Re: [RADIATOR] Monitor radiator authentication response time
Thanks Heikki. Will let you know.

Rohan

On Thu, Mar 27, 2014 at 2:00 PM, Heikki Vatiainen wrote:

> On 03/27/2014 05:27 AM, rohan.henry @cwjamaica.com wrote:
>
> > We use radlogin radius test tool. It sends auth request using username
> > and password and measures the response time.
> >
> > http://www.iea-software.com/products/radlogin4.cfm
> >
> > But I want to monitor radius response time on Radius server that use NAS
> > Port ID to authenticate users.
>
> Hello Rohan,
>
> is that the NAS-Port-Id attribute, number 87, in the dictionary?
>
> If so, I suggest you create a clause for the monitoring and
> put AddToRequest NAS-Port-Id=something in the Client clause. The
> incoming request from the test tool will be modified to include the said
> attribute and value and the authentication should then succeed.
>
> Please let us know if this solves the problem.
>
> Thanks,
> Heikki

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Monitor radiator authentication response time
On 03/27/2014 05:27 AM, rohan.henry @cwjamaica.com wrote:

> We use radlogin radius test tool. It sends auth request using username
> and password and measures the response time.
>
> http://www.iea-software.com/products/radlogin4.cfm
>
> But I want to monitor radius response time on Radius server that use NAS
> Port ID to authenticate users.

Hello Rohan,

is that the NAS-Port-Id attribute, number 87, in the dictionary?

If so, I suggest you create a clause for the monitoring and put AddToRequest NAS-Port-Id=something in the Client clause. The incoming request from the test tool will be modified to include the said attribute and value and the authentication should then succeed.

Please let us know if this solves the problem.

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Monitor radiator authentication response time
Heikki,

We use radlogin radius test tool. It sends auth request using username and password and measures the response time.

http://www.iea-software.com/products/radlogin4.cfm

But I want to monitor radius response time on Radius server that uses NAS Port ID to authenticate users.

Rohan

On Fri, Mar 21, 2014 at 2:33 PM, Heikki Vatiainen wrote:

> On 03/19/2014 09:21 PM, rohan.henry @cwjamaica.com wrote:
>
> > How can I monitor Radiator's response time when using NAS Port ID
> > instead of username for authentication?
>
> Hello Rohan,
>
> can you describe in more detail how the monitoring is done now?
>
> Thanks,
> Heikki
Re: [RADIATOR] Monitor radiator authentication response time
On 03/19/2014 09:21 PM, rohan.henry @cwjamaica.com wrote:

> How can I monitor Radiator's response time when using NAS Port ID
> instead of username for authentication?

Hello Rohan,

can you describe in more detail how the monitoring is done now?

Thanks,
Heikki

--
Heikki Vatiainen
[RADIATOR] Monitor radiator authentication response time
Hello,

How can I monitor Radiator's response time when using NAS Port ID instead of username for authentication?

Rohan
Re: [RADIATOR] Authentication without check attributes
Hi Heikki,

On 04/10/2012, at 20:48, Heikki Vatiainen wrote:

> On 10/04/2012 11:47 AM, Jesús Rodríguez wrote:
>
>> Is possible to use a value returned in an AuthSelect query in a
>> subsequent ?.
>
> Yes. Instead of using 'check' as the type for AuthColumnDef, use
> 'request'. That will put the retrieved value in the request for later
> use. For the details, please see the reference manual section '5.31.11
> AuthColumnDef'.

This is exactly what I needed, thanks!!

Regards.

>> An example:
>>
>> AuthByPolicy ContinueWhileAccept
>> AddToRequest X-pre-auth-required-result = 1
>>
>> AuthSelect select
>> validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
>> AuthColumnDef 0, X-pre-auth-required-result, check
>>
>> In this case, the AuthSelect would return two values. The first one is used
>> as check value. I would like to get the second returned value and use it in
>> a subsequent within the same clause. Is possible to save
>> the second value in a variable or pseudo-attribute and use it later on?.
>>
>> Thanks and regards.
>>
>> On 27/06/2012, at 13:21, Jesús Rodríguez wrote:
>>
>>> -- Forwarded message --
>>> From: Heikki Vatiainen
>>> Date: Sun, Jun 24, 2012 at 10:59 PM
>>> Subject: Re: [RADIATOR] Authentication without check attributes
>>> To: radiator@open.com.au
>>>
>>> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>>>
>>>> To authenticate a dsl pre-authentication request, i have to use a mysql
>>>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject),
>>>> with no check attributes or other values i can use as check parameters.
>>>>
>>>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>>>
>>> Try something like this:
>>>
>>> AddToRequest X-pre-auth-required-result = 1
>>>
>>> AuthSelect your-mysql-function
>>> AuthColumnDef 0, X-pre-auth-required-result, check
>>> ...
>>> ...
>>>
>>> Here X-pre-auth-required-result is a local pseudo-attribute. You can
>>> name it as you want, but the main thing is it will never come from the
>>> NAS and has a fixed value you can compare against value returned from
>>> MySQL function.
>>>
>>> Thanks,
>>> Heikki
Re: [RADIATOR] Authentication without check attributes
On 10/04/2012 11:47 AM, Jesús Rodríguez wrote:

> Is possible to use a value returned in an AuthSelect query in a
> subsequent ?.

Yes. Instead of using 'check' as the type for AuthColumnDef, use 'request'. That will put the retrieved value in the request for later use. For the details, please see the reference manual section '5.31.11 AuthColumnDef'.

Thanks,
Heikki

> An example:
>
> AuthByPolicy ContinueWhileAccept
> AddToRequest X-pre-auth-required-result = 1
>
> AuthSelect select
> validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
> AuthColumnDef 0, X-pre-auth-required-result, check
>
> In this case, the AuthSelect would return two values. The first one is used
> as check value. I would like to get the second returned value and use it in a
> subsequent within the same clause. Is possible to save the
> second value in a variable or pseudo-attribute and use it later on?.
>
> Thanks and regards.
>
> On 27/06/2012, at 13:21, Jesús Rodríguez wrote:
>
>> -- Forwarded message --
>> From: Heikki Vatiainen
>> Date: Sun, Jun 24, 2012 at 10:59 PM
>> Subject: Re: [RADIATOR] Authentication without check attributes
>> To: radiator@open.com.au
>>
>> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>>
>>> To authenticate a dsl pre-authentication request, i have to use a mysql
>>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject),
>>> with no check attributes or other values i can use as check parameters.
>>>
>>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>>
>> Try something like this:
>>
>> AddToRequest X-pre-auth-required-result = 1
>>
>> AuthSelect your-mysql-function
>> AuthColumnDef 0, X-pre-auth-required-result, check
>> ...
>> ...
>>
>> Here X-pre-auth-required-result is a local pseudo-attribute. You can
>> name it as you want, but the main thing is it will never come from the
>> NAS and has a fixed value you can compare against value returned from
>> MySQL function.
>>
>> Thanks,
>> Heikki
>
> Jesus Rodriguez
> VozTelecom Sistemas, S.L.
> jes...@voztele.com
> http://www.voztele.com
> Tel. 902360305
> -

--
Heikki Vatiainen
Re: [RADIATOR] Authentication without check attributes
Hi Heikki and all,

Is possible to use a value returned in an AuthSelect query in a subsequent ?.

An example:

    AuthByPolicy ContinueWhileAccept
    AddToRequest X-pre-auth-required-result = 1

    AuthSelect select validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
    AuthColumnDef 0, X-pre-auth-required-result, check

In this case, the AuthSelect would return two values. The first one is used as check value. I would like to get the second returned value and use it in a subsequent within the same clause. Is possible to save the second value in a variable or pseudo-attribute and use it later on?.

Thanks and regards.

On 27/06/2012, at 13:21, Jesús Rodríguez wrote:

> ------ Forwarded message --
> From: Heikki Vatiainen
> Date: Sun, Jun 24, 2012 at 10:59 PM
> Subject: Re: [RADIATOR] Authentication without check attributes
> To: radiator@open.com.au
>
> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>
>> To authenticate a dsl pre-authentication request, i have to use a mysql
>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject),
>> with no check attributes or other values i can use as check parameters.
>>
>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>
> Try something like this:
>
> AddToRequest X-pre-auth-required-result = 1
>
> AuthSelect your-mysql-function
> AuthColumnDef 0, X-pre-auth-required-result, check
> ...
> ...
>
> Here X-pre-auth-required-result is a local pseudo-attribute. You can
> name it as you want, but the main thing is it will never come from the
> NAS and has a fixed value you can compare against value returned from
> MySQL function.
>
> Thanks,
> Heikki

Jesus Rodriguez
VozTelecom Sistemas, S.L.
jes...@voztele.com
http://www.voztele.com
Tel. 902360305
Re: [RADIATOR] Authentication without check attributes
Hi Heikki,

On Sun, Jun 24, 2012 at 10:59 PM, Heikki Vatiainen wrote:

> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>
>> To authenticate a dsl pre-authentication request, i have to use a mysql
>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject),
>> with no check attributes or other values i can use as check parameters.
>>
>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>
> Try something like this:
>
> AddToRequest X-pre-auth-required-result = 1
>
> AuthSelect your-mysql-function
> AuthColumnDef 0, X-pre-auth-required-result, check
> ...
> ...
>
> Here X-pre-auth-required-result is a local pseudo-attribute. You can
> name it as you want, but the main thing is it will never come from the
> NAS and has a fixed value you can compare against value returned from
> MySQL function.

Thanks for your reply. This should do the trick!

Regards.

Best regards,
JesusR.
Re: [RADIATOR] Authentication without check attributes
On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:

> To authenticate a dsl pre-authentication request, i have to use a mysql
> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject),
> with no check attributes or other values i can use as check parameters.
>
> How can i send the Accept or Reject based on the returned 1 or 0 values?.

Try something like this:

    AddToRequest X-pre-auth-required-result = 1

    AuthSelect your-mysql-function
    AuthColumnDef 0, X-pre-auth-required-result, check
    ...
    ...

Here X-pre-auth-required-result is a local pseudo-attribute. You can name it as you want, but the main thing is it will never come from the NAS and has a fixed value you can compare against value returned from MySQL function.

Thanks,
Heikki

--
Heikki Vatiainen
[RADIATOR] Authentication without check attributes
Hello,

To authenticate a dsl pre-authentication request, I have to use a mysql function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), with no check attributes or other values I can use as check parameters.

How can I send the Accept or Reject based on the returned 1 or 0 values?

Thanks and regards.
Re: [RADIATOR] Authentication type not support - HELP
Hi,

> I'm getting the following error relating to REJECT: Authentication type not
> supported.
> Can anyone point me in the right direction as to what I have done wrong?

you've tried to use HOTP for an MSCHAPv2 challenge method... which, as Hugh says, isn't possible.

the debug log tries to help

> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by
> HOTP: mreeves [mreeves]

it might be good if the type was mentioned in the debug to clear any doubts... but HOTP only does RFC 4226 authentication... so really needs the password given to it there and then.

you need to use another Auth method... if you've got need for both one-time and mschapv2 stuff then you'll need to eg define another handler that's looking for that type of authentication and dealing with it (then there's the issue of which types of backend authentication can be used with MSCHAPv2)

alan
Re: [RADIATOR] Authentication type not support - HELP
Hello Matthew -

I don't think you have done anything wrong - but the debug shows the client is sending an MSCHAP-V2 request, which as you can see is not supported by the AuthBy SQLHOTP clause.

regards

Hugh

On 13 Sep 2010, at 15:57, Matthew Reeves-Hairs wrote:

> Hi,
> I'm getting the following error relating to REJECT: Authentication type not
> supported.
> Can anyone point me in the right direction as to what I have done wrong?
>
> Thanks
>
> Matthew
>
> Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
> *** Received from 192.168.100.1 port 51172
>
> Packet length = 151
> 01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
> 10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
> 01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
> 12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
> 4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
> 1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
> 00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
> 9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
> 2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
> 70 05 06 00 00 00 00
> Code: Access-Request
> Identifier: 108
> Authentic: ><19>(<137><179><140><198><215>-<137><204><134><16>#<156><161>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "mreeves"
> MS-CHAP-Challenge = s<138><143>?<182><243>1<24><185>m~MP<255><250>J
> MS-CHAP2-Response =
> D<0><13>:N|<11><30><189>/lqQ<10>=<179>_Z<0><0><0><0><0><0><0><0>7<164>7C<26><193><141><235>YN<235>G<127><154><9><28><191>_.<144><30><180><229><159>
> Calling-Station-Id = "217.36.254.209"
> NAS-Identifier = "l2tp"
> NAS-Port = 0
>
> Mon Sep 13 21:53:29 2010: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Mon Sep 13 21:53:29 2010: DEBUG: Deleting session for mreeves,
> 192.168.100.1, 0
> Mon Sep 13 21:53:29 2010: DEBUG: Handling with Radius::AuthSQLHOTP:
> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP looks for match with
> mreeves [mreeves]
> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by
> HOTP: mreeves [mreeves]
> Mon Sep 13 21:53:29 2010: DEBUG: AuthBy SQLHOTP result: REJECT,
> Authentication type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is
> supported by HOTP
> Mon Sep 13 21:53:29 2010: INFO: Access rejected for mreeves: Authentication
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
> Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
> *** Sending to 192.168.100.1 port 51172
>
> Packet length = 36
> 03 6c 00 24 95 0b c5 e9 09 d5 b6 10 e2 79 9d 7c
> 7f 57 82 c1 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 108
> Authentic: <149><11><197><233><9><213><182><16><226>y<157>|<127>W<130><193>
> Attributes:
> Reply-Message = "Request Denied"

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
[RADIATOR] Authentication type not support - HELP
Hi,

I'm getting the following error relating to REJECT: Authentication type not supported.
Can anyone point me in the right direction as to what I have done wrong?

Thanks

Matthew

Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
*** Received from 192.168.100.1 port 51172

Packet length = 151
01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
70 05 06 00 00 00 00
Code: Access-Request
Identifier: 108
Authentic: ><19>(<137><179><140><198><215>-<137><204><134><16>#<156><161>
Attributes:
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "mreeves"
    MS-CHAP-Challenge = s<138><143>?<182><243>1<24><185>m~MP<255><250>J
    MS-CHAP2-Response = D<0><13>:N|<11><30><189>/lqQ<10>=<179>_Z<0><0><0><0><0><0><0><0>7<164>7C<26><193><141><235>YN<235>G<127><154><9><28><191>_.<144><30><180><229><159>
    Calling-Station-Id = "217.36.254.209"
    NAS-Identifier = "l2tp"
    NAS-Port = 0

Mon Sep 13 21:53:29 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Mon Sep 13 21:53:29 2010: DEBUG: Deleting session for mreeves, 192.168.100.1, 0
Mon Sep 13 21:53:29 2010: DEBUG: Handling with Radius::AuthSQLHOTP:
Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP looks for match with mreeves [mreeves]
Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP: mreeves [mreeves]
Mon Sep 13 21:53:29 2010: DEBUG: AuthBy SQLHOTP result: REJECT, Authentication type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
Mon Sep 13 21:53:29 2010: INFO: Access rejected for mreeves: Authentication type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
*** Sending to 192.168.100.1 port 51172

Packet length = 36
03 6c 00 24 95 0b c5 e9 09 d5 b6 10 e2 79 9d 7c
7f 57 82 c1 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 108
Authentic: <149><11><197><233><9><213><182><16><226>y<157>|<127>W<130><193>
Attributes:
    Reply-Message = "Request Denied"
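An added example, not part of any post in this thread and not Radiator code: a small Python parser that reads the Access-Request bytes from the packet dump above and reports which authentication method the client actually sent, so the "Authentication type not supported" reject can be confirmed from the wire data. The function names are illustrative; the attribute numbers are those of RFC 2865, RFC 3579 and RFC 2548.

```python
import struct

# Attribute numbers: RFC 2865 (User-Name, User-Password, CHAP-Password,
# Vendor-Specific), RFC 3579 (EAP-Message), RFC 2548 (Microsoft VSAs).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
VENDOR_SPECIFIC, EAP_MESSAGE = 26, 79
MICROSOFT = 311
MS_METHODS = {1: "MS-CHAP", 25: "MS-CHAP-V2"}  # MS-CHAP-Response, MS-CHAP2-Response

# The 151-byte Access-Request from the "Received from 192.168.100.1" dump
# in the trace on this page.
ACCESS_REQUEST_HEX = """
01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
70 05 06 00 00 00 00
"""


class MalformedPacket(ValueError):
    """Raised when a length field points outside the data it describes."""


def iter_tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise MalformedPacket(f"truncated {what} header at offset {pos}")
        kind, length = buf[pos], buf[pos + 1]
        # The length covers the two header bytes and must stay inside buf.
        if length < 2 or pos + length > len(buf):
            raise MalformedPacket(f"bad {what} length {length} at offset {pos}")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def parse_attributes(packet):
    """Validate the RADIUS header and return the list of (type, value)."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise MalformedPacket("length field does not fit the datagram")
    return list(iter_tlvs(packet[20:length], "attribute"))


def classify(packet):
    """Return (User-Name, sorted authentication methods seen in the request)."""
    user, methods = None, set()
    for kind, value in parse_attributes(packet):
        if kind == USER_NAME:
            user = value.decode("utf-8", "replace")
        elif kind == USER_PASSWORD:
            methods.add("PAP")
        elif kind == CHAP_PASSWORD:
            methods.add("CHAP")
        elif kind == EAP_MESSAGE:
            methods.add("EAP")
        elif kind == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise MalformedPacket("Vendor-Specific without a vendor id")
            (vendor,) = struct.unpack("!I", value[:4])
            if vendor == MICROSOFT:  # only Microsoft VSAs are decoded here
                for vtype, _data in iter_tlvs(value[4:], "vendor attribute"):
                    if vtype in MS_METHODS:
                        methods.add(MS_METHODS[vtype])
    return user, sorted(methods)


def acceptable_to_hotp(methods):
    """Mirror the reject text in the trace: HOTP takes PAP or EAP (OTP/GTC).

    For EAP the inner type is negotiated in later packets, so this is only
    a first-packet check.
    """
    return bool(set(methods) & {"PAP", "EAP"})


if __name__ == "__main__":
    request = bytes.fromhex("".join(ACCESS_REQUEST_HEX.split()))
    user, methods = classify(request)
    print(user, methods, "HOTP-compatible:", acceptable_to_hotp(methods))
```

Run against the dump, it reports user mreeves with MS-CHAP-V2 only, which matches Hugh's reading of the trace.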
Re: (RADIATOR) authentication
On 11/10/03 6:03 PM, "Dan Boucaut" <[EMAIL PROTECTED]> wrote:

> Is it possible to use different authentication methods based on username.
>
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??

Sure with Radiator, almost anything is possible! ;-)

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9

Any sufficiently advanced bug is indistinguishable from a feature. - Kulawiec

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) authentication
On Tue, 11 Nov 2003, Dan Boucaut wrote:

> Is it possible to use different authentication methods based on username.
>
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??

You can have a different handler for each username but if this is for a large volume of users (perhaps the merging of 2 ISPs) that's not going to scale.

Are you after a system that allows you to look up a username in a DB or similar and the result of the DB query indicates another RADIUS server to proxy to?

If so you would probably have to do a "continue while accept", use an AuthBy to add a field to the request and then a later handler based on that attribute. You would probably still have to hard code the address of the RADIUS servers in your config file but you could select them based on a DB lookup.

Andrew
Re: (RADIATOR) authentication
Hello Dan -

Yes there are many different ways of using authentication methods, ie: multiple AuthBy clauses, cascaded AuthBy clauses, separate Handlers, individual Realms, etc.

Perhaps if you give us a bit more detail we can make some suggestions.

regards

Hugh

On 11/11/2003, at 10:03 AM, Dan Boucaut wrote:

> Hello,
>
> Is it possible to use different authentication methods based on username.
>
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??
>
> thanks
> regards
> Dan

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
Re: (RADIATOR) authentication
Dan,

Yes, this is possible. We're currently doing this by appending a domain on the username... so for instance:

[EMAIL PROTECTED]
and
[EMAIL PROTECTED]

I'm not sure how you would do it otherwise, but maybe others can shed more light. You may want to look at the proxy configuration samples in the goodies directory.

- Terry

On Nov 10, 2003, at 4:03 PM, Dan Boucaut wrote:

> Hello,
>
> Is it possible to use different authentication methods based on username.
>
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??
>
> thanks
> regards
> Dan
(RADIATOR) authentication
Hello,

Is it possible to use different authentication methods based on username.

ie usernameA authenticates to serverA
and usernameB authenticates to serverB ??

thanks
regards
Dan
Re: (RADIATOR) Authentication failure in leap when Username including domain-suffix
Hello,

Thank you for the quick response, Mike.

I downloaded the newest patches from www.open.com.au and applied them, but LEAP-Authentication does not work well. In the environment, there is no difference from before, except applying the patches.

The result is written below. (What's "Access-Accept" in log?)

---
Mon Nov 10 15:41:03 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Mon Nov 10 15:41:03 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Mon Nov 10 15:41:04 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Mon Nov 10 15:41:04 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Mon Nov 10 15:41:04 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Mon Nov 10 15:41:04 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1516
Code: Access-Request
Identifier: 204
Authentic: <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    cisco-avpair = "ssid=TEST-SPOT"
    NAS-IP-Address = aaa.bbb.ccc.ddd
    Called-Station-Id = "000c30da9d03"
    Calling-Station-Id = "00022d559b41"
    NAS-Identifier = "TEST-AP-1"
    NAS-Port = 37
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    Service-Type = Login
    EAP-Message = <2><13><0><27><1>[EMAIL PROTECTED]
    Message-Authenticator = <239><23><10><159><242><230><198><207><131>A1Z<163><136>P<238>
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG: Deleting session for [EMAIL PROTECTED], aaa.bbb.ccc.ddd, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 13, 27
Mon Nov 10 15:43:41 2003: DEBUG: Response type 1
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1516
Code: Access-Challenge
Identifier: 204
Authentic: <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
    EAP-Message = <1><14><0><6><25>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1517
Code: Access-Request
Identifier: 205
Authentic: <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    cisco-avpair = "ssid=TEST-SPOT"
    NAS-IP-Address = aaa.bbb.ccc.ddd
    Called-Station-Id = "000c30da9d03"
    Calling-Station-Id = "00022d559b41"
    NAS-Identifier = "TEST-AP-1"
    NAS-Port = 37
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    Service-Type = Login
    EAP-Message = <2><14><0><6><3><17>
    Message-Authenticator = <159><195><29>E<216><247>U<241><184>1*^hWxl
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG: Deleting session for [EMAIL PROTECTED], 202.48.98.47, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 14, 6
Mon Nov 10 15:43:41 2003: DEBUG: Response type 3
Mon Nov 10 15:43:41 2003: INFO: EAP Nak desires type 17
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1517
Code: Access-Challenge
Identifier: 205
Authentic: <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
    EAP-Message = <1><15><0>&<17><1><0><8><159><21><143><167><172>R<220>snag [EMAIL PROTECTED]
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1518
Code: Access-Request
Identifier: 206
Authentic: g8<23>r<175><251><24>x<20><29><176><248>05'<171>
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    cisco-avpair = "ssid=TEST-SPOT"
    NAS-IP-Address = aaa.bbb.ccc.ddd
    Called-Station-Id = "000c30da9d03"
    Calling-Station-Id = "00022d559b41"
    NAS-Identifier = "TEST-AP-1"
    NAS-Port = 37
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    Service-Type = Login
    EAP-Message = <2><15><0>6<17><1><0><24><223>&<19>%<221> <219>*,x<194><206><8><247>gZ[0<213><253><136><25><237><225>[EMAIL PROTECTED]
Re: (RADIATOR) Authentication failure in leap when Username including domain-suffix
Hello,

The problem here was that the LEAP identity being sent by the client was [EMAIL PROTECTED], and although you had a RewriteUsername to rewrite the Radius user name it had no effect on the LEAP identity.

We have now posted a patch so that RewriteUsername also affects the LEAP identity. That should fix your problem. The new version of EAP_17.pm has also been attached.

Please let us know how you get on.

Cheers.

On Mon, 10 Nov 2003 01:17 pm, [EMAIL PROTECTED] wrote:
> Hi everyone,
>
> I'm testing wireless LAN connection by using peap(ms-chap2-v2)&leap.
> But I have a problem in leap (everything looks like OK in peap) and
> can't see what is incorrect.
>
>
> (Prerequisite(summary))
> 1. Radiator server version is 3.7.1 applied newest(?) patches
> (downloading at 21 Oct.)
> 2. Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition
> 3. Username includes "@domain-suffix"
> (When excluding "@domain-suffix" from Username, test is passed)
> 4. User-Authentication is using DBFile.
> 5. config_file is like below.
> ---
> #Foreground
> #LogStdout
> LogDir /var/log
> #DbDir /etc/raddb
> AuthPort 1812
> AcctPort 1813
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace 4
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> Secret test
> DupInterval 0
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
>
> #
>
> Filename /etc/raddb/users
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType PEAP,MSCHAP-V2
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
>
> #
>
> # The username of the outer authentication
> # must be in this file to get anywhere. In this example,
> # it requires an entry for 'anonymous' which is the standard username
> # in the outer requests, and it also requires an entry for the
> # actual user name who is trying to connect (ie the 'Login name' entered
> # in the Funk Odyssey 'Edit Profile Properties' page
> Filename /etc/raddb/users
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType PEAP,MSCHAP-V2,LEAP
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile /home/test/ca/ca2.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> EAPTLS_CAPath /home/test/ca
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN
(RADIATOR) Authentication failure in leap when Username including domain-suffix
Hi everyone, I'm testing wireless LAN connection by using peap(ms-chap2-v2)&leap. But I have a problem in leap (everything looks like OK in peap) and can't see what is incorrect. (Prerequisite(summary)) 1.Radiator server version is 3.7.1 applied newest(?) patches (downloading at 21 Oct.) 2.Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition 3.Username is include "@domain-suffix" (When excluding "@domain-suffix" from Username, test is passed) 4.User-Authentication is using DBFile. 5.config_file is like below. --- #Foreground #LogStdout LogDir /var/log #DbDir /etc/raddb AuthPort1812 AcctPort1813 DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco # User a lower trace level in production systems: Trace 4 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/ # You will probably want to add other Clients to suit your site, # one for each NAS you want to work with Secret test DupInterval 0 RewriteUsername s/^([EMAIL PROTECTED]).*/$1/ # This is where we autneticate a PEAP inner request, which will be an EAP # request. The username of the inner request will be anonymous, although # the identity of the EAP request will be the real username we are # trying to authenticate. # Filename /etc/raddb/users RewriteUsername s/^([EMAIL PROTECTED]).*/$1/ # This tells the PEAP client what types of inner EAP requests # we will honour EAPType PEAP,MSCHAP-V2 # The original PEAP request from a NAS will be sent to a matching # Realm or Handler in the usual way, where it will be unpacked and the inner aut hentication # extracted. # The inner authentication request will be sent again to a matching # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to sele ct # a specific handler, or else you can use EAPAnonymous to set a username and rea lm # which can be used to select a Realm clause for the inner request. # This allows you to select an inner authentication method based on Realm, and/o r the # fact that they were tunnelled. 
You can therfore act just as a PEAP server, or also # act as the AAA/H home server, and authenticate PEAP requests locally or proxy # them to another remote server based on the realm of the inner authenticaiton r equest. # In this basic example, both the inner and outer authentication are authenticat ed # from a file by AuthBy FILE # # The username of the outer authentication # must be in this file to get anywhere. In this example, # it requires an entry for 'anonymous' which is the standard use rname # in the outer requests, and it also requires an entry for the # actual user name who is trying to connect (ie the 'Login name' entered # in the Funk Odyssey 'Edit Profile Properties' page Filename /etc/raddb/users RewriteUsername s/^([EMAIL PROTECTED]).*/$1/ # EAPType sets the EAP type(s) that Radiator will honour. # Options are: MD5-Challenge, One-Time-Password # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2 # Multiple types can be comma separated. With the default (most # preferred) type given first EAPType PEAP,MSCHAP-V2,LEAP # EAPTLS_CAFile is the name of a file of CA certificates # in PEM format. The file can contain several CA certificates # Radiator will first look in EAPTLS_CAFile then in # EAPTLS_CAPath, so there usually is no need to set both EAPTLS_CAFile /home/test/ca/ca2.pem # EAPTLS_CAPath is the name of a directory containing CA # certificates in PEM format. The files each contain one # CA certificate. The files are looked up by the CA # subject name hash value EAPTLS_CAPath /home/test/ca # EAPTLS_CertificateFile is the name of a file containing # the servers certificate. EAPTLS_CertificateType # specifies the type of the file. Can be PEM or ASN1 # defaults to ASN1 EAPTLS_CertificateFile /home/test/ca/cert2.pem EAPTLS_CertificateType PEM # EAPTLS_PrivateKeyFile is the name of the file containing # the servers private key. 
It is sometimes in the same file # as the server certificate (EAPTLS_CertificateFile) # If the private key is encrypted (usually the case) # then EAPTLS_PrivateKeyPassword is the key to descrypt it EAPTLS_PrivateKeyFile /home/test/ca/key2.pem EAPTLS_PrivateKeyPassword test1234
Re: (RADIATOR) Authentication Issue - Odyssey and iPaq 5450
Hi Steve,

From your calling station ID, it seems like you are using Cisco wireless gear. I recently played with Meetinghouse client for ipaq 5450. I could not get it to work either. But my problem is not on the radius side. Our Cisco wireless gear setup uses dynamic key, which Meetinghouse client does not support. I have no experience with Odyssey client. Based on your description, if this is the same issue as we encountered, the solution (as Meetinghouse tech support suggested) is to roll back to use only static encryption key for the client in order to get it to work. But then it kind of defeats the whole purpose of setting up strong security to begin with.

I am currently exploring an alternative, which is to upgrade my ipaq 5450 to run Mobile (Pocket PC) 2003. It claims to support 802.1x but I am still waiting for my order. It would be great if anyone in this list has experience to share in regard to whether Mobile 2003 will do the trick with its zero configuration for supporting 802.1x connection.

Thanks!

Bon

On Mon, 6 Oct 2003, Steve Caporossi wrote:
> I'm having an issue authenticating users with the iPaq 5450 (internal
> nic) and the Odyssey Client. It appears that when the user
> authenticates, Radiator initially issues an access-accept and then
> follows it up with an access-reject.
>
> I am only having this issue with the above device; all other clients
> authenticate successfully. Any ideas would be appreciated.
>
> Attached are debugs and the config. Radiator version 3.7.1 on RH7.3.
>
> Thanks,
> --
> Steve Caporossi
> Network Systems Engineer
> Center for Computing and Information Technology
> Medical University of South Carolina
> 843.876.5083

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Authentication Issue - Odyssey and iPaq 5450
I'm having an issue authenticating users with the iPaq 5450 (internal nic) and the Odyssey Client. It appears that when the user authenticates, Radiator initially issues an access-accept and then follows it up with an access-reject. I am only having this issue with the above deviceall other clients authenticate sucessfully. Any ideas would be appreciated. Attached are debugs and the config. Radiator version 3.7.1 on RH7.3. Thanks, -- Steve Caporossi Network Systems Engineer Center for Computing and Information Technology Medical University of South Carolina 843.876.5083 # radius.cfg # # Radiator configuration file. # #Foreground #LogStdout LogFile /var/log/radius/%m%d%y.log LogDir /var/log/radius DbDir /etc/radiator PidFile /var/run/radius.pid DictionaryFile /etc/radiator/dictionary # Use a low trace level in production systems. Increase # it to 4 or 5 for debugging, or use the -trace flag to radiusd Trace 4 AuthPort 1645,1812 AcctPort 1646,1813 # Add Clients below... Identifier ppp Secret DupInterval 2 Identifier ppp Secret DupInterval 2 Identifier video Secret DupInterval 2 Identifier vpn Secret DupInterval 2 Identifier wlan Secret DupInterval 2 IgnoreAcctSignature # # PPP Config ## AuthByPolicy ContinueAlways #AuthByPolicy ContinueWhileIgnore # Default DBSourcedbi:mysql:radius DBUsername < > DBAuth < > AuthSelect # Only insert Start and Stop requests, ack everything else HandleAcctStatusTypes Start,Stop AccountingTable ACCOUNTING AcctColumnDef USERNAME,User-Name AcctColumnDef CONNTYPE,%{Client:Identifier},formatted AcctColumnDef TIME_STAMP,Timestamp,integer AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause AcctColumnDef NASIDENTIFIER,NAS-Identifier AcctColumnDef NASIPADDRESS,NAS-IP-Address 
AcctColumnDef NASPORT,NAS-Port,integer AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address AcctColumnDef CALLEDSTATIONID,Called-Station-Id AcctColumnDef CALLINGSTATIONID,Calling-Station-Id AcctColumnDef ACCTAUTHENTIC,Acct-Authentic AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log #DefaultSimultaneousUse 1 Filename /etc/passwd.ras # Log accounting to a detail file AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log VPN Config ## AuthByPolicy ContinueAlways #AuthByPolicy ContinueWhileIgnore # Default DBSourcedbi:mysql:radius DBUsername < > DBAuth < > AuthSelect # Only insert Start and Stop requests, ack everything else HandleAcctStatusTypes Start,Stop AccountingTable ACCOUNTING AcctColumnDef USERNAME,User-Name AcctColumnDef CONNTYPE,%{Client:Identifier},formatted AcctColumnDef TIME_STAMP,Timestamp,integer AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause AcctColumnDef NASIDENTIFIER,NAS-Identifier AcctColumnDef NASIPADDRESS,NAS-IP-Address AcctColumnDef NASPORT,NAS-Port,integer AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address AcctColumnDef ACCTAUTHENTIC,Acct-Authentic AcctColumnDef CLASS,Class AcctColumnDef TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log #DefaultSimultaneousUse 1 Filename /etc/passwd.ras # Log accounting to a detail file
(RADIATOR) Authentication Failure Messages
Hello,

We need to keep authentication failure information in our database. This can of course be done with .

To make it simple, let's say that we have to handle things like an account status (Active or Blocked) in the authentication process. This can be easily done by:

AuthSelect select ... from ACCOUNT where USERNAME=%0 and STATUS = 'Active'

But if someone with correct Usr/Psw but blocked RADIUS account tries to connect, it will of course result in the "No such user" failure message instead of some dedicated failure message such as "Account Blocked".

We could handle the Account Status check using check items and AddToRequest parameter instead of using AuthSelect and then get "dedicated" failure messages, but for other cases it is not that simple. Ex.:

- For one account (usr/psw), multiple service subscriptions based on the NAS-Port-Type attribute of the Access-Request and resulting in different reply attributes.
- Accounts should be bound to several Access Servers (RADIUS clients).

We can handle this with proper data model and AuthSelect parameter but we need dedicated authentication failure messages (ex: "No subscription for this service" and "Not allowed from this NAS") in case of correct Usr/Psw.

I don't know much about PostAuthHook but I guess it may be the solution. Any suggestions?

Regards.

Geoffrey
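The ordering problem described in the post above, as an added stand-alone illustration (not part of the original message, and not Radiator configuration or hook code): the account row is fetched without the STATUS filter, and the status, NAS binding and subscription are checked only after the password has matched, so each failure gets its own reason. ACCOUNT, USERNAME and STATUS come from the post; the other table and column names, the "Bad password" reason and all sample rows are assumptions constructed for the example.

```python
import hmac
import sqlite3

# Constructed schema. ACCOUNT/USERNAME/STATUS follow the post; every other
# table and column is a hypothetical name for the data model it describes.
SCHEMA = """
CREATE TABLE ACCOUNT (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT, STATUS TEXT);
CREATE TABLE ACCOUNT_NAS (USERNAME TEXT, NAS TEXT);
CREATE TABLE SUBSCRIPTION (USERNAME TEXT, NAS_PORT_TYPE TEXT, REPLYATTR TEXT);
CREATE TABLE AUTH_FAILURE (USERNAME TEXT, NAS TEXT, NAS_PORT_TYPE TEXT, REASON TEXT);
"""


def open_sample_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Plaintext passwords only to keep the sample short.
    db.executemany("INSERT INTO ACCOUNT VALUES (?, ?, ?)",
                   [("alice", "pw-alice", "Active"), ("bob", "pw-bob", "Blocked")])
    db.executemany("INSERT INTO ACCOUNT_NAS VALUES (?, ?)",
                   [("alice", "nas1"), ("bob", "nas1")])
    db.executemany("INSERT INTO SUBSCRIPTION VALUES (?, ?, ?)",
                   [("alice", "Async", "Framed-Protocol=PPP"),
                    ("alice", "Virtual", "Service-Type=Framed-User")])
    return db


def decide(db, username, password, nas, nas_port_type):
    """Return (reason, reply_attrs); reason is None when the request passes."""
    row = db.execute("SELECT PASSWORD, STATUS FROM ACCOUNT WHERE USERNAME = ?",
                     (username,)).fetchone()
    if row is None:
        return "No such user", None
    stored, status = row
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return "Bad password", None
    # Everything below is reached only with a correct username and password,
    # so the dedicated reasons are never given for a wrong password.
    if status != "Active":
        return "Account Blocked", None
    bound = db.execute("SELECT 1 FROM ACCOUNT_NAS WHERE USERNAME = ? AND NAS = ?",
                       (username, nas)).fetchone()
    if bound is None:
        return "Not allowed from this NAS", None
    sub = db.execute("SELECT REPLYATTR FROM SUBSCRIPTION "
                     "WHERE USERNAME = ? AND NAS_PORT_TYPE = ?",
                     (username, nas_port_type)).fetchone()
    if sub is None:
        return "No subscription for this service", None
    return None, sub[0]


def authenticate(db, username, password, nas, nas_port_type):
    """Decide, store any failure reason in AUTH_FAILURE, return the outcome."""
    reason, reply = decide(db, username, password, nas, nas_port_type)
    if reason is not None:
        db.execute("INSERT INTO AUTH_FAILURE VALUES (?, ?, ?, ?)",
                   (username, nas, nas_port_type, reason))
    return reason is None, reason, reply


def logged_reasons(db):
    """Failure reasons recorded so far, oldest first."""
    return [r[0] for r in db.execute("SELECT REASON FROM AUTH_FAILURE ORDER BY rowid")]


if __name__ == "__main__":
    db = open_sample_db()
    for args in [("alice", "pw-alice", "nas1", "Async"),
                 ("bob", "pw-bob", "nas1", "Async"),
                 ("alice", "pw-alice", "nas2", "Async"),
                 ("alice", "pw-alice", "nas1", "ISDN")]:
        print(args, "->", authenticate(db, *args))
```

The reason stored in AUTH_FAILURE and the text returned to the client are separate decisions; the table can hold the dedicated reason even where the reply stays generic.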
RE: (RADIATOR) Authentication to one DB, Accounting to another
The only catch is that AuthBy SQL will open a connection to the database when it starts up and keep that connection up unless there is a problem with it so your round robin DNS will not do much. AuthBy SQL supports declaring a database to use as a backup which may be a better scheme for reliability.

If you are looking to load balance among your databases I would run a Radiator instance for each database instance and then proxy requests to them using a main instance with AuthBy ROUNDROBIN or AuthBy LOADBALANCE.

-Frank

-----Original Message-----
From: Derek Buttineau [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 6:20 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Authentication to one DB, Accounting to another

Just want to make sure I'm not totally out in left field on how to accomplish this, I thought I'd ask.

We just recently setup MySQL Replication.. and I'd like to make our Radiator software use the master and slaves for authentication (just using DNS round robin atm).. but since only the master can receive updates, I'd like to make sure the accounting packets only go to the master.

I'm thinking I need to make the configuration look like this, but please let me know if I'm totally off base:

AuthByPolicy ContinueAlways

DBSource dbi:mysql:radius:<
DBUsername username
DBAuth password

# Setup Authentication
AuthSelect select ENCRYPTEDPASSWORD, REPLYATTR from AUTHENTICATIONTABLE where USERNAME='%U'
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, GENERIC, reply

# Disable Accounting
AccountingTable

DBSource dbi:mysql:radius:<>
DBUsername radius
DBAuth csrox

# Disable Authentication
AuthSelect

# Setup Accounting
AccountingTable ACCOUNTINGTABLE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,formatted-date,'%Y%m%d %H:%M:%S'
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CONNECTSPEED,Connect-Speed

Thanks a bunch in advance. Sorry if this has already been covered on the list, took a look but perhaps my search techniques are in need of improvement :)

--
Regards,
Derek Buttineau
Internet Systems Administrator
Compu-SOLVE Internet Services
(RADIATOR) Authentication to one DB, Accounting to another
Just want to make sure I'm not totally out in left field on how to accomplish this, I thought I'd ask.

We just recently setup MySQL Replication.. and I'd like to make our Radiator software use the master and slaves for authentication (just using DNS round robin atm).. but since only the master can receive updates, I'd like to make sure the accounting packets only go to the master.

I'm thinking I need to make the configuration look like this, but please let me know if I'm totally off base:

AuthByPolicy ContinueAlways

DBSource dbi:mysql:radius:<
DBUsername username
DBAuth password

# Setup Authentication
AuthSelect select ENCRYPTEDPASSWORD, REPLYATTR from AUTHENTICATIONTABLE where USERNAME='%U'
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, GENERIC, reply

# Disable Accounting
AccountingTable

DBSource dbi:mysql:radius:<>
DBUsername radius
DBAuth csrox

# Disable Authentication
AuthSelect

# Setup Accounting
AccountingTable ACCOUNTINGTABLE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,formatted-date,'%Y%m%d %H:%M:%S'
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CONNECTSPEED,Connect-Speed

Thanks a bunch in advance. Sorry if this has already been covered on the list, took a look but perhaps my search techniques are in need of improvement :)

--
Regards,
Derek Buttineau
Internet Systems Administrator
Compu-SOLVE Internet Services
Re: (RADIATOR) Authentication result codes list?
Hello John -

You will find everything you need in the source code.

Here are the return values that are defined in "Radius/AuthGeneric.pm":

    # Return codes for handle_request
    $main::ACCEPT = 0;            # Issue an accept for us
    $main::REJECT = 1;            # Issue a reject for us
    $main::IGNORE = 2;            # Dont reply at all
    $main::CHALLENGE = 3;         # Issue a challenge
    $main::REJECT_IMMEDIATE = 4;  # Reject, and dont fall through

To understand more about the LDAP return codes you should check the source code for the Perl LDAP module that you are using - and of course don't forget to look at the code in "Radius/AuthLDAP2.pm".

There are also a number of example hooks in the file "goodies/hooks.txt".

regards

Hugh

ps - "may the source be with you..."

On Wednesday, Aug 20, 2003, at 05:28 Australia/Melbourne, John McFadden wrote:
> I'm fairly green to Radius and Radiator so please excuse my ignorance.
>
> I'm writing a post auth hook and want to make sure I cover all the
> various conditions. ie: I'll want to check and act on the result an
> AuthBy LDAP2. I understand it can be ACCEPT or REJECT but I'm
> wondering if I need to handle other results such as IGNORE? If so
> where do I get the full list of possible results?
>
> Any pointers are appreciated?
>
> Thanks in advance
> John McFadden

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) Authentication result codes list?
Hi,

You will find all the information in RFC 2865. This document will help you to understand the protocol. Don't forget to take a look at RFC 2866 (RADIUS Accounting).

Regards.

Geoffrey

-----Original Message-----
From: John McFadden [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 19 August 2003 21:29
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Authentication result codes list?

I'm fairly green to Radius and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the various conditions. ie: I'll want to check and act on the result an AuthBy LDAP2. I understand it can be ACCEPT or REJECT but I'm wondering if I need to handle other results such as IGNORE? If so where do I get the full list of possible results?

Any pointers are appreciated?

Thanks in advance
John McFadden
(RADIATOR) Authentication result codes list?
I'm fairly green to Radius and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the various conditions. ie: I'll want to check and act on the result an AuthBy LDAP2. I understand it can be ACCEPT or REJECT but I'm wondering if I need to handle other results such as IGNORE? If so where do I get the full list of possible results?

Any pointers are appreciated?

Thanks in advance
John McFadden
Re: (RADIATOR) Authentication falied
Hello Sara Sodagar -

The only way I can help is if I have a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing the problem.

From what you describe it sounds like the database is responding very slowly to queries.

regards

Hugh

On Tuesday, Aug 12, 2003, at 18:51 Australia/Melbourne, sara sodagar wrote:
> Hi
>
> I have a radiator 3.1 on Redhat 7,1. I get authentication failed
> several times in a day, and when I trace our network and system, I
> found out that the request is reaching radiusd very late, because
> when it responds to that request it is very late and our NAS rejects
> it. I checked our NAS parameters for timeout but everything is OK. I
> checked our network and it has no problem for delay.
>
> During the problem I also check the system with radpwtst, but the
> same thing happens and I got no reply from server.
>
> I am using Tomcat, 4.0.3 and Oracle8i.
>
> Our hardware is:
> PIII (1000 MHZ) Dual
> 2 GB RAM
>
> --I appreciate any suggestion and help.
>
> Thanks
> Sara Sodagar
(RADIATOR) Authentication falied
Hi

I have a radiator 3.1 on Redhat 7,1. I get authentication failed several times in a day, and when I trace our network and system, I found out that the request is reaching radiusd very late, because when it responds to that request it is very late and our NAS rejects it. I checked our NAS parameters for timeout but everything is OK. I checked our network and it has no problem for delay.

During the problem I also check the system with radpwtst, but the same thing happens and I got no reply from server.

I am using Tomcat, 4.0.3 and Oracle8i.

Our hardware is:
PIII (1000 MHZ) Dual
2 GB RAM

--I appreciate any suggestion and help.

Thanks
Sara Sodagar
Re: (RADIATOR) authentication by using DBFile
Hello Masa - What is the problem? And why are you using a DB file? Please send me a trace 4 debug from Radiator showing the problem together with a clear description of what is happening. regards Hugh On Wednesday, Jul 9, 2003, at 02:03 Australia/Melbourne, [EMAIL PROTECTED] wrote: Hello, I have a problem for authentication by using DB_File, and can't see what's wrong. I'll describe the configuration below. PEAP with MSCHAPv2 or LEAP #./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users nagatakiUser-Password=masahiro #Foreground #LogStdout LogDir /var/log #DbDir . AuthPort1812 AcctPort1813 DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco # User a lower trace level in production systems: Trace 4 # You will probably want to add other Clients to suit your site, # one for each NAS you want to work with Secret mysecret DupInterval 0 # This is where we autneticate a PEAP inner request, which will be an EAP # request. The username of the inner request will be anonymous, although # the identity of the EAP request will be the real username we are # trying to authenticate. # anonymous-PEAP must be in here: Filename /etc/radiator/users.db # This tells the PEAP client what types of inner EAP requests # we will honour EAPType PEAP,MSCHAP-V2 # The original PEAP request from a NAS will be sent to a matching # Realm or Handler in the usual way, where it will be unpacked and the inner aut hentication # extracted. # The inner authentication request will be sent again to a matching # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to sele ct # a specific handler, or else you can use EAPAnonymous to set a username and rea lm # which can be used to select a Realm clause for the inner request. # This allows you to select an inner authentication method based on Realm, and/o r the # fact that they were tunnelled. 
You can therfore act just as a PEAP server, or also # act as the AAA/H home server, and authenticate PEAP requests locally or proxy # them to another remote server based on the realm of the inner authenticaiton r equest. # In this basic example, both the inner and outer authentication are authenticat ed # from a file by AuthBy FILE # The username of the outer authentication # must be in this file to get anywhere. In this example, # it requires an entry for 'anonymous' which is the standard use rname # in the outer requests, and it also requires an entry for the # actual user name who is trying to connect (ie the 'Login name' entered # in the Funk Odyssey 'Edit Profile Properties' page Filename /etc/radiator/users.db # EAPType sets the EAP type(s) that Radiator will honour. # Options are: MD5-Challenge, One-Time-Password # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2 # Multiple types can be comma separated. With the default (most # preferred) type given first EAPType PEAP,MSCHAP-V2,LEAP # EAPTLS_CAFile is the name of a file of CA certificates # in PEM format. The file can contain several CA certificates # Radiator will first look in EAPTLS_CAFile then in # EAPTLS_CAPath, so there usually is no need to set both #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem # EAPTLS_CAPath is the name of a directory containing CA # certificates in PEM format. The files each contain one # CA certificate. The files are looked up by the CA # subject name hash value # EAPTLS_CAPath # EAPTLS_CertificateFile is the name of a file containing # the servers certificate. EAPTLS_CertificateType # specifies the type of the file. Can be PEM or ASN1 # defaults to ASN1 #EAPTLS_CertificateFile %D/certificates/cert-srv.pem EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem EAPTLS_CertificateType PEM # EAPTLS_PrivateKeyFile is the name of the file containing # the servers private key. 
It is sometimes in the same file # as the server certificate (EAPTLS_CertificateFile)
(RADIATOR) authentication by using DBFile
Hello,

I have a problem with authentication using DB_File, and can't see what's wrong. I'll describe the configuration below.

PEAP with MSCHAPv2 or LEAP

#./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users

nagataki User-Password=masahiro

#Foreground
#LogStdout
LogDir /var/log
#DbDir .
AuthPort 1812
AcctPort 1813
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace 4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
Secret mysecret
DupInterval 0

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
# anonymous-PEAP must be in here:
Filename /etc/radiator/users.db
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2

# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename /etc/radiator/users.db

# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP

# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem

# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath

# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
EAPTLS_CertificateType PEM

# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_PrivateKeyFile /usr/local/ssl/c
Re: (RADIATOR) Authentication problem.
Hello Rajan -

I am not sure that I understand your question, but if you want to limit users to one NAS only or another NAS only, you can do something like this:

# define Client clauses
Identifier NAS1
.
Identifier NAS2
.
. .. . . .

regards

Hugh

On Wednesday, August 21, 2002, at 07:54 AM, Rajan wrote:

> Hi all,
>
> I have to use two authby clauses, one for router1 and another for router2. Now the problem is that a router2 user can be authenticated dialing to router1, since I have only one AAA server. Is it possible to check the handler in the Client clause itself? Will this solve my problem? Please help me.
>
> regards,
> Rajan.

NB: I am travelling this week, so there may be delays in our correspondence.

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) Authentication problem.
Hi all,

I have to use two authby clauses, one for router1 and another for router2. Now the problem is that a router2 user can be authenticated dialing to router1, since I have only one AAA server. Is it possible to check the handler in the Client clause itself? Will this solve my problem? Please help me.

regards,
Rajan.
Re: (RADIATOR) Authentication via proxy
Hello Chris -

If you use radpwtst on the localhost for testing, the shared secret by default is "mysecret", so if you change the secret in the clause you should see the same behaviour as for the other Client. You can set up the clause with the shared secret of the Client that has problems and use radpwtst with the -secret flag to verify correct operation. Ie:

Secret ***whatever***

then

radpwtst -secret ***whatever*** -user -password

If this test works, then you know that the shared secret on the problem Client is not correct.

BTW - keep in mind that there is one shared secret between the NAS and the remote proxy, and another shared secret between the proxy and your Radiator.

regards

Hugh

On Wed, 3 Jul 2002 03:36, chris wrote:
> I have added a client clause for every nas, and every proxy. I still get
> the same results.
> Is there any way to verify that the shared secrets indeed do not match?
>
> The radpwtst from localhost returns an OK for the user
>
> Thanks,
> Chris
>
> - Original Message -
> From: "Hugh Irvine" <[EMAIL PROTECTED]>
> To: "chris" <[EMAIL PROTECTED]>
> Sent: Monday, July 01, 2002 4:18 PM
> Subject: Re: (RADIATOR) Authentication via proxy
>
> > Hello Chris -
> >
> > I am still quite sure that the problem is shared secrets.
> >
> > You should probably add a Client clause for the proxy:
> >
> > # define Client clause for proxy
> >
> > Secret ..
> > .
> >
> > It is fairly easy to verify this by using radpwtst locally against the
> > to make sure the user record is checked correctly.
> >
> > regards
> >
> > Hugh
> >
> > On Tue, 2 Jul 2002 04:00, chris wrote:
> > > I have verified shared secret, even tried setting to a simple number like
> > > 11 to rule out CaSe issues.
> > > I am still having the same issues
> > >
> > > I am not sure how much it matters, but the setup is like this..
> > > Our clients dial into PacWest NAS(Cisco)...Their NAS talks to their radius
> > > proxy that hands off to us.
Fw: (RADIATOR) Authentication via proxy
Ok, after hounding the provider, they found a misconfiguration on their end. In the shared secret I am guessing, but none-the-less they *finally* fixed it up.

Thanks for all the help Hugh! You are *the* radiator king!

Chris

> - Original Message -
> From: "chris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, July 02, 2002 10:36 AM
> Subject: Re: (RADIATOR) Authentication via proxy
>
> > I have added a client clause for every nas, and every proxy. I still get the
> > same results.
> > Is there any way to verify that the shared secrets indeed do not match?
> >
> > The radpwtst from localhost returns an OK for the user
> >
> > Thanks,
> > Chris
> >
> > - Original Message -
> > From: "Hugh Irvine" <[EMAIL PROTECTED]>
> > To: "chris" <[EMAIL PROTECTED]>
> > Sent: Monday, July 01, 2002 4:18 PM
> > Subject: Re: (RADIATOR) Authentication via proxy
> >
> > > Hello Chris -
> > >
> > > I am still quite sure that the problem is shared secrets.
> > >
> > > You should probably add a Client clause for the proxy:
> > >
> > > # define Client clause for proxy
> > >
> > > Secret ..
> > > .
> > >
> > > It is fairly easy to verify this by using radpwtst locally against the
> > > to make sure the user record is checked correctly.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On Tue, 2 Jul 2002 04:00, chris wrote:
> > > > I have verified shared secret, even tried setting to a simple number like
> > > > 11 to rule out CaSe issues.
> > > > I am still having the same issues
> > > >
> > > > I am not sure how much it matters, but the setup is like this..
> > > > Our clients dial into PacWest NAS(Cisco)...Their NAS talks to their radius
> > > > proxy that hands off to us.
Re: (RADIATOR) Authentication via proxy
I have added a client clause for every nas, and every proxy. I still get the same results.
Is there any way to verify that the shared secrets indeed do not match?

The radpwtst from localhost returns an OK for the user

Thanks,
Chris

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>
Sent: Monday, July 01, 2002 4:18 PM
Subject: Re: (RADIATOR) Authentication via proxy

> Hello Chris -
>
> I am still quite sure that the problem is shared secrets.
>
> You should probably add a Client clause for the proxy:
>
> # define Client clause for proxy
>
> Secret ..
> .
>
> It is fairly easy to verify this by using radpwtst locally against the
> to make sure the user record is checked correctly.
>
> regards
>
> Hugh
>
> On Tue, 2 Jul 2002 04:00, chris wrote:
> > I have verified shared secret, even tried setting to a simple number like
> > 11 to rule out CaSe issues.
> > I am still having the same issues
> >
> > I am not sure how much it matters, but the setup is like this..
> > Our clients dial into PacWest NAS(Cisco)...Their NAS talks to their radius
> > proxy that hands off to us.
> >
> > - Original Message -
> > From: "Hugh Irvine" <[EMAIL PROTECTED]>
> > To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Monday, June 24, 2002 4:21 PM
> > Subject: Re: (RADIATOR) Authentication via proxy
> >
> > > Hello Chris -
> > >
> > > This is almost always due to incorrect shared secrets.
> > >
> > > If you still have problems, please send me a copy of your configuration file
> > > and a copy of the user record from the users file, as well as a trace 4 debug.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On Tue, 25 Jun 2002 03:51, chris wrote:
> > > > I am trying to setup a managed modem system with a local clec. They answer
> > > > the calls and proxy to my radius. I am trying to figure out where the problem is in
> > > > authentication. It brings the username over ok, but the password is garbled
> > > > into non-printables
> > > >
> > > > Here is a L5trace of one such session, am I overlooking something obvious?
> > > >
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> > > > *** Received from 64.66.192.33 port 34998
> > > >
> > > > Packet length = 100
> > > > 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> > > > a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> > > > 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> > > > 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> > > > 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> > > > 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> > > > 00 00 00 00
> > > > Code: Access-Request
> > > > Identifier: 7
> > > > Authentic: _<193>3sF|er<184>?<254>]<165><255>mP
> > > > Attributes:
> > > >     User-Name = "testme"
> > > >     Password = "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> > > >     NAS-IP-Address = 63.93.57.35
> > > >     NAS-Port = 18646
> > > >     Service-Type = Framed-User
> > > >     Framed-Protocol = PPP
> > > >     Called-Station-Id = "7024410063"
> > > >     Calling-Station-Id = "2099263677"
> > > >     NAS-Port-Type = Async
> > > >     NAS-Port-Type = Async
> > > >
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Deleting session for testme, 63.93.57.35, 18646
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Reading users file /usr/local/etc/raddb/users
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with testme
> > > > Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
Re: (RADIATOR) Authentication via proxy
On sending you the information earlier, I thought about the situation some more. This radius server is and has been working for several PM3's. I have made sure I am using the proper configs and dictionary now. The PM3's users are still authenticating great. I think the problem is with the way they are handing it off to me. Their NAS goes through a proxy to get to me. Although they claim it's a transparent proxy that doesn't do anything with the data, except pass it along.

Just wanted to let you know that the radius server itself *is* functioning to an extent.

Thanks
Chris

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, June 28, 2002 9:41 PM
Subject: Re: (RADIATOR) Authentication via proxy

> Hello Chris -
>
> I suspect you are not using the latest dictionary file either.
>
> This is from the standard Radiator 3.1 dictionary:
>
> ATTRIBUTE EAP-Message 79 binary
>
> regards
>
> Hugh
>
> On Sat, 29 Jun 2002 02:38, chris wrote:
> > > Hello Chris -
> > >
> > > This sounds like you are not running the 3.1 version of radiusd, which has a
> > > call to &Radius::Util::get_port , not &Radius::Radius::get_port.
> >
> > Doh! I was in such a rush yesterday that I didn't notice it installs the
> > radiusd into a different location.
> > This server is being upgraded from 2.16.
> >
> > Anyways, that was exactly the problem. I am seeing this in the error log
> > now though...
> >
> > Fri Jun 28 09:12:53 2002: ERR: Attribute number 79 is not defined in your dictionary
> >
> > Which seems to correspond with this
> >
> > 79 ICL / Fujitsu Computers / TeamWARE Group Tony Gale [EMAIL PROTECTED]
> >
> > Although I use all Lucent PM3's in that location.
> > It doesn't seem to be affecting service in any way
> >
> > Thanks,
> > Chris.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authentication via proxy
Hello Chris -

This sounds like you are not running the 3.1 version of radiusd, which has a call to &Radius::Util::get_port , not &Radius::Radius::get_port.

regards

Hugh

On Fri, 28 Jun 2002 10:43, chris wrote:
> I am going to be testing it tomorrow again, I will verify that the secrets
> do indeed match.
>
> In the meantime I am trying to install 3.1 and all the 'make test' comes
> out OK
> but when I start it I get this message
>
> Undefined subroutine &Radius::Radius::get_port called at
> /usr/local/sbin/radiusd line 333.
>
> Thanks,
> Chris
>
> - Original Message -
> From: "Hugh Irvine" <[EMAIL PROTECTED]>
> To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, June 24, 2002 4:21 PM
> Subject: Re: (RADIATOR) Authentication via proxy
>
> > Hello Chris -
> >
> > This is almost always due to incorrect shared secrets.
> >
> > If you still have problems, please send me a copy of your configuration file
> > and a copy of the user record from the users file, as well as a trace 4 debug.
> >
> > regards
> >
> > Hugh
> >
> > On Tue, 25 Jun 2002 03:51, chris wrote:
> > > I am trying to setup a managed modem system with a local clec. They answer
> > > the calls and proxy to my radius. I am trying to figure out where the problem is in
> > > authentication. It brings the username over ok, but the password is garbled
> > > into non-printables
> > >
> > > Here is a L5trace of one such session, am I overlooking something obvious?
Re: (RADIATOR) Authentication via proxy
I am going to be testing it tomorrow again, I will verify that the secrets do indeed match.

In the meantime I am trying to install 3.1 and all the 'make test' comes out OK
but when I start it I get this message

Undefined subroutine &Radius::Radius::get_port called at /usr/local/sbin/radiusd line 333.

Thanks,
Chris

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 24, 2002 4:21 PM
Subject: Re: (RADIATOR) Authentication via proxy

> Hello Chris -
>
> This is almost always due to incorrect shared secrets.
>
> If you still have problems, please send me a copy of your configuration file
> and a copy of the user record from the users file, as well as a trace 4 debug.
>
> regards
>
> Hugh
>
> On Tue, 25 Jun 2002 03:51, chris wrote:
> > I am trying to setup a managed modem system with a local clec. They answer
> > the calls and proxy to my radius. I am trying to figure out where the problem is in
> > authentication. It brings the username over ok, but the password is garbled
> > into non-printables
> >
> > Here is a L5trace of one such session, am I overlooking something obvious?
Re: (RADIATOR) Authentication via proxy
Hello Chris -

This is almost always due to incorrect shared secrets.

If you still have problems, please send me a copy of your configuration file and a copy of the user record from the users file, as well as a trace 4 debug.

regards

Hugh

On Tue, 25 Jun 2002 03:51, chris wrote:
> I am trying to setup a managed modem system with a local clec. They answer
> the calls and proxy to my radius. I am trying to figure out where the problem is in
> authentication. It brings the username over ok, but the password is garbled
> into non-printables
>
> Here is a L5trace of one such session, am I overlooking something obvious?
>
> Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> *** Received from 64.66.192.33 port 34998
>
> Packet length = 100
> 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> 00 00 00 00
> Code: Access-Request
> Identifier: 7
> Authentic: _<193>3sF|er<184>?<254>]<165><255>mP
> Attributes:
>     User-Name = "testme"
>     Password = "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
>     NAS-IP-Address = 63.93.57.35
>     NAS-Port = 18646
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     Called-Station-Id = "7024410063"
>     Calling-Station-Id = "2099263677"
>     NAS-Port-Type = Async
>     NAS-Port-Type = Async
>
> Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> Mon Jun 24 10:18:35 2002: DEBUG: Deleting session for testme, 63.93.57.35, 18646
> Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> Mon Jun 24 10:18:35 2002: DEBUG: Reading users file /usr/local/etc/raddb/users
> Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with testme
> Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad Password
> Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
> *** Sending to 64.66.192.33 port 34998
> Code: Access-Reject
> Identifier: 7
> Authentic: _<193>3sF|er<184>?<254>]<165><255>mP
> Attributes:
>     Reply-Message = "Request Denied"
>     Reply-Message = "Bad Password"
>
> Thanks,
> Chris
(RADIATOR) Authentication via proxy
I am trying to setup a managed modem system with a local clec. They answer the calls and proxy to my radius. I am trying to figure out where the problem is in authentication. It brings the username over ok, but the password is garbled into non-printables

Here is a L5trace of one such session, am I overlooking something obvious?

Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
*** Received from 64.66.192.33 port 34998

Packet length = 100
01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
00 00 00 00
Code: Access-Request
Identifier: 7
Authentic: _<193>3sF|er<184>?<254>]<165><255>mP
Attributes:
    User-Name = "testme"
    Password = "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
    NAS-IP-Address = 63.93.57.35
    NAS-Port = 18646
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Called-Station-Id = "7024410063"
    Calling-Station-Id = "2099263677"
    NAS-Port-Type = Async
    NAS-Port-Type = Async

Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
Mon Jun 24 10:18:35 2002: DEBUG: Deleting session for testme, 63.93.57.35, 18646
Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
Mon Jun 24 10:18:35 2002: DEBUG: Reading users file /usr/local/etc/raddb/users
Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with testme
Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad Password
Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
*** Sending to 64.66.192.33 port 34998
Code: Access-Reject
Identifier: 7
Authentic: _<193>3sF|er<184>?<254>]<165><255>mP
Attributes:
    Reply-Message = "Request Denied"
    Reply-Message = "Bad Password"

Thanks,
Chris
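The diagnosis reached in this thread, that a proxied Access-Request carries a User-Password hidden under the shared secret of each hop, so a mismatch on the last hop reaches the server as a non-printable password and a "Bad Password" reject, shown as an added Python example that is not part of the original posts or of Radiator. It parses the packet dump quoted above and then uses a constructed password and constructed secrets; the helper names and the reuse of the Request Authenticator across the proxy hop are assumptions.

```python
import hashlib

# Packet dump copied from the trace in the post above (100 bytes).
PAGE_PACKET = bytes.fromhex("".join("""
01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
00 00 00 00
""".split()))

USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5  # RFC 2865 attribute numbers


def parse_packet(raw):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length < 20 or length > len(raw):
        raise ValueError("Length field does not fit the datagram")
    authenticator, attrs, pos = raw[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(raw[pos + 2:pos + alen])
        pos += alen
    return code, ident, authenticator, attrs


def hide_password(password, authenticator, secret):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden, authenticator, secret):
    """Inverse of hide_password. A wrong secret gives pseudo-random bytes, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def is_printable(plain):
    """True when the revealed bytes look like something a user could have typed."""
    return bool(plain) and all(0x20 <= b < 0x7F for b in plain)


def proxy_relay(hidden, authenticator, secret_from_nas, secret_to_server):
    """One proxy hop: reveal with the inbound secret, hide again with the outbound one."""
    # Assumption: the Request Authenticator is forwarded unchanged; a proxy may pick a new one.
    plain = reveal_password(hidden, authenticator, secret_from_nas)
    return hide_password(plain, authenticator, secret_to_server)


def check_secret(raw, secret):
    """Reveal User-Password in a captured Access-Request with the Secret configured for that Client."""
    _, _, authenticator, attrs = parse_packet(raw)
    plain = reveal_password(attrs[USER_PASSWORD][0], authenticator, secret)
    return plain, is_printable(plain)


if __name__ == "__main__":
    code, ident, ra, attrs = parse_packet(PAGE_PACKET)
    print("code", code, "id", ident, "user", attrs[USER_NAME][0],
          "nas-port", int.from_bytes(attrs[NAS_PORT][0], "big"))
    # Constructed values: neither the password nor the secrets come from the page.
    pw, nas_secret, link_secret = b"constructed-password-1", b"nas-to-proxy", b"proxy-to-radiator"
    on_wire = proxy_relay(hide_password(pw, ra, nas_secret), ra, nas_secret, link_secret)
    for configured in (link_secret, b"mysecret"):
        plain = reveal_password(on_wire, ra, configured)
        print(configured, "->", plain, "printable" if is_printable(plain) else "garbled")
```

Only the hop whose secret disagrees produces the garbled value, which is why a local radpwtst test can succeed while requests arriving through the proxy are rejected.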
Re: (RADIATOR) Authentication Disabled
Hello Jack -

Please send me a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Tue, 11 Jun 2002 00:57, Jaskaran Singh wrote:
> Hi All
> I started my radiator server, and it rejects all users saying
> "Authentication Disabled"
> Any ideas?
>
> Jaskaran Singh
> University Systems & Security
> Fairleigh Dickinson University
> Teaneck, NJ 07666
(RADIATOR) Authentication Disabled
Hi All

I started my radiator server, and it rejects all users saying “Authentication Disabled”

Any ideas?

Jaskaran Singh
University Systems & Security
Fairleigh Dickinson University
Teaneck, NJ 07666
(RADIATOR) RADIATOR authentication
Hi all,

Below is the content of my radius.cfg but the Radiator is not authenticating the clients; rather, the authentication is being done by the Cisco Access server.

Secret ...## Secret mysecret# DupInterval 0# Filename %D/users
# Log accounting to a detail file
AcctLogFileName %L/detail
MaximumSessions 1
AuthPort 1645
AcctPort 1646

Is the configuration enough to make the Radiator authenticate clients or do I still need to modify it? And if I need to modify it, what do I do pls?

Below is the configuration on the NAS (Cisco AS5300):

aaa new-model
aaa authentication login default local
aaa authentication ppp ppp-radius if-needed radius local
aaa authorization network default radius local
aaa accounting network default start-stop radius
radius-server host (IP Address) auth-port 1645 acct-port 1646
radius-server key ...

(2) The time in the logfile does not correspond to the time on the Radius server and the NAS, what could be responsible for this pls? Although, the date is correct.

Any help will be highly appreciated.

Regards,
Akin.
Re: (RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP 2.0.28
Hello Mike, Hello Stephen - Mike is correct, a NoDefault usually fixes this problem, which is due to the LDAP server incorrectly returning a result for DEFAULT if it is not found. Radiator by default will always look for "DEFAULT" entries in the user database, but this can be altered with the "NoDefault" tag. regards Hugh On Tue, 19 Feb 2002 04:36, Forbes Mike wrote: > I ran into this problem also, you need to add the line NoDefault > to your LDAP Authby. See 6.17.12 in the manual. I am not quite sure why > I did this now, but it seems to work. If it does not find the user it > then tries the DEFAULT user. > > Mike Forbes > > On Mon, 18 Feb 2002, Stephen Davies wrote: > > Hi, > > > > I am trying to set radiator to authenticate against and OpenLDAP database > > version 2.0.28 > > > > Openldap is working fine with everything else, including my telnet and > > webmail (written in perl) access. > > > > When I try to run radpwtst I get the error in the logfile as: > > > > *** Received from 127.0.0.1 port 46475 > > Code: Access-Request > > Identifier: 118 > > Authentic: 1234567890123456 > > Attributes: > > User-Name = "stephen" > > Service-Type = Framed-User > > NAS-IP-Address = 203.63.154.1 > > NAS-Port = 1234 > > Called-Station-Id = "123456789" > > Calling-Station-Id = "987654321" > > NAS-Port-Type = Async > > User-Password = > > "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>" > > > > Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler > > 'Realm=DEFAULT' Mon Feb 18 16:49:13 2002: DEBUG: Deleting session for > > stephen, 203.63.154.1, 12 34 > > Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2: > > Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, > > port 389 Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with > > cn=X,dc=brightonline ,dc=com,dc=au, XXX (server > > ldap.brightonline.com.au:389) > > Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, > > ou=Brighteam, dc=brightonline, dc=com, dc=au > 
> Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: > > {CRYPT}s4LYe7mPaoXHA Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 > > looks for match with stephen Mon Feb 18 16:49:13 2002: DEBUG: > > Radius::AuthLDAP2 REJECT: Bad Password Mon Feb 18 16:49:13 2002: INFO: > > Connecting to ldap.brightonline.com.au, port 389 Mon Feb 18 16:49:13 > > 2002: INFO: Attempting to bind with cn=admin,dc=brightonline > > ,dc=com,dc=au, witchhunt (server ldap.brightonline.com.au:389) > > Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP > > database Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad > > Password Mon Feb 18 16:49:13 2002: DEBUG: Packet dump: > > *** Sending to 127.0.0.1 port 46475 > > Code: Access-Reject > > Identifier: 118 > > Authentic: 1234567890123456 > > Attributes: > > Reply-Message = "Request Denied" > > > > > > LDAP portion of radius.cfg file reads as: > > > > > >ServerChecksPassword > > > >Hostldap.brightonline.com.au > >Port389 > >AuthDN cn=X, dc=brightonline,dc=com,dc=au > >AuthPasswordXXX > >BaseDN dc=brightonline,dc=com,dc=au > >UsernameAttruid > >PasswordAttruserPassword > > > > > > > > I have also tried SeverChecksPassword off, and EncryptedPasswordAttr > > instead of PasswordAttr > > > > Some suggestions on the list have been setting the -secret. This has been > > done. > > > > > > My environment is: > > perl 5.6.1 > > perl-ldap 0.25 > > radiator 2.19 > > openldap 2.0.28 > > > > Regards > > > > Stephen > > === > Archive at http://www.open.com.au/archives/radiator/ > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. 
Re: (RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP2.0.28
I ran into this problem also, you need to add the line NoDefault to your LDAP Authby. See 6.17.12 in the manual. I am not quite sure why I did this now, but it seems to work. If it does not find the user it then tries the DEFAULT user. Mike Forbes On Mon, 18 Feb 2002, Stephen Davies wrote: > Hi, > > I am trying to set radiator to authenticate against and OpenLDAP database version >2.0.28 > > Openldap is working fine with everything else, including my telnet and webmail >(written in perl) access. > > When I try to run radpwtst I get the error in the logfile as: > > *** Received from 127.0.0.1 port 46475 > Code: Access-Request > Identifier: 118 > Authentic: 1234567890123456 > Attributes: > User-Name = "stephen" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > Called-Station-Id = "123456789" > Calling-Station-Id = "987654321" > NAS-Port-Type = Async > User-Password = "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>" > > Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' > Mon Feb 18 16:49:13 2002: DEBUG: Deleting session for stephen, 203.63.154.1, 12 > 34 > Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2: > Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389 > Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=X,dc=brightonline > ,dc=com,dc=au, XXX (server ldap.brightonline.com.au:389) > Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, ou=Brighteam, > dc=brightonline, dc=com, dc=au > Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: {CRYPT}s4LYe7mPaoXHA > Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 looks for match with stephen > Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password > Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389 > Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=admin,dc=brightonline > ,dc=com,dc=au, witchhunt (server 
ldap.brightonline.com.au:389) > Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP database > Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad Password > Mon Feb 18 16:49:13 2002: DEBUG: Packet dump: > *** Sending to 127.0.0.1 port 46475 > Code: Access-Reject > Identifier: 118 > Authentic: 1234567890123456 > Attributes: > Reply-Message = "Request Denied" > > > LDAP portion of radius.cfg file reads as: > > >ServerChecksPassword > >Hostldap.brightonline.com.au >Port389 >AuthDN cn=X, dc=brightonline,dc=com,dc=au >AuthPasswordXXX >BaseDN dc=brightonline,dc=com,dc=au >UsernameAttruid >PasswordAttruserPassword > > > > I have also tried SeverChecksPassword off, and EncryptedPasswordAttr instead of >PasswordAttr > > Some suggestions on the list have been setting the -secret. This has been done. > > > My environment is: > perl 5.6.1 > perl-ldap 0.25 > radiator 2.19 > openldap 2.0.28 > > Regards > > Stephen > === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP 2.0.28
Hi,

I am trying to set radiator to authenticate against an OpenLDAP database version 2.0.28

Openldap is working fine with everything else, including my telnet and webmail (written in perl) access.

When I try to run radpwtst I get the error in the logfile as:

*** Received from 127.0.0.1 port 46475
Code: Access-Request
Identifier: 118
Authentic: 1234567890123456
Attributes:
    User-Name = "stephen"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>"

Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Feb 18 16:49:13 2002: DEBUG: Deleting session for stephen, 203.63.154.1, 1234
Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2:
Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=X,dc=brightonline,dc=com,dc=au, XXX (server ldap.brightonline.com.au:389)
Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, ou=Brighteam,dc=brightonline, dc=com, dc=au
Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: {CRYPT}s4LYe7mPaoXHA
Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 looks for match with stephen
Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=admin,dc=brightonline,dc=com,dc=au, witchhunt (server ldap.brightonline.com.au:389)
Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP database
Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad Password
Mon Feb 18 16:49:13 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 46475
Code: Access-Reject
Identifier: 118
Authentic: 1234567890123456
Attributes:
    Reply-Message = "Request Denied"

LDAP portion of radius.cfg file reads as:

    ServerChecksPassword

    Host ldap.brightonline.com.au
    Port 389
    AuthDN cn=X, dc=brightonline,dc=com,dc=au
    AuthPassword XXX
    BaseDN dc=brightonline,dc=com,dc=au
    UsernameAttr uid
    PasswordAttr userPassword

I have also tried ServerChecksPassword off, and EncryptedPasswordAttr instead of PasswordAttr

Some suggestions on the list have been setting the -secret. This has been done.

My environment is:
perl 5.6.1
perl-ldap 0.25
radiator 2.19
openldap 2.0.28

Regards

Stephen
Re: (RADIATOR) authentication based on the hour of the day
Hello Eapen - I think you will have to do this in a hook (probably a PostAuthHook). There are some example hooks in the file "goodies/hooks.txt". regards Hugh On Mon, 4 Feb 2002 16:43, Eapen Joseph wrote: > Dear Hugh, > As you said, the time option should work. But the restriction should be > in such a way, so that the session time returned by the time function > should not override the balance time, which is returned as the session > time to the access-server in the normal fashion. > i.e the balancetime or the restriction in time, which ever expires > first should be imposed. > > regards > eapen > > - Original Message - > From: Hugh Irvine <[EMAIL PROTECTED]> > Date: Monday, February 4, 2002 6:59 am > Subject: Re: (RADIATOR) authentication based on the hour of the day > > > Hello Eapen - > > > > You would use the Time = "" check item. > > > > Have a look at section 13.1.13 in the Radiator 2.19 reference manual. > > > > regards > > > > Hugh > > > > On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote: > > > hi, > > > How do i restrict users to authenticate from say 4:00 am till > > > > 2:00 pm > > > > > only? > > > At present we are doing this with a select statement in the > > > AuthSelect section. > > > Is there a way other than this > > > > > > regards > > > eapen > > > > > > === > > > Archive at http://www.open.com.a > > > Announcements on [EMAIL PROTECTED] > > > To unsubscribe, email '[EMAIL PROTECTED]' with > > > 'unsubscribe radiator' in the body of the message. > > > > -- > > Radiator: the most portable, flexible and configurable RADIUS server > > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. > > - > > Nets: internetwork inventory and management - graphical, extensible, > > flexible with hardware, software, platform and database independence. > > === > > Archive at http://www.open.com.a > > Announcements on [EMAIL PROTECTED] > > To unsubscribe, email '[EMAIL PROTECTED]' with > > 'unsubscribe radiator' in the body of the message. 
Re: (RADIATOR) authentication based on the hour of the day
Dear Hugh, As you said, the time option should work. But the restriction should be in such a way, so that the session time returned by the time function should not override the balance time, which is returned as the session time to the access-server in the normal fashion. i.e the balancetime or the restriction in time, which ever expires first should be imposed. regards eapen - Original Message - From: Hugh Irvine <[EMAIL PROTECTED]> Date: Monday, February 4, 2002 6:59 am Subject: Re: (RADIATOR) authentication based on the hour of the day > > Hello Eapen - > > You would use the Time = "" check item. > > Have a look at section 13.1.13 in the Radiator 2.19 reference manual. > > regards > > Hugh > > > On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote: > > hi, > > How do i restrict users to authenticate from say 4:00 am till > 2:00 pm > > only? > > At present we are doing this with a select statement in the > > AuthSelect section. > > Is there a way other than this > > > > regards > > eapen > > > > === > > Archive at http://www.open.com.a > > Announcements on [EMAIL PROTECTED] > > To unsubscribe, email '[EMAIL PROTECTED]' with > > 'unsubscribe radiator' in the body of the message. > > -- > Radiator: the most portable, flexible and configurable RADIUS server > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. > - > Nets: internetwork inventory and management - graphical, extensible, > flexible with hardware, software, platform and database independence. > === > Archive at http://www.open.com.a > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. > === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) authentication based on the hour of the day
Hello Eapen -

You would use the Time = "" check item.

Have a look at section 13.1.13 in the Radiator 2.19 reference manual.

regards

Hugh

On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote:
> hi,
> How do I restrict users to authenticate from say 4:00 am till 2:00 pm
> only?
> At present we are doing this with a select statement in the
> AuthSelect section.
> Is there a way other than this
>
> regards
> eapen
(RADIATOR) authentication based on the hour of the day
hi,

How do I restrict users to authenticate from say 4:00 am till 2:00 pm only?
At present we are doing this with a select statement in the AuthSelect section.
Is there a way other than this

regards
eapen
Re: (RADIATOR) Authentication Problems
Hello Eric - It looks to me like the shared secrets are not correct. radpwtst uses the shared secret "mysecret" by default, so in your case you should use "radpwtst -secret dogcat .". regards Hugh On Tue, 8 Jan 2002 03:34, Eric Johnson wrote: > I am having problems authenticating with Radiator. I am running NT 4 with > MySQL as the database. My config script is set to first check the NT user > database and then the SQL database. When I use radpwtst I get a bad > authenticator reply and then 2 no reply's which I assume are because the > first request failed. I am using the default user to test. Included is > the trace file (first) and my config file (second). Thanks for your help. > > Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: > *** Received from 127.0.0.1 port 3577 > Code: Access-Request > Identifier: 4 > Authentic: 1234567890123456 > Attributes: > User-Name = "mikem" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > Called-Station-Id = "123456789" > Calling-Station-Id = "987654321" > NAS-Port-Type = Async > User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>" > > Mon Jan 7 10:07:34 2002: DEBUG: Handling request with Handler > 'Realm=DEFAULT' Mon Jan 7 10:07:34 2002: DEBUG: Deleting session for > mikem, 203.63.154.1, 1234 Mon Jan 7 10:07:34 2002: DEBUG: Handling with NT > Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL > Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL > Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS > where USERNAME='mikem' > > Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL looks for match with mikem > Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password > Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS > where USERNAME='DEFAULT' > > Mon Jan 7 10:07:34 2002: INFO: Access rejected for mikem: Bad Password > Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: > *** Sending to 127.0.0.1 port 3577 
> Code: Access-Reject > Identifier: 4 > Authentic: 1234567890123456 > Attributes: > Reply-Message = "Request Denied" > > Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: > *** Received from 127.0.0.1 port 3577 > Code: Accounting-Request > Identifier: 5 > Authentic: <141><245>j6<145><242><213>\;<218>x^^=<22>) > Attributes: > User-Name = "mikem" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > NAS-Port-Type = Async > Acct-Session-Id = "1234" > Acct-Status-Type = Start > Called-Station-Id = "123456789" > Calling-Station-Id = "987654321" > > Mon Jan 7 10:07:34 2002: WARNING: Bad authenticator in request from > 127.0.0.1 (203.63.154.1) Mon Jan 7 10:07:39 2002: DEBUG: Packet dump: > *** Received from 127.0.0.1 port 3577 > Code: Accounting-Request > Identifier: 6 > Authentic: d6B<159><200>u<138><152>FI<216><154><190>S<230>G > Attributes: > User-Name = "mikem" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > NAS-Port-Type = Async > Acct-Session-Id = "1234" > Acct-Status-Type = Stop > Called-Station-Id = "123456789" > Calling-Station-Id = "987654321" > Acct-Delay-Time = 0 > Acct-Session-Time = 1000 > Acct-Input-Octets = 2 > Acct-Output-Octets = 3 > > Mon Jan 7 10:07:39 2002: WARNING: Bad authenticator in request from > 127.0.0.1 (203.63.154.1) > > Foreground > LogStdout > LogDir /Radiator/log > #Dictionary File is in current dir > DictionaryFile ./dictionary > Trace 4 > > >Secret dogcat > DupInterval 0 > > > > Identifier CheckSQL > > DBSourcedbi:mysql:ISP > DBUsername admin > DBAuth lifter > AccountingTable ACCOUNTING > AcctColumnDef USERNAME,User-Name > AcctColumnDef TIME_STAMP,Timestamp,integer > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer > AcctColumnDef ACCTSESSIONID,Acct-Session-Id > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer 
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause > AcctColumnDef NASIDENTIFIER,NAS-Identifier > AcctColumnDef NASPORT,NAS-Port,integer > > > > > > > Identifier CheckNT > > # You must set the domain name here to suit your site > Domain ETHERNET1 > > # ON NT, optionally specify the name of the > # Primary Domain Controller, including the leading > # \\ slashes, to override the default domain
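What the shared-secret mismatch diagnosed in the reply above looks like at the protocol level, as an added example that is not part of the original thread and is not Radiator or radpwtst code. It applies RFC 2865 User-Password hiding and the RFC 2866 Accounting-Request authenticator with the client secret `mysecret` and checks them with the server secret `dogcat`; the password and all function names are constructed for illustration. An Access-Request authenticator is not keyed, so the server can only decode a garbage password and report "Bad Password", while the keyed accounting authenticator fails outright with "Bad authenticator".

```python
import hashlib
import hmac
import struct

# Values from the thread: radpwtst's default secret, the secret configured on
# the server, and the fixed authenticator shown in the packet dumps.
CLIENT_SECRET = b"mysecret"
SERVER_SECRET = b"dogcat"
REQUEST_AUTH = b"1234567890123456"
ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request


def _keystream(secret: bytes, prev: bytes) -> bytes:
    """One 16-byte mask: MD5(shared secret + previous block)."""
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR with the mask chain."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _keystream(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block  # the next mask is chained on the previous ciphertext block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server computes; there is no integrity check on the result."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 bytes, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2866: authenticator = MD5(code+id+length + 16 zero bytes + attrs + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Server-side check that produces 'Bad authenticator' when it fails."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate_mismatch(password: bytes = b"constructed-pw") -> dict:
    """Client uses CLIENT_SECRET, server uses SERVER_SECRET (constructed packets)."""
    hidden = hide_password(password, CLIENT_SECRET, REQUEST_AUTH)
    attrs = (
        attribute(1, b"mikem")                  # User-Name
        + attribute(40, struct.pack("!I", 1))   # Acct-Status-Type = Start
        + attribute(44, b"1234")                # Acct-Session-Id
    )
    acct = build_accounting_request(5, attrs, CLIENT_SECRET)
    return {
        "password_seen_by_server": recover_password(hidden, SERVER_SECRET, REQUEST_AUTH),
        "password_with_matching_secret": recover_password(hidden, CLIENT_SECRET, REQUEST_AUTH),
        "accounting_ok_on_server": accounting_authenticator_ok(acct, SERVER_SECRET),
        "accounting_ok_with_matching_secret": accounting_authenticator_ok(acct, CLIENT_SECRET),
    }


if __name__ == "__main__":
    for name, value in simulate_mismatch().items():
        print(f"{name}: {value!r}")
```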
(RADIATOR) Authentication Problems
I am having problems authenticating with Radiator. I am running NT 4 with MySQL as the database. My config script is set to first check the NT user database and then the SQL database. When I use radpwtst I get a bad authenticator reply and then 2 no reply's which I assume are because the first request failed. I am using the default user to test. Included is the trace file (first) and my config file (second). Thanks for your help. Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 3577 Code: Access-Request Identifier: 4 Authentic: 1234567890123456 Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 Called-Station-Id = "123456789" Calling-Station-Id = "987654321" NAS-Port-Type = Async User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>" Mon Jan 7 10:07:34 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT' Mon Jan 7 10:07:34 2002: DEBUG: Deleting session for mikem, 203.63.154.1, 1234 Mon Jan 7 10:07:34 2002: DEBUG: Handling with NT Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL Mon Jan 7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='mikem' Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL looks for match with mikem Mon Jan 7 10:07:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password Mon Jan 7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT' Mon Jan 7 10:07:34 2002: INFO: Access rejected for mikem: Bad Password Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 3577 Code: Access-Reject Identifier: 4 Authentic: 1234567890123456 Attributes: Reply-Message = "Request Denied" Mon Jan 7 10:07:34 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 3577 Code: Accounting-Request Identifier: 5 Authentic: <141><245>j6<145><242><213>\;<218>x^^=<22>) Attributes: User-Name = "mikem" 
Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "1234" Acct-Status-Type = Start Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Mon Jan 7 10:07:34 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1) Mon Jan 7 10:07:39 2002: DEBUG: Packet dump: *** Received from 127.0.0.1 port 3577 Code: Accounting-Request Identifier: 6 Authentic: d6B<159><200>u<138><152>FI<216><154><190>S<230>G Attributes: User-Name = "mikem" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "1234" Acct-Status-Type = Stop Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0 Acct-Session-Time = 1000 Acct-Input-Octets = 2 Acct-Output-Octets = 3 Mon Jan 7 10:07:39 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1) Foreground LogStdout LogDir /Radiator/log #Dictionary File is in current dir DictionaryFile ./dictionary Trace 4 Secret dogcat DupInterval 0 Identifier CheckSQL DBSourcedbi:mysql:ISP DBUsername admin DBAuth lifter AccountingTable ACCOUNTING AcctColumnDef USERNAME,User-Name AcctColumnDef TIME_STAMP,Timestamp,integer AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause AcctColumnDef NASIDENTIFIER,NAS-Identifier AcctColumnDef NASPORT,NAS-Port,integer Identifier CheckNT # You must set the domain name here to suit your site Domain ETHERNET1 # ON NT, optionally specify the name of the # Primary Domain Controller, including the leading # \\ slashes, to override the default domain controller # for the domain you specified above DomainController \\FEZZIK # On Unix, you MUST 
specify the Domain Controller # name as the NT host name of the domain controller # its not optional. This needs to be set to the NT # name of the Primary Domain Controller, and further
Re: (RADIATOR) Authentication...
Hello GwangHee -

The standard behaviour for Radiator is to look for the exact username, then DEFAULT, DEFAULT1, DEFAULT2, etc.

You can change this by adding NoDefault (or NoDefaultIfFound) to your AuthBy clause.

    ..
    NoDefault
    .

Have a look at section 6.16.11 and 6.16.12 in the Radiator 2.19 reference manual ("doc/ref.html").

regards

Hugh

On Sat, 15 Dec 2001 08:11, GwangHee Yi wrote:
> Dear Hugh,
>
> I try to authenticate call number 17607614701,
> If user is not in DB, Radiator tries to authenticate username='DEFAULT'
> Why?
>
> Below is configuration and debug
>
> Thanks,
>
> Configuration..
> ++
>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:radius
> DBUsername *
> DBAuth ***
>
> # Auth Statements
>
> AuthSelect SELECT password,replyattr FROM subscribers WHERE
> username = '%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, reply
>
> Debug...
> ++
> Bla Bla...
>
> Fri Dec 14 14:01:06 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Dec 14 14:01:06 2001: DEBUG: Deleting session for 17607614701, *.*.*.*,
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM
> subscribers WHERE username = '17607614701'
> Fri Dec 14 14:01:06 2001: DEBUG: Radius::AuthSQL looks for match with
> 17607614701
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM
> subscribers WHERE username = 'DEFAULT'
(RADIATOR) Authentication...
Dear Hugh,

I try to authenticate call number 17607614701,
If user is not in DB, Radiator tries to authenticate username='DEFAULT'
Why?

Below is configuration and debug

Thanks,

Configuration..
++

# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource dbi:mysql:radius
DBUsername *
DBAuth ***

# Auth Statements

AuthSelect SELECT password,replyattr FROM subscribers WHERE username = '%n'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply

Debug...
++
Bla Bla...

Fri Dec 14 14:01:06 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Dec 14 14:01:06 2001: DEBUG: Deleting session for 17607614701, *.*.*.*,
Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = '17607614701'
Fri Dec 14 14:01:06 2001: DEBUG: Radius::AuthSQL looks for match with 17607614701
Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = 'DEFAULT'
RE: (RADIATOR) Authentication Question..
Remember that the Authentication requests can be sent to a different place than the Accounting requests, via separate lines in your Cisco config file. Perhaps the AUTH line is not correct... Dave > -Original Message- > From: GwangHee Yi [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, December 12, 2001 1:37 PM > To: [EMAIL PROTECTED] > Subject: (RADIATOR) Authentication Question.. > > > Dear All, > > I am using Cisco2600 Gatekeeper. > > I want to authenticate with Radiator. > I got exact accouting attributes. It's working very well. > But Cisco Router do not send me an Access-Request. > Therefore, I can not authenticate with my MySql DB. > > Is this Cisco Configuration problem or Radiator Configuration > problem.. > > Below is configuration and Debug... > > Thanks, > > Configuration. > == > Trace 4 > Foreground > LogStdout > LogDir . > DbDir . > > > AuthPort1712 > AcctPort1713 > > > # Adjust DBSource, DBUsername, DBAuth to suit your DB > DBSourcedbi:mysql: > DBUsername > DBAuth * > > # Auth Statements > > AuthSelect SELECT password,replyattr FROM subscribers > WHERE username = '%n' > AuthColumnDef 0, User-Password, check > AuthColumnDef 1, GENERIC, reply > > # You may want to tailor these for your ACCOUNTING table > AccountingTable ACCOUNTING > AcctColumnDef USERNAME,User-Name > AcctColumnDef TIME_STAMP,Timestamp,integer > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer > AcctColumnDef ACCTSESSIONID,Acct-Session-Id > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,inter > > AcctLogFileName /var/radius/radius.log > > > Debug > = > Code: Accounting-Request > Identifier: 76 > Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> > Attributes: > NAS-IP-Address = * > NAS-Port-Type = Async > User-Name = "***" > Called-Station-Id = "***" > Calling-Station-Id = "***" > Acct-Status-Type = Stop > 
Service-Type = Login-User > Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//" > Acct-Input-Octets = 0 > Acct-Output-Octets = 0 > Acct-Input-Packets = 0 > Acct-Output-Packets = 0 > Acct-Session-Time = 11 > cisco-avpair = "pre-bytes-in=0" > cisco-avpair = "pre-bytes-out=0" > cisco-avpair = "pre-paks-in=0" > cisco-avpair = "pre-paks-out=0" > cisco-avpair = "nas-rx-speed=0" > cisco-avpair = "nas-tx-speed=0" > Acct-Delay-Time = 0 > > Tue Dec 11 17:04:58 2001: DEBUG: Handling request with > Handler 'Realm=DEFAULT' Tue Dec 11 17:04:58 2001: DEBUG: > Deleting session for **, *, Tue Dec 11 17:04:58 > 2001: DEBUG: Handling with Radius::AuthSQL Tue Dec 11 > 17:04:58 2001: DEBUG: Handling accounting with > Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: do query is: > insert into ACCOUNTING > (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, > ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, > ACCTSESSIONID, ACCTSESSIONTIME) > values > ('**', 1008119098, 'Stop', 0, 0, 0, > '56///0 B8E9C61F 4050007 EA25B92//', 11) > > Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted > Tue Dec 11 17:04:58 2001: DEBUG: Packet dump: > *** Sending to *** port 1646 > Code: Accounting-Response > Identifier: 76 > Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> > Attributes: > > === > Archive at http://www.open.com.au/archives/radiator/ > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. > === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authentication Question..
Hello GwangHee - Thanks for sending the files. If the Cisco is not sending an Access-Request you will have to check with Cisco what you need to configure. The trace file only shows an accounting request that is being processed correctly, so if you are not seeing any access requests I would have to conclude that the Cisco is not sending them. regards Hugh On Thu, 13 Dec 2001 05:37, GwangHee Yi wrote: > Dear All, > > I am using Cisco2600 Gatekeeper. > > I want to authenticate with Radiator. > I got exact accouting attributes. It's working very well. > But Cisco Router do not send me an Access-Request. > Therefore, I can not authenticate with my MySql DB. > > Is this Cisco Configuration problem or Radiator Configuration problem.. > > Below is configuration and Debug... > > Thanks, > > Configuration. > == > Trace 4 > Foreground > LogStdout > LogDir . > DbDir . > > > AuthPort1712 > AcctPort1713 > > > # Adjust DBSource, DBUsername, DBAuth to suit your DB > DBSourcedbi:mysql: > DBUsername > DBAuth * > > # Auth Statements > > AuthSelect SELECT password,replyattr FROM subscribers WHERE > username = '%n' > AuthColumnDef 0, User-Password, check > AuthColumnDef 1, GENERIC, reply > > # You may want to tailor these for your ACCOUNTING table > AccountingTable ACCOUNTING > AcctColumnDef USERNAME,User-Name > AcctColumnDef TIME_STAMP,Timestamp,integer > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer > AcctColumnDef ACCTSESSIONID,Acct-Session-Id > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,inter > > AcctLogFileName /var/radius/radius.log > > > Debug > = > Code: Accounting-Request > Identifier: 76 > Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> > Attributes: > NAS-IP-Address = * > NAS-Port-Type = Async > User-Name = "***" > Called-Station-Id = "***" > Calling-Station-Id = "***" > 
Acct-Status-Type = Stop > Service-Type = Login-User > Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//" > Acct-Input-Octets = 0 > Acct-Output-Octets = 0 > Acct-Input-Packets = 0 > Acct-Output-Packets = 0 > Acct-Session-Time = 11 > cisco-avpair = "pre-bytes-in=0" > cisco-avpair = "pre-bytes-out=0" > cisco-avpair = "pre-paks-in=0" > cisco-avpair = "pre-paks-out=0" > cisco-avpair = "nas-rx-speed=0" > cisco-avpair = "nas-tx-speed=0" > Acct-Delay-Time = 0 > > Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler > 'Realm=DEFAULT' > Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *, > Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL > Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL > Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING > (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, > ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME) > values > ('**', 1008119098, 'Stop', 0, 0, 0, '56///0 > B8E9C61F 4050007 EA25B92//', 11) > > Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted > Tue Dec 11 17:04:58 2001: DEBUG: Packet dump: > *** Sending to *** port 1646 > Code: Accounting-Response > Identifier: 76 > Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> > Attributes: > > === > Archive at http://www.open.com.au/archives/radiator/ > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Authentication Question..
-- Forwarded Message -- Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from ["GwangHee Yi" <[EMAIL PROTECTED]>] Date: Tue, 11 Dec 2001 16:51:45 -0600 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] From: "GwangHee Yi" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Authentication Question.. Date: Tue, 11 Dec 2001 16:24:22 -0800 Dear All, I am using Cisco2600 Gatekeeper. I want to authenticate with Radiator. I got exact accounting attributes. It's working very well. But Cisco Router do not send me an Access-Request. Therefore, I can not authenticate with my MySql DB. Is this Cisco Configuration problem or Radiator Configuration problem.. Below is configuration and Debug... Thanks, Configuration. == Trace 4 Foreground LogStdout LogDir . DbDir . 
AuthPort1712 AcctPort1713 # Adjust DBSource, DBUsername, DBAuth to suit your DB DBSourcedbi:mysql: DBUsername DBAuth * # Auth Statements AuthSelect SELECT password,replyattr FROM subscribers WHERE username = '%n' AuthColumnDef 0, User-Password, check AuthColumnDef 1, GENERIC, reply # You may want to tailor these for your ACCOUNTING table AccountingTable ACCOUNTING AcctColumnDef USERNAME,User-Name AcctColumnDef TIME_STAMP,Timestamp,integer AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,inter AcctLogFileName /var/radius/radius.log Debug = Code: Accounting-Request Identifier: 76 Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> Attributes: NAS-IP-Address = 216.217.147.58 NAS-Port-Type = Async User-Name = "***" Called-Station-Id = "***" Calling-Station-Id = "***" Acct-Status-Type = Stop Service-Type = Login-User Acct-Session-Id = "56//SDGK1/0 B8E9C61F 4050007 EA25B92//" Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Acct-Session-Time = 11 cisco-avpair = "pre-bytes-in=0" cisco-avpair = "pre-bytes-out=0" cisco-avpair = "pre-paks-in=0" cisco-avpair = "pre-paks-out=0" cisco-avpair = "nas-rx-speed=0" cisco-avpair = "nas-tx-speed=0" Acct-Delay-Time = 0 Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *, Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME) values ('**', 1008119098, 'Stop', 0, 0, 0, 
'56//SDGK1/0 B8E9C61F 4050007 EA25B92//', 11) Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted Tue Dec 11 17:04:58 2001: DEBUG: Packet dump: *** Sending to *** port 1646 Code: Accounting-Response Identifier: 76 Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> Attributes: --- -- I am travelling at the moment, and there may be delays in our correspondence. Mike McCauley, Open System Consultants, [EMAIL PROTECTED], www.open.com.au === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Authentication Question..
Dear All, I am using Cisco2600 Gatekeeper. I want to authenticate with Radiator. I got exact accouting attributes. It's working very well. But Cisco Router do not send me an Access-Request. Therefore, I can not authenticate with my MySql DB. Is this Cisco Configuration problem or Radiator Configuration problem.. Below is configuration and Debug... Thanks, Configuration. == Trace 4 Foreground LogStdout LogDir . DbDir . AuthPort1712 AcctPort1713 # Adjust DBSource, DBUsername, DBAuth to suit your DB DBSourcedbi:mysql: DBUsername DBAuth * # Auth Statements AuthSelect SELECT password,replyattr FROM subscribers WHERE username = '%n' AuthColumnDef 0, User-Password, check AuthColumnDef 1, GENERIC, reply # You may want to tailor these for your ACCOUNTING table AccountingTable ACCOUNTING AcctColumnDef USERNAME,User-Name AcctColumnDef TIME_STAMP,Timestamp,integer AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,inter AcctLogFileName /var/radius/radius.log Debug = Code: Accounting-Request Identifier: 76 Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> Attributes: NAS-IP-Address = * NAS-Port-Type = Async User-Name = "***" Called-Station-Id = "***" Calling-Station-Id = "***" Acct-Status-Type = Stop Service-Type = Login-User Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//" Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Acct-Session-Time = 11 cisco-avpair = "pre-bytes-in=0" cisco-avpair = "pre-bytes-out=0" cisco-avpair = "pre-paks-in=0" cisco-avpair = "pre-paks-out=0" cisco-avpair = "nas-rx-speed=0" cisco-avpair = "nas-tx-speed=0" Acct-Delay-Time = 0 Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 11 17:04:58 2001: DEBUG: 
Deleting session for **, *, Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME) values ('**', 1008119098, 'Stop', 0, 0, 0, '56///0 B8E9C61F 4050007 EA25B92//', 11) Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted Tue Dec 11 17:04:58 2001: DEBUG: Packet dump: *** Sending to *** port 1646 Code: Accounting-Response Identifier: 76 Authentic: 0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4> Attributes: === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authentication through DNIS.
Hello Wasim - The trace 4 below (thanks for sending it) shows that your NAS is sending the number "7159" as the value for the Called-Station-Id (note the spelling). You can check for this in a users file as follows: cool Password = ., Called-Station-Id = 7159, Simultaneous-Use = 4 Service-Type = Framed-User, Framed-Protocol = PPP Note that Called-Station-Id is the number that the user has dialled. If you want to check the number the user is dialling from you would do this: cool Password = ., Calling-Station-Id = 13155131, Simultaneous-Use = 4 Service-Type = Framed-User, Framed-Protocol = PPP All check items must appear on the first line of a user definition and the reply items on the second and following lines with white space at the beginning and a comma at the end of every reply line except the last. Have a look at section 13 of the Radiator 2.19 reference manual. regards Hugh On Sat, 8 Dec 2001 20:22, Wasim Ahmed Khan wrote: > Hi All, > > I want to authenticate few of our users defined in radiator's user file > on basis of DNIS. How can we do that through radiator. As first i try > to pass Called-Station-ID attribute in users file but strangely it is > not authenticating. Here is sumthing detail shows: > It is picking "7159" as called-station-Id. > > Is there any other way to authenticate specific user on the basis on > DNIS or otherwise where i m wrong in this whole scenario. > > Wed Dec 8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on > netops-2 > Wed Dec 8 12:31:40 1999: DEBUG: Packet dump: > *** Received from 202.63.217.245 port 1645 > Code: Access-Request > Identifier: 226 > Authentic: > <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$ > Attributes: > NAS-IP-Address = 202.63.217.245 > NAS-Port = 62 > Cisco-NAS-Port = "Async62" > NAS-Port-Type = Async > User-Name = "cool" > Called-Station-Id = "7159" > Calling-Station-Id = "215219321" > User-Password = "<240>Q<142><218><240>K<177>T? 
> 1@<15><215>z<250><224>" > Service-Type = Framed-User > Framed-Protocol = PPP > > Wed Dec 8 12:31:40 1999: DEBUG: Handling request with > Handler 'Realm=DEFAULT' > Wed Dec 8 12:31:40 1999: DEBUG: Deleting session for cool, > 202.63.217.245, 62 > Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD > Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD > Wed Dec 8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day, > ma.extension+ma.overdue, maExpireDate), > DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, > sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit > from masteraccounts ma, subaccounts sa > where (sa.login = 'cool' or sa.shell = 'cool') > and ma.customerid = sa.customerid > and sa.active <> 0 and ma.active <> 0 > > Wed Dec 8 12:31:41 1999: DEBUG: Query is: insert into badattempt > (date,userid,password,cli) values ('12/8/1999 > 12:31:40','cool','ðQÚðK±T?1@×zúà','215219321') > > Wed Dec 8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match > with cool > Wed Dec 8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day, > ma.extension+ma.overdue, maExpireDate), > DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, > sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit > from masteraccounts ma, subaccounts sa > where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT') > and ma.customerid = sa.customerid > and sa.active <> 0 and ma.active <> 0 > > Wed Dec 8 12:31:42 1999: DEBUG: Query is: insert into badattempt > (date,userid,password,cli) values ('12/8/1999 > 12:31:41','cool','ðQÚðK±T?1@×zúà','215219321') > > Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE > Wed Dec 8 12:31:42 1999: DEBUG: Reading users file ./users > Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with > cool > Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT: > Wed Dec 8 12:31:42 1999: DEBUG: Access accepted for cool > Wed Dec 8 12:31:42 1999: WARNING: No such attribute 
Simultaneous-Use > Wed Dec 8 12:31:42 1999: DEBUG: Packet dump: > *** Sending to 202.63.217.245 port 1645 > Code: Access-Accept > Identifier: 226 > Authentic: > <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$ > Attributes: > Service-Type = Framed-User > Framed-Protocol = PPP > Simultaneous-Use = 4 > Called-Station-Id = "13155131" > > Wed Dec 8 12:31:42 1999: DEBUG: Packet dump: > *** Received from 202.63.217.245 port 1646 > Code: Accounting-Request > Identifier: 227 > Authentic: <139><232>b;:g<212>J<226><199><248><155><210>L<175><17> > Attributes: > NAS-IP-Address = 202.63.217.245 > NAS-Port = 62 > Cisco-NAS-Port = "Async62" > NAS-Port-Type = Async > User-Name = "cool" > Called-Station-Id = "7159" > Calling-Station-Id = "215219321" > Acct-Status-Type = Start >
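The layout rule in the reply above (check items on the first line, reply items on indented continuation lines, a comma after every reply line except the last) can be checked mechanically. The following is an added example, not Radiator code and not part of the original thread: a simplified model of the users-file format, with constructed entries and a constructed password, and a `CHECK_ONLY` set that is an assumption of this sketch. It shows that a DNIS restriction placed among the reply items is never enforced.

```python
import re

# Assumption of this sketch: attributes that only make sense as check items.
CHECK_ONLY = {"Password", "Simultaneous-Use", "Called-Station-Id", "Calling-Station-Id"}
# Session limits are not compared against request attributes.
NOT_COMPARED = {"Simultaneous-Use"}

ITEM = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]*))')


def _items(text):
    """Split 'Name = value, Name2 = "value 2"' into a dict."""
    found = {}
    for m in ITEM.finditer(text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        found[m.group(1)] = value.strip()
    return found


def parse_user_entry(text):
    """Return (username, check_items, reply_items, problems) for one entry."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not lines or lines[0][0].isspace():
        raise ValueError("entry must start with an unindented username line")
    parts = lines[0].split(None, 1)
    username = parts[0]
    check = _items(parts[1]) if len(parts) > 1 else {}
    reply, problems = {}, []
    reply_lines = lines[1:]
    for i, line in enumerate(reply_lines):
        body = line.strip()
        is_last = i == len(reply_lines) - 1
        if not line[0].isspace():
            problems.append(f"reply line not indented: {body!r}")
        if body.endswith(",") == is_last:
            problems.append(f"comma rule broken on reply line: {body!r}")
        for name, value in _items(body.rstrip(",")).items():
            if name in CHECK_ONLY:
                problems.append(f"{name} is a check item but sits in the reply section")
            reply[name] = value
    return username, check, reply, problems


def request_matches(check, request):
    """True when every comparable check item equals the request attribute."""
    for name, wanted in check.items():
        if name in NOT_COMPARED:
            continue
        key = "User-Password" if name == "Password" else name
        if request.get(key) != wanted:
            return False
    return True


# Constructed entries: correct layout, misplaced check items, missing comma.
GOOD = '''
cool Password = "example-pw", Called-Station-Id = 7159, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP
'''
MISPLACED = '''
cool Password = "example-pw"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Simultaneous-Use = 4,
    Called-Station-Id = 7159
'''
BAD_COMMA = '''
cool Password = "example-pw", Called-Station-Id = 7159
    Service-Type = Framed-User
    Framed-Protocol = PPP
'''

if __name__ == "__main__":
    other_number = {"User-Password": "example-pw", "Called-Station-Id": "7000"}
    for label, entry in (("good", GOOD), ("misplaced", MISPLACED), ("bad comma", BAD_COMMA)):
        _, check, _, problems = parse_user_entry(entry)
        print(label, "accepts call to 7000:", request_matches(check, other_number), problems)
```

With the misplaced entry the call to a different number is accepted, because the only check item left on the first line is the password.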
(RADIATOR) Authentication through DNIS.
Hi All, I want to authenticate few of our users defined in radiator's user file on basis of DNIS. How can we do that through radiator. As first i try to pass Called-Station-ID attribute in users file but strangely it is not authenticating. Here is sumthing detail shows: It is picking "7159" as called-station-Id. Is there any other way to authenticate specific user on the basis on DNIS or otherwise where i m wrong in this whole scenario. Wed Dec 8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on netops-2 Wed Dec 8 12:31:40 1999: DEBUG: Packet dump: *** Received from 202.63.217.245 port 1645 Code: Access-Request Identifier: 226 Authentic: <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$ Attributes: NAS-IP-Address = 202.63.217.245 NAS-Port = 62 Cisco-NAS-Port = "Async62" NAS-Port-Type = Async User-Name = "cool" Called-Station-Id = "7159" Calling-Station-Id = "215219321" User-Password = "<240>Q<142><218><240>K<177>T? 1@<15><215>z<250><224>" Service-Type = Framed-User Framed-Protocol = PPP Wed Dec 8 12:31:40 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT' Wed Dec 8 12:31:40 1999: DEBUG: Deleting session for cool, 202.63.217.245, 62 Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD Wed Dec 8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day, ma.extension+ma.overdue, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit from masteraccounts ma, subaccounts sa where (sa.login = 'cool' or sa.shell = 'cool') and ma.customerid = sa.customerid and sa.active <> 0 and ma.active <> 0 Wed Dec 8 12:31:41 1999: DEBUG: Query is: insert into badattempt (date,userid,password,cli) values ('12/8/1999 12:31:40','cool','ðQÚðK±T?1@×zúà','215219321') Wed Dec 8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match with cool Wed Dec 8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day, 
ma.extension+ma.overdue, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit from masteraccounts ma, subaccounts sa where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT') and ma.customerid = sa.customerid and sa.active <> 0 and ma.active <> 0 Wed Dec 8 12:31:42 1999: DEBUG: Query is: insert into badattempt (date,userid,password,cli) values ('12/8/1999 12:31:41','cool','ðQÚðK±T?1@×zúà','215219321') Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE Wed Dec 8 12:31:42 1999: DEBUG: Reading users file ./users Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with cool Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT: Wed Dec 8 12:31:42 1999: DEBUG: Access accepted for cool Wed Dec 8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use Wed Dec 8 12:31:42 1999: DEBUG: Packet dump: *** Sending to 202.63.217.245 port 1645 Code: Access-Accept Identifier: 226 Authentic: <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$ Attributes: Service-Type = Framed-User Framed-Protocol = PPP Simultaneous-Use = 4 Called-Station-Id = "13155131" Wed Dec 8 12:31:42 1999: DEBUG: Packet dump: *** Received from 202.63.217.245 port 1646 Code: Accounting-Request Identifier: 227 Authentic: <139><232>b;:g<212>J<226><199><248><155><210>L<175><17> Attributes: NAS-IP-Address = 202.63.217.245 NAS-Port = 62 Cisco-NAS-Port = "Async62" NAS-Port-Type = Async User-Name = "cool" Called-Station-Id = "7159" Calling-Station-Id = "215219321" Acct-Status-Type = Start Acct-Authentic = RADIUS Service-Type = Framed-User Acct-Session-Id = "0123" Framed-Protocol = PPP Acct-Delay-Time = 0 Wed Dec 8 12:31:42 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT' Wed Dec 8 12:31:42 1999: DEBUG: Adding session for cool, 202.63.217.245, 62 Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthEMERALD Wed Dec 8 12:31:42 1999: DEBUG: Handling accounting with 
Radius::AuthEMERALD Wed Dec 8 12:31:42 1999: DEBUG: do query is: insert into Calls (UserName, CallDate, AcctStatusType, AcctDelayTime, AcctSessionId, NASIdentifier, CallerID, NASPort) values ('cool', 'Dec 8, 1999 12:31', 1, 0, '0123', '202.63.217.245', '215219321', 62) Wed Dec 8 12:31:43 1999: DEBUG: Accounting accepted Wed Dec 8 12:31:43 1999: DEBUG: Packet dump: *** Sending to 202.63.217.245 port 1646 Regards, Wasim Ahmed Khan. Application Programmer. eWorld Internet Services. Karachi, Pakistan. Ph:(92-21)111-246-246. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Authentication CHAP
Ciao Giuseppe - Radiator will automatically handle CHAP-Password as long as you have the cleartext password available in the user definition. regards Hugh On Friday 26 October 2001 01:08, Giuseppe Denora wrote: > Hi everybody, > > I'm trying to set up a Radiator Authenticator using the clause ETERNAL>. > I use a little perl module for CHAP-authentication. My Cisco NAS doesn't > pass to the > module the attribute CHAP-Challenge (only the CHAP-Password) for hashing > the clear text password. > > Does anybody know HOW to get THE CHAP-CHALLENGE from Ciscos?? > > > > === > Working Online - Internet, Telematica e Soluzioni di Rete > --- > Web www.working.it - Email [EMAIL PROTECTED] > Work.Net S.r.l. > Via XXV Aprile 37 - 21100 Varese - ITALY > Tel. +39-332-320.720 - Fax +39-332-310.202 > Via Cavour 15 - 21013 Gallarate - VA - ITALY > Tel. +39-331-776.818 - Fax +39-331-788.245 > === > > === > Archive at http://www.open.com.au/archives/radiator/ > Announcements on [EMAIL PROTECTED] > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
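The CHAP check discussed in this exchange, as an added example that is not Radiator's code and not part of the original thread. It follows RFC 2865: the challenge is taken from the CHAP-Challenge attribute when the NAS sends it and from the 16-octet Request Authenticator when it does not, and the server needs the cleartext password to recompute the MD5. The attribute dictionary layout, the function names and the sample password are assumptions of this sketch.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # RADIUS attribute type numbers from RFC 2865
CHAP_CHALLENGE = 60


def chap_digest(chap_id: int, cleartext: bytes, challenge: bytes) -> bytes:
    """CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()


def select_challenge(request_authenticator: bytes, attrs: dict) -> bytes:
    """Use CHAP-Challenge if the NAS sent it, else the Request Authenticator."""
    challenge = attrs.get(CHAP_CHALLENGE)
    if challenge:
        return challenge
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator


def verify_chap(request_authenticator: bytes, attrs: dict, cleartext: bytes) -> bool:
    """attrs maps attribute number -> raw value bytes (assumed already parsed)."""
    chap_password = attrs.get(CHAP_PASSWORD)
    # CHAP-Password is one identifier octet followed by a 16-octet MD5 digest.
    if chap_password is None or len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    challenge = select_challenge(request_authenticator, attrs)
    expected = chap_digest(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def build_sample_request(cleartext: bytes, chap_id: int, challenge: bytes,
                         send_challenge_attr: bool):
    """Constructed test input: what a NAS would place in the Access-Request."""
    attrs = {CHAP_PASSWORD: bytes([chap_id]) + chap_digest(chap_id, cleartext, challenge)}
    if send_challenge_attr:
        authenticator = bytes(16)          # unrelated to the challenge here
        attrs[CHAP_CHALLENGE] = challenge
    else:
        authenticator = challenge          # challenge carried in the packet header
    return authenticator, attrs


if __name__ == "__main__":
    challenge = bytes(range(16))           # constructed 16-octet challenge
    for with_attr in (False, True):
        auth, attrs = build_sample_request(b"example-pw", 7, challenge, with_attr)
        print("CHAP-Challenge attribute sent:", with_attr,
              "-> accepted:", verify_chap(auth, attrs, b"example-pw"))
    # A stored hash of the password cannot be used to verify CHAP.
    stored_hash = hashlib.md5(b"example-pw").hexdigest().encode()
    auth, attrs = build_sample_request(b"example-pw", 7, challenge, False)
    print("verify with stored MD5 instead of cleartext:",
          verify_chap(auth, attrs, stored_hash))
```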
(RADIATOR) Authentication CHAP
Hi everybody, I'm trying to set up a Radiator Authenticator using the clause . I use a little perl module for CHAP-authentication. My Cisco NAS doesn't pass to the module the attribute CHAP-Challenge (only the CHAP-Password) for hashing the clear text password. Does anybody know HOW to get THE CHAP-CHALLENGE from Ciscos?? === Working Online - Internet, Telematica e Soluzioni di Rete --- Web www.working.it - Email [EMAIL PROTECTED] Work.Net S.r.l. Via XXV Aprile 37 - 21100 Varese - ITALY Tel. +39-332-320.720 - Fax +39-332-310.202 Via Cavour 15 - 21013 Gallarate - VA - ITALY Tel. +39-331-776.818 - Fax +39-331-788.245 ===
Re: (RADIATOR) authentication when SQL/proxyRadius is down
Hello David - On Wednesday 17 October 2001 01:13, [EMAIL PROTECTED] wrote: > Hi > I'm testing (Radiator/Radmin DEMO ) with some possible configuration to > solve our requirements. > Overview: Radius server is connected to other server with SQL database. > Radius do Authby SQL or Auth by Radius (proxy) - based on @realm > > So in case of SQL database or proxy radius server is down I would like to > authenticate (send Access accept) users ( possible users with bad password > - it doesn't matter - it's free dial up ) and do accounting to file on > radius server. > You would do something like this: # define AuthBy clauses Identifier CheckSQL DBSource . DBUsername . DBAuth . .. AcctFailedLogFileName . AcctFailedLogFileFormat . Identifier ForwardToProxy .. NoReplyHook . AcctFailedLogFileName . AcctFailedLogFileFormat . Identifier AcceptAll # define Realms AuthByPolicy ContinueUntilAccept AuthBy CheckSQL AuthBy AcceptAll . Identifier AcceptAll AuthBy ForwardToProxy . There is an example NoReplyHook in the file "goodies/hooks.txt" that will work with what is shown above. Also have a look at sections 6.28 and 6.29 in the Radiator reference manual included in the file "doc/ref.html" in the distribution. If you have any other questions please ask. regards Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) authentication when SQL/proxyRadius is down
Hi I'm testing (Radiator/Radmin DEMO ) with some possible configuration to solve our requirements. Overview: Radius server is connected to other server with SQL database. Radius do Authby SQL or Auth by Radius (proxy) - based on @realm So in case of SQL database or proxy radius server is down I would like to authenticate (send Access accept) users ( possible users with bad password - it doesn't matter - it's free dial up ) and do accounting to file on radius server. Thanks for any idea David Kramar
(RADIATOR) Authentication Problem
I need help pls! and very URGENTLY too! My RADIATOR Authentication is suddenly rejecting all passwords. It is logging encrypted passwords in password.log. I am not using encryption at all. I am authenticating via ODBC. I tried with User flat file without any success. 'Tunde Ogedengbe Linkserve Limited 22 Akin Adesola Street Victoria Island Lagos - Nigeria Tel: +234 1 2623900 Fax: +234 1 2623906 URL: http://www.linkserve.net - Original Message - From: "Hugh Irvine" <[EMAIL PROTECTED]> To: "Harrison Ng" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, September 10, 2001 11:11 AM Subject: Re: (RADIATOR) FW: Load Balancing > > Hello Harrison - > > No - seconds only are supported. > > regards > > Hugh > > > On Monday 10 September 2001 17:23, Harrison Ng wrote: > > > > BTW, can those time related parameters accepts milliseconds, such as > > RetryTimeout, FailureBackoffTime. > > > > Harrison > > > > > -Original Message- > > > From: Harrison Ng > > > Sent: Monday, September 10, 2001 3:21 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: Load Balancing > > > > > > Hi, > > > > > > We are using Ericsson GSN, the primary and secondary failover timer in > > > GSN is restricted to merely 6 seconds. After these 6 secs, it drops the > > > call. > > > > > > So our radiator server need to respond very fast, I mean fast in doing > > > username/password authentication, accounting logging, ip address > > > allocation and forward accounting information to 3rd party business > > > partners and reply back to GSN at last. If we divide 6 secs into 2 > > > halves, there will be only 3 secs for primary radius, and 3 secs for > > > secondary radius. > > > > > > Our first question is it possible to change the behaviour (perhaps an > > > extra parameter) of so > > > that when radius proxy does not receive response from the first radius > > > server, then just stop it and let the radius server marked failure and > > > reply nothing to GSN. 
Let the radius server sit still until > > > FailureBackupoffTime is reached. Do not even try to forward request to > > > the second listed, until the list is exhausted. > > > > > > Second can we set the timeout value (perhaps to zero) for the very first > > > accounting forward packet. The RetryTimeout only suitable for > > > retransmitting packet. Lost accounting packet is not a concern to us, as > > > long as the radius server work very fast. > > > > > > We tried optimize every things such as using radius proxy to distribute > > > loading to several radius server, put database server in another unix > > > box, field indexing, lots of memory and etc. Maybe our question is a bit > > > strange. Perhaps someone can suggest us a workaround. Thanks. > > > > > > > > > Regards, > > > Harrison > > > SmarTone BroadBand Services Ltd.
(RADIATOR) Authentication BY SQL
We are setting our RADIUS to authenticate via SQL Database. The Radius is communicating properly with the SQL database. However, The Radius server is rejecting all password even though the passwords are correct (Pls see log below) Pls help. -- from SUbsInfo where USERNAME='otisvi' Thu Sep 6 15:20:39 2001: DEBUG: Radius::AuthSQL looks for match with otisvi Thu Sep 6 15:20:39 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password Thu Sep 6 15:20:39 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='DEFAULT' Thu Sep 6 15:20:39 2001: INFO: Access rejected for otisvi: Bad Password Thu Sep 6 15:20:39 2001: DEBUG: Packet dump: *** Sending to 195.166.231.247 port 1645 Code: Access-Reject Identifier: 120 Authentic: <140>*'<197><8><168>v`[<135>6?<14><16><206><146> Attributes: Reply-Message = "Request Denied" Thu Sep 6 15:20:40 2001: ERR: Attribute number 39049 (vendor 429) is not define d in your dictionary Thu Sep 6 15:20:40 2001: DEBUG: Packet dump: *** Received from 195.166.231.247 port 1645 Code: Access-Request Identifier: 121 Authentic: <209><217><156><201><232><148><255><148>_H<229><227><145><230><17><2 30> Attributes: User-Name = "otisvi" User-Password = "<138>c9<145><24><152><11><186>*<176>1<238>lM<166><146>" NAS-IP-Address = 195.166.231.247 NAS-Port = 773 Acct-Session-Id = "50594945" USR-Interface-Index = 2029 Service-Type = Framed-User Framed-Protocol = PPP USR-Chassis-Call-Slot = 4 USR-Chassis-Call-Span = 1 USR-Chassis-Call-Channel = 5 USR-Connect-Speed = NONE Calling-Station-Id = "" Called-Station-Id = "" NAS-Port-Type = Async Thu Sep 6 15:20:40 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Thu Sep 6 15:20:40 2001: DEBUG: Deleting session for otisvi, 195.166.231.247, 773 Thu Sep 6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL Thu Sep 6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL Thu Sep 6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='otisvi' Thu Sep 
6 15:20:40 2001: DEBUG: Radius::AuthSQL looks for match with otisvi Thu Sep 6 15:20:40 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password Thu Sep 6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='DEFAULT' Thu Sep 6 15:20:40 2001: INFO: Access rejected for otisvi: Bad Password Thu Sep 6 15:20:40 2001: DEBUG: Packet dump: *** Sending to 195.166.231.247 port 1645 Code: Access-Reject Identifier: 121 Authentic: <209><217><156><201><232><148><255><148>_H<229><227><145><230><17><2 30> Attributes: Reply-Message = "Request Denied" Thu Sep 6 15:20:40 2001: ERR: Attribute number 39049 (vendor 429) is not define d in your dictionary Thu Sep 6 15:20:40 2001: DEBUG: Packet dump: *** Received from 195.166.231.247 port 1645 Code: Access-Request Identifier: 122 Authentic: <15><181><128><13><218><240><162><8><13><254>]<199>t&<0>z Attributes: User-Name = "prawa" User-Password = "<244><154><157><245><214>j<30><190>i<188>P<159><<230><2 21>6" NAS-IP-Address = 195.166.231.247 NAS-Port = 12 Acct-Session-Id = "721209" USR-Interface-Index = 1268 Service-Type = Framed-User Framed-Protocol = PPP USR-Chassis-Call-Slot = 1 USR-Chassis-Call-Span = 1 USR-Chassis-Call-Channel = 12 USR-Connect-Speed = NONE Calling-Station-Id = "" Called-Station-Id = "" NAS-Port-Type = Async Thu Sep 6 15:20:40 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT' Thu Sep 6 15:20:40 2001: DEBUG: Deleting session for prawa, 195.166.231.247, 1 2 Thu Sep 6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL Thu Sep 6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL Thu Sep 6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='prawa' Thu Sep 6 15:20:40 2001: DEBUG: Radius::AuthSQL looks for match with prawa Thu Sep 6 15:20:40 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password Thu Sep 6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='DEFAULT' Thu Sep 6 15:20:40 2001: 
INFO: Access rejected for prawa: Bad Password Thu Sep 6 15:20:40 2001: DEBUG: Packet dump: *** Sending to 195.166.231.247 port 1645 Code: Access-Reject Identifier: 122 Authentic: <15><181><128><13><218><240><162><8><13><254>]<199>t&<0>z Attributes: Reply-Message = "Request Denied" Thu Sep 6 15:20:42 2001: ERR: Attribute number 39049 (vendor 429) is not define d in your dictionary Thu Sep 6 15:20:42 2001: DEBUG: Packet dump: *** Received from 195.166.231.247 port 1645 Code: Acce
Re: (RADIATOR) Authentication to radius with Flat File
Hello Janice - There are several things wrong with what you show below, including the user definition which should have all the check items on the first line and all the reply items on the second and subsequent lines, like this:

# user records have all check items on the first line (no comma at the end)
# reply items are on the second and subsequent lines (commas except the last)
bob12 User-Password = "forpccw"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 202.79.95.17,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

You will also need to uncomment the RewriteUsername to strip the suffix off the username before checking it in the AuthBy FILE. I will also need to see the complete configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening. thanks Hugh At 19:23 +0800 01/8/1, Wong, Janice wrote: >hi all, > >I need to create a client to be authenticated using a fixed ip address. I >have created a flat file containing user information to assign the framed ip >address function for a specific user. 
But I do not seem to get >authentication and it always give me a handler error msg trying to reach >203.63.154.1 > >This is my configuration on Radius.cfg > > ># Framed ip address testing > > Secret x > IgnoreAcctSignature > > ># allow all clients to use the same secret > > Secret x > > > > > AcctLogFileFormat file:"/usr/local/radiator/LogFormat" > AcctLogFileName /usr/local/radiator/radacct/usage.testingrealm > #RewriteUsername s/^([^@]+).*/$1/ > > Filename %D/testuser > > > > >The user file : > >bob12 User-Password = "forpccw", > Service-Type = Framed-User > Framed-Protocol = PPP, > Framed-IP-Address = 202.79.95.17, > Framed-IP-Netmask = >255.255.255.255, > Framed-Routing = None, > Framed-MTU = 1500, > Framed-Compression = Van- >Jacobson-TCP-IP > >radpwtst logfile error: > >Code: Accounting-Request >Identifier: 67 >Authentic: }<163>kN$<220>T<150><142>U<188><193><183><245><234><15> >Attributes: > User-Name = "[EMAIL PROTECTED]" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > NAS-Port-Type = Async > Acct-Session-Id = "1234" > Acct-Status-Type = Stop > Acct-Delay-Time = 0 > Acct-Session-Time = 1000 > Acct-Input-Octets = 2 > Acct-Output-Octets = 3 > >Wed Aug 1 19:11:00 2001: WARNING: Bad authenticator in request from DEFAULT >(203.63.154.1) > >Attributes: > User-Name = "[EMAIL PROTECTED]" > Service-Type = Framed-User > NAS-IP-Address = 203.63.154.1 > NAS-Port = 1234 > NAS-Port-Type = Async > User-Password = "<163>N<220><236><150>y<14><238>k(<135>Fp73<140>" > >Wed Aug 1 19:10:50 2001: DEBUG: Check if Handler Realm=.net.sg should >be used to handle this request >Wed Aug 1 19:10:50 2001: WARNING: Could not find a handler: request is >ignored >Wed Aug 1 19:10:55 2001: DEBUG: Packet dump: > >Am I missing any commands or configuration to enable the authentication? 
> >Janice -- NB: I am travelling this week, so there may be delays in our correspondence. Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
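The layout rule given in the reply above (check items on the first line with no trailing comma, reply items on the following lines with a comma on every line except the last), written as a small lint check. This is an added example, not part of the original message and not Radiator code; the function name is hypothetical, and it assumes that a line starting in column 1 begins a user entry and indented lines are its reply items. The two sample entries are reconstructed from the messages in this thread.

```python
def lint_users_file(text):
    """Return sorted (line number, problem) pairs for a flat users file.

    Assumption of this example: a non-indented line starts a user entry
    (user name plus check items); indented lines are its reply items.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        if not raw[0].isspace():
            entries.append([(lineno, line)])
        elif entries:
            entries[-1].append((lineno, line))
        else:
            problems.append((lineno, "reply item before any user line"))

    for entry in entries:
        (first_no, first), replies = entry[0], entry[1:]
        user = first.split()[0]
        # Rule 1: the check-item line carries no trailing comma.
        if first.endswith(","):
            problems.append((first_no, f"{user}: check-item line ends with a comma"))
        # Rule 2: every reply line except the last ends with a comma.
        for i, (lineno, line) in enumerate(replies):
            is_last = i == len(replies) - 1
            if is_last and line.endswith(","):
                problems.append((lineno, f"{user}: last reply item ends with a comma"))
            elif not is_last and not line.endswith(","):
                problems.append((lineno, f"{user}: reply item is missing its comma"))
    return sorted(problems)


# Entry as posted in the question (reconstructed from the quoted text).
AS_POSTED = '''bob12 User-Password = "forpccw",
        Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Address = 202.79.95.17,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP
'''

# Entry as corrected in the reply.
CORRECTED = '''bob12 User-Password = "forpccw"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 202.79.95.17,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP
'''

if __name__ == "__main__":
    for lineno, problem in lint_users_file(AS_POSTED):
        print(f"line {lineno}: {problem}")
    print("corrected entry problems:", lint_users_file(CORRECTED))
```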
(RADIATOR) Authentication to radius with Flat File
hi all, I need to create a client to be authenticated using a fixed ip address. I have created a flat file containing user information to assign the framed ip address function for a specific user. But I do not seem to get authentication and it always give me a handler error msg trying to reach 203.63.154.1 This is my configuration on Radius.cfg # Framed ip address testing Secret x IgnoreAcctSignature # allow all clients to use the same secret Secret x AcctLogFileFormat file:"/usr/local/radiator/LogFormat" AcctLogFileName /usr/local/radiator/radacct/usage.testingrealm #RewriteUsername s/^([^@]+).*/$1/ Filename %D/testuser The user file : bob12 User-Password = "forpccw", Service-Type = Framed-User Framed-Protocol = PPP, Framed-IP-Address = 202.79.95.17, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van- Jacobson-TCP-IP radpwtst logfile error: Code: Accounting-Request Identifier: 67 Authentic: }<163>kN$<220>T<150><142>U<188><193><183><245><234><15> Attributes: User-Name = "[EMAIL PROTECTED]" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "1234" Acct-Status-Type = Stop Acct-Delay-Time = 0 Acct-Session-Time = 1000 Acct-Input-Octets = 2 Acct-Output-Octets = 3 Wed Aug 1 19:11:00 2001: WARNING: Bad authenticator in request from DEFAULT (203.63.154.1) Attributes: User-Name = "[EMAIL PROTECTED]" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async User-Password = "<163>N<220><236><150>y<14><238>k(<135>Fp73<140>" Wed Aug 1 19:10:50 2001: DEBUG: Check if Handler Realm=.net.sg should be used to handle this request Wed Aug 1 19:10:50 2001: WARNING: Could not find a handler: request is ignored Wed Aug 1 19:10:55 2001: DEBUG: Packet dump: Am I missing any commands or configuration to enable the authentication? 
Janice
(RADIATOR) Authentication failing..........please help !!!
Hi everyone, I am new to the field of Radiator. We are in a process of testing it for our needs. I am running into some problems and any help to it would be greatly appreciated. I am sending my radius.cfg file which is stored under /usr/local/etc directory. I am also sending a copy of my users file, which contains the default user "mikem" as well as a newly created user by the name "moin". I have stored this file at both /etc/radiator and /usr/local/etc directories. I did not change anything else from the initial config. Please note that I have removed the IP address of our client from the file and replaced it with "a.b.c.d" The "radpwtst" command works properly and its output is sending Access-Request... OK sending Accounting-Request Start... OK sending Accounting-Request Stop... OK As far as the hardware config is concerned, it's a Linux box with Redhat on it, 933 Mhz P III processor, 256 MB RAM, 35 GB hard disk, etc. Please take time to view the config and suggest anything I need to change. Is there something that I am overlooking? You can also reach me at 303 735 4809. Thanks. Imran. # radius.cfg # # Example Radiator configuration file. # This very simple file will allow you to get started with # a simple system. You can then add and change features. # We suggest you start simple, prove to yourself that it # works and then develop a more complicated configuration. # # This example will authenticate from a standard users file in # the current directory and log accounting to a file in the current # directory. # It will accept requests from any client and try to handle request # for any realm. # And it will print out what its doing in great detail. 
# # You should consider this file to be a starting point only # $Id: linux-radius.cfg,v 1.1 2001/05/17 05:33:34 mikem Exp mikem $ #Foreground #LogStdout LogDir /var/log/radius DbDir /etc/radiator # Use a low trace level in production systems. Increase # it to 4 or 5 for debugging, or use the -trace flag to radiusd Trace 3 # You will probably want to add other Clients to suit your site, # one for each NAS you want to work with # THIS IS THE 5500 CLIENT- ATTEMPTING A NON-NAMESERVED ENTRY Secret imran Secret mysecret DupInterval 0 Filename %D/users # Log accounting to a detail file AcctLogFileName %L/detail Filename %D/users # Log accounting to a detail file AcctLogFileName %L/detail # users # This is an example of how to set up simple user for # AuthBy FILE. # The example user mikem has a password of fred, and will # receive reply attributes suitable for most NASs. # You can do many more interesting things. See the reference # manual at /usr/share/doc/Radiator-2.18.1/ref.html # # You can test this user with the command # radpwtst mikem Password=fred Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP moinPassword=pete Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP
Re: (RADIATOR) Authentication Thru Radiator with system passwd file
Hi, I have got authentication successful by changing 'users' file configuration and its path as well as radius.cfg's configuration and its path. Thanks for recommendations and assistance. Regards Javaid Sajjad On Sat, 23 Jun 2001, Hugh Irvine wrote: > > Hello Javaid - > > If you send me a copy of your configuration file (no secrets) > together with a trace 4 debug from Radiator, I will take a look. > > regards > > Hugh > > > At 7:10 PM +0500 6/22/01, <[EMAIL PROTECTED]> wrote: > >Hi, > > > >Thanx for that suggestion but it is not working- i think something should > >be done with 'users' file in /src/local/etc/radddb in our case. So any > >changes are required for that file? > > > > > > > >On Fri, 22 Jun 2001, Hugh Irvine wrote: > > > >> > >> Hello Javaid - > >> > >> > > >> >Hello ! > >> > > >> >Would you please let me know how to configure Radiator's radius.cfg file > >> >for authentication through > >> >Linux default passwd file ie /etc/passwd which is in our case is flat > >> >one not shadow.Further more we > >> >want to authenticate from Livingston Access Server through Radiator server > >> >which is on Linux 6.2 having > >> >flat passwd file. > >> >Any assistance will be highly appreciated . > >> > >> You would simply specify an AuthBy UNIX clause, like this: > >> > >> > >>Filename /etc/passwd > >> > >> > >> Note that you will only be able to use PAP authentication with this setup. > >> > >> regards > >> > >> Hugh > >> > >> > >
Re: (RADIATOR) authentication through unix passwd file
Hello Faisal - At 11:41 AM +0500 6/23/01, Syed Faisal Qadri wrote: >Hello Everybody, > >I am unable to get authentication done through the radiator using the >local flat passwd file, I am attaching my configuration file for >reference. As well as the configuration file, I will need to see a trace 4 debug from Radiator showing what is happening. BTW you will not be able to use CHAP authentication with AuthBy UNIX. regards Hugh -- NB: I am travelling this week, so there may be delays in our correspondence.
(RADIATOR) authentication through unix passwd file
Hello Everybody, I am unable to get authentication done through the radiator using the local flat passwd file, I am attaching my configuration file for reference. Regards, Faisal Qadri. radius.cfg
Re: (RADIATOR) Authentication Thru Radiator with system passwd file
--- Forwarded mail from [EMAIL PROTECTED] Date: Fri, 22 Jun 2001 19:10:31 +0500 (PKT) From: <[EMAIL PROTECTED]> To: Hugh Irvine <[EMAIL PROTECTED]> cc: [EMAIL PROTECTED] Subject: Re: (RADIATOR) Authentication Thru Radiator with system passwd file Hi, Thanx for that suggestion but it is not working- i think something should be done with 'users' file in /src/local/etc/radddb in our case. So any changes are required for that file? On Fri, 22 Jun 2001, Hugh Irvine wrote: > > Hello Javaid - > > > > >Hello ! > > > >Would you please let me know how to configure Radiator's radius.cfg file > >for authentication through > >Linux default passwd file ie /etc/passwd which is in our case is flat > >one not shadow.Further more we > >want to authenticate from Livingston Access Server through Radiator server > >which is on Linux 6.2 having > >flat passwd file. > >Any assistance will be highly appreciated . > > You would simply specify an AuthBy UNIX clause, like this: > > > Filename /etc/passwd > > > Note that you will only be able to use PAP authentication with this setup. > > regards > > Hugh > > ---End of forwarded mail from [EMAIL PROTECTED] -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
Re: (RADIATOR) Authentication Thru Radiator with system passwdfile
Hello Javaid - If you send me a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator, I will take a look. regards Hugh At 7:10 PM +0500 6/22/01, <[EMAIL PROTECTED]> wrote: >Hi, > >Thanx for that suggestion but it is not working- i think something should >be done with 'users' file in /src/local/etc/radddb in our case. So any >changes are required for that file? > > > >On Fri, 22 Jun 2001, Hugh Irvine wrote: > >> >> Hello Javaid - >> >> > >> >Hello ! >> > >> >Would you please let me know how to configure Radiator's radius.cfg file >> >for authentication through >> >Linux default passwd file ie /etc/passwd which is in our case is flat >> >one not shadow.Further more we >> >want to authenticate from Livingston Access Server through Radiator server >> >which is on Linux 6.2 having >> >flat passwd file. >> >Any assistance will be highly appreciated . >> >> You would simply specify an AuthBy UNIX clause, like this: >> >> >> Filename /etc/passwd >> >> >> Note that you will only be able to use PAP authentication with this setup. >> >> regards >> >> Hugh >> >> -- NB: I am travelling this week, so there may be delays in our correspondence.
Re: (RADIATOR) Authentication Thru Radiator with system passwdfile
Hello Javaid - > >Hello ! > >Would you please let me know how to configure Radiator's radius.cfg file >for authentication through >Linux default passwd file ie /etc/passwd which is in our case is flat >one not shadow.Further more we >want to authenticate from Livingston Access Server through Radiator server >which is on Linux 6.2 having >flat passwd file. >Any assistance will be highly appreciated . You would simply specify an AuthBy UNIX clause, like this: Filename /etc/passwd Note that you will only be able to use PAP authentication with this setup. regards Hugh -- NB: I am travelling this week, so there may be delays in our correspondence.
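Why the replies in this thread say PAP only, and no CHAP, when the password source is a passwd file: an added example, not part of the original messages and not Radiator code. It follows RFC 2865 section 5.2 for User-Password and RFC 1994 for the CHAP response; all function names and sample values are constructed, and PBKDF2 stands in for the one-way crypt(3) hash a passwd file would hold.

```python
import hashlib
import hmac


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): hide the password in the User-Password attribute."""
    size = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo pap_hide with the shared secret, yielding the cleartext."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the one-way hash stored in a passwd file (assumption: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def check_pap(attr: bytes, secret: bytes, authenticator: bytes,
              salt: bytes, stored_hash: bytes) -> bool:
    """PAP works against a hash: recover the cleartext, hash it, compare."""
    candidate = pap_recover(attr, secret, authenticator)
    return hmac.compare_digest(one_way(candidate, salt), stored_hash)


def chap_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): CHAP-Password = id byte + MD5(id | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def check_chap(attr: bytes, challenge: bytes, known_password: bytes) -> bool:
    """CHAP can only be checked by recomputing the MD5 from the cleartext password.
    The challenge comes from CHAP-Challenge or, if absent, the Request Authenticator."""
    ident, response = attr[:1], attr[1:]
    expected = hashlib.md5(ident + known_password + challenge).digest()
    return hmac.compare_digest(response, expected)


def demo() -> dict:
    # All values below are constructed for this example.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    challenge = bytes(range(16, 32))
    password = b"constructed-password-longer-than-16"
    salt = b"constructed-salt"
    stored = one_way(password, salt)          # what the passwd file would hold

    good = pap_hide(password, secret, authenticator)
    bad = pap_hide(b"wrong-password", secret, authenticator)
    chap = chap_attr(7, password, challenge)
    return {
        "pap_against_hash": check_pap(good, secret, authenticator, salt, stored),
        "pap_wrong_password": check_pap(bad, secret, authenticator, salt, stored),
        "chap_with_cleartext": check_chap(chap, challenge, password),
        # The server holding only the hash has nothing it can feed into the MD5.
        "chap_with_hash_only": check_chap(chap, challenge, stored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```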
(RADIATOR) Authentication Thru Radiator with system passwd file
--- Forwarded mail from [EMAIL PROTECTED] Date: Fri, 22 Jun 2001 16:18:17 +0500 From: Javaid Sajjad <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Authentication Thru Radiator with system passwd file Hello ! Would you please let me know how to configure Radiator's radius.cfg file for authentication through Linux default passwd file ie /etc/passwd which is in our case is flat one not shadow.Further more we want to authenticate from Livingston Access Server through Radiator server which is on Linux 6.2 having flat passwd file. Any assistance will be highly appreciated . Regards Javaid Sajjad ---End of forwarded mail from [EMAIL PROTECTED] -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955
Re: (RADIATOR) Authentication to NT Domain
Hello Andrew - > >Hi there, > >I am having problem with Radiator when passing authentication to NT Domain. >However, the Radius authentication is operational when authenticating to a >test file What platform are you running on? What hardware and what software? What version of Radiator? With what configuration file? And what does a trace 4 show? When sending problem reports, please include all of the information listed above. many thanks Hugh -- NB: I am travelling this week, so there may be delays in our correspondence. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Authentication to NT Domain
--- Forwarded mail from [EMAIL PROTECTED] Date: Mon, 19 Feb 2001 17:18:17 +1100 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Authentication to NT Domain Hi there, I am having problem with Radiator when passing authentication to NT Domain. However, the Radius authentication is operational when authenticating to a test file I would really appreciate your help !!! Thanks Andrew Charan ---End of forwarded mail from [EMAIL PROTECTED] -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955
Re: Fwd: (RADIATOR) Authentication problem
Hello, Everything works fine now. Thanks for your support. Mike McCauley wrote: > > Hello Nacho, > > Thanks for the detailed description of this problem. > Basically the problem is this. > The default configuration for LDAP2 is to reject empty passwords, as protection > against a problem in the Perl LDAP module. This is causing CHAP access requests > to be incorrectly rejected. > > The fix is to download a new version of AuthLDAP2.pm from the 2.16.3 patches > area. > > We apologise for this problem. Thank you for reporting it to us. > > Cheers. > -- Ignacio Paredes | email: [EMAIL PROTECTED] Eurocomercial | Tfno: +34 91 4359687 Informatica y Comunicaciones | Fax: +34 91 4313240
Re: (RADIATOR) Authentication based on Calling-Station-ID
Hello Lisa - At 10:26 +0100 31/10/00, Lisa Goulet wrote: >Hi All, > >I saw a posting from May about authentication based on Calling-Station-Id. >There was a suggestion about creating a BLACKLIST etc. > >Are there any new features in the Radiator that enable this authentication >directly? > No there aren't. regards Hugh
RE: (RADIATOR) Authentication based on Calling-Station-ID
This is what you can do if you authenticate using some LDAP variant:

# This will check Calling-Station_id against
# LDAP attribute mobile
Identifier Check-LDAP-mobile
Host ldap.your.domain
AuthDN cn=Directory Manager
AuthPassword some_password
BaseDN o=your_base
# Calling-Station-Id is used to search
# instead of UsernameAttr and PasswordAttr
SearchFilter (mobile=%{Calling-Station-Id})
NoDefaultIfFound

This will allow a user based on his registered "mobile" number. If you include any of the PasswordAttibutes, the password is also checked, otherwise you just get a couple of warnings at startup time. /Ingvar -Original Message- From: Lisa Goulet [mailto:[EMAIL PROTECTED]] Sent: den 31 oktober 2000 10:27 To: '[EMAIL PROTECTED] ' Subject: (RADIATOR) Authentication based on Calling-Station-ID Hi All, I saw a posting from May about authentication based on Calling-Station-Id. There was a suggestion about creating a BLACKLIST etc. Are there any new features in the Radiator that enable this authentication directly? Thanks, Lisa
Re: Fwd: (RADIATOR) Authentication problem
Hello Nacho,

Thanks for the detailed description of this problem. Basically the problem is this. The default configuration for LDAP2 is to reject empty passwords, as protection against a problem in the Perl LDAP module. This is causing CHAP access requests to be incorrectly rejected. The fix is to download a new version of AuthLDAP2.pm from the 2.16.3 patches area.

We apologise for this problem. Thank you for reporting it to us.

Cheers.

> >Date: Mon, 30 Oct 2000 11:18:22 +
> >From: Nacho Paredes <[EMAIL PROTECTED]>
> >Organization: EICSA
> >To: [EMAIL PROTECTED]
> >Subject: (RADIATOR) Authentication problem
> >
> >This is really annoying me.
> >
> >I've already posted this, but I'm going to put it in a more
> >comprehensive way.
> >
> >We are using Radiator 2.16.3 + OpenLDAP + MySQL
> >We use LDAP for authentication and MySQL for IP allocation.
> >
> >This configuration works fine with radpwtst, the authentication is ok
> >and the IP allocation works fine. But when we try a dial-in access we
> >got the request rejected for an empty password. If we setup our ppp
> >client with the refuse-chap option, Radiator gets a User-Password
> >attribute (instead of CHAP-Password) and everything is ok.
> >
> >I include the config file and the log file with two accesses. The first
> >failed and the second successful.
> >
> >Thanks for your help
> >
> >* Configuration File ***
> >Foreground
> >LogStdout
> >LogDir .
> >DbDir /opt/servicios/RadSQL
> ># Use a lower trace level in production systems:
> >Trace 4
> >
> >BindAddress yyy.yyy.yyy.98
> >
> ># Radius proxy
> > Secret xx
> >
> ># Radius proxy
> > Secret xx
> >
> ># You will probably want to change this to suit your site.
> > Secret xx
> > DupInterval 0
> >
> > Identifier myallocator
> > DBSource dbi:mysql:radius:172.16.20.150
> > DBUsername xxx
> > DBAuth xxx
> >
> > Subnetmask 255.255.255.240
> > Range xxx.xxx.xxx.98 xxx.xxx.xxx.126
> >
> > AuthByPolicy ContinueWhileAccept
> > RewriteUsername s/^([^@]+).*/$1/
> >
> > Host 172.16.20.150
> > Port 389
> > AuthDN cn=x,car=x
> > AuthPassword xx
> > BaseDN rlm=pruebasql,car=xx
> > UsernameAttr uid
> > PasswordAttr userpassword
> > ReplyAttr replyitems
> > Debug 255
> >
> > Allocator myallocator
> > PoolHint %{Reply:PoolHint}
> > MapAttribute yiaddr, Framed-IP-Address
> > MapAttribute subnetmask, Framed-IP-Netmask
> > StripFromReply PoolHint
> >
> > MaxSessions 10
> > AcctLogFileName %L/detail-pruebasql
> >
> >Log File
> >Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071
> >Code: Access-Request ---> FAILED ACCESS
> >Identifier: 5
> >Authentic: <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > CHAP-Password = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"
> > NAS-Port = 528
> > Acct-Session-Id = "34538485"
> > USR-Interface-Index = 1784
> > Tunnel-Supports-Tags = 0
> > Service-Type = Framed-U
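The failure described in the reply above, as an added sketch that is not Radiator's AuthLDAP2.pm code: a guard that inspects only User-Password sees every CHAP request as an empty password, whereas an RFC 2865 CHAP check verifies CHAP-Password against the stored cleartext password. The function names, request dictionaries and sample password are constructed for illustration, and User-Password is modelled as already decoded.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: MD5(CHAP ident + cleartext password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """CHAP-Password is one ident octet followed by the 16-octet response."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def password_only_check(request: dict, stored_cleartext: bytes) -> str:
    """Hypothetical guard that looks at User-Password alone (assumed model)."""
    submitted = request.get("User-Password", b"")
    if not submitted:
        return "REJECT: Empty password"
    ok = hmac.compare_digest(submitted, stored_cleartext)
    return "ACCEPT" if ok else "REJECT: Bad password"


def chap_aware_check(request: dict, stored_cleartext: bytes) -> str:
    """Dispatch on the attribute present; the empty-password guard stays for PAP."""
    if "CHAP-Password" in request:
        # With no CHAP-Challenge attribute, the Request Authenticator is the challenge.
        challenge = request.get("CHAP-Challenge", request["Authenticator"])
        ok = verify_chap(request["CHAP-Password"], challenge, stored_cleartext)
        return "ACCEPT" if ok else "REJECT: Bad CHAP response"
    return password_only_check(request, stored_cleartext)


# Constructed sample data (not taken from the log in the post).
STORED_PASSWORD = b"example-password"
AUTHENTICATOR = bytes(range(16))

CHAP_REQUEST = {
    "User-Name": "user2",
    "Authenticator": AUTHENTICATOR,
    "CHAP-Password": bytes([3]) + chap_response(3, STORED_PASSWORD, AUTHENTICATOR),
}
PAP_REQUEST = {
    "User-Name": "user2",
    "Authenticator": AUTHENTICATOR,
    "User-Password": STORED_PASSWORD,
}
EMPTY_PAP_REQUEST = {
    "User-Name": "user2",
    "Authenticator": AUTHENTICATOR,
    "User-Password": b"",
}

if __name__ == "__main__":
    samples = [("CHAP", CHAP_REQUEST), ("PAP", PAP_REQUEST), ("empty PAP", EMPTY_PAP_REQUEST)]
    for name, req in samples:
        print(f"{name:10s} password-only: {password_only_check(req, STORED_PASSWORD)}")
        print(f"{name:10s} CHAP-aware   : {chap_aware_check(req, STORED_PASSWORD)}")
```

Verifying a CHAP response needs the cleartext password from the directory, so a PasswordAttr that holds only a one-way hash cannot be used for CHAP.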
(RADIATOR) Authentication based on Calling-Station-ID
Hi All,

I saw a posting from May about authentication based on Calling-Station-Id. There was a suggestion about creating a BLACKLIST etc. Are there any new features in the Radiator that enable this authentication directly?

Thanks,
Lisa
(RADIATOR) Authentication problem
This is really annoying me.

I've already posted this, but I'm going to put it in a more comprehensive way.

We are using Radiator 2.16.3 + OpenLDAP + MySQL
We use LDAP for authentication and MySQL for IP allocation.

This configuration works fine with radpwtst, the authentication is ok and the IP allocation works fine. But when we try a dial-in access we got the request rejected for an empty password. If we setup our ppp client with the refuse-chap option, Radiator gets a User-Password attribute (instead of CHAP-Password) and everything is ok.

I include the config file and the log file with two accesses. The first failed and the second successful.

Thanks for your help

* Configuration File ***
Foreground
LogStdout
LogDir .
DbDir /opt/servicios/RadSQL
# Use a lower trace level in production systems:
Trace 4

BindAddress yyy.yyy.yyy.98

# Radius proxy
    Secret xx

# Radius proxy
    Secret xx

# You will probably want to change this to suit your site.
    Secret xx
    DupInterval 0

    Identifier myallocator
    DBSource dbi:mysql:radius:172.16.20.150
    DBUsername xxx
    DBAuth xxx

    Subnetmask 255.255.255.240
    Range xxx.xxx.xxx.98 xxx.xxx.xxx.126

    AuthByPolicy ContinueWhileAccept
    RewriteUsername s/^([^@]+).*/$1/

    Host 172.16.20.150
    Port 389
    AuthDN cn=x,car=x
    AuthPassword xx
    BaseDN rlm=pruebasql,car=xx
    UsernameAttr uid
    PasswordAttr userpassword
    ReplyAttr replyitems
    Debug 255

    Allocator myallocator
    PoolHint %{Reply:PoolHint}
    MapAttribute yiaddr, Framed-IP-Address
    MapAttribute subnetmask, Framed-IP-Netmask
    StripFromReply PoolHint

    MaxSessions 10
    AcctLogFileName %L/detail-pruebasql

Log File
Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
*** Received from aaa.aa.216.52 port 34071
Code: Access-Request ---> FAILED ACCESS
Identifier: 5
Authentic: <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
Attributes:
    User-Name = "user2@pruebasql"
    CHAP-Password = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"
    NAS-Port = 528
    Acct-Session-Id = "34538485"
    USR-Interface-Index = 1784
    Tunnel-Supports-Tags = 0
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Chassis-Call-Slot = 3
    Chassis-Call-Span = 1
    Chassis-Call-Channel = 16
    Connect-Speed = 300_BPS
    Calling-Station-Id = "98519"
    Called-Station-Id = "90166"
    NAS-Port-Type = Async

Mon Oct 30 10:25:45 2000: DEBUG: Handling request with Handler 'Realm=pruebasql'
Mon Oct 30 10:25:45 2000: DEBUG: Rewrote user name to user2
Mon Oct 30 10:25:45 2000: DEBUG: Deleting session for user2@pruebasql, aaa.aa.216.52, 528
Mon Oct 30 10:25:45 2000: DEBUG: Handling with Radius::AuthLDAP2
Mon Oct 30 10:25:45 2000: DEBUG: Radius::AuthLDAP2 rejected user2 because of an empty password
Mon Oct 30 10:25:45 2000: INFO: Access rejected for user2: Empty password
Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
*** Sending to aaa.aa.216.52 port 34071
Code: Access-Reject
Identifier: 5
Authentic: <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
Attributes:
    Port-Message = "Request Denied"

Mon Oct 30 10:27:43 2000: DEBUG: Packet dump:
*** Received from aaa.aa.216.52 port 34071
Code: Access-Request ->SUCCESSFUL ACCESS
Identifier: 9
Authentic: <3>-<179>d<31><254><231>s<6><211><134>6<247><236>H<29>
Attributes:
    User-Name = "user2@pruebasql"
    User-Password = "<208><233><128>#$[<18><22>#<176>EF$<157><254><202>"
    NAS-Port = 534
    Acct-Session-Id = "34931520"
    USR-Interface-Index = 1790
    Tunnel-Supports-Tags = 0
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Chassis-Call-Slot = 3
    Chassis-Call-Span = 1
    Chassis-Call-Channel = 22
    Connect-Speed = 300_BPS
    Calling-Station-Id = "98519"
    Called-Station-Id = "90166"
    NAS-Port-Type = Async

Mon Oct 30 10:27:43 2000: DEBUG: Handling request with Handler 'Realm=pruebasql'
Mon Oct 30 10:27:43 2000: DEBUG: Rewrote user name to user2
Mon Oct 30 10:27:43 2000: DEBUG: Deleting session for user2@pruebasql, aaa.aa.216.52, 534
Mon Oct 30 10:27:43 2000: DEBUG: Handling with Radius::AuthLDAP2
Mon Oct 30 10:27:43 2000: DEBUG: Connecting to bbb.bb.20.150, port 389
Mon Oct 30 10:27:46 2000: DEBUG:
Re: (RADIATOR) authentication
Hello Jeremy -

On Sat, 26 Aug 2000, Jeremy Gault wrote:
> Hi,
>
> We've been using Radiator for some time now -- and it's great.
> But I have a couple of questions I wanted to throw out here on the list
> since I'm sure some other people have done these before (and know if it is
> possible or not.)
>
> 1. Is it possible to limit logins by time of day? As in, a user can
> only login between certain hours? (I think this can be done -- there
> is something about it in our users file that a former admin put in
> there -- but I just want to make sure.)
>

Yes - you would use the "Time = ..." check item. See section 13.1.11 in the Radiator 2.16.3 reference manual.

> 2. A more interesting question, is it possible to limit the total time
> used per month? For example, after jdoe has been logged in for 75
> hours that month, he will be disconnected and can't login anymore?
>

Yes, but you will need to use an SQL database and keep track of the time remaining and return it in a Session-Timeout reply attribute. You will also need a monthly cron (or similar) job to recharge the monthly accounts.

> 3. Is it possible to authenticate users by Caller ID?
>

Yes - by using the Calling-Station-Id and/or Called-Station-Id attributes. This has been discussed on the list previously so have a look at the archive site: http://www.starport.net/~radiator

> Basically, this would be used in a VoIP setup. Anyhow, if anyone
> has done this / knows if it can be done / how then please let me know.

regards

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
(RADIATOR) authentication
Hi,

We've been using Radiator for some time now -- and it's great. But I have a couple of questions I wanted to throw out here on the list since I'm sure some other people have done these before (and know if it is possible or not.)

1. Is it possible to limit logins by time of day? As in, a user can only login between certain hours? (I think this can be done -- there is something about it in our users file that a former admin put in there -- but I just want to make sure.)

2. A more interesting question, is it possible to limit the total time used per month? For example, after jdoe has been logged in for 75 hours that month, he will be disconnected and can't login anymore?

3. Is it possible to authenticate users by Caller ID?

Basically, this would be used in a VoIP setup. Anyhow, if anyone has done this / knows if it can be done / how then please let me know.

Thanks.

Jeremy
RE: (RADIATOR) Authentication via MySQL
MySQL's PASSWORD() function uses a proprietary hash algorithm. Ms. Jung, what you probably want to do instead (if you really want your passwords encrypted), is to use MySQL's also-built-in ENCRYPT() function. It does a Unix-crypt compatible hash.

... SET ENCRYPTEDPASSWORD = ENCRYPT("mypassword") ...

It takes an optional second argument to use as the SALT for the hash, but you shouldn't need that. :)

HTH...

Mike Nerone <mailto:[EMAIL PROTECTED]>
Network Operations Manager
Internet Direct, Inc.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hugh Irvine
> Sent: Thursday, 08 June 2000 1853
> To: Patricia Jung; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Authentication via MySQL
>
> Hello Patricia -
>
> On Fri, 09 Jun 2000, Patricia Jung wrote:
> > Hi Hugh and all :)
> >
> > On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
> > >
> > > Curious. The trace shows that the Access-Request is being accepted, however the
> > > accounting requests are being rejected due to bad authenticators. Have you got
> > Exactly...
> >
> > > always accept a user if the password field is NULL. It appears from the
> > > configuration file above, that you are looking at the second field in the SQL
> > > response rather than the first. You might try this:
> > My fault: one should never quote config files while debugging ;)
> >
> > The final solution: The PASSWORD-column in the MySQL-database includes a
> > password that was created by the MySQL-password('passwordtext')-statement.
> > The radpwtst-password-option, however, was followed by the plain passwordtext.
> > Thus, the string "passwordtext" was compared with "07213ca6267303ce",
> > and this is obviously not the same...
> >
> > Therefore I wonder whether it is possible to use MySQL-password() at all?
> >
>
> What sort of encryption does MySQL-password(...) use?
>
> thanks
>
> Hugh
Re: (RADIATOR) Authentication via MySQL
Hello Patricia -

On Fri, 09 Jun 2000, Patricia Jung wrote:
> Hi Hugh and all :)
>
> On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
> >
> > Curious. The trace shows that the Access-Request is being accepted, however the
> > accounting requests are being rejected due to bad authenticators. Have you got
> Exactly...
>
> > always accept a user if the password field is NULL. It appears from the
> > configuration file above, that you are looking at the second field in the SQL
> > response rather than the first. You might try this:
> My fault: one should never quote config files while debugging ;)
>
> The final solution: The PASSWORD-column in the MySQL-database includes a
> password that was created by the MySQL-password('passwordtext')-statement.
> The radpwtst-password-option, however, was followed by the plain passwordtext.
> Thus, the string "passwordtext" was compared with "07213ca6267303ce",
> and this is obviously not the same...
>
> Therefore I wonder whether it is possible to use MySQL-password() at all?
>

What sort of encryption does MySQL-password(...) use?

thanks

Hugh
Re: (RADIATOR) Authentication via MySQL
Hi Hugh and all :)

On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
>
> Curious. The trace shows that the Access-Request is being accepted, however the
> accounting requests are being rejected due to bad authenticators. Have you got

Exactly...

> always accept a user if the password field is NULL. It appears from the
> configuration file above, that you are looking at the second field in the SQL
> response rather than the first. You might try this:

My fault: one should never quote config files while debugging ;)

The final solution: The PASSWORD-column in the MySQL-database includes a password that was created by the MySQL-password('passwordtext')-statement. The radpwtst-password-option, however, was followed by the plain passwordtext. Thus, the string "passwordtext" was compared with "07213ca6267303ce", and this is obviously not the same...

Therefore I wonder whether it is possible to use MySQL-password() at all?

Thanks for all the help :)

Patricia
Re: (RADIATOR) Authentication for ftpd
Hello Tuncay -

On Thu, 08 Jun 2000, Tuncay MARGILIC wrote:
>
> Hi there,
>
> I am planning to setup an ftp server that will handle 3k users. I heard that
> it is possible to make the authentication on radius. but I don't know how.
> Does anyone have information about it. Any documents or faq.
>
> The Operating system will be Linux or Solaris.
>

You can use PAM (pluggable authentication modules) to authenticate via RADIUS. And here is a good place to start:

http://www.kernel.org/pub/linux/libs/pam/

hth

Hugh
Re: (RADIATOR) Authentication via MySQL
Hello Patricia -

On Thu, 08 Jun 2000, Patricia Jung wrote:
> Hi,
>
> I really hope you don't mind a maybe stupid question but it really eats
> up my days... The question is: why hasn't my testuser the slightest chance
> of authentication?
>
> I'm playing a bit with a MySQL database that later will include the users
> database, but currently only has one valid testuser, trish:
>
> $ mysql -u radiususer -p
> [...]
> mysql> use radius;
> mysql> select * from SUBSCRIBERS where USERNAME='trish';
> +----------+---------------+-------------------+
> | USERNAME | PASSWORD      | HOMEDIR           |
> +----------+---------------+-------------------+
> | trish    | 71e5e1e45222b | /local/home/trish |
> [...]
>
> My radius.cfg looks like this:
>
> Foreground
> LogStdout
> LogDir /local/home/trish/Radiator-config
> DbDir /local/home/trish/Radiator-config
>
> FingerProg /usr/bin/finger
> Trace 5
>
> include %D/clients.cfg
>
> DBSource dbi:mysql:radius
> DBUsername radiususer
> DBAuth blafasel
>
> FailureBackoffTime 300
>
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
>
> #AuthColumnDef 1, User-Password, check
> AuthColumnDef 1, Encrypted-Password, check
>
> When running radpwtst -user trish -password xyz (no matter whether xyz equals
> the correct password or not), the debug output looks like this:
>
> Wed Jun 7 19:08:15 2000: INFO: Server started: Radiator 2.16
> Wed Jun 7 19:08:20 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3981
>
> Packet length = 77
> [...]
> Code: Access-Request
> Identifier: 125
> Authentic: 1234567890123456
> Attributes:
>     User-Name = "trish"
>     Service-Type = Framed-User
>     NAS-Identifier = "203.63.154.1"
>     NAS-Port = 1234
>     NAS-Port-Type = Async
>     User-Password = "<155><231>><207><195>=<4><246><188>8<9><160><216>}x<153>"
>
> Wed Jun 7 19:08:20 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Jun 7 19:25:00 2000: DEBUG: Deleting session for trish, 203.63.154.1, 1234
> Wed Jun 7 19:25:00 2000: DEBUG: Handling with Radius::AuthSQL
> Wed Jun 7 19:25:00 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='trish'
>
> Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL looks for match with trish
>
> Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL ACCEPT:
> Wed Jun 7 19:25:00 2000: DEBUG: Access accepted for trish
> Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4018
> Code: Access-Accept
> Identifier: 105
> Authentic: 1234567890123456
> Attributes:
>
> Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018
>
> Packet length = 67
> [...]
> Code: Accounting-Request
> Identifier: 106
> Authentic: <230><222>C{<146>pR<10><192><8><177><143>H<191><151><198>
> Attributes:
>     User-Name = "trish"
>     Service-Type = Framed-User
>     NAS-Identifier = "203.63.154.1"
>     NAS-Port = 1234
>     NAS-Port-Type = Async
>     Acct-Session-Id = "1234"
>     Acct-Status-Type = Start
>
> Wed Jun 7 19:25:00 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> Wed Jun 7 19:25:05 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018
>
> Packet length = 91
> [...]
> Code: Accounting-Request
> Identifier: 107
> Authentic: <254><167>o<234>)<143><198><179>X<231>?<138>y<194>0<202>
> Attributes:
>     User-Name = "trish"
>     Service-Type = Framed-User
>     NAS-Identifier = "203.63.154.1"
>     NAS-Port = 1234
>     NAS-Port-Type = Async
>     Acct-Session-Id = "1234"
>     Acct-Status-Type = Stop
>     Acct-Delay-Time = 0
>     Acct-Session-Time = 1000
>     Acct-Input-Octets = 2
>     Acct-Output-Octets = 3
>
> Wed Jun 7 19:25:05 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
>

Curious. The trace shows that the Access-Request is being accepted, however the accounting requests are being rejected due to bad authenticators. Have you got a correct Client entry for localhost (127.0.0.1)?

And AuthBy SQL will only always accept a user if the password field is NULL. It appears from the configuration file above, that you are looking at the second field in the SQL response rather than the first. You might try this:

Replace this:

> AuthColumnDef 1, Encrypted-Password, check

with this:

AuthColumnDef 0, Encrypted-Password, check

And you will need Encrypted-Password if the password field is indeed encrypted.

hth

Hugh
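The "Bad authenticator" warnings in the trace above, as an added example that is not part of the original reply or of Radiator: an Accounting-Request carries an authenticator computed over the packet and the shared secret (RFC 2866), so a server whose Client entry holds a different secret cannot reproduce it. The secrets, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counts the 2-octet header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def accounting_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(identifier: int, attrs: list, secret: bytes) -> bytes:
    """What the NAS (or a test client) does before sending."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + accounting_authenticator(header, body, secret) + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What the server does on receipt: recompute with its own copy of the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = accounting_authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def classify(packet: bytes, secret: bytes) -> str:
    return "accepted" if verify_accounting_request(packet, secret) else "Bad authenticator"


# Constructed sample: the client signs with one secret, the server may hold another.
CLIENT_SECRET = b"constructed-secret"
SERVER_SECRET_OK = b"constructed-secret"
SERVER_SECRET_WRONG = b"another-secret"

SAMPLE_ATTRS = [
    (USER_NAME, b"trish"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
    (ACCT_SESSION_ID, b"1234"),
]
SAMPLE_PACKET = build_accounting_request(106, SAMPLE_ATTRS, CLIENT_SECRET)

if __name__ == "__main__":
    print("matching Client secret  :", classify(SAMPLE_PACKET, SERVER_SECRET_OK))
    print("mismatched Client secret:", classify(SAMPLE_PACKET, SERVER_SECRET_WRONG))
```

The same check also fails when any attribute is altered in transit, so the warning alone does not distinguish a wrong secret from a modified packet.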
(RADIATOR) Authentication for ftpd
Hi there,

I am planning to setup an ftp server that will handle 3k users. I heard that it is possible to make the authentication on radius. but I don't know how. Does anyone have information about it. Any documents or faq.

The Operating system will be Linux or Solaris.

Tuncay Margilic
(RADIATOR) Authentication via MySQL
Hi,

I really hope you don't mind a maybe stupid question but it really eats up my days... The question is: why hasn't my testuser the slightest chance of authentication?

I'm playing a bit with a MySQL database that later will include the users database, but currently only has one valid testuser, trish:

$ mysql -u radiususer -p
[...]
mysql> use radius;
mysql> select * from SUBSCRIBERS where USERNAME='trish';
+----------+---------------+-------------------+
| USERNAME | PASSWORD      | HOMEDIR           |
+----------+---------------+-------------------+
| trish    | 71e5e1e45222b | /local/home/trish |
[...]

My radius.cfg looks like this:

Foreground
LogStdout
LogDir /local/home/trish/Radiator-config
DbDir /local/home/trish/Radiator-config

FingerProg /usr/bin/finger
Trace 5

include %D/clients.cfg

DBSource dbi:mysql:radius
DBUsername radiususer
DBAuth blafasel

FailureBackoffTime 300

AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'

#AuthColumnDef 1, User-Password, check
AuthColumnDef 1, Encrypted-Password, check

When running radpwtst -user trish -password xyz (no matter whether xyz equals the correct password or not), the debug output looks like this:

Wed Jun 7 19:08:15 2000: INFO: Server started: Radiator 2.16
Wed Jun 7 19:08:20 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3981

Packet length = 77
[...]
Code: Access-Request
Identifier: 125
Authentic: 1234567890123456
Attributes:
    User-Name = "trish"
    Service-Type = Framed-User
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    NAS-Port-Type = Async
    User-Password = "<155><231>><207><195>=<4><246><188>8<9><160><216>}x<153>"

Wed Jun 7 19:08:20 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun 7 19:25:00 2000: DEBUG: Deleting session for trish, 203.63.154.1, 1234
Wed Jun 7 19:25:00 2000: DEBUG: Handling with Radius::AuthSQL
Wed Jun 7 19:25:00 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='trish'
Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL looks for match with trish
Wed Jun 7 19:25:00 2000: DEBUG: Radius::AuthSQL ACCEPT:
Wed Jun 7 19:25:00 2000: DEBUG: Access accepted for trish
Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4018
Code: Access-Accept
Identifier: 105
Authentic: 1234567890123456
Attributes:

Wed Jun 7 19:25:00 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4018

Packet length = 67
[...]
Code: Accounting-Request
Identifier: 106
Authentic: <230><222>C{<146>pR<10><192><8><177><143>H<191><151><198>
Attributes:
    User-Name = "trish"
    Service-Type = Framed-User
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "1234"
    Acct-Status-Type = Start

Wed Jun 7 19:25:00 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
Wed Jun 7 19:25:05 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4018

Packet length = 91
[...]
Code: Accounting-Request
Identifier: 107
Authentic: <254><167>o<234>)<143><198><179>X<231>?<138>y<194>0<202>
Attributes:
    User-Name = "trish"
    Service-Type = Framed-User
    NAS-Identifier = "203.63.154.1"
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "1234"
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 2
    Acct-Output-Octets = 3

Wed Jun 7 19:25:05 2000: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)

@row in AuthSQL.pm's sub findUser gets the correct PASSWORD from the database, thus, the problem should have to do with comparing. I tried both, Encrypted-Password, and User-Password, without success, just to make sure.

Any hints where I should see next?

Thanks a lot

Patricia
RE: (RADIATOR) Authentication through MySQL database
Hello Tuncay -

On Fri, 21 Apr 2000, Tuncay MARGILIC wrote:
>
> Hello,
>
> I am planning to add TNT Max boxes to my network. I still have Cisco 5300 on
> the network. The question is how can I go on checking the simultaneous use of
> the users. Max-User is set to 1 and I check (Radiator does) the 5300 box
> with SNMP but the TNT boxes have to be used with finger. What should I do.
> Is there anyway like creating a client table on radius database and give the
> attributes of each NAS and make the radiator use different types of user
> availability checking. Or make the TNT boxes accessible via SNMP (But the
> vendor ID's are different)
>

Radiator already has support for mixed NAS environments. You simply specify NasType with each of your Client definitions:

NasType Cisco
Secret .

NasType Ascend # or NasType AscendSNMP
Secret .

Have a look at section 6.4.5 in the Radiator 2.15 reference manual.

hth

Hugh