
        ExcludeFromPasswordLog root
    </Realm>

In my PostAuthHook I have:

    my $timeblock=$p->get_attr('Time');

The problem is $timeblock is coming back an empty string. I can't get the value to the PostAuthHook. The ERR: Invalid timeblock for user whr in the radius.log comes from the PostAuthHook. A Trace 4 radius.log shows:

    Wed Apr 25 11:05:31 2001: DEBUG: Packet dump:
    *** Received from 208.249.78.6 port 4319
    Code: Access-Request
    Identifier: 196
    Authentic: 1234567890123456
    Attributes:
        User-Name = whr
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = 14620823815824722144516413322817 41H30x
    Wed Apr 25 11:05:31 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
    Wed Apr 25 11:05:31 2001: DEBUG: Deleting session for whr, 203.63.154.1, 1234
    Wed Apr 25 11:05:31 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234
    Wed Apr 25 11:05:31 2001: DEBUG: Handling with Radius::AuthFILE
    Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE looks for match with whr
    Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE looks for match with DEFAULT
    Wed Apr 25 11:05:31 2001: DEBUG: Handling with Radius::AuthUNIX
    Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthUNIX looks for match with whr
    Wed Apr 25 11:05:31 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='whr'
    Wed Apr 25 11:05:31 2001: Login OK: [whr] (home)
    Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthUNIX ACCEPT:
    Wed Apr 25 11:05:31 2001: DEBUG: Radius::AuthFILE ACCEPT:
    Wed Apr 25 11:05:31 2001: ERR: Invalid timeblock for user whr
    Wed Apr 25 11:05:31 2001: DEBUG: Access accepted for whr
    Wed Apr 25 11:05:31 2001: DEBUG: Packet dump:
    *** Sending to 208.249.78.6 port 4319
    Code: Access-Accept
    Identifier: 196
    Authentic: 1234567890123456
    Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Idle-Limit = 900

Any help would be appreciated. Thanks in advance, William

=== Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) Access Rejected for Simultaneous-Use
Thanks Hugh, this worked fine. However, I have Trace set to 3 so that I can see the INFO messages and now if a user enters an incorrect password and is over the user count we see an INFO: Access rejected for ticket:Simultaneous-Use of 2 exceeded but we no longer see the log for Login incorrect I would like to see both. And if I had to choose I would prefer the Login incorrect if that occurred first. Is there another parameter for this or is the only solution to set Trace to 2, but then I wouldn't see the INFO messages at all? Thanks in advance, William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Saturday, December 02, 2000 7:06 AM To: William Hernandez Subject: RE: (RADIATOR) Access Rejected for Simultaneous-Use Hello William - At 17:31 -0400 1/12/00, William Hernandez wrote: Does the NoDefaultIfFound parameter go in the AuthBy FILE block or the AuthBY UNIX block or in both blocks? In every block in which you want an explicit reject to override a DEFAULT entry. hth Hugh -- NB: I am travelling this week, so there may be delays in our correspondence. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) Access Rejected for Simultaneous-Use
Hugh, it seems the defaults are basically what I currently have. I don't understand how that would repress the INFO message when the password is incorrect. tia, William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Monday, December 04, 2000 9:57 AM To: William Hernandez; Radiator Subject: RE: (RADIATOR) Access Rejected for Simultaneous-Use Hello William - At 9:26 -0400 4/12/00, William Hernandez wrote: Thanks Hugh, this worked fine. However, I have Trace set to 3 so that I can see the INFO messages and now if a user enters an incorrect password and is over the user count we see an INFO: Access rejected for ticket:Simultaneous-Use of 2 exceeded but we no longer see the log for Login incorrect I would like to see both. And if I had to choose I would prefer the Login incorrect if that occurred first. Is there another parameter for this or is the only solution to set Trace to 2, but then I wouldn't see the INFO messages at all? You can also use the new AuthLog clause(s) in Radiator 2.17.1. hth Hugh -- NB: I am travelling this week, so there may be delays in our correspondence. Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
FW: (RADIATOR) Access Rejected for Simultaneous-Use
Does the NoDefaultIfFound parameter go in the AuthBy FILE block or the AuthBY UNIX block or in both blocks? Thanks in advance. William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Friday, November 17, 2000 7:25 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Access Rejected for Simultaneous-Use Hello William - On Sat, 18 Nov 2000, William Hernandez wrote: Our user "ticket" has Simultaneous-Use set to 5. Yesterday afternoon "ticket" tried to login but entered his password incorrectly. The access request was denied because of Login incorrect. However, an INFO statement was also created in radius.log referring to "Simultaneous-Use of 1 exceeded". Thu Nov 16 19:09:46 2000: Login incorrect: [ticket/center] (max1) Thu Nov 16 19:09:46 2000: INFO: Access rejected for ticket:Simultaneous-Use of 1 exceeded I would expect Radiator to stop authenticating when a "Login incorrect" was detected. But regardless it appears that the INFO statement is incorrect since user "ticket" has a Simultaneous-Use=5. Is there something in my radius.cfg that's causing this? I suspect this is because you have DEFAULT users configured. The trace file shows that the password check failed, then you went on to check two DEFAULT users, the second of which was accepted. If you want to alter this behaviour, you should use the NoDefaultIfFound parameter in the AuthBy. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. t.log
(RADIATOR) Access Rejected for Simultaneous-Use
Our user "ticket" has Simultaneous-Use set to 5. Yesterday afternoon "ticket" tried to login but entered his password incorrectly. The access request was denied because of Login incorrect. However, an INFO statement was also created in radius.log referring to "Simultaneous-Use of 1 exceeded". Thu Nov 16 19:09:46 2000: Login incorrect: [ticket/center] (max1) Thu Nov 16 19:09:46 2000: INFO: Access rejected for ticket:Simultaneous-Use of 1 exceeded I would expect Radiator to stop authenticating when a "Login incorrect" was detected. But regardless it appears that the INFO statement is incorrect since user "ticket" has a Simultaneous-Use=5. Is there something in my radius.cfg that's causing this? Thanks in advance. William t.log
(RADIATOR) Session Database Logic
Hello everyone, I was using a modification to AuthGeneric.pm that uses finger to count simultaneous-user, but had to trash it because the output of finger truncates the user name and because we have valid user names in the format [EMAIL PROTECTED] I rewrote it to use snmpwalk, but had to trash that also because response times were too slow and I was getting too many timeouts. So now we're considering AuthbySQL. The following excerpt is from the archives.

I'd like to go over this because we are thinking about using AuthSQL (with mySQL), but I have hesitated because I didn't fully understand how Radiator went about checking the integrity/consistency of the database. And it is also not clear why the user's session is deleted before a SELECT query is made on the RADONLINE table.

What happens is this. When Radiator receives an Access-Request, it first of all does some housekeeping and deletes any old session database record for that NAS and Port number. This is because we might have missed a Stop record, and also because by definition there cannot be an existing session for that NAS and Port combination.

We have users that have a Simultaneous-Use of more than 1. In that case, isn't it possible to have existing multiple records in the database with the same NASIDENTIFIER and NASPORT, but with different ACCTSESSIONID (I'm thinking that ACCTSESSIONID is the same as the SessionID reported with finger. Is that correct?)?

Secondly, Radiator verifies the session database to check on simultaneous use limits. Thirdly, only if there are already the maximum number of simultaneous sessions for the user will Radiator then go and check with the NAS(s) whether the sessions in the session database are still present.

How does the RADONLINE table get rebuilt after a disconnection? During the time a connection was not available only Simultaneous-Use would be affected? During the time a connection was not available does Radiator then directly poll "all" of the NASIDENTIFIER/NASPORT combinations (using finger for example)? Thanks in advance. William
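The three steps quoted in the message above (delete the old record for the NAS and port, count the user's sessions, ask the NAS only at the limit), modelled as an added example; it is not Radiator's code and not part of the original post. The table definition, the function names and the `nas_confirms` callback are assumptions; only the RADONLINE column names come from the trace output posted to the list, and the sessions are constructed.

```python
import sqlite3

# Assumed schema: the column names appear in the list's trace output,
# the types and the table definition are this example's own.
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME      TEXT NOT NULL,
    NASIDENTIFIER TEXT NOT NULL,
    NASPORT       INTEGER NOT NULL,
    ACCTSESSIONID TEXT NOT NULL
)"""


def open_session_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def accounting_start(db, user, nas, port, session_id):
    """Record a session, as an accounting Start would."""
    db.execute("INSERT INTO RADONLINE VALUES (?, ?, ?, ?)",
               (user, nas, port, session_id))


def access_request(db, user, nas, port, limit, nas_confirms):
    """Return (accepted, nas_queries) for one Access-Request.

    nas_confirms(nas, port, session_id) -> bool stands in for asking the NAS
    (finger, SNMP, ...) whether a recorded session is still present.
    """
    # Step 1: housekeeping. A request arriving on this NAS/port means any
    # record still held for it is stale, for example after a missed Stop.
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?",
               (nas, port))

    # Step 2: read the user's recorded sessions. USERNAME is supplied by the
    # client, so it is always bound, never pasted into the SQL text.
    rows = db.execute(
        "SELECT NASIDENTIFIER, NASPORT, ACCTSESSIONID FROM RADONLINE "
        "WHERE USERNAME = ?", (user,)).fetchall()
    if len(rows) < limit:
        return True, 0

    # Step 3: only when the limit is already reached, check each recorded
    # session with its NAS. What happens to unconfirmed records is not
    # stated in the thread, so this model only counts them out.
    live = sum(1 for r_nas, r_port, r_sid in rows
               if nas_confirms(r_nas, r_port, r_sid))
    return live < limit, len(rows)


def run_scenarios():
    """Constructed sessions exercising each branch; returns the decisions."""
    results = {}
    live = {("max1", 10, "A1")}  # sessions a NAS would confirm
    confirms = lambda nas, port, sid: (nas, port, sid) in live

    # Missed Stop: a record for max1/10 is left over and the port is reused.
    db = open_session_db()
    accounting_start(db, "whr", "max1", 10, "OLD")
    results["port_reuse"] = access_request(db, "whr", "max1", 10, 1, confirms)

    # Below the limit: one session, limit 2, no NAS query is made.
    db = open_session_db()
    accounting_start(db, "ticket", "max1", 10, "A1")
    results["below_limit"] = access_request(db, "ticket", "max2", 7, 2, confirms)

    # At the limit, but one record is stale: the NAS check frees a slot.
    accounting_start(db, "ticket", "max3", 4, "GONE")
    results["stale_at_limit"] = access_request(db, "ticket", "max2", 7, 2, confirms)

    # At the limit with both sessions confirmed: rejected.
    live.add(("max3", 4, "GONE"))
    results["at_limit"] = access_request(db, "ticket", "max2", 7, 2, confirms)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```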
(RADIATOR) NAS names
Hello everyone, I'm working on a hook where I need the name of the NASs on our system. The following seems to work: keys(%Radius::Client::clients) because in radius.cfg I have a CLIENT clause for each NAS. The problem is I'm now proxying to another radiator server to authenticate a specific realm and on that server the radius.cfg does not have CLIENT clauses for each NAS. Is there a way to get NAS names when there aren't any CLIENTs in radius.cfg? Thanks in advance. William
(RADIATOR) Checking simultaneous-use with multiple realms
Hello everyone, Our users login using "[EMAIL PROTECTED]". I rewrite the username without the "realm1.com" and then forward the request to realm1.com for authentication. My problem is that I also have a "[EMAIL PROTECTED]" who is not being allowed access because the system detects that "userx" is already logged in, i.e., simultaneous-use of 1 would be exceeded if the login were allowed. Should I stop rewriting "[EMAIL PROTECTED]" as "userx"? Thanks in advance. William Hernandez
(RADIATOR) No such user
Hello everyone, Last evening at about 9:00pm (which is prime time with many users logging in) our primary radius server apparently started timing out and requests were being passed along to our secondary radius server (both are running Radiator 2.15). In the radius.log of our backup radius server we started seeing messages such as: Mon Aug 21 21:01:02 2000: INFO: Access rejected for hma: No such user Our NASes (Ascend max) have a timeout of 40 seconds which seems to be a long time and we would expect to rarely have requests passed on to the secondary server. However, the timeout interval was being reached. As a corrective message we stopped/started radiusd on the secondary server and this brought things back to normal, i.e., the "no such user" messages stopped. Note that INFO messages did not appear in the log of the primary server and we didn't have to reset radiusd on the primary server nor were the NASes reset. Has anyone experienced this type of behavior? What can be occurring on our primary server to cause timeouts? And why were we getting "no such user" messages? Thanks in advance. William Hernández radius.cfg
(RADIATOR) Ascend-Client-Gateway
Hello everyone, We would like to assign the value of "Ascend-Client-Gateway" in the users file dynamically via a script, e.g., Ascend-Client-Gateway=`/usr/local/bin/setgw`. Has anyone done this before? Did it work? Is there a better way? Thanks in advance, William Hernández
RE: (RADIATOR) Simultaneous-use in 2.15
Hugh, The AuthByPolicy of ContinueUntilAccept clause was in the radius.cfg file from early attempts at setting up the cfg file. I have removed it. We want to accomplish checking of simultaneous use across all of our NAS'S. All of our users have an UNIX login entry in /etc/passwd|shadow. Our users can select options that allow simultaneous use. In this case the user will also have an entry in /etc/raddb/users. For example, toledo-carazo.com Auth-Type = "System", Simultaneous-Use = 2 Service-Type = Framed-User, Framed-Protocol = MP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Maximum-Channels = 2, Ascend-Idle-Limit = 1200 herculespr.net Auth-Type = "System", Simultaneous-Use = 2 Service-Type = Framed-User, Framed-Protocol = MP, Framed-IP-Address = 208.249.80.161, Framed-IP-Netmask = 255.255.255.248, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Maximum-Channels = 2, NAS-Port-Type = ISDN-Sync, Ascend-Route-IP=Route-IP-Yes, Ascend-Idle-Limit = 0 For the above users upto 2 users may simultaneously login into any of the 12 NAS'S that are currently available. Simultaneous use is not per NAS, i.e., simultaneous use must be checked for on all 12 of the NAS'S. Thanks for your help, William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 20, 2000 3:48 AM To: William Hernandez; Radiator Subject: RE: (RADIATOR) Simultaneous-use in 2.15 Hello William - Thanks for sending the log file. The log shows that the user is indeed being rejected by the first AuthBy clause, but your configuration file has an AuthByPolicy of ContinueUntilAccept, so it goes on to the next AuthBy clause which then accepts the user. Radiator is doing exactly what it has been configured to do. I think you will need to explain what it is you are trying to accomplish so I can make some sensible suggestions. regards Hugh On Thu, 20 Jul 2000, William Hernandez wrote: Hugh, I've attached an excerpt from our radius.log file. 
The use "hmcalixto" was already logged in on max3 at Wed Jul 19 12:11:59 2000: Login OK: [hmcalixto] (max3) Thanks in advance. William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 18, 2000 7:32 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Simultaneous-use in 2.15 Hello William - I will need to see a trace 4 debug as well as what you have sent this time. thanks Hugh On Wed, 19 Jul 2000, William Hernandez wrote: Hello everyone, I'm having problems getting the simultaneous-use check item to work. I've tried using the internal SessionDatabase and an external SessionDatabase (using mysql), but Radiator doesn't report a rejection on a second login session either way. I've attached my radius.cfg. Some sample entries from my users file are: company1.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = MP, Framed-IP-Address = 208.249.79.226, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Maximum-Channels = 2, NAS-Port-Type = ISDN-Sync, Ascend-Route-IP=Route-IP-Yes, Ascend-Idle-Limit = 0 company2.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 208.249.79.227, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 0 DEFAULT Hint="LOCAL", Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 DEFAULT Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 Thanks in advance. William Hernández Content-Type: application/octet-stream; name="radius.cfg" Content-Transfer-Encoding: 7bit Content-Description: -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. Content-Type: application/octet-stream; name="radius.log" Content-Transfer-Encoding: quoted-printable Con
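The override described in the reply above, where a reject from the first AuthBy is followed by an accept from the second under ContinueUntilAccept, modelled as an added example (not Radiator's code and not from the thread). The evaluator's semantics (While X keeps going as long as the result is X, Until X keeps going until the result is X, the last clause run decides) and every policy name other than ContinueUntilAccept are assumptions of this model.

```python
from itertools import product

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"


def should_continue(policy, result):
    """Decide whether the next AuthBy runs after `result` under `policy`.

    Accepts names of the form Continue{While|Until}{Accept|Reject|Ignore}.
    """
    for mode in ("While", "Until"):
        prefix = "Continue" + mode
        if policy.startswith(prefix):
            target = policy[len(prefix):].upper()
            if target not in (ACCEPT, REJECT, IGNORE):
                break
            if mode == "While":
                return result == target
            return result != target
    raise ValueError("unknown policy: " + policy)


def evaluate(policy, results):
    """Run the clauses in order; return (final_result, clauses_executed)."""
    final, executed = IGNORE, 0
    for result in results:
        final, executed = result, executed + 1
        if not should_continue(policy, result):
            break
    return final, executed


def overridden_rejects(policy, clause_count):
    """List every outcome vector in which a REJECT that actually ran
    still ends in ACCEPT, i.e. a later clause overrode an earlier reject."""
    found = []
    for results in product((ACCEPT, REJECT, IGNORE), repeat=clause_count):
        final, executed = evaluate(policy, results)
        if final == ACCEPT and REJECT in results[:executed]:
            found.append(results)
    return found


def thread_case():
    """The case from the thread: the first clause rejects the second login
    (Simultaneous-Use), the second clause accepts the same user."""
    outcomes = [REJECT, ACCEPT]
    return {
        "ContinueUntilAccept": evaluate("ContinueUntilAccept", outcomes),
        "ContinueWhileIgnore": evaluate("ContinueWhileIgnore", outcomes),
    }


if __name__ == "__main__":
    print(thread_case())
    for policy in ("ContinueUntilAccept", "ContinueWhileIgnore"):
        print(policy, overridden_rejects(policy, 2))
```

An empty list from `overridden_rejects` means no ordering of clause results lets a later AuthBy undo a reject, which is the property a limit check such as Simultaneous-Use depends on.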
RE: (RADIATOR) Simultaneous-use in 2.15
Hugh, I've attached an excerpt from our radius.log file. The use "hmcalixto" was already logged in on max3 at Wed Jul 19 12:11:59 2000: Login OK: [hmcalixto] (max3) Thanks in advance. William -Original Message- From: Hugh Irvine [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 18, 2000 7:32 PM To: William Hernandez; Radiator Subject: Re: (RADIATOR) Simultaneous-use in 2.15 Hello William - I will need to see a trace 4 debug as well as what you have sent this time. thanks Hugh On Wed, 19 Jul 2000, William Hernandez wrote: Hello everyone, I'm having problems getting the simultaneous-use check item to work. I've tried using the internal SessionDatabase and an external SessionDatabase (using mysql), but Radiator doesn't report a rejection on a second login session either way. I've attached my radius.cfg. Some sample entries from my users file are: company1.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = MP, Framed-IP-Address = 208.249.79.226, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Maximum-Channels = 2, NAS-Port-Type = ISDN-Sync, Ascend-Route-IP=Route-IP-Yes, Ascend-Idle-Limit = 0 company2.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 208.249.79.227, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 0 DEFAULT Hint="LOCAL", Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 DEFAULT Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 Thanks in advance. 
William Hernández Content-Type: application/octet-stream; name="radius.cfg" Content-Transfer-Encoding: 7bit Content-Description: -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. radius.log
(RADIATOR) Simultaneous-use in 2.15
Hello everyone, I'm having problems getting the simultaneous-use check item to work. I've tried using the internal SessionDatabase and an external SessionDatabase (using mysql), but Radiator doesn't report a rejection on a second login session either way. I've attached my radius.cfg. Some sample entries from my users file are: company1.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = MP, Framed-IP-Address = 208.249.79.226, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Maximum-Channels = 2, NAS-Port-Type = ISDN-Sync, Ascend-Route-IP=Route-IP-Yes, Ascend-Idle-Limit = 0 company2.com Auth-Type = "System" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 208.249.79.227, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 0 DEFAULT Hint="LOCAL", Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 DEFAULT Auth-Type = "System", Simultaneous-Use = 1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobson-TCP-IP, Ascend-Idle-Limit = 900 Thanks in advance. William Hernández radius.cfg
(RADIATOR) radpwtst output
Hello everyone.

We would like the output of "radpwtst" to output to the screen all the reply-items in the users file. For example,

#radpwtst -s localhost -user whr -password whr -auth_port 1812 -acct_port 1813 -secret prwradius -dictionary /etc/raddb/dictionary.ascend2

would output

Service-Type = Framed-User
Framed-Protocol = MP
Framed-IP-Address = 208.249.80.177
Framed-IP-Netmask = 255.255.255.252
Framed-Compression = Van-Jacobson-TCP-IP
Ascend-Maximum-Channels = 4
NAS-Port-Type = ISDN-Sync
Ascend-Route-IP = Route-IP-Yes
Ascend-Idle-Limit = 0

Some of this output appears in the log file when "trace 4" is set in the radius.cfg.

Thanks in advance,
whr

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Password Log File Format
Attached are the requested files.

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "William Hernandez" [EMAIL PROTECTED]; "Radiator" [EMAIL PROTECTED]
Sent: Thursday, June 08, 2000 7:46 PM
Subject: Re: (RADIATOR) Password Log File Format

Hello William -

Thanks for that, but in addition to the radpwtst line, I also need a copy of your configuration file (no secrets) and a trace 4 debug showing what happens.

thanks
Hugh

On Thu, 08 Jun 2000, William Hernandez wrote:

In the testing phase I'm using:

radpwtst -s localhost -user whr -password whr -auth_port 1812 -noacct -secret secret -dictionary /etc/raddb/dictionary.ascend2

Thanks in advance,
whr

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "William Hernandez" [EMAIL PROTECTED]; "Radiator" [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 6:51 PM
Subject: Re: (RADIATOR) Password Log File Format

Hello William -

On Thu, 08 Jun 2000, William Hernandez wrote:

OK, I have the password log the way I want it. It now looks like this:

Wed Jun 7 11:01:47 2000: Login incorrect: [whr/whr] (203.63.154.1)
Wed Jun 7 11:01:55 2000: Login OK: [whr] (203.63.154.1)

I'm still in the testing phase, but I would like to have the nasname instead of the IP address in the log file.

What attribute are you using to log with?

thanks
Hugh

radius.cfg radius.log
Re: (RADIATOR) Password Log File Format
In the testing phase I'm using:

radpwtst -s localhost -user whr -password whr -auth_port 1812 -noacct -secret secret -dictionary /etc/raddb/dictionary.ascend2

Thanks in advance,
whr

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "William Hernandez" [EMAIL PROTECTED]; "Radiator" [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 6:51 PM
Subject: Re: (RADIATOR) Password Log File Format

Hello William -

On Thu, 08 Jun 2000, William Hernandez wrote:

OK, I have the password log the way I want it. It now looks like this:

Wed Jun 7 11:01:47 2000: Login incorrect: [whr/whr] (203.63.154.1)
Wed Jun 7 11:01:55 2000: Login OK: [whr] (203.63.154.1)

I'm still in the testing phase, but I would like to have the nasname instead of the IP address in the log file.

What attribute are you using to log with?

thanks
Hugh
Re: (RADIATOR) Password Log File Format
OK, I have the password log the way I want it. It now looks like this:

Wed Jun 7 11:01:47 2000: Login incorrect: [whr/whr] (203.63.154.1)
Wed Jun 7 11:01:55 2000: Login OK: [whr] (203.63.154.1)

I'm still in the testing phase, but I would like to have the nasname instead of the IP address in the log file. My portlist file looks like this:

# This file contains a list of permitted port ranges for various NASs
# You can refer to such a file with the NAS-Address-Port-List check item
# The format is:
#NAS-name-or-IP firstport-lastport
# NAS-name-or-IP can be a DNS name or an IP address. Firstport and
# lastport are the first and last permitted port of a range of ports
# permitted on that NAS. You can have multiple entries for the same NAS
#203.63.154.1 1200-1201
#203.63.154.1 1230-1234
#203.63.154.2 1-10
#your.nas.com 1-30
max1.prw.net 1-9
max2.prw.net 1-9
max3.prw.net 1-9
max4.prw.net 1-9
max5.prw.net 1-9
max6.prw.net 1-9
max7.prw.net 1-9
max8.prw.net 1-9
max9.prw.net 1-9
max10.prw.net 1-9
max11.prw.net 1-9
max12.prw.net 1-9

I've also modified the DEFAULT entry in the users file as follows:

DEFAULT Auth-Type = "System", Simultaneous-Use = 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 900,
    NAS-Address-Port-List = /etc/raddb/portlist

I'm confused here. Is the item I want in the password file coming from the portlist file? If this is correct, is there a default portlist file, so that I don't have to modify all the entries in the users file?

Thanks in advance.
whr

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "William Hernandez" [EMAIL PROTECTED]; "Radiator" [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2000 5:28 PM
Subject: Re: (RADIATOR) Password Log File Format

Hello William -

On Wed, 31 May 2000, William Hernandez wrote:

The format of the PasswordLogFile is time:username:entered_password:correct_password:result. Is there a way to change this format? I would like the system to only log failures using the format time:username:entered_password.

The format used to log the passwords is defined in the code, so you would have to change it in the following module: "Radius/Handler.pm". The routine you want is "logPassword" (the last routine in the module).

regards
Hugh
(RADIATOR) Password Log File Format
The format of the PasswordLogFile is time:username:entered_password:correct_password:result. Is there a way to change this format? I would like the system to only log failures using the format time:username:entered_password.

Thanks in advance.
whr
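An added example, not part of the original posts and not Radiator code: a post-processing filter that reduces a log in the time:username:entered_password:correct_password:result format quoted above to failure-only time:username:entered_password records, so the correct password never reaches the output. It assumes a colon-free time field and PASS/FAIL result values; the function name is hypothetical and the sample lines are constructed.

```python
# Constructed sample in the format quoted in the thread:
#   time:username:entered_password:correct_password:result
# Assumptions (not confirmed by the thread): time has no ':' in it and the
# result field is the literal PASS or FAIL.
SAMPLE_LOG = """\
960375707:whr:whr:s3cret-example:FAIL
960375715:whr:s3cret-example:s3cret-example:PASS
960375800:alice:gu:ess:pa:ss-example:FAIL
garbage line
960375900:bob:wrong-example:right-example:FAIL
"""


def failures_only(text):
    """Return (records, unparsed).

    records  -- 'time:username:entered_password' strings, failures only
    unparsed -- 1-based numbers of lines that were skipped rather than guessed
    """
    records, unparsed = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # Anything that does not end in a known result is not a log record.
        if len(fields) < 5 or fields[-1] not in ("PASS", "FAIL"):
            unparsed.append(number)
            continue
        if fields[-1] == "PASS":
            continue  # successful logins are not wanted in the output
        if len(fields) > 5:
            # A ':' inside either password makes the boundary between the
            # entered and the correct password ambiguous. Guessing could copy
            # part of the correct password into the output, so skip the line.
            unparsed.append(number)
            continue
        when, user, entered = fields[0], fields[1], fields[2]
        records.append(f"{when}:{user}:{entered}")
    return records, unparsed


if __name__ == "__main__":
    kept, skipped = failures_only(SAMPLE_LOG)
    for record in kept:
        print(record)
    print("skipped lines:", skipped)
```
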
Re: (RADIATOR) Compatibility with Livingston
Hello everyone -

Below is my current setup after making recommended changes. What I want to happen is the following:

if the user is in the users file then
    if the entry has a password then
        use it for authentication
    else
        use UNIX (/etc/shadow)
else
    use UNIX (/etc/shadow)

Thanks in advance.
whr

--- Start Cut here for radius.cfg ---

# livingCompat.cfg
#
# This is a simple Radiator config file that allows you
# to continue using a bog standard Livingston or
# similar users file with Radiator, It implements the
# Auth-Type="System" check item by using AuthBy UNIX
#
# You will probably want to change the definitions of
# DbDir, LogDir and the Filename parameters
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: livingCompat.cfg,v 1.3 1999/07/12 02:01:35 mikem Exp $

LogStdout
Trace 4
PidFile /tmp/radiusd.pid
AuthPort 1812
AcctPort 1813
LogDir /var/log/radacct
DbDir /etc/raddb
LogFile /var/log/radius.log
DbDir /etc/raddb
LogFile /var/log/radius.log
DictionaryFile /etc/raddb/dictionary.ascend2
FingerProg /usr/bin/finger
SnmpgetProg /usr/bin/snmpget
RewriteUsername tr/[A-Z]/[a-z]/

# This clause defines a single client to listen to
# You will probably want to change localhost and mysecret
# to suit your site.
<Client localhost>
    Secret mysecret
</Client>

<Client DEFAULT>
    Secret mysecret
    DupInterval 0
    FramedGroupBaseAddress 10.0.0.1
    FramedGroupBaseAddress 10.0.1.1
    FramedGroupBaseAddress 10.0.2.1
    FramedGroupMaxPortsPerClassC 20
</Client>

# This clause means we will handle any realm that arrives
<Realm DEFAULT>
    AuthByPolicy ContinueUntilAccept
    AuthBy Check-FILE
    AuthBy System
    # Log accounting to the detail file in LogDir
    AcctLogFileName /var/log/detail.log
    PasswordLogFileName /var/log/radius.log
    ExcludeFromPasswordLog root
</Realm>

# This clause defines an AuthBy FILE with Identifier Check-FILE
<AuthBy FILE>
    Identifier Check-FILE
    Filename /etc/raddb/users
</AuthBy>

# This clause defines an authorization method that will be used
# by any users in the database with Auth-Type="System". It will
# match the "Identifier System"
<AuthBy UNIX>
    Identifier System
    Filename /etc/shadow
</AuthBy>

--- End Cut here for radius.cfg ---

--- Start Cut here for users ---

company1.com Auth-Type = "System"
    Service-Type = Framed-User,
    Framed-Protocol = MP,
    Framed-IP-Address = 208.249.79.226,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Maximum-Channels = 2,
    NAS-Port-Type = ISDN-Sync,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Idle-Limit = 0

company2.com Auth-Type = "System"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 208.249.79.227,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 0

DEFAULT Hint="LOCAL", Auth-Type = "System", Simultaneous-Use = 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 900

DEFAULT Auth-Type = "System", Simultaneous-Use = 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 900

--- End Cut here for users ---

Messages at startup:

Fri May 26 09:06:33 2000: WARNING: Could not find an AuthBy clause with Identifier for AuthBy Check-FILE
Fri May 26 09:06:33 2000: WARNING: Could not find an AuthBy clause with Identifier for AuthBy System
Fri May 26 09:06:33 2000: DEBUG: Reading users file /etc/raddb/users
Fri May 26 09:06:33 2000: DEBUG: Reading group file /etc/group
Starting radiusd
www:/etc/raddb# Fri May 26 09:06:33 2000: INFO: Server started: Radiator 2.15

A password check gives me the following for user "whr" (this user is not in the users file and should be authenticated against /etc/shadow):

Fri May 26 09:24:07 2000: DEBUG: Rewrote user name to whr
Fri May 26 09:24:07 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri May 26 09:24:07 2000: DEBUG: Deleting session for whr, 203.63.154.1, 1234
Fri May 26 09:24:07 2000: INFO: Access rejected for whr:
Fri May 26 09:24:07 2000: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1324
Code: Access-Reject
Identifier: 217
Authentic: 1234567890123456
Attributes:
Reply-Message =
Re: (RADIATOR) Compatibility with Livingston
Hello everyone,

please ignore my previous post. I didn't see that the AuthBy clauses that were at the end of the radius.cfg file had to be at the beginning. It seems to be doing what I expected. Now I have to find out why I'm getting the following message:

sending Accounting-Request Start...
No reply
sending Accounting-Request Stop...
No reply

Thanks in advance.
whr

--- Start Cut here for radius.cfg ---

# livingCompat.cfg
#
# This is a simple Radiator config file that allows you
# to continue using a bog standard Livingston or
# similar users file with Radiator, It implements the
# Auth-Type="System" check item by using AuthBy UNIX
#
# You will probably want to change the definitions of
# DbDir, LogDir and the Filename parameters
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 1997 Open System Consultants
# $Id: livingCompat.cfg,v 1.3 1999/07/12 02:01:35 mikem Exp $

LogStdout
Trace 4
PidFile /tmp/radiusd.pid
AuthPort 1812
AcctPort 1813
LogDir /var/log/radacct
DbDir /etc/raddb
LogFile /var/log/radius.log
DbDir /etc/raddb
LogFile /var/log/radius.log
DictionaryFile /etc/raddb/dictionary.ascend2
FingerProg /usr/bin/finger
SnmpgetProg /usr/bin/snmpget
RewriteUsername tr/[A-Z]/[a-z]/

# This clause defines a single client to listen to
# You will probably want to change localhost and mysecret
# to suit your site.
<Client localhost>
    Secret mysecret
</Client>

<Client DEFAULT>
    Secret mysecret
    DupInterval 0
    FramedGroupBaseAddress 10.0.0.1
    FramedGroupBaseAddress 10.0.1.1
    FramedGroupBaseAddress 10.0.2.1
    FramedGroupMaxPortsPerClassC 20
</Client>

# This clause defines an AuthBy FILE with Identifier Check-FILE
<AuthBy FILE>
    Identifier Check-FILE
    Filename /etc/raddb/users
</AuthBy>

# This clause defines an authorization method that will be used
# by any users in the database with Auth-Type="System". It will
# match the "Identifier System"
<AuthBy UNIX>
    Identifier System
    Filename /etc/shadow
</AuthBy>

# This clause means we will handle any realm that arrives
<Realm DEFAULT>
    AuthByPolicy ContinueUntilAccept
    AuthBy Check-FILE
    AuthBy System
    # Log accounting to the detail file in LogDir
    AcctLogFileName /var/log/detail.log
    PasswordLogFileName /var/log/radius.log
    ExcludeFromPasswordLog root
</Realm>

--- End Cut here for radius.cfg ---

--- Start Cut here for users ---

company1.com Auth-Type = "System"
    Service-Type = Framed-User,
    Framed-Protocol = MP,
    Framed-IP-Address = 208.249.79.226,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Maximum-Channels = 2,
    NAS-Port-Type = ISDN-Sync,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Idle-Limit = 0

company2.com Auth-Type = "System"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 208.249.79.227,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 0

DEFAULT Hint="LOCAL", Auth-Type = "System", Simultaneous-Use = 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 900

DEFAULT Auth-Type = "System", Simultaneous-Use = 1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit = 900

--- End Cut here for users ---
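An added example, not part of the original post and not Radiator's own code: a small checker for the ordering problem described in this thread, where the Realm referred to AuthBy Check-FILE and AuthBy System before the AuthBy clauses carrying those Identifiers had been read. The sample configuration is constructed from the posted radius.cfg with its <...> clause markers; the function name is hypothetical.

```python
import re

OPEN = re.compile(r"<\s*([A-Za-z]\w*)\b[^>]*>$")   # e.g. <AuthBy FILE>
CLOSE = re.compile(r"</\s*([A-Za-z]\w*)\s*>$")     # e.g. </AuthBy>

# Constructed sample: the clauses from this thread in the order that produced
# "Could not find an AuthBy clause with Identifier" at startup.
BAD_ORDER = """\
<Realm DEFAULT>
    AuthByPolicy ContinueUntilAccept
    AuthBy Check-FILE
    AuthBy System
</Realm>
<AuthBy FILE>
    Identifier Check-FILE
    Filename /etc/raddb/users
</AuthBy>
<AuthBy UNIX>
    Identifier System
    Filename /etc/shadow
</AuthBy>
"""

# The same clauses with both <AuthBy> blocks moved ahead of the Realm.
_realm, _authbys = BAD_ORDER.split("</Realm>\n")
GOOD_ORDER = _authbys + _realm + "</Realm>\n"


def lint_authby_order(text):
    """Return (line, identifier, defined_line_or_None) for every bare
    'AuthBy name' reference that no earlier <AuthBy> clause declares."""
    defined = {}      # Identifier -> line on which an <AuthBy> clause sets it
    references = []   # (line, identifier) of 'AuthBy name' parameter lines
    stack = []        # names of the clauses that are currently open
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "Identifier" and stack and stack[-1] == "AuthBy":
            defined.setdefault(value, number)
        elif keyword == "AuthBy" and value:
            # Clause openings start with '<', so this is a reference by name.
            references.append((number, value))
    return [(number, name, defined.get(name))
            for number, name in references
            if defined.get(name) is None or defined[name] > number]


if __name__ == "__main__":
    for number, name, where in lint_authby_order(BAD_ORDER):
        print(f"line {number}: AuthBy {name} used before definition ({where})")
```
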