Re: [RADIATOR] Problems with Secret and SQLClientList

2014-09-03 Thread Herrmann, Daniel
Hi Alan,

> > > AFAIK most switching devices (including Cisco, commonly used here)
> > > do not support the message-authenticator attribute. However the solution
> > > above works now, thanks again!
> 
> ? we use Cisco and have Message Authenticator enforcement turned on.
> 

Hm, could you provide a reference? Only know that from WCS and APs, and for 
sure ACS/ISE, but not from the switching/routing products.

Daniel 

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Problems with Secret and SQLClientList

2014-09-02 Thread Herrmann, Daniel
Hello Heikki,

thanks so much for your answer.

> > However, the secret does not work. When testing the authentication
> > with NTRadPing, Radiator answers to my (known) client, regardless of
> > which secret I use. If I use "cisco", I get an answer, if I use
> > "7jnasdfjksa" I also get the answer. What can cause Radiator not to
> > check the secret sent among the request?
> 
> the response from Radiator should always be Access-Reject and NTRadPing
> should complain about bad response authenticator or something similar.
> 
> The Authenticator field in the request is used to encrypt the User-Password
> but it is not used to verify the request itself.

Doh! Thanks for your hint. We indeed never checked the password at all. Thus 
the secret was not taken into consideration. Stupid mistake.

As we are doing MAB authentication on switching devices, they usually send the 
MAC address of the attached host both as username and password. We thus changed 
the config like this:

--- 
AuthSelect select `mac`, `vlanid` from view_mabhosts where mac=upper(%0) AND nas_ip="%c"
AuthColumnDef   0, User-Password, check
AuthColumnDef   1, Tunnel-Private-Group-ID, reply
---

Thus the user password is checked, and requests from NAS with wrong secret are 
rejected, with "Bad Password" as message.

> 
> For verifying the request you should configure your RADIUS clients to send
> Message-Authenticator attribute. In addition, you can configure Radiator
> with RequireMessageAuthenticator Client flag to require the clients to use
> this attribute.

AFAIK most switching devices (including Cisco, commonly used here) do not 
support the message-authenticator attribute. However the solution above works 
now, thanks again!

Best regards
Daniel 
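
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Radiator code: a simplified Python model of an Access-Request showing that the shared secret only hides User-Password unless Message-Authenticator is verified. The MAC address, the function names and the policy of discarding a request with a missing Message-Authenticator are assumptions; the two secrets are the ones quoted in the thread.

```python
# Added example (not Radiator code); the MAC below is a constructed sample value.
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(user, password, secret, sign=False, ident=1):
    """Client side: the Request Authenticator is just 16 random bytes."""
    authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    if sign:  # 16 zero bytes as placeholder, replaced by the HMAC below
        attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    if sign:  # RFC 2869 5.14: HMAC-MD5 over the whole packet, keyed with the secret
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def parse_attributes(packet):
    """Return {type: (value_offset, value)} for the attributes after the header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[code] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    return attrs


def message_authenticator_ok(packet, secret):
    """Recompute the HMAC with the attribute value zeroed and compare."""
    attrs = parse_attributes(packet)
    if MESSAGE_AUTHENTICATOR not in attrs:
        return False
    offset, received = attrs[MESSAGE_AUTHENTICATOR]
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())


def server_decide(packet, secret, check_password, require_ma):
    """Simplified model of the three server setups discussed in the thread."""
    # RFC 2869 5.14 drops a bad Message-Authenticator silently; dropping a
    # missing one as well is this model's policy (an assumption).
    if require_ma and not message_authenticator_ok(packet, secret):
        return "discard"
    attrs = parse_attributes(packet)
    user = attrs[USER_NAME][1]
    if check_password:  # MAB: the expected password is the MAC itself
        sent = unhide_password(attrs[USER_PASSWORD][1], secret, packet[4:20])
        if not hmac.compare_digest(sent, user):
            return "Access-Reject: Bad Password"
    return "Access-Accept"


def demo():
    secret, mac, results = b"cisco", b"001122AABBCC", {}
    setups = ((False, False), (True, False), (True, True))  # (check_password, require_ma)
    for label, client_secret in (("right", secret), ("wrong", b"7jnasdfjksa")):
        results[label] = tuple(
            server_decide(build_access_request(mac, mac, client_secret, sign=ma), secret, chk, ma)
            for chk, ma in setups)
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns, for the right and the wrong client secret, the decision with no password check, with the password as a check item, and with Message-Authenticator required.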



[RADIATOR] Problems with Secret and SQLClientList

2014-09-01 Thread Herrmann, Daniel
Hello,

we are using the Radiator for RADIUS authentication of network clients. Our 
frontend writes the NAS clients to a database, where we have a view, which is 
then queried by Radiator. The view looks like this:

--- schnipp ---
mysql> select * from view_clients;
+----+--------+-----------------+-----------+---------+
| id | name   | ip              | secret    | module  |
+----+--------+-----------------+-----------+---------+
|  4 | test1  | 146.140.16.XX   | cisco     | mab     |
|  2 | wlc001 | 192.168.135.254 | asdasdasd | eduroam |
|  3 | wlc002 | 192.168.135.253 | asdasdasd | eduroam |
|  2 | wlc001 | 192.168.135.254 | asdasdasd | mab     |
|  3 | wlc002 | 192.168.135.253 | asdasdasd | mab     |
+----+--------+-----------------+-----------+---------+
--- schnapp ---

We then use the following ClientListSQL Statement to retrieve the clients:

--- schnipp ---

DBSource dbi:mysql:main
DBUsername radiator
DBAuth asdsadasdasdasdasd
GetClientQuery SELECT `ip`, `secret`, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, `module` FROM `view_clients`
RefreshPeriod 60

--- schnapp ---

We thus read out the IP address, the secret and the module, which we use as 
identifier in the Handler:



In general, this configuration is working fine. The Clients are retrieved 
correctly, requests from unknown clients are ignored and the Client-Identifier 
matching based on the module also works great. However, the secret does not 
work. When testing the authentication with NTRadPing, Radiator answers to my 
(known) client, regardless of which secret I use. If I use "cisco", I get an 
answer, if I use "7jnasdfjksa" I also get the answer. What can cause Radiator 
not to check the secret sent among the request?

Thanks in advance and best regards
Daniel


---
Daniel Herrmann
Competence Center Lan (CC-LAN)

Fraunhofer-Institut für Graphische Datenverarbeitung IGD
Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
Tel +49 6151 155-346  |  Fax +49 6151 155-399
daniel.herrm...@igd.fraunhofer.de | www.igd.fraunhofer.de/


Re: [RADIATOR] Handler matching multiple Service-Types

2013-05-06 Thread Herrmann, Daniel
Hello Hugh,

Thank you for your answer, it works perfectly.

Regards
Daniel

On 06.05.2013 at 12:34, "Hugh Irvine" wrote:

> 
> Hello Daniel -
> 
> Something like this should work:
> 
> 
> 
> 
>…..
> 
> 
> 
> 
> regards
> 
> Hugh
> 
> 
> On 6 May 2013, at 18:20, "Herrmann, Daniel" wrote:
> 
>> Hello,
>> 
>> We are using Radiator as Radius-Server for various Switches. We have two 
>> different Handlers, one for Cisco and HP gear, and one for Extreme Switches.
>> 
>> They are nearly identical, even the reply, except for the Service Type. Cisco 
>> Requests have the attribute Service-Type=Call-Check, whereas Extreme 
>> switches have Service-Type=Login-User set.
>> 
>> Is there a way to write a handler matching both Service-Types without 
>> omitting the check?
>> 
>> Best Regards
>> Daniel
>> 
>> ---
>> Daniel Herrmann
>> Competence Center Lan (CC-LAN)
>> 
>> Fraunhofer-Institut für Graphische Datenverarbeitung IGD
>> Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
>> Tel +49 6151 155-346  |  Fax +49 6151 155-399
>> daniel.herrm...@igd.fraunhofer.de | www.igd.fraunhofer.de/
>> 
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. 
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 


[RADIATOR] Handler matching multiple Service-Types

2013-05-06 Thread Herrmann, Daniel
Hello,

We are using Radiator as Radius-Server for various Switches. We have two 
different Handlers, one for Cisco and HP gear, and one for Extreme Switches.

They are nearly identical, even the reply, except for the Service Type. Cisco 
Requests have the attribute Service-Type=Call-Check, whereas Extreme switches 
have Service-Type=Login-User set.

Is there a way to write a handler matching both Service-Types without omitting 
the check?

Best Regards
Daniel

---
Daniel Herrmann
Competence Center Lan (CC-LAN)

Fraunhofer-Institut für Graphische Datenverarbeitung IGD
Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
Tel +49 6151 155-346  |  Fax +49 6151 155-399
daniel.herrm...@igd.fraunhofer.de | www.igd.fraunhofer.de/



[RADIATOR] Interval synchronization

2011-06-13 Thread Daniel Duarte
Hello,

I'm trying to set up a configuration where I would have the statistical
files generated at specific moments, instead of x minutes after the startup
of the radiator. Example: I would like to have files created every 15
minutes, exactly at every 00, 15 and 45 minutes.

The only option that I see to control this would be to start the radiator
daemon exactly at the beginning of a period. Is there a simpler way to
control this?


Thanks,
Daniel Duarte

Re: (RADIATOR) defunct processes

2003-12-03 Thread Daniel Bendersky
Hi,

Sorry for being so late to send you the conf file. I was in the middle of 
a migration without much time and the configuration is split into a lot 
of parts, so I joined them to send to you.

Let me know if you find something that can cause the defuncts.

thanks!

On Nov 21, 2003, at 3:13 AM, Hugh Irvine wrote:

Hello Daniel -

I will need to see a copy of your configuration file (no secrets) 
together with a trace 4 debug showing what is happening.

A process listing showing the defunct processes would also help.

regards

Hugh

On 21/11/2003, at 10:15 AM, Daniel Bendersky wrote:

Hi, I had some defunct processes in my servers. Currently I use 
radiator 3.6, prior to version 3.3, I have never seen these zombies.

What do I need to check in order to fix that?

Thanks for any tip/help

--
Saludos
Daniel Bendersky.

--
Daniel Bendersky  Director de Operaciones y Tecnología
[EMAIL PROTECTED]  http://www.netline.cl
NETLINEAv. Vitacura # 2939 of. 202
Oficina   : +56 2 751 2600Las Condes, Santiago - CHILE
Celular   : +56 9 998 9122   Fax2mail : +56 2 751 2651
Voice2mail: +56 2 751 2618
   "Success is a journey, not a destination"
--
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Saludos
Daniel Bendersky.

------
Daniel Bendersky  Director de Operaciones y Tecnología
[EMAIL PROTECTED]  http://www.netline.cl
NETLINEAv. Vitacura # 2939 of. 202
Oficina   : +56 2 751 2600Las Condes, Santiago - CHILE
Celular   : +56 9 998 9122   Fax2mail : +56 2 751 2651
Voice2mail: +56 2 751 2618
   "Success is a journey, not a destination"
--


(RADIATOR) defunct processes

2003-11-20 Thread Daniel Bendersky
Hi, I had some defunct processes in my servers. Currently I use 
radiator 3.6, prior to version 3.3, I have never seen these zombies.

What do I need to check in order to fix that?

Thanks for any tip/help

--
Saludos
Daniel Bendersky.

--
Daniel Bendersky  Director de Operaciones y Tecnología
[EMAIL PROTECTED]  http://www.netline.cl
NETLINEAv. Vitacura # 2939 of. 202
Oficina   : +56 2 751 2600Las Condes, Santiago - CHILE
Celular   : +56 9 998 9122   Fax2mail : +56 2 751 2651
Voice2mail: +56 2 751 2618
   "Success is a journey, not a destination"
--


(RADIATOR) outsourcing and unterminated sessions

2003-08-14 Thread Daniel Erat
Hello, we have two servers running Radiator 3.6-1.  Since outsourcing
our NASes in some locations to two vendors, we've been having problems
with unterminated calls.

After examining packet dumps of the traffic from Vendor A, I've noticed
that they are often sending duplicate accounting-start packets to us,
with the second one coming 15 or 30 seconds after the first.  They claim
that this is normal behavior, as their network drops "low-priority"
(their words) traffic (i.e. responses from our Radius servers) between
their Radius proxies and their NASes during periods of peak utilization.
The problem is, when one of our customers disconnects immediately after
the session starts, our Radius servers have already terminated the
session by the time that the retransmitted start packet comes in, so we
see it as beginning a new session (interestingly, the stop packets do
not seem to be retransmitted).  Vendor A recommends that we work around
this by starting sessions based on the access-request packet, rather
than the accounting-start.

I haven't been able to examine any packet dumps from Vendor B, as our
customers use their phone numbers much less frequently, but they claim
that the problem is occurring because their sub-vendors' NAS servers are
sometimes rebooted or restarted, which causes all current sessions to be
abandoned.  Vendor B recommends that we start examining the
Calling-Station-Id attributes that they are passing us and terminate any
ongoing sessions that match the phone numbers being used for
newly-started sessions.

So, my questions are

a) Based on others' experiences, are these explanations
   plausible/acceptable, or should we start looking for other vendors?

b) Has anyone tried either of the "solutions" recommended above?  In
   particular, the one recommended by Vendor B sounds like a good
   workaround -- has anyone done this in Radiator?

Thanks in advance,

Dan


(RADIATOR) Adding an attribute "Post Handler"

2003-01-23 Thread Cliff Daniel
How would one go about adding an attribute in the Handler section.  Say 
this for example:


   RewriteUsername s/^([^@]+).*/$1/
   AddAttribute Customer-Identity="Widget Co"
   AuthBy Widget


This way when I use the Realm DEFAULT that writes all accounting records 
to a database it would include a column "Customer-Identity" which is 
easier to produce reports on.  This is possible?  I know the 
AddAttribute only works pre-handlers.

Cliff




(RADIATOR) Dual Accounting Streams Possible?

2003-01-15 Thread Cliff Daniel
I'm looking for a way to configure radiator to send a duplicate stream 
to another radius host, just for logging purposes only.   Is there any 
easy way to accomplish this?  I've search the archives for this list and 
only saw one thing similar but that was for Auth and I didn't quite 
understand it :-)

Regards,
Cliff



(RADIATOR) Incorrect timestamp with portmasters

2002-05-01 Thread Daniel Lowe
EMERALD
Wed May  1 17:35:30 2002: DEBUG: do query is: insert into Calls
(UserName, CallDate, AcctStatusType, AcctDelayTime, AcctInputOctets, AcctOutputOctets, AcctSessionId, AcctSessionTime, NASIdentifier, NASPort, CallerID, ConnectInfo, FramedAddress)
values
('french', 'May  1, 2002 17:35', 3, 0, 127812, 177, '0002F9D4', 890, '203.220.248.113', 6347, '749464616', '142330749085202', '203.220.195.170')

This is one from our local portmaster;

Wed May  1 17:34:58 2002: DEBUG: Packet dump:
*** Received from 210.8.26.5 port 1026 
Code:   Accounting-Request
Identifier: 125
Authentic:  <27><156>u8<153>=<10><217><136><28><160><6>2,<132>F
Attributes:
Acct-Session-Id = "15DF"
User-Name = "wells"
NAS-IP-Address = 210.8.26.5
NAS-Port = 37
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Connect-Info = "48000 LAPM/V42BIS"
Called-Station-Id = "49691000"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 210.8.27.27
Acct-Delay-Time = 17230

Wed May  1 17:34:58 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed May  1 17:34:58 2002: DEBUG:  Adding session for wells, 210.8.26.5, 37
Wed May  1 17:34:58 2002: DEBUG: Handling with Radius::AuthEMERALD
Wed May  1 17:34:58 2002: DEBUG: Handling accounting with Radius::AuthEMERALD
Wed May  1 17:34:58 2002: DEBUG: do query is: insert into Calls
(UserName, CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier, NASPort, ConnectInfo, FramedAddress)
values
('wells', 'May  1, 2002 12:47', 1, 17230, '15DF', '210.8.26.5', 37, '49691000', '210.8.27.27')

Wed May  1 17:34:58 2002: DEBUG: Accounting accepted
Wed May  1 17:34:58 2002: DEBUG: Packet dump:


12:47 is when we rebooted the portmaster.


Regards
--
Daniel Lowe
Service Engineer
Mackay Computer Services
-- 



[no subject]

2002-04-10 Thread Daniel Jung

unsubscribe radiator






(RADIATOR) ClearNasQuery

2001-10-24 Thread daniel . teran


Hi all,

I saw this behaviour yesterday: an Accounting-Start packet arrives with Id
=''.
First, SessionDatabase-SQL SDB1 deletes session (NAS-IP-Address,
Acct-Session-Id). OK as usual.
Then inserts the new session. OK. Finally, ClearNasQuery is executed and
deletes all the sessions
of that NAS, so new session doesn't appear on RADONLINE.

I wonder:

- criterion for ClearNasQuery to be executed (how NAS reboot is detected).
- sequence: ClearNasQuery first, then add session to radonline?

Tue Oct 23 13:26:29 2001: DEBUG: Packet dump:
*** Received from 192.168.116.64 port 32773 
Code:   Accounting-Request
Identifier: 94
Authentic:  <198><193>RTz<241>D<192><165>1<239><201><239><179><27>O
Attributes:
NAS-IP-Address = w.x.y.z
Acct-Status-Type = Start
Acct-Session-Id = ""
NAS-Port-Type = Sync
Calling-Station-Id = "91..."
Called-Station-Id = "91..."
Connect-Info = "<0><0><250>"
NAS-Port = 0
Acct-Authentic = RADIUS
User-Name = "[EMAIL PROTECTED]"
Acct-Multi-Session-Id = "40F90207"
Acct-Link-Count = 1
Timestamp = 1003835834
Acct-Delay-Time = 0

Tue Oct 23 13:26:29 2001: DEBUG: Check if Handler . should be used to handle this request
Tue Oct 23 13:26:29 2001: DEBUG: Handling request with Handler 
Tue Oct 23 13:26:29 2001: DEBUG: SDB1 Adding session for [EMAIL PROTECTED], w.x.y.z, 0
Tue Oct 23 13:26:29 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='w.x.y.z' and ACCTSESSIONID=''

Tue Oct 23 13:26:29 2001: DEBUG: do query is: insert into RADONLINE (...)

Tue Oct 23 13:26:29 2001: DEBUG: SDB1 Deleting all sessions for 62.14.16.25
Tue Oct 23 13:26:29 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='w.x.y.z'
..
Tue Oct 23 13:26:29 2001: DEBUG: Accounting accepted


This is my  definition:


  AddQuery insert into RADONLINE (...) values (...)
  ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
  CountNasSessionsQuery select ACCTSESSIONID from RADONLINE where NASIDENTIFIER='%N'
  CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME='%n'
  DeleteQuery delete from RADONLINE where NASIDENTIFIER='%N' and ACCTSESSIONID='%{Acct-Session-Id}'
  DBAuth ...
  DBSource dbi:Oracle:...
  DBUsername ...
  FailureBackoffTime 10
  Identifier SDB1
  Timeout 30


Thanks,
Daniel Terán.




Re: (RADIATOR) vendor_code size?

2001-09-03 Thread daniel


I believe vendor_code size represents size of vendor_id ? 
I am not quite sure myself but I came across this dictionary file
that required to have vendor_code size defined in the dictionary file.


Daniel Jung

System Administrator GMO inc 

On Mon, 3 Sep 2001, Hugh Irvine wrote:

> 
> Hello Daniel -
> 
> I don't understand the question, sorry.
> 
> Could you explain what you mean by vendor_code size?
> 
> thanks
> 
> Hugh
> 
> 
> At 16:40 +0900 01/9/3, daniel wrote:
> >Hi all,
> >
> >Anyone know the vendor_code size for RedBack and Merit?
> >I know vendor ids for RedBack and Merit? I am not talking about
> >vendor code I see in the mailing list. ie, vendor code for Merit
> >is 61 and RedBack is 2352.
> >
> >Thanks in advance.
> >
> >
> >Daniel Jung
> >
> >System Administrator GMO inc
> >
> 
> -- 
> 
> NB: I am travelling this week, so there may be delays in our correspondence.
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 




(RADIATOR) vendor_code size?

2001-09-03 Thread daniel


Hi all,

Anyone know the vendor_code size for RedBack and Merit? 
I know vendor ids for RedBack and Merit? I am not talking about 
vendor code I see in the mailing list. ie, vendor code for Merit 
is 61 and RedBack is 2352. 

Thanks in advance.


Daniel Jung

System Administrator GMO inc 




Re: (RADIATOR) Pseudo-Request-Source ?

2001-08-30 Thread daniel


Thanks Hugh.

I was not able to find that attribute in standard dictionary file.
Maybe it is vendor specific. 


Daniel Jung

System Administrator GMO inc 

On Thu, 30 Aug 2001, Hugh Irvine wrote:

> 
> Hello Daniel -
> 
> I can't find any attribute like that.
> 
> You can tell whether the requests were proxied by checking which Client 
> clause received the request, either in a Handler, or in a user definition.
> 
> hth
> 
> Hugh
> 
> 
> On Wednesday 29 August 2001 23:55, daniel wrote:
> > Hi all,
> >
> > Does anyone know Pseudo-Request-Source Attribute mean ?
> > As I heard it, it is the source IP where packets were sent from.
> >
> > Is there a way for me to tell whether packets received were proxied
> > or not in the access-request ?
> >
> >
> > Thanks for your help.
> >
> > Daniel Jung
> >
> > System Administrator GMO inc
> >
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 




(RADIATOR) Pseudo-Request-Source ?

2001-08-29 Thread daniel


Hi all,

Does anyone know Pseudo-Request-Source Attribute mean ?
As I heard it, it is the source IP where packets were sent from. 

Is there a way for me to tell whether packets received were proxied 
or not in the access-request ? 


Thanks for your help. 

Daniel Jung

System Administrator GMO inc 




(RADIATOR) Platypus and Radiator

2001-06-14 Thread Daniel Lowe



Can someone please help

I am currently trying to set up a MAX 3000 unit to do its authentication via 
radiator running on an NT4 box. We also use platypus ISP version 3.0 (build 582-pu).
I have used the example platypus.cfg file in the goodies directory to get 
started. When trying to dial into the max, radiator gives out the following error;

Fri Jun 15 09:54:52 2001: INFO: Server started: Radiator 2.18.1 on server.mcs.net.au (DEMO)
Fri Jun 15 09:56:12 2001: DEBUG: Packet dump:
*** Received from 210.8.26.6 port 1026 
Code:   Accounting-Request
Identifier: 220
Authentic:  C<0><195><144>T<229>W-<236>c<187>9<223><251><142>>
Attributes:
NAS-IP-Address = 210.8.26.6
NAS-Port = 20108
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "361110318"
Ascend-Disconnect-Cause = sessFailSecurity
Ascend-Connect-Progress = prIPNCPOpened
Ascend-Xmit-Rate = 50667
Ascend-Data-Rate = 28800
Ascend-PreSession-Time = 35
Ascend-Pre-Input-Octets = 257
Ascend-Pre-Output-Octets = 252
Ascend-Pre-Input-Packets = 12
Ascend-Pre-Output-Packets = 13
Ascend-Modem-PortNo = 27
Ascend-Modem-SlotNo = 2
Called-Station-Id = "49694000"

Fri Jun 15 09:56:12 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jun 15 09:56:12 2001: DEBUG:  Deleting session for , 210.8.26.6, 20108
Fri Jun 15 09:56:12 2001: DEBUG: do query is: insert into radiusdat 
    (username, callstart, callend, sessid ) 
    values 
    ('', 'Jun 15, 2001 09:56', 'Jun 15, 2001 09:56', 
    '361110318' )

Fri Jun 15 09:56:12 2001: ERR: do failed for 'insert into radiusdat 
    (username, callstart, callend, sessid ) 
    values 
    ('', 'Jun 15, 2001 09:56', 'Jun 15, 2001 09:56', 
    '361110318' )': [Microsoft][ODBC SQL Server Driver][SQL Server]View 'radiusdat' is not updatable because a column of the view is derived or constant. (SQL-37000)[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. (SQL-37000)(DBD: st_prepare/SQLPrepare err=-1)
Fri Jun 15 09:56:12 2001: ERR: do failed for 'insert into radiusdat 
    (username, callstart, callend, sessid ) 
    values 
    ('', 'Jun 15, 2001 09:56', 'Jun 15, 2001 09:56', 
    '361110318' )': [Microsoft][ODBC SQL Server Driver][SQL Server]View 'radiusdat' is not updatable because a column of the view is derived or constant. (SQL-37000)[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. (SQL-37000)(DBD: st_prepare/SQLPrepare err=-1)
Fri Jun 15 09:56:12 2001: DEBUG: do query is: update appdata set date='Jun 15, 2001 09:56' 
  where name='Last Radius'

Fri Jun 15 09:56:13 2001: DEBUG: Accounting accepted
Fri Jun 15 09:56:13 2001: DEBUG: Packet dump:
*** Sending to 210.8.26.6 port 1026 
Code:   Accounting-Response
Identifier: 220
Authentic:  C<0><195><144>T<229>W-<236>c<187>9<223><251><142>>
Attributes:

Looking into the platypus database there is no radiusdat table that I can see

This is my current cfg file

#plat.cfg

Foreground
LogStdout
Trace 4
AuthPort 1645
AcctPort 1646
LogDir  .
DbDir  .

#
# DBSource dbi:ODBC:Radiator
# DBUsername x
# DBAuth  x
#

 Secret x
 DupInterval 0

  # Change DBSource, DBUsername, DBAuth for your database
  # See the reference manual
  DBSource dbi:ODBC:Radiator
  DBUsername xx
  DBAuth  x

  # The basic PLATPYPUS module will 
  # insert values for 
  #    username, callstart, callend, sessid 
  # into the table 'radiusdat'
  # You can log additional data from each Stop by
  # adding AcctColumnDef lines like this, if you
  # have additional columns in your accounting table
  # As an example, here are some additional fields 
  # that you might have added by following the 
  # Instructions in the Platypus Help file under
  # 'Importing Additional Radius Information'
  #
  #AcctColumnDef data_in,Acct-Input-Octets,integer
  #AcctColumnDef data_out,Acct-Output-Octets,integer
  #AcctColumnDef ipaddress,Framed-IP-Address

  # You can optionally fetch your own 
  # additional columns from the user
  # database when you fetch the password
  # in a similar way to AuthSQL. In this
  # example, you define an additional column in the
  # customer table called
  # maxsessions, which (if not NULL) will be used to
  # set Simultaneous-Use for the user. AuthSelect
  # is the SQL required to select _additional_ columns
  # from customer, so the comma is required
#  AuthSelect ,maxsessions
#  AuthColumnDef 0,Simultaneous-Use,check

  # If you also need to add extra check and reply items,
 # Platypus has a RadiusNT compatibility package
 # that does allow you to set up per-user and per-service
 # reply items. If you want to use that, then you
 # should use AuthBy EMERALD instead. See emerald.cfg
 # If you dont want to use it, you can put generic check and
 # reply items in a separate users file:
# AuthByPolicy ContinueWhileAccept
#
#  # Put a DEFAULT user in the

Re: (RADIATOR) ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute/Describe)

2001-05-09 Thread daniel . teran



Hello everybody,

I've got the same error for ages. It happens when Radiator is (re)started
and tries to query BD for the first-second time. For example:

Thu May  3 19:46:50 2001: INFO: Server started: Radiator 2.17.1 on elektra.jazzlab.com
Thu May  3 19:47:49 2001: DEBUG: Reclaiming expired leases
Thu May  3 19:47:49 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY < 988912069

Thu May  3 19:47:49 2001: ERR: do failed for 'update RADPOOL set STATE=0 where state!=0 and EXPIRY < 988912069': ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute)
Thu May  3 19:48:49 2001: DEBUG: Reclaiming expired leases
Thu May  3 19:48:49 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY < 988912129

Thu May  3 19:49:49 2001: DEBUG: Reclaiming expired leases
Thu May  3 19:49:49 2001: DEBUG: do query is: update RADPOOL set STATE=0 where state!=0 and EXPIRY < 988912189

Thu May  3 19:50:11 2001: DEBUG: Packet dump:
*** Received from 10.9.10.200 port 49152 
Code:   Access-Request
Identifier: 9
Authentic:  <233><174>&H<10><153><3>%<167>]<5>C<136><236>#3
Attributes:
User-Name = "usuario1isp@clienteisp"
CHAP-Password = "<1><241><237>ow<189><248>KO<127>G5<194>mB<244><200>"
Acct-Session-Id = "4258"
NAS-IP-Address = x.x.x.x
Shasta-SGROUP = "Shasta 5000: iSOS (tm), 2.1(14)"
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "9"
Called-Station-Id = "9"

Thu May  3 19:50:11 2001: DEBUG: Rewrote user name to usuario1isp@clienteisp
Thu May  3 19:50:11 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu May  3 19:50:11 2001: DEBUG: SDB1 Deleting session for usuario1isp@clienteisp, x.x.x.x,
Thu May  3 19:50:11 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='x.x.x.x' and ACCTSESSIONID='4258'

Thu May  3 19:50:11 2001: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='x.x.x.x' and ACCTSESSIONID='4258'': ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute)

...--

My scenario: Radiator 2.17.1 in Linux (2.2.14 or 2.4.1) and Oracle 8.1.6 in
Linux 2.4.1(PC) or Solaris 2.6 (Ultra-60).

I think it's a problem related with SQL Oracle Libraries but it only
happens at the beginning (not after) and it seems not to be serious.

Bye,

Daniel.









(RADIATOR) IdenticalClients

2001-03-20 Thread daniel



Hi,

I have to add lots of IdenticalClients and I was wondering if it 
is possible to do something like /24? 

Example,

IdenticalClients *.*.*.0/24 

According to the Doc, I can only do ip space ip. 

Thanks in advance.

Daniel


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Bad LDAP Result

2001-03-19 Thread daniel . teran


Hi all,

While I was testing 'searchFilter' function like mentioned last week (Julio
Prada's posts),
something strange happened and I still don't know what. This was my cfg
file (Radiator 2.17.1):


  AuthDN ...
  AuthPassword ...
  BaseDN ...
  Host ...
  Identifier ID_1
  PasswordAttr password
  Port ...
  SearchFilter (&(login=%{User-Name})(callingId=%{Calling-Station-Id}))
  UsernameAttr login



  DupInterval 0
  Secret ...
  StatusServerShowClientDetails



  AcctLogFileName %L/detail
  AuthBy ID_1
  PasswordLogFileName %L/password
  RejectHasReason



 I wanted to simulate pre-authentication feature so I sent this
Access-Request
 with 'radpwtst' GUI (version 2.18):

Mon Mar 19 16:24:50 2001: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1025 
Code:   Access-Request
Identifier: 164
Authentic:  1234567890123456
Attributes:
User-Name = "91291"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 12345
Called-Station-Id = "91291"
Calling-Station-Id = "94703"
NAS-Port-Type = Async
User-Password = "<187>4<204><168><187><215>M<208><18>N<222>D9%<208><12>"


It worked when the password was true. When it wasn't, this output happened:


Mon Mar 19 16:24:50 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Mar 19 16:24:50 2001: DEBUG:  Deleting session for 91291, 203.63.154.1,
12345
Mon Mar 19 16:24:50 2001: DEBUG: Handling with Radius::AuthLDAP2
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with 91291000
0
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT1
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT2
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT3
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got password: i2p
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT4
Mon Mar 19 16:24:50 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Mar 19 16:24:50 2001: DEBUG: Connecting to ...
Mon Mar 19 16:24:50 2001: DEBUG: LDAP got result for login=91291...
[..]

And it grew, grew, grew .

Could someone explain why?

Thanks in advance...

Daniel Terán.






Re: (RADIATOR) SessionDatabase question

2001-03-18 Thread Daniel Senie

Chris M wrote:
> 
> >> The only problem I foresee is, how do I make the SessionDatabase
> >> high-availability? In other words, is there a way to replicate
> >> the DB INSERTs and DELETEs so that auth or acct radiator
> >> processes talking to MySQL can have entries simultaneously
> >> made in SessionDatabases on two different machines?  Since
> >> MySQL doesn't have any replication features built in, how do
> >> people accomplish this syncing?
> >>
> >
> > The simplest thing to do is just use a single SQL host, but use a
> > high-availability multi-processor machine with hot-swap RAID disks. This is
> > usually *much* easier to do than trying to replicate databases.
> >
> > hth
> >
> > Hugh
> 
> I certainly agree and do this, however, there is always going to be the need
> to reboot the machine.  Linux and other Unices still require reboots once a
> month.

Ummm, why? I've got Linux systems that go a year or more without
rebooting, and without trouble. Are you experiencing memory leaks in
yours that're causing troubles? The ONLY reason I ever reboot my
production servers is if I need to move them to a new UPS, or (rarely)
to update the kernel for one reason or another.


-- 
-
Daniel Senie                 [EMAIL PROTECTED]
Amaranth Networks Inc.       http://www.amaranth.com




Re: (RADIATOR) radwho.cgi

2001-02-14 Thread daniel


Hi,

No I meant radwho.cgi. I am trying to check users connection in
real-time. If you have multiple radius servers, how would you implement  
it ? I will be using DBM format file. 

Daniel


On Wed, 14 Feb 2001, Hugh Irvine wrote:

> 
> Hello Daniel -
> 
> At 15:46 +0900 01/2/14, daniel wrote:
> >hi,
> >
> >Just wondering if it is possible to use radwho.cgi with multiple
> >accounting servers. I am thinking about using DBM instead of SQL.
> >
> 
> Do you mean radacct.cgi? radwho.cgi is used in conjunction with the 
> session database.
> 
> hth
> 
> Hugh
> 
> -- 
> 
> NB: I am travelling this week, so there may be delays in our correspondence.
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 





(RADIATOR) radwho.cgi

2001-02-13 Thread daniel


hi,

Just wondering if it is possible to use radwho.cgi with multiple
accounting servers. I am thinking about using DBM instead of SQL.


Daniel 







No Subject

2001-01-16 Thread daniel . teran


Hi everyone,

I wonder if we could use the value obtained by LimitQuery in the
AuthPORTLIMITCHECK clause.
I'm not sure if it's possible to write something like this:


 SessionLimit 20  --> default
 CountQuery select COUNT(*) from RADONLINE where 
 LimitQuery select LIMIT from ...
 ClassForSessionLimit premium, x --> x is the value of LimitQuery
 ClassForSessionLimit medium, y --> y = f(x), for example: 75% of x


Can Radiator do this without using hooks?

Thanks,

Daniel Terán





(RADIATOR) bad description of info

2000-11-28 Thread daniel


Hi, 

We have 2.16.3 radiator running in production environment.
When user enters bad password, the info I get from the radius log looks
like this.
 
Tue Nov 28 17:53:11 2000: INFO: Access rejected for im115889:
NAS-Address-Port-List: port 229 is not within an allowable port range for
210.172.169.66

port 229 is in the allowable range for this nas. I tested using radping
and it gives this error when I enter bad passwd or port is really out of
range. I believe if user enters bad passwd it should give info like
"bad password" and "not allowable port range". 

Is there a patch for this? 

Thanks in advance.

Daniel Jung

System Administrator InterQ Inc





Re: (RADIATOR) Cisco NAS preauthentication

2000-11-23 Thread daniel . teran





Hello,

I'm interested in Nortel NAS (CVX) preauthentication. I can receive
preAuth-Request
with DNIS and secret but I don't know exactly which attributes to reply. I
would also
appreciate some kind of help.

Thanks,
Daniel.

Hi all,

We are implementing preauthentication. The Cisco NAS is sending the DNIS as
the User-Name. The cisco documentation mentions the attribute
cisco-avpair = "preauth:username="

Can someone tell me how to access this attribute. I would appreciate it if
someone has an example on how to do the preauthentication and the
subsequent
authentication.

Regards,
Lisa







(RADIATOR) Best way to check Called-Station-Id

2000-11-22 Thread daniel . teran



Hi all,

I want to set Calling-Station-Id in my user database (SQL, LDAP, etc.) from
a list of phone-numbers (i.e., more than one).

How can I insert this attribute and check it in the AuthBy clause?

I've read this post in the mailing list:

<<<<<<<<<<<<<

On May 10,  2:04pm, Dialup USA Sales Dept wrote:
> Subject: calling-station id attribute
> I have to add a large amount of numbers to the Calling-Station-Id attribute.
>
> It would be nice if you could have this attribute call a file in which you
> can place all
> the numbers in it, one per line that you want to allow access from.
>
> Would it significantly slow down radius server if I were to add 50-75
> numbers to
> that one line in the format of  /1234567|7654321|2343243|2343423/

I don't think it will slow it down much. The regexp code in perl is pretty good.
Careful examination of the numbers may allow you to find some patterns that
can be expressed with a simpler regexp. For example, if they all start with a
common prefix, you could do something like this:

/^123(111|222|333|444|555)/

>>>>>>>>>>

Is this the right way?

Thanks,
Daniel Terán.
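
An added example, not part of the thread and not Radiator code: it loads a one-number-per-line allow list, as the quoted post wished for, and compares the quoted alternation and prefix patterns with an exact-match pattern built from the same numbers. It is written in Python rather than Radiator's Perl; that the check item is applied as an unanchored regexp search is an assumption, and the file contents and test numbers are constructed.

```python
import re

# Constructed sample file: one permitted Calling-Station-Id per line.
ALLOW_FILE = """\
# numbers taken from the quoted post
1234567
7654321

2343243
2343423
"""

# The two pattern shapes shown in the quoted post (without the / delimiters).
PAGE_ALTERNATION = r"1234567|7654321|2343243|2343423"
PAGE_PREFIX = r"^123(111|222|333|444|555)"


def load_numbers(text):
    """Parse an allow list: skip blanks and # comments, accept digits only."""
    numbers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not re.fullmatch(r"[0-9]+", line):
            raise ValueError(f"line {lineno}: not a phone number: {line!r}")
        numbers.append(line)
    return numbers


def exact_match_pattern(numbers):
    """Build one regexp that matches only a whole listed number."""
    if not numbers:
        # An empty alternation would match the empty string.
        raise ValueError("refusing to build a pattern from an empty list")
    body = "|".join(re.escape(n) for n in sorted(set(numbers)))
    return re.compile(r"\A(?:" + body + r")\Z")


def matches(pattern, calling_station_id):
    """Unanchored search, the semantics assumed for a /regexp/ check item."""
    if isinstance(pattern, str):
        pattern = re.compile(pattern)
    return pattern.search(calling_station_id) is not None


EXACT = exact_match_pattern(load_numbers(ALLOW_FILE))


def audit(candidates):
    """Map each candidate to (alternation result, exact-match result)."""
    return {c: (matches(PAGE_ALTERNATION, c), matches(EXACT, c))
            for c in candidates}


if __name__ == "__main__":
    for number, result in audit(["7654321", "0012345679", "5550000"]).items():
        print(number, result)
```
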






Re: Fwd: (RADIATOR) Timeout with Radiator 2.16.1 while accessing Oracle 8.1.6

2000-11-07 Thread daniel . teran






Hello again,

I've downloaded  patches-2.16.3 (updated, thank you very much) and it seems to
look ok by the moment.
My Radiator doesn't die

Thanks again.

Daniel.


Hello Daniel -

Mike has put the patches up in the download area. You will need both radiusd
and SqlDb.pm. Please let us know how you get on.

regards

Hugh







(RADIATOR) Timeout with Radiator 2.16.1 while accessing Oracle 8.1.6

2000-11-06 Thread daniel . teran




Hi,

I'm testing Radiator with SQL (Oracle 8.1.6) and something strange happens.
After accessing DB (with  or ), Radiator dies
and this message appears (in 10 seconds like say sessiondatabase tag below):

timeout at /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 226

###The logfile looks like:


*** Received from 127.0.0.1 port 61711 

Packet length = 79
Code:   Access-Request
Identifier: 66
Authentic:  1234567890123456
Attributes:
 User-Name = "NOVVISPA1"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Framed-IP-Address = 255.255.255.254
 User-Password = "<156>I<234><202><242><132><29><145>#N<222>D9%<208><12>"

Mon Nov  6 12:16:34 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov  6 12:16:34 2000: DEBUG: SDB1 Deleting session for NOVVISPA1,
203.63.154.1, 1234
Mon Nov  6 12:16:34 2000: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='203.63.154.1' and NASPORT=01234

Mon Nov  6 12:16:34 2000: DEBUG: Handling with Radius::AuthFILE
Mon Nov  6 12:16:34 2000: DEBUG: Radius::AuthFILE looks for match with NOVVISPA1
Mon Nov  6 12:16:34 2000: DEBUG: Radius::AuthFILE ACCEPT:
Mon Nov  6 12:16:34 2000: DEBUG: Access accepted for NOVVISPA1
Mon Nov  6 12:16:34 2000: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 61711 
Code:   Access-Accept
Identifier: 66
Authentic:  1234567890123456
Attributes:


#And the config file:



 
  Filename %D/users
 
 SessionDatabase SDB1



  DupInterval 0
 Secret xxx
 StatusServerShowClientDetails



 DBSource  dbi:Oracle:radius
 DBUsername x
 DBAuth x

  AddQuery insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,
ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, DNIS)
values ('%u', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp},
'%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}',
'%{Called-Station-Id}')
 ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
 CountNasSessionsQuery select ACCTSESSIONID from RADONLINE where
NASIDENTIFIER='%N'
 CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE
where USERNAME='%n'
 DeleteQuery delete from RADONLINE where NASIDENTIFIER='%N' and
NASPORT=0%{NAS-Port}
 FailureBackoffTime 15
 Identifier SDB1
 Timeout 10







(RADIATOR) DBType

2000-10-10 Thread daniel


I noticed that radiator 2.15.3 complains if I do not have DBType DB_File
in my AuthBy DBFILE. This is the warning I got.
WARNING: Could not open user database file '/usr/local/radius/users-members.db'
in Radius::AuthDBFILE: No such file or directory 

Is this normal behaviour?  


Daniel Jung

System Administrator InterQ Inc





Re: (RADIATOR) About using Handler

2000-10-06 Thread daniel


Hi Hugh,

I tested regexp and non-regexp part separately and they work fine.
But, when I put them together it doesn't.
 

Here is exact configuration 









and I'm testing with 
radpwtst -secret something -s radiatortest -user pm023345 -password something
-nas_ip_address radiatortest.interq.or.jp -nas_port 12455 
I have radiatortest in my client list and have DefaultRealm set to
test.interq.or.jp

Thanks 

Daniel Jung

System Administrator InterQ Inc

On Fri, 6 Oct 2000, Hugh Irvine wrote:

> 
> Hello Daniel -
> 
> On Fri, 06 Oct 2000, daniel wrote:
> > Hi, 
> > 
> > While using Handler ,
> > 
> >  
> > 
> > 
> > 
> > I try using above Check items in Handler but it didn't work as expected. 
> > Here is what I am trying to do. 
> > 
> > I want to check if the username matches the expression and is from 
> > Certain Realm, use following method. 
> > I expected this work without a problem but instead this Handler is 
> > ignored and goes to . I tried testing without the User-Name check
> > item and it worked. Can you not combine regular expression and non-regular
> > expression in the Handler? 
> > 
> 
> Yes you can mix regexp and non-regexp in the same Handler, but you should test
> the regexp part on its own first to make sure it is doing what you expect.
> 
> hth
> 
> Hugh
> 
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
> 





(RADIATOR) About using Handler

2000-10-06 Thread daniel


Hi, 

While using Handler ,

 



I try using above Check items in Handler but it didn't work as expected. 
Here is what I am trying to do. 

I want to check if the username matches the expression and is from 
Certain Realm, use following method. 
I expected this work without a problem but instead this Handler is 
ignored and goes to . I tried testing without the User-Name check
item and it worked. Can you not combine regular expression and non-regular
expression in the Handler? 

Thanks in advance.


Daniel Jung

System Administrator InterQ Inc







Re: (RADIATOR) Replying to accounting records

2000-10-05 Thread daniel


Just out of curiosity, do you see any performance changes in speed when 
you are using radiators with AuthBy RADIUS?


> Hi,
> 
> I've got a bit of a problem with replies to accounting records, which I'm a
> bit stumped over.
> 
> Basically we implemented a new configuration recently where a Radiator
> server receives accounting requests, and proxies them to another Radiator
> server and then another Radiator server (yes, three Radiators involved).
> Previously the first Radiator server used to deal with the accounting
> requests itself.
> 
> Apparently (I've yet to dig up conclusive logs) the first Radiator server
> used to reply to the accounting packets and include all the attributes that
> were in the original packet and put them in the Accounting-Response packet.
> I'm now currently filtering out the "alive" packets at the second Radiator
> proxy using this handler:
> 
> 
> 
> 
> 
> 
> which is just replying to the "alive" packets.
> 
> The first Radiator proxy used to use the AuthBy FILE method of
> authenticating users before we changed it to an AuthBy RADIUS
> 
> I'm just trying to work out whether this would have spat back all the
> attributes in say, an "alive" packet in the Accounting-Response packet, or
> whether I'm being told the wrong thing by the people that are now missing
> these attributes.
> 
> Hope this makes sense.
> 
> Andrew
> 
> 
> Andrew Pollock  Systems Integrator
> [EMAIL PROTECTED]   http://www.asiaonline.net/
> Phone: +61 2 6267 5610
> Fax:   +61 2 6200 2700
> 
> Asia Online
> 
> 
> 





Re: (RADIATOR) SNMP error

2000-09-29 Thread daniel

No and netstat -a | grep 161 gets nothing. 


On Sat, 30 Sep 2000, Hugh Irvine wrote:

> 
> Hello Daniel -
> 
> On Fri, 29 Sep 2000, daniel wrote:
> > While I was trying to use SNMP, I get the following error
> > 
> > Thu Sep 28 18:40:07 2000: ERR: Could not open SNMP Agent port 161 on
> > 0.0.0.0: Destination addres s required
> > I tried using Bind IP option but still got the same error.
> > 
> 
> Have you got some other process on port 161 already?
> 
> hth
> 
> Hugh
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 
> 
> 
> 





(RADIATOR) Sending account packets only ?

2000-09-29 Thread daniel



Hi,
 
I was wondering if there is a way I can proxy only accounting packets
based on users name using Realm instead of Handler ? 

I'm running 2.16.1 on Solaris 2.7.








(RADIATOR) SNMP error

2000-09-29 Thread daniel


While I was trying to use SNMP, I get the following error

Thu Sep 28 18:40:07 2000: ERR: Could not open SNMP Agent port 161 on
0.0.0.0: Destination addres s required
I tried using Bind IP option but still got the same error.

I'm using radiator 2.16.1 under Solaris 2.7

Thanks in advance 





(RADIATOR) AuthBy RADIUS

2000-09-29 Thread daniel


Hi, 


I'm testing AuthBy RADIUS and I get the following errors like three
times in a row. After the third restart, the radiusd process just dies.
 

Fri Sep 29 17:27:01 2000: DEBUG: Check if Handler  should be used to
handle this request
Fri Sep 29 17:27:01 2000: DEBUG: Handling request with Handler ''
Fri Sep 29 17:27:01 2000: DEBUG: Rewrote user name to pm067786
Fri Sep 29 17:27:01 2000: DEBUG:  Deleting session for pm067786,
127.0.0.1, 0
Fri Sep 29 17:27:01 2000: DEBUG: Handling with Radius::AuthRADIUS
Fri Sep 29 17:27:02 2000: INFO: Server started: Radiator 2.16.1

Also, is anyone using failover by AuthBy RADIUS? Does it work well?

Thanks in advance 







Re: (RADIATOR) compatability w/Megapop

2000-06-28 Thread Daniel Senie

Camil Samaha wrote:
> 
> Hello,
> 
> We have just installed radiator 2.16.1 on a Windows 2000
> Server and it works like a champ. But we did run into one
> problem. Radiator was ignoring accounting requests coming
> from MegaPOP radius servers and was logging "Bad
> authenticator in request" messages. We first made sure that
> the shared secrets were correct and then added the
> IgnoreAcctSignature parameter. That worked fine and radiator
> started accepting the accounting requests.
> 
> But the problem is that it does not appear that the remote
> megapop servers are recognizing the accounting replies.
> Radiator is sending the replies (according to the logs) but
> the remote server keeps on resending the requests until it
> gives up. That adds several duplicate accounting records to
> our database (w/ different AcctDelayTime values). I just
> received an email from Megapop support staff claiming that
> they have seen this behavior with Radiator running on NT or
> 2000. They use RADIUS 2.1. Has anyone else run across this?
> Is there a patch or fix? Any suggestions are welcome.

I ran into this same set of symptoms working with Radiator and an Ascend
NAS. The problem did turn out to be incorrect shared secrets, even
though I was sure previously I didn't have that problem.

The IgnoreAcctSignature is NOT a good solution to your problem, as
messages sent back to the NAS are not recognized. Unless there's a way
to make the NAS (or MegaPOP in this case) also ignore the accounting
signature, it's not going to work. Obviously, they're not going to want
to turn off those signatures, either.

My suggestion is to recheck the shared secret they have set up for
accounting. It's possible that it is different from the shared secret
for authentication. I recall making sure both secrets were set to the
same value on the NAS, whereupon my problem with this issue went away.

Dan

-- 
-
Daniel Senie                 [EMAIL PROTECTED]
Amaranth Networks Inc.       http://www.amaranth.com
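
An added example, not part of the thread and not Radiator code: it computes the RFC 2866 Accounting-Request and Accounting-Response authenticators and runs the exchange described in the reply above with matching and mismatched shared secrets. The `ignore_acct_signature` flag is an assumed model of `IgnoreAcctSignature` (skip the request check only); the secrets and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ZERO_AUTH = b"\x00" * 16


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(identifier, attrs, secret):
    """NAS side: authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs


def request_is_valid(packet, secret):
    """Server side: recompute the request authenticator with the server's secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_acct_response(request, secret, attrs=b""):
    """Server side: authenticator = MD5(header + request auth + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def response_is_valid(response, request, secret):
    """NAS side: the reply must be signed with the secret the NAS holds."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    if header[0] != ACCOUNTING_RESPONSE or header[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def exchange(nas_secret, server_secret, ignore_acct_signature=False):
    """Return (server_processed_request, nas_accepted_reply) for one Start record."""
    attrs = (encode_attr(1, b"user1")                    # User-Name
             + encode_attr(40, struct.pack("!I", 1))     # Acct-Status-Type = Start
             + encode_attr(44, b"4258"))                 # Acct-Session-Id
    request = build_acct_request(9, attrs, nas_secret)
    if not request_is_valid(request, server_secret) and not ignore_acct_signature:
        return (False, False)   # logged as a bad authenticator, no reply sent
    response = build_acct_response(request, server_secret)
    return (True, response_is_valid(response, request, nas_secret))


if __name__ == "__main__":
    print("matching secrets:        ", exchange(b"s3cret", b"s3cret"))
    print("mismatch:                ", exchange(b"nas-secret", b"srv-secret"))
    print("mismatch, check skipped: ", exchange(b"nas-secret", b"srv-secret", True))
```

With the check skipped the server stores the record, but the NAS discards the reply and retransmits, which matches the duplicate accounting rows reported in the quoted message.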




Re: [(RADIATOR) Multithreaded radiator.]

2000-06-12 Thread Daniel Senie

Robin Gruyters wrote:
> 
> On Mon, Jun 12, 2000 at 01:03:41PM -0400, Dave Kitabjian wrote:
> > Thanks, all, for your suggestions.
> >
> > This looks like it will be exactly what we need. Only problem is, I
> > can't get it to work. The only difference I see is that we are using
> > ports 1812/1813, not 1645/1646.
> >
> > I changed my config file to:
> >   AuthPort 1812
> >   AcctPort
> >
> > Then I HUPped radiator. According to the logfile, it did, indeed, appear
> > to ignore accounting requests. However, it showed the following in the
> > log file right after the HUP:
> >
> >   Mon Jun 12 12:47:43 2000: WARNING: Unknown service name
> >
> > Furthermore, when I attempt to start a second instance of Radiator with:
> >   AuthPort
> >   AcctPort 1813
> >
> > it fails to start with a message:
> >
> >   # perl /usr/bin/radiusd -config_file /usr/nc_acct.cfg
> > Could not bind accounting socket: Address already in use at
> > /usr/bin/radiusd line 386.
> >
> > Can someone offer further assistance? This IS supposed to work on the
> > same server, correct? Do I need to wait a while for the Accounting port
> > to free up?
> >
> > Thanks.
> >
> > Dave
> What i had found out is that you can't HUP it. you have to kill the process to
> get the correct port binds working...
> 
> (kill -9  && /usr/bin/radiusd -config_file 
>/usr/nc_acct.cfg)

In general, ALWAYS try kill without the -9 on ANY program. Give the
program a chance to gracefully catch a shutdown signal and clean up. If
you do a kill -9, programs can wind up leaving data files mangled.

I've most often used Radiator set up to run from inittab. In that
config, to restart it, you just do a kill on the radiusd, and it
reappears automatically thanks to inittab.


-- 
-
Daniel Senie                 [EMAIL PROTECTED]
Amaranth Networks Inc.       http://www.amaranth.com




Re: (RADIATOR) trying to use hooks getProfiles

2000-06-01 Thread Daniel Senie

John Hough wrote:
> 
> Hello,
> 
> Our main need for this revolves around the following attributes.
> 
> For the Tigris
> 
> ACC-Ip-Pool-Name=""
> ACC-DNS-Server-Pri=xxx.xxx.xxx.xxx
> ACC-DNS-Server-Sec=xxx.xxx.xxx.xxx
> 
> For the Ascend
> 
> Ascend-Assign-IP-Pool=xx
> Ascend-Client-Primary-DNS=xxx.xxx.xxx.xxx
> Ascend-Client-Secondary-DNS=xxx.xxx.xxx.xxx
> 
> My original thought was to put both of them into the user profile and then
> strip out the other vendor's attribute from the reply.  If it was going to
> the Tigris strip everything out starting with Ascend, and to the Ascend
> strip everything out starting with ACC.  This way it would be portable, and
> if we mixed up our equipment even more it would be replicatable..

hi John, et. al.,

The Profiles stuff started out from a request from one of my clients.
For their project, we needed a way to specify sets of attributes for
user groups, and at the same time had a need to support several NAS
types.

The ultimate form of the new profile mechanism permits this, and does it
in a rather elegant way. Using the Identifier tags in clients, we were
able to clearly identify groups of NAS servers (both types, and
wholesale dialup vendors).

The profile tags on the user accounts permit differing actions for
different users. For example, a user who hasn't paid can be retagged
with a different profile (e.g. "notpaid") and filters can be added to
the attributes sent to the NAS so the user can ONLY access the ISP's
website to do something about their non-payment. There are lots of other
uses (my client has many user groups, each defined to get different
things).

For your simpler case, you should be able to define a pseudo-attribute
for Profile set equal to "dialup", then use the ProfileDefs stuff to
select among NAS types. While this wastes half the power of the feature,
it sets you up well for using the other part (storing profile names in
the user database) should you ever get to the point where you need that.

My client generously agreed to allow the custom changes made for them to
be made available to all. This was the largest, but not the only, piece
donated back to the Radiator effort after the project completed.

As a result of the project, we have two servers running Linux which
serve a user base of almost a million subscribers, with something like 4
million authentication transactions a day. The new servers replaced
servers running another, less-flexible Radius product.

> -Original Message-
> From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 01, 2000 12:17 AM
> To: John Hough
> Cc: Jeremy C. Reed; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) trying to use hooks getProfiles
> 
> Hello John, 'lo Jeremy -
> 
> On Thu, 01 Jun 2000, John Hough wrote:
> > Hugh,
> >
> > Back several months ago we had this same discussion and I passed our
> > emails on to Jeremy (He works for me).  Our configuration has several
> > hundred realms on a centralized Radius server, we support local
> > authentication via flat file and proxying the radius request to remote
> > servers for some of our dealers.  In this scenario would your
> > recommendation still apply or is it back to the  tag as in the
> > emails that we had discussed this.  Being able to support several
> > different NAS devices is appealing to us, especially if we can provide
> > support for their Vendor attributes as needed based on where the request
> > is coming from..
> >
> 
> If you want to return different attributes to different types of NAS
> equipment,
> then using the Client Identifier tag is a good way of doing it. As mentioned
> previously, the example getProfile/replaceProfile hooks were developed for a
> specific purpose, and that was to translate a per-user symbolic Profile name
> to
> a per-NAS-specific set of attributes.
> 
> In your scenario above, it is not clear to me how you intend to supply the
> per-user Profile name if you want to use the example hooks directly. And in
> any
> case, it may very well be that you will need to come up with a different
> approach and develop hooks of your own to address your own requirements.
> 
> Perhaps you can clarify your requirements?
> 
> thanks
> 
> Hugh
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
> 

Re: (RADIATOR) return different attributes per NAS

2000-05-11 Thread Daniel Senie

"Jeremy C. Reed" wrote:
> 
> Can anyone give me any pointers on setting up Radiator so that it will
> return different vendor specific information per NAS?
> 
> Or maybe on stripping atributes that aren't required (or conflict) for a
> NAS?
> 
> (We are trying to use both Tigris and TNT.)

For one of my clients, a new custom set of extensions were added to
Radiator. These extensions create the concept of a profile. A profile is
simply a text string identifier. During this development I asked OSC to
add a Client Identifier as well. The combination of the profile and
client identifier selects the set of attributes returned to the user.

I designed this system in this way because my client uses dialup
services from multiple vendors. Some of those vendors use Ascend, others
use other types. Since packet filtering options were a key requirement
for my client, and since the attributes for that facility are
per-vendor, we needed a good way to solve this problem.

The changes and extensions made were graciously donated by my client
back to OSC to be made available for other users to enjoy.

The mechanisms may not line up exactly with your needs, but from what
you've said so far, they may well line up quite well. Might want to
check them out.

-- 
-----
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Coordinating multiple radiator instances

2000-04-07 Thread Daniel Senie

Dave Kitabjian wrote:
> 
> We will be bringing a couple more Radiators online to work in parallel
> to our main one. I could use some guidance here:
> 
> 1) logfile - Since they all write atomically, could they all share the
> same logfile if it resides on a common NFS volume? Is there a non-NFS
> way to do this?

Explore using syslog to do the logging from Radiator. Syslog is designed
to do the type of multi-system/cross-system logging you're asking about.
Be sure you enable the syslog daemon on the receiving system to listen
on the syslog port for incoming data (newer systems ship with this
disabled, since folks were causing DoS attacks by flooding people's
syslog daemons. Be sure you've firewalled your logging server from the
outside world!).

> 
> 2) SessionDatabase - To have them all share the same SessionDatabase
> (which is the only useful scenario, right?), the DB would also have to
> sit on something in common like NFS? Other options?

A shared SQL server would do nicely.

> 
> I believe my boss will not want the NFS option because it will create a
> single point-of-failure, defeating much of our purpose behind having
> multiple servers. Any comments?

I recommend against NFS in general, as file locking and contention
issues have been problematic in cases. Using Syslog for logging, and
SQLNet or similar for your session database will help.

Sooner or later, you'll need to have a common authentication database.
That might be replicated across servers, or on a common server. Same
goes for logging and session database.

A common way to deal with the issues is to use simple servers to run
Radiator (i.e. CPU, memory, some disk), then have a beefier machine for
your database (perhaps multiple processors, RAID array, etc.).

-- 
-----
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com




Re: (RADIATOR) advice requested on high availability configuration

2000-04-07 Thread Daniel Senie

Jay West wrote:
> 
> Hugh wrote...
> > I would be inclined to put a UDP redirector in front of your Radiator hosts to
> > transparently handle any number of hosts at a single IP address.
> 
> No problem, basically the cisco can do this - on later releases of IOS you
> can specify load balancing between multiple radius hosts.

If you're dealing with a single (or small number) of privately owned NAS
boxes, doing the load balancing work in the NAS boxes works. When you
get to the point of using dialup wholesalers, the stand-alone load
balancers which can spread UDP traffic to multiple hosts become an
interesting solution.

> 
> > Then I would
> > put my SQL database on a dual-port RAID box and have both servers access the
> > same database. I would also have a single session database for multiple logon
> > restriction.
> 
> This is a major no-no for high availability. It's a glaring single point of
> failure. We're hard over on not having any single points of failure,
> especially with our authentication services. It's true that having a single
> sql box with two separate dual channel controller cards going to drives that
> mirror from one controller to the other is a good thing. But there are more
> frequent problems that can be encountered than disk/controller failures.
> Someone pulls an ethernet cable. The video card or motherboard dies causing
> the system to die, the OS crashes, etc. There just has to be a better way of
> handling the back end.

You've got a few choices here.

1. Buy a fault tolerant box, such as Stratus Computer. No single points
of failure.

2. Build based on clustered technology: multiple servers, multiported
RAID arrays. Expensive, but workable.

3. Replicate your databases. Keep one server as a master, and clone out
your database to other servers.

> 
> > And no, there are no problems with multiple radiator machines querying a single
> > database.
> 
> What I meant by that last question was slightly different. Here's what I was
> thinking. Set the cisco to do round-robin between the two different radius
> servers - thus load balancing. Each subsequent aaa request would go to the
> other radius server. Both radius servers would be configured to try one sql
> database (on sql machine1) and then another sql database (on sql machine2).
> This would be accomplished I believe in the radius config file. I seem to
> recall seeing that the radius config file can contain multiple authbySQL's
> (or in my case multiple authbyRADMIN's) for a single realm and thus radius
> would try one and then the next. If it didn't get a response from one, it
> would start using the other one until it didn't get a response from that one
> and then would move back to the first. At least, I seem to remember it being
> documented that way - I haven't tried it. This would seem to solve all my
> problems except I have two concerns. First, would it not be possible that
> one of the sql machines might go down, and one of the radius servers sees it
> so it switches to the other sql machine. Then say the failed sql machine was
> only down a split second and came back up before the next radius server
> tried to authenticate. Then you would have each radius machine talking to
> two different sql servers. This isn't that bad except for two items - I
> suspect your "users online" database would be messed up, and if you were
> trying to do simultaneous login checking it would be REALLY messed up. There
> are other scenarios I can think of that would cause the two radius machines
> to each be looking at a different sql server.
> 
> I can't seem to get my head around this problem - but there just has to be a
> way :) Any advice is most appreciated!
> 
> Jay West
> 


-- 
-
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com

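The split that Jay West describes in the quoted message above, where two RADIUS servers each fail over between two SQL servers on their own, can be reproduced in a short simulation. This is an added example, not code from the thread or from Radiator; the class names, the `shared_view` switch (an assumed mitigation in which both servers agree on one active database) and the sample user are constructed for illustration.

```python
# Constructed simulation: two RADIUS front ends, each with its own sticky
# failover between two SQL session databases (all names are hypothetical).

class SessionDB:
    def __init__(self, name):
        self.name = name
        self.up = True
        self.sessions = {}          # username -> count of active sessions

class RadiusFrontEnd:
    """Uses its current database and only moves on when that one is down."""
    def __init__(self, name, databases):
        self.name = name
        self.databases = databases
        self.current = 0            # index of the database in use

    def _db(self):
        for _ in self.databases:
            db = self.databases[self.current]
            if db.up:
                return db
            self.current = (self.current + 1) % len(self.databases)
        raise RuntimeError("no session database reachable")

    def login(self, user, max_sessions=1):
        db = self._db()
        if db.sessions.get(user, 0) >= max_sessions:
            return "Access-Reject"  # simultaneous-use limit enforced
        db.sessions[user] = db.sessions.get(user, 0) + 1
        return "Access-Accept"

def run_scenario(shared_view):
    sql1, sql2 = SessionDB("sql1"), SessionDB("sql2")
    rad_a = RadiusFrontEnd("radA", [sql1, sql2])
    rad_b = RadiusFrontEnd("radB", [sql1, sql2])
    sql1.up = False                 # sql1 drops for a moment ...
    first = rad_a.login("alice")    # ... so radA fails over to sql2
    sql1.up = True                  # sql1 is back before radB's next request
    if shared_view:                 # assumed mitigation: one agreed active DB
        rad_b.current = rad_a.current
    second = rad_b.login("alice")   # round-robin sends this request to radB
    diverged = rad_a.current != rad_b.current
    return first, second, diverged

if __name__ == "__main__":
    print("independent failover:", run_scenario(shared_view=False))
    print("agreed active database:", run_scenario(shared_view=True))
```

With independent failover the second login is accepted because each front end consults a different session table, so the one-session limit is never seen as exceeded.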



Re: (RADIATOR) Spam email via Radiator list?

2000-04-06 Thread Daniel Senie

Rather than setting majordomo in the way you suggest, I would like to
see it set up as I set lists I host and manage... namely a requirement
that only those who are subscribed to the list are able to post to the
list. I can supply configuration details for that capability. At times
it presents a few issues, but I've had zero spam on the lists I manage.
Folks have tried to post spam, but it doesn't go through.

Dan

-- 
-----
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com




Re: (RADIATOR) assigning fixed ip

2000-04-05 Thread Daniel Senie

Froilan Mendoza wrote:
> 
> Hello.
> 
> How can one assign a specific IP address to a specific username.  I
> already did this to the users file:
> 
> username Password="mypass"
> Framed-Protocol = PPP,
> Framed-IP-Address = 192.168.0.1
> ...
> ...
> 
> I still however can't get this IP when trying to dialup

You need to check your NAS configs. Also, be sure to send Framed-Netmask
or Framed-IP-Netmask (whichever is in your dictionary) set to
255.255.255.255, at least if it's an Ascend. They populate host routes
for every dialup user in the routing table of the NAS. If the netmask is
wrong, the box gets confused.

-- 
-----
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com




(RADIATOR) Radius Dropping realms

2000-03-20 Thread Daniel Morgan

I've seen a problem where radius will just stop authenticating a single
realm. Once I restart radius, the realm will authenticate. Anyone know of a
fix for this problem?

Dan Morgan





Re: (RADIATOR) newbie questions

2000-03-18 Thread Daniel Senie

Brian Keefe wrote:
> 
> #1. Does Radius support returning an IP address to the NAS to limit where a
> dialup client can go?

Radius itself will send attributes to the NAS. Depending on NAS type,
the Ascend-Data-Filter attribute will permit you to set up filters in
the NAS to limit the dialup users to specific destination IP addresses
and ports.

> 
> #2. If #1 is true, can Radius return a url rather than an IP address?

Don't think so. You'd be programming the NAS, which would have to
understand addresses, not services.

> 
> #3. If we want to limit how much time a client is allowed to be connected,
> do we tell the NAS once or does the Radius server have to perform a callback
> to the NAS after the timeperiod is up?

You can specify the timeouts. If you're working with your own NAS,
you'll find the attribute information for your NAS in the documentation.
If you're interfacing to a dialup wholesaler, ask them for details on
what attributes should be used for the NAS boxes they use.

Dan

-- 
-----
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranth.com




(RADIATOR) AcctSessionTime Overflow.

2000-03-09 Thread Daniel Morgan

Sifting through the account records for last month I noticed that in some
instances the AcctSessionTime is abnormally large (2 years). There is no
consistency with what NAS generates these extremely large numbers. Could
anyone enlighten me with what may be going on?

Dan Morgan
Senior Programmer
Rocky Mountain Communications
[EMAIL PROTECTED]






(RADIATOR) Re: IMPORTANT - Re: Logging to Syslog

2000-01-18 Thread Daniel Senie

Well, it was a good try...

However, the -r has been on all along to allow logging the syslog output
of the MAX6000. Since I work with RedHat a lot (and with routers or
other devices near it) I was well aware of the -r switch.

I also use ipchains (ip firewall filtering) in the server. I do permit
ALL traffic from the loopback address (which is, I assume, what the
Syslog library would be using) and syslog specifically from the MAX 6000.
I will turn on an explicit filter to allow syslog from the local IP
address, too, just to be sure.

Dan


Hugh Irvine wrote:
> 
> Hello Dan -
> 
> On Thu, 23 Dec 1999, Daniel Senie wrote:
> > Hugh Irvine wrote:
> > >
> > > Hello Dan -
> > >
> > > On Mon, 20 Dec 1999, Daniel Senie wrote:
> > > > I have the following in my radius.cfg:
> > > >
> > > > 
> > > >   Facility local1
> > > >   Trace 4
> > > > 
> > > >
> > > > Nothing gets logged.
> > > >
> > >
> > > Check your syslog.conf to make sure you have a local1 defined.
> > >
> >
> > From syslog.conf file. Note that the MAX6000 stuff comes through just
> > fine.
> >
> > local0.*        /var/log/max6000
> > local1.*        /var/log/rad
> >
> 
> Well, after a remarkable amount of messing around, we have discovered what is
> going on (thanks Mike!). Here is the entry from the FAQ:
> 
> 66. Why doesn't my syslog logging from Radiator work on Red Hat 6.1 and similar
>     platforms?
> 
>     Recent versions of Linux syslogd do not by default listen to the UDP port
>     that the Perl Sys::Syslog module uses. In order to let Radiator and other
>     Perl sysloggers work, you need to restart syslogd with the -r flag.
> 
> hth
> 
> Hugh
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody


-- 
-
Daniel Senie  [EMAIL PROTECTED]
Amaranth Networks Inc.  http://www.amaranthnetworks.com

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.