Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups

1999-06-10 Thread James H. Thompson

Your FAQ at: http://www.open.com.au/radiator/faq.html#1

says:
1. Is there a mailing list archive?
Yes, here, with thanks to the courtesy of Richard Uren. 

The "here" hyperlink is broken, it's written as:
 http://www.thesite.com.au/~radiator/>here, 
with thanks to the courtesy of Richard Uren.

should be:
 http://www.thesite.com.au/~radiator/>here, 
with thanks to the courtesy of Richard Uren.


Jim
[EMAIL PROTECTED]


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups

1999-06-10 Thread Mike McCauley

Hi Oliver.

There are a number of problems with your config that are causing it to not
produce the result you expect:

1. You have your Session-Timeout=30 as a check item. It should be a reply item
(it's something that gets sent back to the NAS, if the user auths OK)
2. You are using AuthByPolicy ContinueUntilAccept. That means that as soon as
your AuthBy UNIX succeeds, Radiator will not continue on to look at your AuthBy
FILE clauses.

I would suggest instead that you use something like this:


RewriteUsername s/^([^@]+).*/$1/
AcctLogFileName %L/detail
AuthByPolicy ContinueUntilAccept

# As you have it already, so it doesn't do auth



Filename xyzzy



# This is used to authenticate when you have Auth-Type=System

Identifier System


and in your xyzzy file:

DEFAULT AuthType=System,Group=nodup,Simultaneous-Use=1
    Session-Timeout=30


The result of this should be:

1. for authentication, SQL will do nothing, it will then hit FILE, which will
then auth them with UNIX (and will check their password, group and sim-use
limit). If UNIX auths them OK, it will add the Session-Timeout and accept them

2. For accounting it will hit SQL, save the accounting data and acknowledge
immediately.

Hope that helps.

Cheers.


On Jun 10,  4:28pm, O Stockhammer wrote:
> Subject: Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
>
>
> I am having problems with this.  The problem is that we are using  SQL> for accounting only and  for the actual authentication,
> followed by a  for secondary authentication. I am using an
> AuthByPolicy of ContinueUntilAccept and have all the AuthBy's in one realm
> called DEFAULT.
>
> I tried to use your method below in a number of configurations and
> although it does seem to be going from the "xyzzy" file to the AuthBy Unix
> file, it is not applying any of the group permissions to particular group
> members.  I am having quite a bit of difficulty testing this, and have
> been using both Simulateous-Use=1 and Session-Timeout=30.
>
> What we want is to be able to set different permissions for particular
> members of different groups.  At the same time, we must be able to
> use mySQL accounting.  I do not know if all this is possible.  I am
> attaching our radius.cfg file again.  This is including our current
> configuration without the new  clause you told me to insert
> below.  I am still a little unclear as to where to put the new  FILE> clause and the .  Also, I will attach the rudimentary
> "xyzzy" file that I was using?  Am I missing anything?
>
> Oliver Stockhammer
> Systems
> Internet Channel
>
> On Wed, 9 Jun 1999, Mike McCauley wrote:
>
> > Hello Oliver.
> >
> > It's very difficult to distinguish between Unix groups of users using Handlers
> > or Realm. Handler and realm only have the attributes of the incoming request to
> > work with. I think the right answer for you is to set up a users file that
> > authenticates through Unix, and uses check and reply items for each group.
> > Something like this:
> >
> > 
> > 
> > Filename xyzzy
> > 
> > 
> >
> > # This one is used by AuthType=System
> > 
> > Identifier System
> > Filename /etc/passwd
> > GroupFilename /etc/group
> > 
> >
> > And in the users file xyzzy:
> >
> > # Limit of 5 sim-use to anyone in group1
> > DEFAULT AuthType=System,Group=group1,Simultaneous-Use=5
> >
> > # Limit of 2 sim-use for anyone in group2
> > DEFAULT AuthType=System,Group=group2,Simultaneous-Use=2
> >
> > etc
> >
> > Hope that helps.
> >
> > Cheers.
> >
> >
> > On Jun 8, 10:59am, O Stockhammer wrote:
> > > Subject: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
> > >
> > >
> > > Hello,
> > >   With the flexibility of radiator, I wanted to know if you
> > > suggested a method of implementing different session characteristics for
> > > different unix group members.  I know we have to use 'check items' but I
> > > am unsure of how to insert them in the cfg file.
> > >   For example,  we would like to use the 'maxsessions 1' for the
> > > 'nodup' unix group, while everyone else coming in should be set to
> > > 'maxsessions 5'.  I am hoping to implement this in the radius.cfg file
> > > using something like a  tag.  I am just unsure as to where this
> > > info should go in the actual file.
> > >   I have attached part of my current (rudimentary) radius.cfg file.
> > > The way we are setup is t
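
The two problems listed in the 1999-06-10 reply above, worked through in a small Python model (an added example, not Radiator code and not from either poster): Session-Timeout as a check item versus a reply item, and AuthBy UNIX accepting before AuthBy FILE is reached under ContinueUntilAccept. The user table, the passwords and the rule that an ordinary check item must equal an attribute of the incoming request are assumptions of the model.

```python
# Simplified model of the behaviour discussed in the thread; not Radiator code.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"
# Constructed sample data standing in for master.passwd and group.
UNIX = {"alice": ("pw1", {"nodup"}), "bob": ("pw2", {"staff"})}

def auth_sql(req, reply, sessions):
    """AuthBy SQL with an empty AuthSelect: plays no part in authentication."""
    return IGNORE

def auth_unix(req, reply, sessions):
    """AuthBy UNIX: password check only, adds no reply items."""
    entry = UNIX.get(req["User-Name"])
    return ACCEPT if entry and entry[0] == req["User-Password"] else REJECT

def check(name, value, req, sessions):
    user = req["User-Name"]
    if name == "Auth-Type":            # hand the password check to UNIX
        return auth_unix(req, {}, sessions) == ACCEPT
    if name == "Group":
        return user in UNIX and value in UNIX[user][1]
    if name == "Simultaneous-Use":
        return sessions.get(user, 0) < int(value)
    # Assumption: any other check item must equal an attribute of the request.
    return req.get(name) == value

def auth_file(entries):
    """AuthBy FILE over DEFAULT entries given as (check_items, reply_items)."""
    def handler(req, reply, sessions):
        for checks, replies in entries:
            if all(check(k, v, req, sessions) for k, v in checks.items()):
                reply.update(replies)  # reply items are sent only on success
                return ACCEPT
        return REJECT
    return handler

def run(chain, req, sessions=None):
    """AuthByPolicy ContinueUntilAccept: stop at the first AuthBy that accepts."""
    reply, result = {}, IGNORE
    for auth in chain:
        result = auth(req, reply, sessions or {})
        if result == ACCEPT:
            break
    return result, reply

REQ = {"User-Name": "alice", "User-Password": "pw1"}  # constructed request
AS_CHECK = auth_file([({"Auth-Type": "System", "Group": "nodup",
                        "Simultaneous-Use": "1", "Session-Timeout": "30"}, {})])
AS_REPLY = auth_file([({"Auth-Type": "System", "Group": "nodup",
                        "Simultaneous-Use": "1"}, {"Session-Timeout": "30"})])
```

`run([auth_sql, auth_unix, AS_REPLY], REQ)` accepts with an empty reply because UNIX answers first, and `run([auth_sql, AS_CHECK], REQ)` rejects because the request carries no Session-Timeout. `run([auth_sql, AS_REPLY], REQ)` accepts and returns Session-Timeout in the reply.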

Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups

1999-06-10 Thread O Stockhammer


I am having problems with this.  The problem is that we are using  for accounting only and  for the actual authentication, 
followed by a  for secondary authentication. I am using an
AuthByPolicy of ContinueUntilAccept and have all the AuthBy's in one realm
called DEFAULT.

I tried to use your method below in a number of configurations and
although it does seem to be going from the "xyzzy" file to the AuthBy Unix
file, it is not applying any of the group permissions to particular group
members.  I am having quite a bit of difficulty testing this, and have
been using both Simulateous-Use=1 and Session-Timeout=30.

What we want is to be able to set different permissions for particular
members of different groups.  At the same time, we must be able to 
use mySQL accounting.  I do not know if all this is possible.  I am
attaching our radius.cfg file again.  This is including our current
configuration without the new  clause you told me to insert
below.  I am still a little unclear as to where to put the new  clause and the .  Also, I will attach the rudimentary
"xyzzy" file that I was using?  Am I missing anything?

Oliver Stockhammer
Systems
Internet Channel

On Wed, 9 Jun 1999, Mike McCauley wrote:

> Hello Oliver.
> 
> It's very difficult to distinguish between Unix groups of users using Handlers
> or Realm. Handler and realm only have the attributes of the incoming request to
> work with. I think the right answer for you is to set up a users file that
> authenticates through Unix, and uses check and reply items for each group.
> Something like this:
> 
> 
>   
>   Filename xyzzy
>   
> 
> 
> # This one is used by AuthType=System
> 
>   Identifier System
>   Filename /etc/passwd
>   GroupFilename /etc/group
> 
> 
> And in the users file xyzzy:
> 
> # Limit of 5 sim-use to anyone in group1
> DEFAULT AuthType=System,Group=group1,Simultaneous-Use=5
> 
> # Limit of 2 sim-use for anyone in group2
> DEFAULT AuthType=System,Group=group2,Simultaneous-Use=2
> 
> etc
> 
> Hope that helps.
> 
> Cheers.
> 
> 
> On Jun 8, 10:59am, O Stockhammer wrote:
> > Subject: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
> >
> >
> > Hello,
> > With the flexibility of radiator, I wanted to know if you
> > suggested a method of implementing different session characteristics for
> > different unix group members.  I know we have to use 'check items' but I
> > am unsure of how to insert them in the cfg file.
> > For example,  we would like to use the 'maxsessions 1' for the
> > 'nodup' unix group, while everyone else coming in should be set to
> > 'maxsessions 5'.  I am hoping to implement this in the radius.cfg file
> > using something like a  tag.  I am just unsure as to where this
> > info should go in the actual file.
> > I have attached part of my current (rudimentary) radius.cfg file.
> > The way we are setup is to have all accounting go to mySQL and
> > authentication first goes off of a UNIX master.passwd file and then to a
> > users file.  Ipass will be a future consideration.
> > Thanks for your help.
> >
> > Oliver Stockhammer
> > Systems
> > Internet Channel
> >
> > [ Attachment (text/plain): "radius.cfg.partial" 6571 bytes
> >   Character set: US-ASCII
> >   Partial radius.cfg
> >   Encoded with "base64" ]
> >-- End of excerpt from O Stockhammer
> 
> 
> 
> -- 
> Mike McCauley   [EMAIL PROTECTED]
> Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985   Fax   +61 3 9598-0955
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
> NT, Rhapsody
> 


LogStdout
PidFile /var/log/radius/radiator.pid
LogDir /var/log/radius
DbDir /usr/local/etc/radiusDB

#SnmpgetProg /usr/bin/snmpget

# This clause defines a single client to listen to

Secret  
NasType TotalControl


# This is one of the USR racks at oldslip for accting only.

Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



  

Re: (RADIATOR) (Radiator) Setting up radius.cfg for Groups

1999-06-08 Thread Mike McCauley

Hello Oliver.

It's very difficult to distinguish between Unix groups of users using Handlers
or Realm. Handler and realm only have the attributes of the incoming request to
work with. I think the right answer for you is to set up a users file that
authenticates through Unix, and uses check and reply items for each group.
Something like this:



Filename xyzzy



# This one is used by AuthType=System

Identifier System
Filename /etc/passwd
GroupFilename /etc/group


And in the users file xyzzy:

# Limit of 5 sim-use to anyone in group1
DEFAULT AuthType=System,Group=group1,Simultaneous-Use=5

# Limit of 2 sim-use for anyone in group2
DEFAULT AuthType=System,Group=group2,Simultaneous-Use=2

etc

Hope that helps.

Cheers.


On Jun 8, 10:59am, O Stockhammer wrote:
> Subject: (RADIATOR) (Radiator) Setting up radius.cfg for Groups
>
>
> Hello,
>   With the flexibility of radiator, I wanted to know if you
> suggested a method of implementing different session characteristics for
> different unix group members.  I know we have to use 'check items' but I
> am unsure of how to insert them in the cfg file.
>   For example,  we would like to use the 'maxsessions 1' for the
> 'nodup' unix group, while everyone else coming in should be set to
> 'maxsessions 5'.  I am hoping to implement this in the radius.cfg file
> using something like a  tag.  I am just unsure as to where this
> info should go in the actual file.
>   I have attached part of my current (rudimentary) radius.cfg file.
> The way we are setup is to have all accounting go to mySQL and
> authentication first goes off of a UNIX master.passwd file and then to a
> users file.  Ipass will be a future consideration.
>   Thanks for your help.
>
> Oliver Stockhammer
> Systems
> Internet Channel
>
> [ Attachment (text/plain): "radius.cfg.partial" 6571 bytes
>   Character set: US-ASCII
>   Partial radius.cfg
>   Encoded with "base64" ]
>-- End of excerpt from O Stockhammer



-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody



(RADIATOR) (Radiator) Setting up radius.cfg for Groups

1999-06-08 Thread O Stockhammer


Hello,
With the flexibility of radiator, I wanted to know if you
suggested a method of implementing different session characteristics for
different unix group members.  I know we have to use 'check items' but I
am unsure of how to insert them in the cfg file. 
For example,  we would like to use the 'maxsessions 1' for the
'nodup' unix group, while everyone else coming in should be set to
'maxsessions 5'.  I am hoping to implement this in the radius.cfg file
using something like a  tag.  I am just unsure as to where this
info should go in the actual file.
I have attached part of my current (rudimentary) radius.cfg file.
The way we are setup is to have all accounting go to mySQL and
authentication first goes off of a UNIX master.passwd file and then to a
users file.  Ipass will be a future consideration. 
Thanks for your help.  

Oliver Stockhammer 
Systems
Internet Channel


LogStdout
PidFile /var/log/radius/radiator.pid
LogDir /var/log/radius
DbDir /usr/local/etc/radiusDB

#SnmpgetProg /usr/bin/snmpget

# This clause defines a single client to listen to

Secret  
NasType TotalControl


# This is one of the USR racks at oldslip for accting only.

Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
NasType TotalControl



Secret 
IgnoreAcctSignature
NasType TotalControl


# For testing: this allows us to honour requests from radpwtst 
# on the same host.

Secret mysecret
DupInterval 0



RewriteUsername s/^([^@]+).*/$1/
AcctLogFileName %L/detail
AuthByPolicy ContinueUntilAccept

DBSource dbi:mysql:Radiator
DBUsername  root 
DBAuth  
# an empty AuthSelect turns off auth
AuthSelect  

AccountingTable ACCOUNTING
   AcctColumnDef   USERNAME,User-Name
AcctColumnDef   CLIENT_ID,Client-Id
   AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACTUAL_TIME,Timestamp,integer-date
   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
   AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
   AcctColumnDef   NAS_IDENTIFIER,Client-Id
   AcctColumnDef   NAS_IP_ADDRESS,NAS-IP-Address
   AcctColumnDef   NAS_PORT,NAS-Port,integer
AcctColumnDef   NAS_PORT_TYPE,NAS-Port-Type
AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef   SERVICE_TYPE,Service-Type   
AcctColumnDef   USR_MODEM_TIME,USR-Modem-Training-Time,integer
AcctColumnDef   USR_INTERFACE,USR-Interface-Index,integer
AcctColumnDef   USR_CHASSIS_SLOT,Chassis-Call-Slot,integer
AcctColumnDef   USR_CHASSIS_SPAN,Chassis-Call-Span,integer
AcctColumnDef   USR_CHASSIS_CHANNEL,Chassis-Call-Channel,integer
AcctColumnDef   USR_UNAUTH_TIME,Unauthenticated-Time,integer
AcctColumnDef   CALLING_STATION_ID,Calling-Station-Id
AcctColumnDef   CALLED_STATION_ID,Called-Station-Id
AcctColumnDef   USR_MODULATION_TYPE,Modulation-Type
AcctColumnDef   USR_SMNP_LEVELS,Simplified-MNP-Levels
AcctColumnDef   USR_SimplifiedV42BIS_USAGE,Simplified-V42bis-Usage
AcctColumnDef   USR_CONNECT_SPEED,Connect-Speed
AcctColumnDef   FRAMED_PROTOCOL,Framed-Protocol
AcctColumnDef   FRAMED_IP_ADDRESS,Framed-IP-Address
AcctColumnDef   USR_MP_MRRU,MP-MRRU,integer
AcctColumnDef   ACCTLINKCOUNT,Acct-Link-Count,integer
AcctColumnDef   ACCTMULTISESSION_ID,Acct-Multi-Session-Id 


Identifier System
Filename /usr/local/etc/radiusDB/master.passwd
Match ^([^:]*):([^:]*)  
GroupFilename /usr/local/etc/radiusDB/group


#   The filename defaults to %D/users
Filename %D/users


Filename %D/users1

#   
#   Debug
#