Re: [RADIATOR] Monitor radiator authentication response time

2014-03-27 Thread rohan.henry @cwjamaica.com
Thanks Heikki.

Will let you know.

Rohan


On Thu, Mar 27, 2014 at 2:00 PM, Heikki Vatiainen  wrote:

> On 03/27/2014 05:27 AM, rohan.henry @cwjamaica.com wrote:
>
> > We use radlogin radius test tool. It sends auth request using username
> > and password and measures the response time.
> >
> > http://www.iea-software.com/products/radlogin4.cfm
> >
> > But I want to monitor radius response time on Radius server that use NAS
> > Port ID to authenticate users.
>
> Hello Rohan,
>
> is that the NAS-Port-Id attribute, number 87, in the dictionary?
>
> If so, I suggest you create a <Client> clause for the monitoring and
> put AddToRequest NAS-Port-Id=something in the Client clause. The
> incoming request from the test tool will be modified to include the said
> attribute and value and the authentication should then succeed.
>
> Please let us know if this solves the problem.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen 
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Monitor radiator authentication response time

2014-03-27 Thread Heikki Vatiainen
On 03/27/2014 05:27 AM, rohan.henry @cwjamaica.com wrote:

> We use radlogin radius test tool. It sends auth request using username
> and password and measures the response time.
> 
> http://www.iea-software.com/products/radlogin4.cfm
> 
> But I want to monitor radius response time on Radius server that use NAS
> Port ID to authenticate users.

Hello Rohan,

is that the NAS-Port-Id attribute, number 87, in the dictionary?

If so, I suggest you create a <Client> clause for the monitoring and
put AddToRequest NAS-Port-Id=something in the Client clause. The
incoming request from the test tool will be modified to include the said
attribute and value and the authentication should then succeed.

Please let us know if this solves the problem.

Thanks,
Heikki

-- 
Heikki Vatiainen 

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
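
A client-side alternative to the AddToRequest approach suggested above, as an added example that is not part of the original thread or Radiator's own code: a probe that puts NAS-Port-Id (attribute 87) into its own Access-Request, times the reply, and checks the Response Authenticator so that only a genuine server reply is counted. The host, port, shared secret, user name, password and NAS-Port-Id value are constructed placeholders.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST = 1
RESULTS = {2: "accept", 3: "reject", 11: "challenge"}
USER_NAME, USER_PASSWORD, NAS_PORT_ID = 1, 2, 87  # 87 is NAS-Port-Id


def attr(atype, value):
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding, RFC 2865 section 5.2: XOR with an MD5 keystream."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def build_request(ident, authenticator, secret, user, password, nas_port_id):
    """Access-Request carrying User-Name, User-Password and NAS-Port-Id."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_PORT_ID, nas_port_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def reply_is_authentic(reply, ident, request_authenticator, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) against the reply."""
    if len(reply) < 20:
        return False
    _code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    if reply_ident != ident or length < 20 or length > len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(
        reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(host, port, secret, user, password, nas_port_id, timeout=3.0):
    """Send one request; return the result and the seconds until a valid reply."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_request(ident, authenticator, secret, user, password, nas_port_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        start = time.perf_counter()
        sock.sendto(packet, (host, port))
        while True:
            remaining = timeout - (time.perf_counter() - start)
            if remaining <= 0:
                return {"result": "timeout", "seconds": timeout}
            sock.settimeout(remaining)
            try:
                reply, _peer = sock.recvfrom(4096)
            except socket.timeout:
                return {"result": "timeout", "seconds": timeout}
            except OSError:
                return {"result": "error", "seconds": time.perf_counter() - start}
            # Datagrams that fail the authenticator check are ignored, not timed.
            if reply_is_authentic(reply, ident, authenticator, secret):
                return {"result": RESULTS.get(reply[0], "other"),
                        "seconds": time.perf_counter() - start}


if __name__ == "__main__":
    # Constructed placeholder values; replace with the monitoring client's own.
    print(probe("127.0.0.1", 1812, b"placeholder-secret", b"probe-user",
                b"probe-password", b"monitor-port-1", timeout=1.0))
```

Because the result separates "timeout" from "reject", a monitor can alert on slow responses and on failed authentication independently.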


Re: [RADIATOR] Monitor radiator authentication response time

2014-03-26 Thread rohan.henry @cwjamaica.com
Heikki,

We use radlogin radius test tool. It sends auth request using username and
password and measures the response time.

http://www.iea-software.com/products/radlogin4.cfm

But I want to monitor radius response time on Radius server that use NAS
Port ID to authenticate users.

Rohan


On Fri, Mar 21, 2014 at 2:33 PM, Heikki Vatiainen  wrote:

> On 03/19/2014 09:21 PM, rohan.henry @cwjamaica.com wrote:
>
> > How can I monitor Radiator's response time when using NAS Port ID
> > instead of username for authentication?
>
> Hello Rohan,
>
> can you describe in more detail how the monitoring is done now?
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen 
>

Re: [RADIATOR] Monitor radiator authentication response time

2014-03-21 Thread Heikki Vatiainen
On 03/19/2014 09:21 PM, rohan.henry @cwjamaica.com wrote:

> How can I monitor Radiator's response time when using NAS Port ID
> instead of username for authentication?

Hello Rohan,

can you describe in more detail how the monitoring is done now?

Thanks,
Heikki

-- 
Heikki Vatiainen 



[RADIATOR] Monitor radiator authentication response time

2014-03-19 Thread rohan.henry @cwjamaica.com
Hello,

How can I monitor Radiator's response time when using NAS Port ID instead
of username for authentication?

Rohan

Re: [RADIATOR] Authentication without check attributes

2012-10-19 Thread Jesús Rodríguez
Hi Heikki,

On 04/10/2012, at 20:48, Heikki Vatiainen wrote:

> On 10/04/2012 11:47 AM, Jesús Rodríguez wrote:
> 
>> Is possible to use a value returned in an  AuthSelect query in a 
>> subsequent ?.
> 
> Yes. Instead of using 'check' as the type for AuthColumnDef, use
> 'request'. That will put the retrieved value in the request for later
> use. For the details, please see the reference manual section '5.31.11
> AuthColumnDef'.


This is exactly what i needed, thanks!!.

Regards.



>> An example:
>> 
>> 
>>  AuthByPolicy ContinueWhileAccept
>>  AddToRequest X-pre-auth-required-result = 1
>>  
>>  AuthSelect select 
>> validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
>>  AuthColumnDef 0, X-pre-auth-required-result, check
>>  
>> 
>> In this case, the AuthSelect would return two values. The first one is used 
>> as check value. I would like to get the second returned value and use it in 
>> a subsequent  within the same  clause. Is possible to save 
>> the second value in a variable or pseudo-attribute and use it later on?.
>> 
>> Thanks and regards.
>> 
>> 
>> 
>> 
>> 
>> On 27/06/2012, at 13:21, Jesús Rodríguez wrote:
>> 
>>> -- Forwarded message --
>>> From: Heikki Vatiainen 
>>> Date: Sun, Jun 24, 2012 at 10:59 PM
>>> Subject: Re: [RADIATOR] Authentication without check attributes
>>> To: radiator@open.com.au
>>> 
>>> 
>>> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>>> 
>>>> To authenticate a dsl pre-authentication request, i have to use a mysql 
>>>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), 
>>>> with no check attributes or other values i can use as check parameters.
>>>> 
>>>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>>> 
>>> Try something like this:
>>> 
>>> 
>>>   AddToRequest  X-pre-auth-required-result = 1
>>>   
>>>   AuthSelect your-mysql-function
>>>   AuthColumnDef 0, X-pre-auth-required-result, check
>>>   ...
>>> ...
>>> 
>>> Here X-pre-auth-required-result is a local pseudo-attribute. You can
>>> name it as you want, but the main thing is it will never come from the
>>> NAS and has a fixed value you can compare against value returned from
>>> MySQL function.
>>> 
>>> Thanks,
>>> Heikki
>> 







Re: [RADIATOR] Authentication without check attributes

2012-10-04 Thread Heikki Vatiainen
On 10/04/2012 11:47 AM, Jesús Rodríguez wrote:

> Is possible to use a value returned in an  AuthSelect query in a 
> subsequent ?.

Yes. Instead of using 'check' as the type for AuthColumnDef, use
'request'. That will put the retrieved value in the request for later
use. For the details, please see the reference manual section '5.31.11
AuthColumnDef'.

Thanks,
Heikki


> An example:
> 
> 
>   AuthByPolicy ContinueWhileAccept
>   AddToRequest X-pre-auth-required-result = 1
>   
>   AuthSelect select 
> validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
>   AuthColumnDef 0, X-pre-auth-required-result, check
>   
> 
> In this case, the AuthSelect would return two values. The first one is used 
> as check value. I would like to get the second returned value and use it in a 
> subsequent  within the same  clause. Is possible to save the 
> second value in a variable or pseudo-attribute and use it later on?.
> 
> Thanks and regards.
> 
> 
> 
> 
> 
> On 27/06/2012, at 13:21, Jesús Rodríguez wrote:
> 
>> -- Forwarded message --
>> From: Heikki Vatiainen 
>> Date: Sun, Jun 24, 2012 at 10:59 PM
>> Subject: Re: [RADIATOR] Authentication without check attributes
>> To: radiator@open.com.au
>>
>>
>> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>>
>>> To authenticate a dsl pre-authentication request, i have to use a mysql 
>>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), 
>>> with no check attributes or other values i can use as check parameters.
>>>
>>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>>
>> Try something like this:
>>
>> 
>>AddToRequest  X-pre-auth-required-result = 1
>>
>>AuthSelect your-mysql-function
>>AuthColumnDef 0, X-pre-auth-required-result, check
>>...
>> ...
>>
>> Here X-pre-auth-required-result is a local pseudo-attribute. You can
>> name it as you want, but the main thing is it will never come from the
>> NAS and has a fixed value you can compare against value returned from
>> MySQL function.
>>
>> Thanks,
>> Heikki
> 
> 
> 
> 
> 
> Jesus Rodriguez
> VozTelecom Sistemas, S.L.
> jes...@voztele.com
> http://www.voztele.com
> Tel. 902360305
> -
> 
> 
> 
> 
> 


-- 
Heikki Vatiainen 



Re: [RADIATOR] Authentication without check attributes

2012-10-04 Thread Jesús Rodríguez
Hi Heikki and all,

Is possible to use a value returned in an  AuthSelect query in a 
subsequent ?.

An example:


AuthByPolicy ContinueWhileAccept
AddToRequest X-pre-auth-required-result = 1

AuthSelect select 
validate_preauth('%{Calling-Station-Id}','',%0,'','','','','','','','','','',0,1,0,now())
AuthColumnDef 0, X-pre-auth-required-result, check


In this case, the AuthSelect would return two values. The first one is used as 
check value. I would like to get the second returned value and use it in a 
subsequent  within the same  clause. Is possible to save the 
second value in a variable or pseudo-attribute and use it later on?.

Thanks and regards.





On 27/06/2012, at 13:21, Jesús Rodríguez wrote:

> ------ Forwarded message --
> From: Heikki Vatiainen 
> Date: Sun, Jun 24, 2012 at 10:59 PM
> Subject: Re: [RADIATOR] Authentication without check attributes
> To: radiator@open.com.au
> 
> 
> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
> 
>> To authenticate a dsl pre-authentication request, i have to use a mysql 
>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), 
>> with no check attributes or other values i can use as check parameters.
>> 
>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
> 
> Try something like this:
> 
> 
>AddToRequest  X-pre-auth-required-result = 1
>
>AuthSelect your-mysql-function
>AuthColumnDef 0, X-pre-auth-required-result, check
>...
> ...
> 
> Here X-pre-auth-required-result is a local pseudo-attribute. You can
> name it as you want, but the main thing is it will never come from the
> NAS and has a fixed value you can compare against value returned from
> MySQL function.
> 
> Thanks,
> Heikki





Jesus Rodriguez
VozTelecom Sistemas, S.L.
jes...@voztele.com
http://www.voztele.com
Tel. 902360305
-







Re: [RADIATOR] Authentication without check attributes

2012-06-27 Thread Jesús Rodríguez
Hi Heikki,

On Sun, Jun 24, 2012 at 10:59 PM, Heikki Vatiainen  wrote:
> On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:
>
>> To authenticate a dsl pre-authentication request, i have to use a mysql 
>> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), 
>> with no check attributes or other values i can use as check parameters.
>>
>> How can i send the Accept or Reject based on the returned 1 or 0 values?.
>
> Try something like this:
>
> 
>    AddToRequest  X-pre-auth-required-result = 1
>    
>        AuthSelect your-mysql-function
>        AuthColumnDef 0, X-pre-auth-required-result, check
>    ...
> ...
>
> Here X-pre-auth-required-result is a local pseudo-attribute. You can
> name it as you want, but the main thing is it will never come from the
> NAS and has a fixed value you can compare against value returned from
> MySQL function.


Thanks for your reply. This should do the trick!.

Regards.

Greetings
JesusR.


Re: [RADIATOR] Authentication without check attributes

2012-06-24 Thread Heikki Vatiainen
On 06/23/2012 04:32 PM, Jesús Rodríguez wrote:

> To authenticate a dsl pre-authentication request, i have to use a mysql 
> function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), 
> with no check attributes or other values i can use as check parameters.
> 
> How can i send the Accept or Reject based on the returned 1 or 0 values?.

Try something like this:


AddToRequest  X-pre-auth-required-result = 1

AuthSelect your-mysql-function
AuthColumnDef 0, X-pre-auth-required-result, check
...
...

Here X-pre-auth-required-result is a local pseudo-attribute. You can
name it as you want, but the main thing is it will never come from the
NAS and has a fixed value you can compare against value returned from
MySQL function.

Thanks,
Heikki

-- 
Heikki Vatiainen 



[RADIATOR] Authentication without check attributes

2012-06-23 Thread Jesús Rodríguez
Hello,

To authenticate a dsl pre-authentication request, i have to use a mysql 
function query (using AuthBy mysql) that returns 1 (accept) or 0 (reject), with 
no check attributes or other values i can use as check parameters.

How can i send the Accept or Reject based on the returned 1 or 0 values?.

Thanks and regards.




Re: [RADIATOR] Authentication type not support - HELP

2010-09-14 Thread Alan Buxey
Hi,

>   I'm getting the following error relating to REJECT: Authentication type not 
> supported.
>   Can anyone point me in the right direction as to what I have done wrong?

you've tried to use HOTP for an MSCHAPv2 challenge method...which, as Hugh says,
isn't possible.
the debug log tries to help

> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication 
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by 
> HOTP: mreeves [mreeves]


it might be good if the type was mentioned in the debug to clear any
doubts...but HOTP only does RFC 4226 authentication...so really needs the
password given to it there and then.

you need to use another Auth method...if you've got need for both one-time and
mschapv2 stuff then you'll need to eg define another handler that's looking
for that type of authentication and dealing with it

(then there's the issue of which types of backend authentication can be used
with MSCHAPv2)

alan 


Re: [RADIATOR] Authentication type not support - HELP

2010-09-13 Thread Hugh Irvine

Hello Matthew -

I don't think you have done anything wrong - but the debug shows the client is 
sending an MSCHAP-V2 request, which as you can see is not supported by the 
AuthBy SQLHOTP clause.

regards

Hugh


On 13 Sep 2010, at 15:57, Matthew Reeves-Hairs wrote:

> Hi,
>  I'm getting the following error relating to REJECT: Authentication type not 
> supported.
>  Can anyone point me in the right direction as to what I have done wrong?
> 
> Thanks
> 
> Matthew
> 
> Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
> *** Received from 192.168.100.1 port 51172 
> 
> Packet length = 151
> 01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
> 10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
> 01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
> 12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
> 4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
> 1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
> 00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
> 9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
> 2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
> 70 05 06 00 00 00 00
> Code:   Access-Request
> Identifier: 108
> Authentic:  ><19>(<137><179><140><198><215>-<137><204><134><16>#<156><161>
> Attributes:
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   User-Name = "mreeves"
>   MS-CHAP-Challenge = s<138><143>?<182><243>1<24><185>m~MP<255><250>J
>   MS-CHAP2-Response = 
> D<0><13>:N|<11><30><189>/lqQ<10>=<179>_Z<0><0><0><0><0><0><0><0>7<164>7C<26><193><141><235>YN<235>G<127><154><9><28><191>_.<144><30><180><229><159>
>   Calling-Station-Id = "217.36.254.209"
>   NAS-Identifier = "l2tp"
>   NAS-Port = 0
> 
> Mon Sep 13 21:53:29 2010: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT', Identifier ''
> Mon Sep 13 21:53:29 2010: DEBUG:  Deleting session for mreeves, 
> 192.168.100.1, 0
> Mon Sep 13 21:53:29 2010: DEBUG: Handling with Radius::AuthSQLHOTP: 
> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP looks for match with 
> mreeves [mreeves]
> Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication 
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by 
> HOTP: mreeves [mreeves]
> Mon Sep 13 21:53:29 2010: DEBUG: AuthBy SQLHOTP result: REJECT, 
> Authentication type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is 
> supported by HOTP
> Mon Sep 13 21:53:29 2010: INFO: Access rejected for mreeves: Authentication 
> type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
> Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
> *** Sending to 192.168.100.1 port 51172 
> 
> Packet length = 36
> 03 6c 00 24 95 0b c5 e9 09 d5 b6 10 e2 79 9d 7c
> 7f 57 82 c1 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:   Access-Reject
> Identifier: 108
> Authentic:  <149><11><197><233><9><213><182><16><226>y<157>|<127>W<130><193>
> Attributes:
>   Reply-Message = "Request Denied"
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
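
The triage done above by reading the trace, as an added example that is not part of the original thread or Radiator's own code: a parser that decodes the posted Access-Request and names the authentication method it carries. The packet bytes are copied from the dump above; the function names and the hotp_ok field are hypothetical, and hotp_ok is an assumption drawn from the REJECT message in the trace.

```python
import struct

# Access-Request bytes copied from the packet dump in the trace above.
PACKET_HEX = """
01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
70 05 06 00 00 00 00
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))

VENDOR_SPECIFIC, MICROSOFT = 26, 311
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}


def tlvs(buf, what):
    """Yield (type, value) pairs from a run of type/length/value records."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError(f"truncated {what} header at offset {pos}")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad {what} length {alen} at offset {pos}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def parse_radius(data):
    """Return (code, identifier, attrs).

    attrs maps (vendor, type) to a list of values; vendor is None for
    standard attributes. Only Microsoft vendor attributes are unpacked.
    """
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"length field {length} does not fit {len(data)} bytes")
    attrs = {}
    for atype, value in tlvs(data[20:length], "attribute"):
        vendor = struct.unpack("!I", value[:4])[0] if len(value) >= 4 else None
        if atype == VENDOR_SPECIFIC and vendor == MICROSOFT:
            for vtype, vvalue in tlvs(value[4:], "vendor attribute"):
                attrs.setdefault((MICROSOFT, vtype), []).append(vvalue)
        else:
            attrs.setdefault((None, atype), []).append(value)
    return code, ident, attrs


def auth_method(attrs):
    """Name the authentication method from the attributes that are present."""
    if (None, 79) in attrs:         # EAP-Message
        return "EAP"
    if (MICROSOFT, 25) in attrs:    # MS-CHAP2-Response
        return "MS-CHAP-V2"
    if (MICROSOFT, 1) in attrs:     # MS-CHAP-Response
        return "MS-CHAP"
    if (None, 3) in attrs:          # CHAP-Password
        return "CHAP"
    if (None, 2) in attrs:          # User-Password
        return "PAP"
    return "none"


def triage(data):
    """Summarise a request the way the thread reads the trace."""
    code, ident, attrs = parse_radius(data)
    method = auth_method(attrs)
    user = attrs.get((None, 1), [b""])[0].decode("utf-8", "replace")
    return {
        "code": CODES.get(code, str(code)),
        "identifier": ident,
        "user": user,
        "method": method,
        # Assumption from the REJECT message: HOTP takes PAP or an EAP type.
        # The EAP type itself is only negotiated in later packets.
        "hotp_ok": method in ("PAP", "EAP"),
    }


if __name__ == "__main__":
    print(triage(PACKET))
```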


[RADIATOR] Authentication type not support - HELP

2010-09-13 Thread Matthew Reeves-Hairs
Hi,
  I'm getting the following error relating to REJECT: Authentication type not 
supported.
  Can anyone point me in the right direction as to what I have done wrong?

Thanks

Matthew

Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
*** Received from 192.168.100.1 port 51172 

Packet length = 151
01 6c 00 97 3e 13 28 89 b3 8c c6 d7 2d 89 cc 86
10 23 9c a1 06 06 00 00 00 02 07 06 00 00 00 01
01 09 6d 72 65 65 76 65 73 1a 18 00 00 01 37 0b
12 73 8a 8f 3f b6 f3 31 18 b9 6d 7e 4d 50 ff fa
4a 1a 3a 00 00 01 37 19 34 44 00 0d 3a 4e 7c 0b
1e bd 2f 6c 71 51 0a 3d b3 5f 5a 00 00 00 00 00
00 00 00 37 a4 37 43 1a c1 8d eb 59 4e eb 47 7f
9a 09 1c bf 5f 2e 90 1e b4 e5 9f 1f 10 32 31 37
2e 33 36 2e 32 35 34 2e 32 30 39 20 06 6c 32 74
70 05 06 00 00 00 00
Code:   Access-Request
Identifier: 108
Authentic:  ><19>(<137><179><140><198><215>-<137><204><134><16>#<156><161>
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "mreeves"
MS-CHAP-Challenge = s<138><143>?<182><243>1<24><185>m~MP<255><250>J
MS-CHAP2-Response = 
D<0><13>:N|<11><30><189>/lqQ<10>=<179>_Z<0><0><0><0><0><0><0><0>7<164>7C<26><193><141><235>YN<235>G<127><154><9><28><191>_.<144><30><180><229><159>
Calling-Station-Id = "217.36.254.209"
NAS-Identifier = "l2tp"
NAS-Port = 0

Mon Sep 13 21:53:29 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT', 
Identifier ''
Mon Sep 13 21:53:29 2010: DEBUG:  Deleting session for mreeves, 192.168.100.1, 0
Mon Sep 13 21:53:29 2010: DEBUG: Handling with Radius::AuthSQLHOTP: 
Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP looks for match with 
mreeves [mreeves]
Mon Sep 13 21:53:29 2010: DEBUG: Radius::AuthSQLHOTP REJECT: Authentication 
type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP: 
mreeves [mreeves]
Mon Sep 13 21:53:29 2010: DEBUG: AuthBy SQLHOTP result: REJECT, Authentication 
type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
Mon Sep 13 21:53:29 2010: INFO: Access rejected for mreeves: Authentication 
type not supported. Only RADIUS PAP, EAP-OPT and EAP-GTC is supported by HOTP
Mon Sep 13 21:53:29 2010: DEBUG: Packet dump:
*** Sending to 192.168.100.1 port 51172 

Packet length = 36
03 6c 00 24 95 0b c5 e9 09 d5 b6 10 e2 79 9d 7c
7f 57 82 c1 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:   Access-Reject
Identifier: 108
Authentic:  <149><11><197><233><9><213><182><16><226>y<157>|<127>W<130><193>
Attributes:
Reply-Message = "Request Denied"



Re: (RADIATOR) authentication

2003-11-10 Thread Robert Blayzor
On 11/10/03 6:03 PM, "Dan Boucaut" <[EMAIL PROTECTED]> wrote:

> Is it possible to use different authentication methods based on username.
> 
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??

Sure with Radiator, almost anything is possible! ;-)











--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Any sufficiently advanced bug is indistinguishable from a feature.  -
Kulawiec


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) authentication

2003-11-10 Thread Andrew Stevenson
On Tue, 11 Nov 2003, Dan Boucaut wrote:

> Is it possible to use different authentication methods based on username.
>
> ie usernameA authenticates to serverA
> and usernameB authenticates to serverB ??

You can have a different handler for each username but if this is for a
large volume of users (perhaps the merging of 2 ISPs) that's not going to
scale.

Are you after a system that allows you to look up a username in a DB or
similar and the result of the DB query indicates another RADIUS server to
proxy to? If so you would probably have to do a "continue while accept",
use an AuthBy to add a field to the request and then a later handler based
on that attribute. You would probably still have to hard code the address
of the RADIUS servers in your config file but you could select them based
on a DB lookup.

Andrew


Re: (RADIATOR) authentication

2003-11-10 Thread Hugh Irvine
Hello Dan -

Yes there are many different ways of using authentication methods, ie: 
multiple AuthBy clauses, cascaded AuthBy clauses, separate Handlers, 
individual Realms, etc.

Perhaps if you give us a bit more detail we can make some suggestions.

regards

Hugh

On 11/11/2003, at 10:03 AM, Dan Boucaut wrote:

Hello,

Is it possible to use different authentication methods based on 
username.

ie usernameA authenticates to serverA
and usernameB authenticates to serverB ??
thanks

regards
Dan

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


Re: (RADIATOR) authentication

2003-11-10 Thread Terry Simons
Dan,

Yes, this is possible.

We're currently doing this by appending a domain on the username... so 
for instance:

[EMAIL PROTECTED]

and

[EMAIL PROTECTED]

I'm not sure how you would do it otherwise, but maybe others can shed 
more light.

You may want to look at the proxy configuration samples in the goodies 
directory.

- Terry

On Nov 10, 2003, at 4:03 PM, Dan Boucaut wrote:

Hello,

Is it possible to use different authentication methods based on 
username.

ie usernameA authenticates to serverA
and usernameB authenticates to serverB ??
thanks

regards
Dan


(RADIATOR) authentication

2003-11-10 Thread Dan Boucaut
Hello,

Is it possible to use different authentication methods based on username.

ie usernameA authenticates to serverA
and usernameB authenticates to serverB ??
thanks

regards
Dan


Re: (RADIATOR) Authentication failure in leap when Username including domain-suffix

2003-11-10 Thread nagataki
Hello,

Thank you for the quick response, Mike.

I downloaded the newest patches from www.open.com.au and applied them,
but LEAP-Authentication does not work well.

In the environment, there is no difference from before, except applying the patches.

The result is written below. (What's "Access-Accept" in the log?)
---
Mon Nov 10 15:41:03 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Mon Nov 10 15:41:03 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Mon Nov 10 15:41:04 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Mon Nov 10 15:41:04 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Mon Nov 10 15:41:04 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Mon Nov 10 15:41:04 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1516 
Code:   Access-Request
Identifier: 204
Authentic:  <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
User-Name = "[EMAIL PROTECTED]"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><13><0><27><1>[EMAIL PROTECTED]
Message-Authenticator = <239><23><10><159><242><230><198><207><131>A1Z<163><136>P<238>

Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG:  Deleting session for [EMAIL PROTECTED], aaa.bbb.ccc.ddd, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 13, 27
Mon Nov 10 15:43:41 2003: DEBUG: Response type 1
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1516 
Code:   Access-Challenge
Identifier: 204
Authentic:  <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
EAP-Message = <1><14><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1517 
Code:   Access-Request
Identifier: 205
Authentic:  <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
User-Name = "[EMAIL PROTECTED]"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><14><0><6><3><17>
Message-Authenticator = <159><195><29>E<216><247>U<241><184>1*^hWxl

Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG:  Deleting session for [EMAIL PROTECTED], 202.48.98.47, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 14, 6
Mon Nov 10 15:43:41 2003: DEBUG: Response type 3
Mon Nov 10 15:43:41 2003: INFO: EAP Nak desires type 17
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1517 
Code:   Access-Challenge
Identifier: 205
Authentic:  <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
EAP-Message = <1><15><0>&<17><1><0><8><159><21><143><167><172>R<220>snag[EMAIL PROTECTED]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1518 
Code:   Access-Request
Identifier: 206
Authentic:  g8<23>r<175><251><24>x<20><29><176><248>05'<171>
Attributes:
User-Name = "[EMAIL PROTECTED]"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><15><0>6<17><1><0><24><223>&<19>%<221> <219>*,x<194><206><8><247>gZ[0<213><253><136><25><237><225>[EMAIL PROTECTED]
 

Re: (RADIATOR) Authentication failure in leap when Username including domain-suffix

2003-11-09 Thread Mike McCauley
Hello,

The problem here was that the LEAP identity being sent by the client was 
[EMAIL PROTECTED], and although you had a RewriteUsername to rewrite the 
Radius user name it had no effect on the LEAP identity.

We have now posted a patch so that RewriteUsername also affects the LEAP 
identity. That should fix your problem. The new version of EAP_17.pm has also 
been attached. Pls let us know how you get on.

Cheers.


On Mon, 10 Nov 2003 01:17 pm, [EMAIL PROTECTED] wrote:
> Hi everyone,
>
> I'm testing wireless LAN connection by using peap(ms-chap2-v2)&leap.
> But I have a problem in leap (everything looks like OK in peap) and
> can't see what is incorrect.
>
>
> (Prerequisite(summary))
> 1.Radiator server version is 3.7.1 applied newest(?) patches
>   (downloading at 21 Oct.)
> 2.Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition
> 3.Username is include "@domain-suffix"
>   (When excluding "@domain-suffix" from Username, test is passed)
> 4.User-Authentication is using DBFile.
> 5.config_file is like below.
> ---
> #Foreground
> #LogStdout
> LogDir  /var/log
> #DbDir  /etc/raddb
> AuthPort 1812
> AcctPort 1813
> DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace   4
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> 
> Secret  test
> DupInterval 0
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
> 
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> 
> #
> 
> Filename /etc/raddb/users
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType PEAP,MSCHAP-V2
> 
> 
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
> 
> #
> 
> # The username of the outer authentication
> #  must be in this file to get anywhere. In this example,
> # it requires an entry for 'anonymous' which is the standard username
> # in the outer requests, and it also requires an entry for the
> # actual user name who is trying to connect (ie the 'Login name' entered
> # in the Funk Odyssey 'Edit Profile Properties' page
> Filename /etc/raddb/users
> RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType PEAP,MSCHAP-V2,LEAP
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile /home/test/ca/ca2.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> EAPTLS_CAPath /home/test/ca
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN
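
The mismatch described in the reply above can be read straight out of the EAP-Message attributes in the trace 4 dump: the RADIUS user name is rewritten, but the name carried inside the LEAP packet is not. The decoder below is an added example, not code from the post or from Radiator; its function names are hypothetical and the realm `example.co.jp` is constructed, because the archive masks the real one.

```python
import re
import struct

# Trace notation used in the packet dumps: printable bytes appear as
# themselves, every other byte as <decimal>. Assumption: a literal "<"
# followed by digits and ">" never occurs in the payload itself.
ESCAPED = re.compile(r"<(\d{1,3})>")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 25: "PEAP", 26: "MSCHAP-V2"}

# NAK_DUMP is the client's reply as shown in the trace. LEAP_DUMP follows the
# server's LEAP challenge, with a constructed realm in place of the masked one.
NAK_DUMP = "<2><14><0><6><3><17>"
LEAP_DUMP = ("<1><15><0>&<17><1><0><8><159><21><143><167><172>R<220>s"
             "nagataki@example.co.jp")


def undump(text):
    """Turn dump notation such as '<2><14><0>6' back into raw bytes."""
    out = bytearray()
    pos = 0
    for match in ESCAPED.finditer(text):
        out += text[pos:match.start()].encode("latin-1")
        value = int(match.group(1))
        if value > 255:
            raise ValueError("escaped value %d is not a byte" % value)
        out.append(value)
        pos = match.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_leap(body):
    """LEAP type data: version, unused, count, challenge/response, name."""
    if len(body) < 3:
        raise ValueError("LEAP data shorter than its 3-byte header")
    version, _unused, count = body[0], body[1], body[2]
    if len(body) < 3 + count:
        raise ValueError("LEAP count field runs past the end of the packet")
    return {
        "leap_version": version,
        "leap_data": body[3:3 + count],
        "leap_name": body[3 + count:].decode("latin-1"),
    }


def parse_eap(data):
    """Decode the EAP header and the type data this thread deals with."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:        # only Request/Response carry a type
        eap_type, body = data[4], data[5:length]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = body.decode("latin-1")
        elif eap_type == 3:                  # Nak lists the types the peer wants
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in body]
        elif eap_type == 17:
            pkt.update(parse_leap(body))
    return pkt


def unrewritten_identity(radius_user, eap_dump):
    """Return the LEAP name when it differs from the rewritten User-Name."""
    name = parse_eap(undump(eap_dump)).get("leap_name")
    if name is not None and name != radius_user:
        return name
    return None


if __name__ == "__main__":
    for dump in (NAK_DUMP, LEAP_DUMP):
        print(parse_eap(undump(dump)))
    # "nagataki" is what the trace reports after "Rewrote user name to".
    print("LEAP name not covered by the rewrite:",
          unrewritten_identity("nagataki", LEAP_DUMP))
```

Fed the PEAP challenge exactly as it appears in the archived trace (`<1><14><0><6><25>`), `parse_eap` raises `ValueError`, because the length field says 6 and only 5 bytes are on the line.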

(RADIATOR) Authentication failure in leap when Username including domain-suffix

2003-11-09 Thread nagataki
Hi everyone,

I'm testing wireless LAN connection by using peap(ms-chap2-v2)&leap.
But I have a problem in leap (everything looks like OK in peap) and
can't see what is incorrect.


(Prerequisite(summary))
1.Radiator server version is 3.7.1 applied newest(?) patches
  (downloading at 21 Oct.)
2.Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition
3.Username is include "@domain-suffix"
  (When excluding "@domain-suffix" from Username, test is passed)
4.User-Authentication is using DBFile.
5.config_file is like below.
---
#Foreground
#LogStdout
LogDir  /var/log
#DbDir  /etc/raddb
AuthPort 1812
AcctPort 1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace   4
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

Secret  test
DupInterval 0
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/


# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.

#

Filename /etc/raddb/users
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2




# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE

#

# The username of the outer authentication
#  must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename /etc/raddb/users
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/

# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP

# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile /home/test/ca/ca2.pem

# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
EAPTLS_CAPath /home/test/ca

# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile /home/test/ca/cert2.pem
EAPTLS_CertificateType PEM

# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
EAPTLS_PrivateKeyFile /home/test/ca/key2.pem
EAPTLS_PrivateKeyPassword test1234

  

Re: (RADIATOR) Authentication Issue - Odyssey and iPaq 5450

2003-10-06 Thread Bon sy
Hi Steve,
From your calling station ID, it seems like you are using Cisco
wireless gear. I recently played with Meetinghouse client for ipaq 5450. I
could not get it to work too. But my problem is not on the radius
side. 

Our Cisco wireless gear set up uses dynamic key, which Meetinghouse
client does not support. I have no experience with Odyssey client. Based
on your description, if this is the same issue as we encountered, the
solution (as Meetinghouse tech support suggested) is to roll back to use
only static encryption key for the client in order to get it to work. But
then it kind of defeats the whole purpose of setting up strong security
to begin with.

I am currently exploring an alternative, which is to upgrade my
ipaq 5450 to run Mobile (Pocket PC) 2003. It claims to support 802.1x but
I am still waiting for my order. It would be great if anyone in this
list has experience to share in regard to whether Mobile 2003 will do the
trick with its zero configuration for supporting 802.1x connection.

Thanks!

Bon


On Mon, 6 Oct 2003, Steve Caporossi wrote:

> I'm having an issue authenticating users with the iPaq 5450 (internal
> nic) and the Odyssey Client.  It appears that when the user 
> authenticates, Radiator initially issues an access-accept and then 
> follows it up with an access-reject.
> 
> I am only having this issue with the above device... all other clients 
> authenticate successfully.  Any ideas would be appreciated.
> 
> Attached are debugs and the config.  Radiator version 3.7.1 on RH7.3.
> 
> Thanks,
> -- 
> Steve Caporossi
> Network Systems Engineer
> Center for Computing and Information Technology
> Medical University of South Carolina
> 843.876.5083
> 
> 
> 

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


(RADIATOR) Authentication Issue - Odyssey and iPaq 5450

2003-10-06 Thread Steve Caporossi
I'm having an issue authenticating users with the iPaq 5450 (internal
nic) and the Odyssey Client.  It appears that when the user 
authenticates, Radiator initially issues an access-accept and then 
follows it up with an access-reject.

I am only having this issue with the above device... all other clients 
authenticate successfully.  Any ideas would be appreciated.

Attached are debugs and the config.  Radiator version 3.7.1 on RH7.3.

Thanks,
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083

# radius.cfg
#
# Radiator configuration file.
#

#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir  /var/log/radius
DbDir   /etc/radiator
PidFile /var/run/radius.pid
DictionaryFile  /etc/radiator/dictionary

# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   4

AuthPort 1645,1812
AcctPort 1646,1813


# Add Clients below...


Identifier ppp
Secret 
DupInterval 2



Identifier ppp
Secret 
DupInterval 2



Identifier video
Secret 
DupInterval 2



Identifier vpn
Secret 
DupInterval 2



Identifier wlan
Secret 
DupInterval 2
IgnoreAcctSignature


#
#
## PPP Config ##



AuthByPolicy ContinueAlways
#AuthByPolicy ContinueWhileIgnore  # Default



DBSource dbi:mysql:radius
DBUsername  < >
DBAuth  < >

AuthSelect

# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop

AccountingTable ACCOUNTING

AcctColumnDef   USERNAME,User-Name
AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASIPADDRESS,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef   CALLEDSTATIONID,Called-Station-Id
AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic

AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log




#DefaultSimultaneousUse 1
Filename /etc/passwd.ras


# Log accounting to a detail file
AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log



## VPN Config ##



AuthByPolicy ContinueAlways
#AuthByPolicy ContinueWhileIgnore  # Default




DBSource dbi:mysql:radius
DBUsername  < >
DBAuth  < >

AuthSelect

# Only insert Start and Stop requests, ack everything else
HandleAcctStatusTypes Start,Stop

AccountingTable ACCOUNTING

AcctColumnDef   USERNAME,User-Name
AcctColumnDef   CONNTYPE,%{Client:Identifier},formatted
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASIPADDRESS,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef   ACCTAUTHENTIC,Acct-Authentic
AcctColumnDef   CLASS,Class
AcctColumnDef   TUNNELCLIENTENDPOINT,Tunnel-Client-Endpoint

AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log



#DefaultSimultaneousUse 1
Filename /etc/passwd.ras


# Log accounting to a detail file

(RADIATOR) Authentication Failure Messages

2003-09-30 Thread DUFOUR Geoffrey
Hello,

We need to keep authentication failure information in our database. This
can of course be done with .

To make it simple, let's say that we have to handle things like an
account status (Active or Blocked) in the authentication process. This
can be easily done by :

AuthSelect select ... from ACCOUNT where USERNAME=%0 and STATUS = 'Active'

But if someone with correct Usr/Psw but blocked RADIUS account tries to
connect, it will of course result in the "No such user" failure message
instead of some dedicated failure message such as "Account Blocked".

We could handle the Account Status check using check items and
AddToRequest parameter instead of using AuthSelect and then get
"dedicated" failure messages, but for other cases it is not that simple.

Ex.:

- For one account (usr/psw), multiple service subscriptions based on the
NAS-Port-Type attribute of the Access-Request and resulting in different
reply attributes.

- Accounts should be bound to several Access Servers (RADIUS clients).

We can handle this with proper data model and AuthSelect parameter but
we need dedicated authentication failure messages (ex : "No subscription
for this service" and "Not allowed from this NAS") in case of correct
Usr/Psw.

I don't know much about PostAuthHook but I guess it may be the solution.

Any suggestions ?

Regards.

Geoffrey


RE: (RADIATOR) Authentication to one DB, Accounting to another

2003-09-26 Thread Frank Danielson
The only catch is that AuthBy SQL will open a connection to the database
when it starts up and keep that connection up unless there is a problem with
it so your round robin DNS will not do much. AuthBy SQL supports declaring a
database to use as a backup which may be a better scheme for reliability. If
you are looking to load balance among your databases I would run a Radiator
instance for each database instance and then proxy requests to them using a
main instance with AuthBy ROUNDROBIN or AuthBy LOADBALANCE.

-Frank

-Original Message-
From: Derek Buttineau [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 6:20 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Authentication to one DB, Accounting to another


Just want to make sure I'm not totally out in left field on how to 
accomplish this, I thought I'd ask.  We just recently setup MySQL 
Replication.. and I'd like to make our Radiator software use the master 
and slaves for authentication (just using DNS round robin atm).. but 
since only the master can receive updates, I'd like to make sure the 
accounting packets only go to the master.

I'm thinking I need to make the configuration look like this, but please 
let me know if I'm totally off base:

AuthByPolicy ContinueAlways


DBSource dbi:mysql:radius:<
DBUsername username
DBAuth password

# Setup Authentication
AuthSelect select ENCRYPTEDPASSWORD, REPLYATTR from AUTHENTICATIONTABLE where USERNAME='%U'
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, GENERIC, reply

# Disable Accounting
AccountingTable



DBSource dbi:mysql:radius:<>
DBUsername radius
DBAuth csrox

# Disable Authentication
AuthSelect

# Setup Accounting
AccountingTable ACCOUNTINGTABLE
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,'%Y%m%d %H:%M:%S'
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef   CONNECTSPEED,Connect-Speed


Thanks a bunch in advance.  Sorry if this has already been covered on 
the list, took a look but perhaps my search techniques are in need of 
improvement :)

-- 
Regards,

Derek Buttineau
Internet Systems Administrator
Compu-SOLVE Internet Services




(RADIATOR) Authentication to one DB, Accounting to another

2003-09-26 Thread Derek Buttineau
Just want to make sure I'm not totally out in left field on how to 
accomplish this, I thought I'd ask.  We just recently setup MySQL 
Replication.. and I'd like to make our Radiator software use the master 
and slaves for authentication (just using DNS round robin atm).. but 
since only the master can receive updates, I'd like to make sure the 
accounting packets only go to the master.

I'm thinking I need to make the configuration look like this, but please 
let me know if I'm totally off base:

   AuthByPolicy ContinueAlways

   
   DBSource dbi:mysql:radius:<
   DBUsername username
   DBAuth password
   # Setup Authentication
   AuthSelect select ENCRYPTEDPASSWORD, REPLYATTR from AUTHENTICATIONTABLE where USERNAME='%U'
   AuthColumnDef 0, Encrypted-Password, check
   AuthColumnDef 1, GENERIC, reply

   # Disable Accounting
   AccountingTable
   
   
   DBSource dbi:mysql:radius:<>
   DBUsername radius
   DBAuth csrox
   # Disable Authentication
   AuthSelect
   # Setup Accounting
   AccountingTable ACCOUNTINGTABLE
   AcctColumnDef   USERNAME,User-Name
   AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,'%Y%m%d %H:%M:%S'
   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
   AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
   AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
   AcctColumnDef   NASPORT,NAS-Port,integer
   AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
   AcctColumnDef   CONNECTSPEED,Connect-Speed
   

Thanks a bunch in advance.  Sorry if this has already been covered on 
the list, took a look but perhaps my search techniques are in need of 
improvement :)

--
Regards,
Derek Buttineau
Internet Systems Administrator
Compu-SOLVE Internet Services


Re: (RADIATOR) Authentication result codes list?

2003-08-19 Thread Hugh Irvine
Hello John -

You will find everything you need in the source code.

Here are the return values that are defined in "Radius/AuthGeneric.pm":

# Return codes for handle_request
$main::ACCEPT = 0;  # Issue an accept for us
$main::REJECT = 1;  # Issue a reject for us
$main::IGNORE = 2;  # Dont reply at all
$main::CHALLENGE = 3;   # Issue a challenge
$main::REJECT_IMMEDIATE = 4;   # Reject, and dont fall through

To understand more about the LDAP return codes you should check the 
source code for the Perl LDAP module that you are using - and of course 
don't forget to look at the code in "Radius/AuthLDAP2.pm".

There are also a number of example hooks in the file 
"goodies/hooks.txt".

regards

Hugh

ps - "may the source be with you..."

On Wednesday, Aug 20, 2003, at 05:28 Australia/Melbourne, John McFadden 
wrote:

I'm fairly green to Radius and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the 
various conditions.

ie:
I'll want to check and act on the result of an AuthBy LDAP2.
I understand it can be ACCEPT or REJECT but I'm wondering if I need to 
handle other results such as IGNORE?

If so where do I get the full list of possible results?

Any pointers are appreciated?

Thanks in advance
John McFadden



NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


Re: (RADIATOR) Authentication result codes list?

2003-08-19 Thread DUFOUR Geoffrey
Hi,

You will find all the information in RFC 2865.

This document will help you to understand the protocol. Don't forget to take a look at 
RFC 2866 (RADIUS Accounting).

Regards.

Geoffrey

-Original Message-
From: John McFadden [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 19 August 2003 21:29
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Authentication result codes list?

I'm fairly green to Radius and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the 
various conditions.

ie:
I'll want to check and act on the result of an AuthBy LDAP2.

I understand it can be ACCEPT or REJECT but I'm wondering if I need to 
handle other results such as IGNORE?

If so where do I get the full list of possible results?

Any pointers are appreciated?

Thanks in advance
John McFadden





(RADIATOR) Authentication result codes list?

2003-08-19 Thread John McFadden
I'm fairly green to Radius and Radiator so please excuse my ignorance.

I'm writing a post auth hook and want to make sure I cover all the 
various conditions.

ie:
I'll want to check and act on the result of an AuthBy LDAP2.
I understand it can be ACCEPT or REJECT but I'm wondering if I need to 
handle other results such as IGNORE?

If so where do I get the full list of possible results?

Any pointers are appreciated?

Thanks in advance
John McFadden




Re: (RADIATOR) Authentication falied

2003-08-14 Thread Hugh Irvine

Hello Sara Sodagar -

The only way I can help is if I have a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing the problem. From what you describe it sounds like the database is responding very slowly to queries.

regards

Hugh


On Tuesday, Aug 12, 2003, at 18:51 Australia/Melbourne, sara sodagar wrote:

Hi
I have a radiator 3.1 on Redhat 7,1.
I get authentication failed several times in a day, and when I trace
our network and system, I found out that the request is reaching to
radiusd very late, because when it responds to that request it is very late
and our NAS rejects it. I checked our NAS parameters for timeout but everything is OK.
I checked our network and it has no problem for delay.
During the problem I also check the system with radpwtst, but the
same thing happens and I got no reply from server.
I am using Tomcat, 4.0.3 and Oracle8i.
Our hardware is:
PIII (1000 MHZ)  Dual
2 GB RAM
I appreciate any suggestion and help.
 
Thanks
Sara Sodagar





(RADIATOR) Authentication falied

2003-08-14 Thread sara sodagar



Hi
I have a radiator 3.1 on Redhat 7,1.
I get authentication failed several times in a day, and when I trace
our network and system, I found out that the request is reaching to
radiusd very late, because when it responds to that request it is very late
and our NAS rejects it. I checked our NAS parameters for timeout but everything is OK.
I checked our network and it has no problem for delay.
During the problem I also check the system with radpwtst, but the
same thing happens and I got no reply from server.
I am using Tomcat, 4.0.3 and Oracle8i.
Our hardware is:
PIII (1000 MHZ)  Dual
2 GB RAM
I appreciate any suggestion and help.
 
Thanks
Sara Sodagar


Re: (RADIATOR) authentication by using DBFile

2003-07-09 Thread Hugh Irvine
Hello Masa -

What is the problem? And why are you using a DB file?

Please send me a trace 4 debug from Radiator showing the problem 
together with a clear description of what is happening.

regards

Hugh

On Wednesday, Jul 9, 2003, at 02:03 Australia/Melbourne, 
[EMAIL PROTECTED] wrote:

Hello,

I have a problem for authentication by using DB_File,
and can't see what's wrong.
I'll describe the configuration below.



PEAP with MSCHAPv2 or LEAP


#./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users


nagataki User-Password=masahiro


#Foreground
#LogStdout
LogDir  /var/log
#DbDir  .
AuthPort 1812
AcctPort 1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace   4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

Secret  mysecret
DupInterval 0

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.


# anonymous-PEAP must be in here:
Filename /etc/radiator/users.db

# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2



# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE


# The username of the outer authentication
#  must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename /etc/radiator/users.db

# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP

# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem

# EAPTLS_CAPath is the name of a directory containing 
CA
# certificates in PEM format. The files each contain 
one
# CA certificate. The files are looked up by the CA
# subject name hash value
#   EAPTLS_CAPath

# EAPTLS_CertificateFile is the name of a file 
containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
EAPTLS_CertificateType PEM

# EAPTLS_PrivateKeyFile is the name of the file 
containing
# the servers private key. It is sometimes in the same 
file
# as the server certificate (EAPTLS_CertificateFile)
  

(RADIATOR) authentication by using DBFile

2003-07-08 Thread nagataki
Hello,

I have a problem for authentication by using DB_File,
and can't see what's wrong.

I'll describe the configuration below.



PEAP with MSCHAPv2 or LEAP


#./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users


nagataki	User-Password=masahiro


#Foreground
#LogStdout
LogDir  /var/log
#DbDir  .
AuthPort        1812
AcctPort        1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace   4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

Secret  mysecret
DupInterval 0


# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.


# anonymous-PEAP must be in here:
Filename /etc/radiator/users.db

# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2




# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE


# The username of the outer authentication
#  must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename /etc/radiator/users.db

# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP

# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem

# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
#   EAPTLS_CAPath

# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
EAPTLS_CertificateType PEM

# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_PrivateKeyFile /usr/local/ssl/c

Re: (RADIATOR) Authentication problem.

2002-08-20 Thread Hugh Irvine
 Hello Rajan -

I am not sure that I understand your question, but if you want to limit users to one NAS only or another NAS only, you can do something like this:

# define Client clauses


Identifier NAS1
.



Identifier NAS2
.


.



..

.





.

.



regards

Hugh



On Wednesday, August 21, 2002, at 07:54 AM, Rajan wrote:

Hi all,
 
I have to use two AuthBy clauses, one for router1 and another for router2.

Now the problem is that a router2 user can be authenticated dialing to router1, since I have only one AAA server. Is it possible to check the handler in the Client clause itself? Will this solve my problem?
 
Please help me.
 
regards,
Rajan.
 
 


NB: I am travelling this week, so there may be delays in our correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


(RADIATOR) Authentication problem.

2002-08-20 Thread Rajan



Hi all,
 
I have to use two AuthBy clauses, one for router1 and another for router2.

Now the problem is that a router2 user can be authenticated dialing to router1, since I have only one AAA server. Is it possible to check the handler in the Client clause itself? Will this solve my problem?
 
Please help me.
 
regards,
Rajan.
 
 


Re: (RADIATOR) Authentication via proxy

2002-07-02 Thread Hugh Irvine


Hello Chris -

If you use radpwtst on the localhost for testing, the shared secret by default 
is "mysecret", so if you change the secret in the  clause 
you should see the same behaviour as for the other Client.

You can set up the  clause with the shared secret of the 
Client that has problems and use radpwtst with the -secret flag to verify 
correct operation.

Ie:


Secret ***whatever***



then

radpwtst -secret ***whatever*** -user  -password 

If this test works, then you know that the shared secret on the problem Client 
is not correct.

BTW - keep in mind that there is one shared secret between the NAS and the 
remote proxy, and another shared secret between the proxy and your Radiator.

regards

Hugh


On Wed, 3 Jul 2002 03:36, chris wrote:
> I have added a client clause for every nas, and every proxy. I still get
> the same results.
> Is there any way to verify that the shared secrets indeed do not match?
>
> The radpwtst from localhost returns an OK for the user
>
>
> Thanks,
> Chris
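The failure mode diagnosed in this thread, as an added example (not code from the posters or from Radiator): RFC 2865 hides User-Password by XORing it with MD5(shared secret + Request Authenticator), so a server that unhides with a different secret than the sender used sees non-printable bytes, and every hop (NAS to proxy, proxy to server) has its own secret. The packet bytes are the dump posted in the thread; the two secrets and the password are constructed sample values, and the function names are this example's own.

```python
import hashlib

# Access-Request bytes exactly as posted in the thread's "Packet dump".
DUMP = """
01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
00 00 00 00
"""
PACKET = bytes.fromhex("".join(DUMP.split()))

USER_NAME, USER_PASSWORD = 1, 2              # RFC 2865 attribute numbers
# Constructed sample values, not taken from the thread:
SENDER_SECRET = b"secret-set-on-the-proxy"   # secret the upstream hop hides with
SERVER_SECRET = b"mysecret"                  # secret in the receiving Client clause
SAMPLE_PASSWORD = b"s3cret-pw"


def parse_packet(raw):
    """Return (code, identifier, authenticator, [(attr_type, value), ...])."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = int.from_bytes(raw[2:4], "big")
    if length < 20 or length > len(raw):
        raise ValueError("Length field does not fit the received data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return raw[0], raw[1], raw[4:20], attrs


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block   # always chain on ciphertext
    return out


def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)   # pad to a 16-byte multiple
    if size > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)


def unhide_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def with_password(raw, secret, password):
    """Rebuild the packet with User-Password hidden under `secret`."""
    code, ident, authenticator, attrs = parse_packet(raw)
    body = b""
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            value = hide_password(password, secret, authenticator)
        body += bytes([atype, len(value) + 2]) + value
    return (bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
            + authenticator + body)


def check_secret(raw, secret):
    """Unhide User-Password with `secret`; plausible is False when the result
    is non-printable, the symptom reported in the thread."""
    _, _, authenticator, attrs = parse_packet(raw)
    clear = unhide_password(dict(attrs)[USER_PASSWORD], secret, authenticator)
    plausible = bool(clear) and all(0x20 <= c < 0x7F for c in clear)
    return plausible, clear


if __name__ == "__main__":
    code, ident, _, attrs = parse_packet(PACKET)
    print("code", code, "id", ident, "user", dict(attrs)[USER_NAME].decode())
    pkt = with_password(PACKET, SENDER_SECRET, SAMPLE_PASSWORD)
    for label, secret in (("matching", SENDER_SECRET), ("mismatched", SERVER_SECRET)):
        print(label, "secret ->", check_secret(pkt, secret))
```

The same check applies to PAP requests only; CHAP and EAP methods do not carry a User-Password attribute.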

Fw: (RADIATOR) Authentication via proxy

2002-07-02 Thread chris




Ok, after hounding the provider, they found a misconfiguration on their
end.  In the shared secret I am guessing, but nonetheless they *finally*
fixed it up.

Thanks for all the help Hugh! You are *the* radiator king!

 Chris



Re: (RADIATOR) Authentication via proxy

2002-07-02 Thread chris

I have added a client clause for every nas, and every proxy. I still get the
same results.
Is there any way to verify that the shared secrets indeed do not match?

The radpwtst from localhost returns an OK for the user


Thanks,
Chris


- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>
Sent: Monday, July 01, 2002 4:18 PM
Subject: Re: (RADIATOR) Authentication via proxy


>
> Hello Chris -
>
> I am still quite sure that the problem is shared secrets.
>
> You should probably add a Client clause for the proxy:
>
> # define Client clause for proxy
>
> 
> Secret ..
> .
> 
>
> It is fairly easy to verify this by using radpwtst locally against the
>  to make sure the user record is checked correctly.
>
> regards
>
> Hugh
>
>
> On Tue, 2 Jul 2002 04:00, chris wrote:
> > I have verified shared secret, even tried setting to a simple number like
> > 11 to rule out CaSe issues.
> > I am still having the same issues
> >
> > I am not sure how much it matters, but the setup is like this..
> > Our clients dial into PacWest NAS(Cisco)...Their NAS talks to their radius
> > proxy that hands off to us.
> >
> > - Original Message -
> > From: "Hugh Irvine" <[EMAIL PROTECTED]>
> > To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Monday, June 24, 2002 4:21 PM
> > Subject: Re: (RADIATOR) Authentication via proxy
> >
> > > Hello Chris -
> > >
> > > This is almost always due to incorrect shared secrets.
> > >
> > > If you still have problems, please send me a copy of your configuration file
> > > and a copy of the user record from the users file, as well as a trace 4 debug.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On Tue, 25 Jun 2002 03:51, chris wrote:
> > > > I am trying to setup a managed modem system with a local clec. They answer
> > > > the calls and proxy to
> > > > my radius. I am trying to figure out where the problem is in
> > > > authentication. It brings the username over ok, but the password is garbled
> > > > into non-printables
> > > >
> > > > Here is a L5trace of one such session, am I overlooking something obvious?
> > > >
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> > > > *** Received from 64.66.192.33 port 34998 
> > > >
> > > > Packet length = 100
> > > > 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> > > > a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> > > > 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> > > > 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> > > > 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> > > > 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> > > > 00 00 00 00
> > > > Code:   Access-Request
> > > > Identifier: 7
> > > > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > > > Attributes:
> > > > User-Name = "testme"
> > > > Password =
> > > > "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> > > > NAS-IP-Address = 63.93.57.35
> > > > NAS-Port = 18646
> > > > Service-Type = Framed-User
> > > > Framed-Protocol = PPP
> > > > Called-Station-Id = "7024410063"
> > > > Calling-Station-Id = "2099263677"
> > > > NAS-Port-Type = Async
> > > > NAS-Port-Type = Async
> > > >
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler
> > > > 'Realm=DEFAULT'
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> > > > Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme,
> > > > 63.93.57.35, 1864
> > > > 6
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Reading users file
> > > > /usr/local/etc/raddb/users
> > > > Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with
> > > > testme
> > > > Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> > > &

Re: (RADIATOR) Authentication via proxy

2002-07-01 Thread chris

On sending you the information earlier, I thought about the situation some
more.
This radius server is and has been working for several PM3's. I have made
sure I am using the proper configs and dictionary now. The PM3's users are
still authenticating great. I think the problem is with the way they are
handing it off to me. Their NAS goes through a proxy to get to me.
Although they claim it's a transparent proxy that doesn't do anything with the
data, except pass it along.
Just wanted to let you know that the radius server itself *is* functioning
to an extent.

Thanks
Chris


- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, June 28, 2002 9:41 PM
Subject: Re: (RADIATOR) Authentication via proxy


>
> Hello Chris -
>
> I suspect you are not using the latest dictionary file either.
>
> This is from the standard Radiator 3.1 dictionary:
>
> ATTRIBUTE   EAP-Message 79  binary
>
> regards
>
> Hugh
>
>
> On Sat, 29 Jun 2002 02:38, chris wrote:
> > > Hello Chris -
> > >
> > > This sounds like you are not running the 3.1 version of radiusd, which has a
> > > call to &Radius::Util::get_port , not &Radius::Radius::get_port.
> >
> > Doh!  I was in such a rush yesterday that I didn't notice it installs the
> > radiusd into a different location.
> > This server is being upgraded from 2.16.
> >
> >
> > Anyways, that was exactly the problem. I am seeing this in the error log
> > now though...
> >
> > Fri Jun 28 09:12:53 2002: ERR: Attribute number 79 is not defined in your
> > dictionary
> >
> > Which seems to correspond with this
> >
> > 79   ICL / Fujitsu Computers / TeamWARE Group   Tony Gale
> > [EMAIL PROTECTED]
> >
> > Although I use all Lucent PM3's in that location.
> > It doesn't seem to be affecting service in any way
> >
> > Thanks,
> > Chris.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Authentication via proxy

2002-06-27 Thread Hugh Irvine


Hello Chris -

This sounds like you are not running the 3.1 version of radiusd, which has a 
call to &Radius::Util::get_port , not &Radius::Radius::get_port.

regards

Hugh


On Fri, 28 Jun 2002 10:43, chris wrote:
> I am going to be testing it tomorrow again, I will verify that the secrets
> do indeed match.
>
> In the meantime I am trying to install 3.1 and all the 'make test' comes
> out OK
> but when I start it I get this message
>
> Undefined subroutine &Radius::Radius::get_port called at
> /usr/local/sbin/radiusd line 333.
>
> Thanks,
> Chris
>
>
>
> - Original Message -
> From: "Hugh Irvine" <[EMAIL PROTECTED]>
> To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, June 24, 2002 4:21 PM
> Subject: Re: (RADIATOR) Authentication via proxy
>
> > Hello Chris -
> >
> > This is almost always due to incorrect shared secrets.
> >
> > If you still have problems, please send me a copy of your configuration file
> > and a copy of the user record from the users file, as well as a trace 4 debug.
> >
> > regards
> >
> > Hugh
> >
> > On Tue, 25 Jun 2002 03:51, chris wrote:
> > > I am trying to setup a managed modem system with a local clec. They answer
> > > the calls and proxy to
> > > my radius. I am trying to figure out where the problem is in
> > > authentication. It brings the username over ok, but the password is garbled
> > > into non-printables
> > >
> > > Here is a L5trace of one such session, am I overlooking something obvious?
> > >
> > > Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> > > *** Received from 64.66.192.33 port 34998 
> > >
> > > Packet length = 100
> > > 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> > > a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> > > 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> > > 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> > > 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> > > 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> > > 00 00 00 00
> > > Code:   Access-Request
> > > Identifier: 7
> > > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > > Attributes:
> > > User-Name = "testme"
> > > Password =
> > > "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> > > NAS-IP-Address = 63.93.57.35
> > > NAS-Port = 18646
> > > Service-Type = Framed-User
> > > Framed-Protocol = PPP
> > > Called-Station-Id = "7024410063"
> > > Calling-Station-Id = "2099263677"
> > > NAS-Port-Type = Async
> > > NAS-Port-Type = Async
> > >
> > > Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT'
> > > Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> > > Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme,
> > > 63.93.57.35, 1864
> > > 6
> > > Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> > > Mon Jun 24 10:18:35 2002: DEBUG: Reading users file
> > > /usr/local/etc/raddb/users
> > > Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with
> > > testme
> > > Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> > > Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad
> > > Password
> > > Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
> > > *** Sending to 64.66.192.33 port 34998 
> > > Code:   Access-Reject
> > > Identifier: 7
> > > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > > Attributes:
> > > Reply-Message = "Request Denied"
> > > Reply-Message = "Bad Password"
> > >
> > >
> > > Thanks,
> > > Chris



Re: (RADIATOR) Authentication via proxy

2002-06-27 Thread chris

I am going to be testing it tomorrow again, I will verify that the secrets
do indeed match.

In the meantime I am trying to install 3.1 and all the 'make test' comes out
OK
but when I start it I get this message

Undefined subroutine &Radius::Radius::get_port called at
/usr/local/sbin/radiusd line 333.

Thanks,
Chris



- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "chris" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 24, 2002 4:21 PM
Subject: Re: (RADIATOR) Authentication via proxy


>
> Hello Chris -
>
> This is almost always due to incorrect shared secrets.
>
> If you still have problems, please send me a copy of your configuration file
> and a copy of the user record from the users file, as well as a trace 4 debug.
>
> regards
>
> Hugh
>
> On Tue, 25 Jun 2002 03:51, chris wrote:
> > I am trying to setup a managed modem system with a local clec. They answer
> > the calls and proxy to
> > my radius. I am trying to figure out where the problem is in
> > authentication. It brings the username over ok, but the password is garbled
> > into non-printables
> >
> > Here is a L5trace of one such session, am I overlooking something obvious?
> >
> > Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> > *** Received from 64.66.192.33 port 34998 
> >
> > Packet length = 100
> > 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> > a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> > 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> > 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> > 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> > 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> > 00 00 00 00
> > Code:   Access-Request
> > Identifier: 7
> > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > Attributes:
> > User-Name = "testme"
> > Password =
> > "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> > NAS-IP-Address = 63.93.57.35
> > NAS-Port = 18646
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > Called-Station-Id = "7024410063"
> > Calling-Station-Id = "2099263677"
> > NAS-Port-Type = Async
> > NAS-Port-Type = Async
> >
> > Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> > Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme,
> > 63.93.57.35, 1864
> > 6
> > Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> > Mon Jun 24 10:18:35 2002: DEBUG: Reading users file
> > /usr/local/etc/raddb/users
> > Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with
> > testme
> > Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> > Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad
> > Password
> > Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
> > *** Sending to 64.66.192.33 port 34998 
> > Code:   Access-Reject
> > Identifier: 7
> > Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> > Attributes:
> > Reply-Message = "Request Denied"
> > Reply-Message = "Bad Password"
> >
> >
> > Thanks,
> > Chris



Re: (RADIATOR) Authentication via proxy

2002-06-24 Thread Hugh Irvine


Hello Chris -

This is almost always due to incorrect shared secrets.

If you still have problems, please send me a copy of your configuration file 
and a copy of the user record from the users file, as well as a trace 4 debug.

regards

Hugh

On Tue, 25 Jun 2002 03:51, chris wrote:
> I am trying to setup a managed modem system with a local clec. They answer
> the calls and proxy to
> my radius. I am trying to figure out where the problem is in
> authentication. It brings the username over ok, but the password is garbled
> into non-printables
>
> Here is a L5trace of one such session, am I overlooking something obvious?
>
> Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
> *** Received from 64.66.192.33 port 34998 
>
> Packet length = 100
> 01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
> a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
> 83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
> 3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
> 07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
> 36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
> 00 00 00 00
> Code:   Access-Request
> Identifier: 7
> Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> Attributes:
> User-Name = "testme"
> Password =
> "<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
> NAS-IP-Address = 63.93.57.35
> NAS-Port = 18646
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Called-Station-Id = "7024410063"
> Calling-Station-Id = "2099263677"
> NAS-Port-Type = Async
> NAS-Port-Type = Async
>
> Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
> Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme,
> 63.93.57.35, 1864
> 6
> Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
> Mon Jun 24 10:18:35 2002: DEBUG: Reading users file
> /usr/local/etc/raddb/users
> Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with
> testme
> Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad
> Password
> Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
> *** Sending to 64.66.192.33 port 34998 
> Code:   Access-Reject
> Identifier: 7
> Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
> Attributes:
> Reply-Message = "Request Denied"
> Reply-Message = "Bad Password"
>
>
> Thanks,
> Chris



(RADIATOR) Authentication via proxy

2002-06-24 Thread chris

I am trying to set up a managed modem system with a local clec. They answer
the calls and proxy to my radius. I am trying to figure out where the
problem is in authentication. It brings the username over ok, but the
password is garbled into non-printables

Here is a L5trace of one such session, am I overlooking something obvious?

Mon Jun 24 10:18:35 2002: DEBUG: Packet dump:
*** Received from 64.66.192.33 port 34998 

Packet length = 100
01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d
a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02
83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06
3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02
07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30
36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06
00 00 00 00
Code:   Access-Request
Identifier: 7
Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
Attributes:
User-Name = "testme"
Password =
"<232><2><131><164><168>q<249><<19>Y6b<197>)<227><218>"
NAS-IP-Address = 63.93.57.35
NAS-Port = 18646
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "7024410063"
Calling-Station-Id = "2099263677"
NAS-Port-Type = Async
NAS-Port-Type = Async

Mon Jun 24 10:18:35 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jun 24 10:18:35 2002: DEBUG: Rewrote user name to testme
Mon Jun 24 10:18:35 2002: DEBUG:  Deleting session for testme, 63.93.57.35, 18646
Mon Jun 24 10:18:35 2002: DEBUG: Handling with Radius::AuthFILE
Mon Jun 24 10:18:35 2002: DEBUG: Reading users file /usr/local/etc/raddb/users
Mon Jun 24 10:18:35 2002: DEBUG: Radius::AuthFILE looks for match with testme
Mon Jun 24 10:18:36 2002: DEBUG: Radius::AuthFILE REJECT: Bad Password
Mon Jun 24 10:18:36 2002: INFO: Access rejected for testme: Bad Password
Mon Jun 24 10:18:36 2002: DEBUG: Packet dump:
*** Sending to 64.66.192.33 port 34998 
Code:   Access-Reject
Identifier: 7
Authentic:  _<193>3sF|er<184>?<254>]<165><255>mP
Attributes:
Reply-Message = "Request Denied"
Reply-Message = "Bad Password"


Thanks,
Chris





Re: (RADIATOR) Authentication Disbaled

2002-06-10 Thread Hugh Irvine


Hello Jack -

Please send me a copy of the configuration file (no secrets) together with a 
trace 4 debug from Radiator showing what is happening.

regards

Hugh


On Tue, 11 Jun 2002 00:57, Jaskaran Singh wrote:
> Hi All
> I started my radiator server, and its reject all users saying
> "Authentication Disabled"
> Any ideas?
>
> Jaskaran Singh
> University Systems & Security
> Fairleigh Dickinson University
> Teaneck, NJ 07666




(RADIATOR) Authentication Disbaled

2002-06-10 Thread Jaskaran Singh








Hi All

I started my radiator server, and its reject all users saying
“Authentication Disabled”
Any ideas?

Jaskaran Singh
University Systems & Security
Fairleigh Dickinson University
Teaneck, NJ 07666

 








(RADIATOR) RADIATOR authentication

2002-06-06 Thread Akinpelu








  
Hi all,

Below is the content of my radius.cfg but the Radiator is not
authenticating the clients rather the authentication is being done by the
Cisco Access server.

    Secret ...
#
#   Secret mysecret
#   DupInterval 0
#
    Filename %D/users
    # Log accounting to a detail file
    AcctLogFileName %L/detail
    MaximumSessions 1
AuthPort 1645
AcctPort 1646

Is the configuration enough to make the Radiator authenticate clients
or I still need to modify it? And if I need to modify it, what do I do
pls?

Below is the configuration on the NAS (Cisco AS5300):

aaa new-model
aaa authentication login default local
aaa authentication ppp ppp-radius if-needed radius local
aaa authorization network default radius local
aaa accounting network default start-stop radius
radius-server host (IP Address) auth-port 1645 acct-port 1646
radius-server key ...

(2) The time in the logfile does not correspond to the time on the
Radius server and the NAS, what could be responsible for this pls? Although,
the date is correct.

Any help will be highly appreciated.

Regards,

Akin.
   





	
	
	
	
	
	
	







Re: (RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP 2.0.28

2002-02-18 Thread Hugh Irvine


Hello Mike, Hello Stephen -

Mike is correct, a NoDefault usually fixes this problem, which is due to the 
LDAP server incorrectly returning a result for DEFAULT if it is not found.

Radiator by default will always look for "DEFAULT" entries in the user 
database, but this can be altered with the "NoDefault" tag.

regards

Hugh


On Tue, 19 Feb 2002 04:36, Forbes Mike wrote:
> I ran into this problem also, you need to add the line NoDefault
> to your LDAP  Authby. See 6.17.12 in the manual.  I am not quite sure why
> I did this now, but it seems to work.  If it does not find the user it
> then tries the DEFAULT user.
>
> Mike Forbes
>
> On Mon, 18 Feb 2002, Stephen Davies wrote:
> > Hi,
> >
> > I am trying to set radiator to authenticate against an OpenLDAP database
> > version 2.0.28
> >
> > Openldap is working fine with everything else, including my telnet and
> > webmail (written in perl) access.
> >
> > When I try to run radpwtst I get the error in the logfile as:
> >
> > *** Received from 127.0.0.1 port 46475 
> > Code:   Access-Request
> > Identifier: 118
> > Authentic:  1234567890123456
> > Attributes:
> > User-Name = "stephen"
> > Service-Type = Framed-User
> > NAS-IP-Address = 203.63.154.1
> > NAS-Port = 1234
> > Called-Station-Id = "123456789"
> > Calling-Station-Id = "987654321"
> > NAS-Port-Type = Async
> > User-Password =
> > "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>"
> >
> > Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Mon Feb 18 16:49:13 2002: DEBUG:  Deleting session for stephen, 203.63.154.1, 1234
> > Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2:
> > Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
> > Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=X,dc=brightonline,dc=com,dc=au, XXX (server ldap.brightonline.com.au:389)
> > Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, ou=Brighteam, dc=brightonline, dc=com, dc=au
> > Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: {CRYPT}s4LYe7mPaoXHA
> > Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 looks for match with stephen
> > Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> > Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
> > Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=admin,dc=brightonline,dc=com,dc=au, witchhunt (server ldap.brightonline.com.au:389)
> > Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP database
> > Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad Password
> > Mon Feb 18 16:49:13 2002: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 46475 
> > Code:   Access-Reject
> > Identifier: 118
> > Authentic:  1234567890123456
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> >
> > LDAP portion of radius.cfg file reads as:
> >
> >
> >    ServerChecksPassword
> >
> >    Host            ldap.brightonline.com.au
> >    Port            389
> >    AuthDN          cn=X, dc=brightonline,dc=com,dc=au
> >    AuthPassword    XXX
> >    BaseDN          dc=brightonline,dc=com,dc=au
> >    UsernameAttr    uid
> >    PasswordAttr    userPassword
> >
> >
> >
> > I have also tried ServerChecksPassword off, and EncryptedPasswordAttr
> > instead of PasswordAttr
> >
> > Some suggestions on the list have been setting the -secret. This has been
> > done.
> >
> >
> > My environment is:
> > perl 5.6.1
> > perl-ldap 0.25
> > radiator 2.19
> > openldap 2.0.28
> >
> > Regards
> >
> > Stephen
>




Re: (RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP2.0.28

2002-02-18 Thread Forbes Mike


I ran into this problem also, you need to add the line NoDefault
to your LDAP  Authby. See 6.17.12 in the manual.  I am not quite sure why
I did this now, but it seems to work.  If it does not find the user it
then tries the DEFAULT user.

Mike Forbes


On Mon, 18 Feb 2002, Stephen Davies wrote:

> Hi,
>
> I am trying to set radiator to authenticate against an OpenLDAP database
> version 2.0.28
>
> Openldap is working fine with everything else, including my telnet and
> webmail (written in perl) access.
>
> When I try to run radpwtst I get the error in the logfile as:
>
> *** Received from 127.0.0.1 port 46475 
> Code:   Access-Request
> Identifier: 118
> Authentic:  1234567890123456
> Attributes:
> User-Name = "stephen"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>"
>
> Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Feb 18 16:49:13 2002: DEBUG:  Deleting session for stephen, 203.63.154.1, 1234
> Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
> Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=X,dc=brightonline,dc=com,dc=au, XXX (server ldap.brightonline.com.au:389)
> Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, ou=Brighteam, dc=brightonline, dc=com, dc=au
> Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: {CRYPT}s4LYe7mPaoXHA
> Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 looks for match with stephen
> Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
> Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
> Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=admin,dc=brightonline,dc=com,dc=au, witchhunt (server ldap.brightonline.com.au:389)
> Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP database
> Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad Password
> Mon Feb 18 16:49:13 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 46475 
> Code:   Access-Reject
> Identifier: 118
> Authentic:  1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
>
>
> LDAP portion of radius.cfg file reads as:
>
>
>    ServerChecksPassword
>
>    Host            ldap.brightonline.com.au
>    Port            389
>    AuthDN          cn=X, dc=brightonline,dc=com,dc=au
>    AuthPassword    XXX
>    BaseDN          dc=brightonline,dc=com,dc=au
>    UsernameAttr    uid
>    PasswordAttr    userPassword
>
>
>
> I have also tried ServerChecksPassword off, and EncryptedPasswordAttr
> instead of PasswordAttr
>
> Some suggestions on the list have been setting the -secret. This has been done.
>
>
> My environment is:
> perl 5.6.1
> perl-ldap 0.25
> radiator 2.19
> openldap 2.0.28
>
> Regards
>
> Stephen
>




(RADIATOR) Authentication problem with Radiator 2.19 and OpenLDAP 2.0.28

2002-02-18 Thread Stephen Davies



Hi,

I am trying to set radiator to authenticate against an OpenLDAP database
version 2.0.28

Openldap is working fine with everything else, including my telnet and
webmail (written in perl) access.

When I try to run radpwtst I get the error in the logfile as:

*** Received from 127.0.0.1 port 46475 
Code:   Access-Request
Identifier: 118
Authentic:  1234567890123456
Attributes:
    User-Name = "stephen"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = "<250><5>p<185><25><233>$<168>qd<2><25>z%<133><129>"

Mon Feb 18 16:49:13 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Feb 18 16:49:13 2002: DEBUG:  Deleting session for stephen, 203.63.154.1, 1234
Mon Feb 18 16:49:13 2002: DEBUG: Handling with Radius::AuthLDAP2:
Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=X,dc=brightonline,dc=com,dc=au, XXX (server ldap.brightonline.com.au:389)
Mon Feb 18 16:49:13 2002: DEBUG: LDAP got result for uid=stephen, ou=Brighteam, dc=brightonline, dc=com, dc=au
Mon Feb 18 16:49:13 2002: DEBUG: LDAP got userPassword: {CRYPT}s4LYe7mPaoXHA
Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 looks for match with stephen
Mon Feb 18 16:49:13 2002: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
Mon Feb 18 16:49:13 2002: INFO: Connecting to ldap.brightonline.com.au, port 389
Mon Feb 18 16:49:13 2002: INFO: Attempting to bind with cn=admin,dc=brightonline,dc=com,dc=au, witchhunt (server ldap.brightonline.com.au:389)
Mon Feb 18 16:49:13 2002: DEBUG: No entries for DEFAULT found in LDAP database
Mon Feb 18 16:49:13 2002: INFO: Access rejected for stephen: Bad Password
Mon Feb 18 16:49:13 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 46475 
Code:   Access-Reject
Identifier: 118
Authentic:  1234567890123456
Attributes:
    Reply-Message = "Request Denied"


LDAP portion of radius.cfg file reads as:

    ServerChecksPassword

    Host            ldap.brightonline.com.au
    Port            389
    AuthDN          cn=X, dc=brightonline,dc=com,dc=au
    AuthPassword    XXX
    BaseDN          dc=brightonline,dc=com,dc=au
    UsernameAttr    uid
    PasswordAttr    userPassword


I have also tried ServerChecksPassword off, and EncryptedPasswordAttr
instead of PasswordAttr

Some suggestions on the list have been setting the -secret. This has been
done.


My environment is:
perl 5.6.1
perl-ldap 0.25
radiator 2.19
openldap 2.0.28

Regards

Stephen


Re: (RADIATOR) authentication based on the hour of the day

2002-02-03 Thread Hugh Irvine


Hello Eapen -

I think you will have to do this in a hook (probably a PostAuthHook).

There are some example hooks in the file "goodies/hooks.txt".

regards

Hugh


On Mon, 4 Feb 2002 16:43, Eapen Joseph wrote:
> Dear Hugh,
> As you said, the time option should work. But the restriction should be
> in such a way, so that the session time returned by the time function
> should not override the balance time, which is returned as the session
> time to the access-server in the normal fashion.
> i.e the balancetime or the restriction in time, which ever expires
> first should be imposed.
>
> regards
> eapen
>
> - Original Message -
> From: Hugh Irvine <[EMAIL PROTECTED]>
> Date: Monday, February 4, 2002 6:59 am
> Subject: Re: (RADIATOR) authentication based on the hour of the day
>
> > Hello Eapen -
> >
> > You would use the Time = "" check item.
> >
> > Have a look at section 13.1.13 in the Radiator 2.19 reference manual.
> >
> > regards
> >
> > Hugh
> >
> > On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote:
> > > hi,
> > > How do i restrict users to authenticate from say 4:00 am till 2:00 pm
> > > only?
> > > At present we are doing this with a select statement in the
> > > AuthSelect section.
> > > Is there a way other than this
> > >
> > > regards
> > > eapen
> > >




Re: (RADIATOR) authentication based on the hour of the day

2002-02-03 Thread Eapen Joseph

Dear Hugh,
As you said, the time option should work. But the restriction should be 
in such a way, so that the session time returned by the time function 
should not override the balance time, which is returned as the session 
time to the access-server in the normal fashion.
i.e the balancetime or the restriction in time, which ever expires 
first should be imposed.

regards
eapen

- Original Message -
From: Hugh Irvine <[EMAIL PROTECTED]>
Date: Monday, February 4, 2002 6:59 am
Subject: Re: (RADIATOR) authentication based on the hour of the day

> 
> Hello Eapen -
> 
> You would use the Time = "" check item.
> 
> Have a look at section 13.1.13 in the Radiator 2.19 reference manual.
> 
> regards
> 
> Hugh
> 
> 
> On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote:
> > hi,
> > How do i restrict users to authenticate from say 4:00 am till 2:00 pm
> > only?
> > At present we are doing this with a select statement in the
> > AuthSelect section.
> > Is there a way other than this
> >
> > regards
> > eapen
> >
> 




Re: (RADIATOR) authentication based on the hour of the day

2002-02-03 Thread Hugh Irvine


Hello Eapen -

You would use the Time = "" check item.

Have a look at section 13.1.13 in the Radiator 2.19 reference manual.

regards

Hugh


On Sun, 3 Feb 2002 20:37, Eapen Joseph wrote:
> hi,
> How do i restrict users to authenticate from say 4:00 am till 2:00 pm
> only?
> At present we are doing this with a select statement in the
> AuthSelect section.
> Is there a way other than this
>
> regards
> eapen
>




(RADIATOR) authentication based on the hour of the day

2002-02-03 Thread Eapen Joseph

hi,
How do i restrict users to authenticate from say 4:00 am till 2:00 pm
only? 
At present we are doing this with a select statement in the
AuthSelect section.
Is there a way other than this

regards
eapen




Re: (RADIATOR) Authentication Problems

2002-01-07 Thread Hugh Irvine


Hello Eric -

It looks to me like the shared secrets are not correct.

radpwtst uses the shared secret "mysecret" by default, so in your case you 
should use "radpwtst -secret dogcat .".

regards

Hugh


On Tue, 8 Jan 2002 03:34, Eric Johnson wrote:
> I am having problems authenticating with Radiator.  I am running NT 4 with
> MySQL as the database.  My config script is set to first check the NT user
> database and then the SQL database.  When I use radpwtst I get a bad
> authenticator reply and then 2 no reply's which I assume are because the
> first request failed.  I am using the default user to test.  Included is
> the trace file (first) and my config file (second).  Thanks for your help.
>
> Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3577 
> Code:   Access-Request
> Identifier: 4
> Authentic:  1234567890123456
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   NAS-Port-Type = Async
>   User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
>
> Mon Jan  7 10:07:34 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon Jan  7 10:07:34 2002: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
> Mon Jan  7 10:07:34 2002: DEBUG: Handling with NT
> Mon Jan  7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL
> Mon Jan  7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL
> Mon Jan  7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='mikem'
>
> Mon Jan  7 10:07:34 2002: DEBUG: Radius::AuthSQL looks for match with mikem
> Mon Jan  7 10:07:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Mon Jan  7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT'
>
> Mon Jan  7 10:07:34 2002: INFO: Access rejected for mikem: Bad Password
> Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 3577 
> Code:   Access-Reject
> Identifier: 4
> Authentic:  1234567890123456
> Attributes:
>   Reply-Message = "Request Denied"
>
> Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3577 
> Code:   Accounting-Request
> Identifier: 5
> Authentic:  <141><245>j6<145><242><213>\;<218>x^^=<22>)
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   NAS-Port-Type = Async
>   Acct-Session-Id = "1234"
>   Acct-Status-Type = Start
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>
> Mon Jan  7 10:07:34 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
> Mon Jan  7 10:07:39 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3577 
> Code:   Accounting-Request
> Identifier: 6
> Authentic:  d6B<159><200>u<138><152>FI<216><154><190>S<230>G
> Attributes:
>   User-Name = "mikem"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Port = 1234
>   NAS-Port-Type = Async
>   Acct-Session-Id = "1234"
>   Acct-Status-Type = Stop
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   Acct-Delay-Time = 0
>   Acct-Session-Time = 1000
>   Acct-Input-Octets = 2
>   Acct-Output-Octets = 3
>
> Mon Jan  7 10:07:39 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
>
> Foreground
> LogStdout
> LogDir  /Radiator/log
> #Dictionary File is in current dir
> DictionaryFile ./dictionary
> Trace 4
>
> 
>Secret  dogcat
>  DupInterval 0
> 
>  
>
>  Identifier CheckSQL
>
>  DBSource        dbi:mysql:ISP
>  DBUsername  admin
>  DBAuth lifter
>  AccountingTable ACCOUNTING
>  AcctColumnDef   USERNAME,User-Name
>  AcctColumnDef   TIME_STAMP,Timestamp,integer
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>  AcctColumnDef   NASPORT,NAS-Port,integer
>  
>
>
>
> 
>
>  Identifier CheckNT
>
>  # You must set the domain name here to suit your site
>  Domain ETHERNET1
>
>  # ON NT, optionally specify the name of the
>  # Primary Domain Controller, including the leading
>  # \\ slashes, to override the default domain 
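
Why User-Password shows up as non-printable bytes in the traces on this page (the 2002-06-24 proxy trace and the radpwtst trace quoted above), and what a mysecret/dogcat shared-secret mismatch does to the password and to the accounting authenticator; this is an added example, not part of any list message or of Radiator's code. The packet bytes, the two secrets and the 1234567890123456 Authentic value are taken from the page; the password "fred", the one-attribute accounting body and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Access-Request bytes copied from the 2002-06-24 "Authentication via proxy" trace.
PROXY_TRACE_PACKET = bytes.fromhex(
    "01 07 00 64 5f c1 33 73 46 7c 65 72 b8 3f fe 5d"
    "a5 ff 6d 50 01 08 74 65 73 74 6d 65 02 12 e8 02"
    "83 a4 a8 71 f9 3c 13 59 36 62 c5 29 e3 da 04 06"
    "3f 5d 39 23 05 06 00 00 48 d6 06 06 00 00 00 02"
    "07 06 00 00 00 01 1e 0c 37 30 32 34 34 31 30 30"
    "36 33 1f 0c 32 30 39 39 32 36 33 36 37 37 3d 06"
    "00 00 00 00"
)

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_PASSWORD = 2       # attribute type (RFC 2865)


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields random-looking bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def accounting_authenticator(code, ident, attrs, secret):
    """RFC 2866 3: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    auth = accounting_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def accounting_authenticator_ok(packet, secret):
    """Receiver-side check; a mismatch is the 'Bad authenticator' condition."""
    code, ident, received, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = accounting_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, received)


def demo():
    # Secrets and Authentic value are the ones quoted in the thread; the
    # password b"fred" and the one-attribute accounting body are constructed.
    authentic = b"1234567890123456"
    hidden = hide_password(b"fred", b"mysecret", authentic)
    acct = build_accounting_request(5, b"\x01\x07mikem", b"mysecret")
    wire = dict(parse_packet(PROXY_TRACE_PACKET)[3])[USER_PASSWORD]
    return {
        "proxy_trace_user_password": wire.hex(),
        "decoded_with_client_secret": reveal_password(hidden, b"mysecret", authentic),
        "decoded_with_server_secret": reveal_password(hidden, b"dogcat", authentic),
        "acct_ok_client_secret": accounting_authenticator_ok(acct, b"mysecret"),
        "acct_ok_server_secret": accounting_authenticator_ok(acct, b"dogcat"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The 16 bytes parsed out of the proxy trace are the hidden form that travels on the wire, so non-printable characters in a raw dump do not by themselves show that the password is wrong; only decoding with the secret the sender actually used recovers the clear text.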

(RADIATOR) Authentication Problems

2002-01-07 Thread Eric Johnson

I am having problems authenticating with Radiator.  I am running NT 4 with
MySQL as the database.  My config script is set to first check the NT user
database and then the SQL database.  When I use radpwtst I get a bad
authenticator reply and then 2 no reply's which I assume are because the
first request failed.  I am using the default user to test.  Included is
the trace file (first) and my config file (second).  Thanks for your help.

Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577 
Code:   Access-Request
Identifier: 4
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Mon Jan  7 10:07:34 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan  7 10:07:34 2002: DEBUG:  Deleting session for mikem, 203.63.154.1, 1234
Mon Jan  7 10:07:34 2002: DEBUG: Handling with NT
Mon Jan  7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL
Mon Jan  7 10:07:34 2002: DEBUG: Handling with Radius::AuthSQL: CheckSQL
Mon Jan  7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='mikem'

Mon Jan  7 10:07:34 2002: DEBUG: Radius::AuthSQL looks for match with mikem
Mon Jan  7 10:07:34 2002: DEBUG: Radius::AuthSQL REJECT: Bad Password
Mon Jan  7 10:07:34 2002: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='DEFAULT'

Mon Jan  7 10:07:34 2002: INFO: Access rejected for mikem: Bad Password
Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 3577 
Code:   Access-Reject
Identifier: 4
Authentic:  1234567890123456
Attributes:
Reply-Message = "Request Denied"

Mon Jan  7 10:07:34 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577 
Code:   Accounting-Request
Identifier: 5
Authentic:  <141><245>j6<145><242><213>\;<218>x^^=<22>)
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"

Mon Jan  7 10:07:34 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)
Mon Jan  7 10:07:39 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3577 
Code:   Accounting-Request
Identifier: 6
Authentic:  d6B<159><200>u<138><152>FI<216><154><190>S<230>G
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3

Mon Jan  7 10:07:39 2002: WARNING: Bad authenticator in request from 127.0.0.1 (203.63.154.1)

Foreground 
LogStdout 
LogDir  /Radiator/log 
#Dictionary File is in current dir 
DictionaryFile ./dictionary 
Trace 4 

 
   Secret  dogcat 
 DupInterval 0 
 
  

 Identifier CheckSQL 

 DBSource        dbi:mysql:ISP
 DBUsername  admin 
 DBAuth lifter 
 AccountingTable ACCOUNTING 
 AcctColumnDef   USERNAME,User-Name 
 AcctColumnDef   TIME_STAMP,Timestamp,integer 
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type 
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer 
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer 
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer 
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id 
 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer 
 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause 
 AcctColumnDef   NASIDENTIFIER,NAS-Identifier 
 AcctColumnDef   NASPORT,NAS-Port,integer 
  



 

 Identifier CheckNT 

 # You must set the domain name here to suit your site 
 Domain ETHERNET1 

 # ON NT, optionally specify the name of the 
 # Primary Domain Controller, including the leading 
 # \\ slashes, to override the default domain controller 
 # for the domain you specified above 
 DomainController \\FEZZIK 

 # On Unix, you MUST specify the Domain Controller 
 # name as the NT host name of the domain controller 
 # its not optional. This needs to be set to the NT 
 # name of the Primary Domain Controller, and further 

Re: (RADIATOR) Authentication...

2001-12-14 Thread Hugh Irvine


Hello GwangHee -

The standard behaviour for Radiator is to look for the exact username, then 
DEFAULT, DEFAULT1, DEFAULT2, etc. You can change this by adding NoDefault (or 
NoDefaultIfFound) to your AuthBy clause.


..
NoDefault
.


Have a look at section 6.16.11 and 6.16.12 in the Radiator 2.19 reference 
manual ("doc/ref.html").


regards

Hugh


On Sat, 15 Dec 2001 08:11, GwangHee Yi wrote:
> Dear Hugh,
>
> I try to authenticate call number 17607614701,
> If user is not in DB, radiator try to authenticate username='DEFAULT'
> Why?
>
> Below is configuration and debug
>
> Thanks,
>
> Configuration..
> ++
> 
> 
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource    dbi:mysql:radius
> DBUsername  *
> DBAuth  ***
>
> # Auth Statements
>
> AuthSelect SELECT password,replyattr FROM subscribers WHERE
> username = '%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, reply
>   
> 
>
> Debug...
> ++
> Bla Bla...
>
> Fri Dec 14 14:01:06 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Dec 14 14:01:06 2001: DEBUG: Deleting session for 17607614701, *.*.*.*,
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = '17607614701'
> Fri Dec 14 14:01:06 2001: DEBUG: Radius::AuthSQL looks for match with 17607614701
> Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM subscribers WHERE username = 'DEFAULT'
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



(RADIATOR) Authentication...

2001-12-14 Thread GwangHee Yi

Dear Hugh,

I try to authenticate call number 17607614701,
If the user is not in the DB, Radiator tries to authenticate username='DEFAULT'
Why?

Below is configuration and debug

Thanks,

Configuration..
++


# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource    dbi:mysql:radius
DBUsername  *
DBAuth      ***

# Auth Statements

AuthSelect SELECT password,replyattr FROM subscribers WHERE username
= '%n'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply
  


Debug...
++
Bla Bla...

Fri Dec 14 14:01:06 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Fri Dec 14 14:01:06 2001: DEBUG: Deleting session for 17607614701, *.*.*.*,
Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
Fri Dec 14 14:01:06 2001: DEBUG: Handling with Radius::AuthSQL
Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM
subscribers WHERE username = '17607614701'
Fri Dec 14 14:01:06 2001: DEBUG: Radius::AuthSQL looks for match with
17607614701
Fri Dec 14 14:01:06 2001: DEBUG: Query is: SELECT password,replyattr FROM
subscribers WHERE username = 'DEFAULT'






RE: (RADIATOR) Authentication Question..

2001-12-13 Thread Dave Kitabjian

Remember that the Authentication requests can be sent to a different
place than the Accounting requests, via separate lines in your Cisco
config file. Perhaps the AUTH line is not correct...

Dave

> -Original Message-
> From: GwangHee Yi [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, December 12, 2001 1:37 PM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Authentication Question..
> 
> 
> Dear All,
> 
> I am using Cisco2600 Gatekeeper.
> 
> I want to authenticate with Radiator.
> I got exact accounting attributes. It's working very well.
> But the Cisco router does not send me an Access-Request.
> Therefore, I cannot authenticate with my MySQL DB.
> 
> Is this a Cisco configuration problem or a Radiator configuration
> problem?
> 
> Below is configuration and Debug...
> 
> Thanks,
> 
> Configuration.
> ==
> Trace 4
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
> 
> 
> AuthPort    1712
> AcctPort    1713
> 
> 
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource    dbi:mysql:
> DBUsername  
> DBAuth      *
> 
> # Auth Statements
> 
> AuthSelect SELECT password,replyattr FROM subscribers 
> WHERE username = '%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, reply
> 
> # You may want to tailor these for your ACCOUNTING table
> AccountingTable ACCOUNTING
> AcctColumnDef   USERNAME,User-Name
> AcctColumnDef   TIME_STAMP,Timestamp,integer
> AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,inter
> 
> AcctLogFileName /var/radius/radius.log
> 
> 
> Debug
> =
> Code:   Accounting-Request
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
> NAS-IP-Address = *
> NAS-Port-Type = Async
> User-Name = "***"
> Called-Station-Id = "***"
> Calling-Station-Id = "***"
> Acct-Status-Type = Stop
> Service-Type = Login-User
> Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//"
> Acct-Input-Octets = 0
> Acct-Output-Octets = 0
> Acct-Input-Packets = 0
> Acct-Output-Packets = 0
> Acct-Session-Time = 11
> cisco-avpair = "pre-bytes-in=0"
> cisco-avpair = "pre-bytes-out=0"
> cisco-avpair = "pre-paks-in=0"
> cisco-avpair = "pre-paks-out=0"
> cisco-avpair = "nas-rx-speed=0"
> cisco-avpair = "nas-tx-speed=0"
> Acct-Delay-Time = 0
> 
> Tue Dec 11 17:04:58 2001: DEBUG: Handling request with 
> Handler 'Realm=DEFAULT' Tue Dec 11 17:04:58 2001: DEBUG: 
> Deleting session for **, *, Tue Dec 11 17:04:58 
> 2001: DEBUG: Handling with Radius::AuthSQL Tue Dec 11 
> 17:04:58 2001: DEBUG: Handling accounting with 
> Radius::AuthSQL Tue Dec 11 17:04:58 2001: DEBUG: do query is: 
> insert into ACCOUNTING
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, 
> ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, 
> ACCTSESSIONID, ACCTSESSIONTIME)
> values
> ('**', 1008119098, 'Stop', 0, 0, 0, 
> '56///0 B8E9C61F 4050007 EA25B92//', 11)
> 
> Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted
> Tue Dec 11 17:04:58 2001: DEBUG: Packet dump:
> *** Sending to *** port 1646 
> Code:   Accounting-Response
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
> 
> 



Re: (RADIATOR) Authentication Question..

2001-12-12 Thread Hugh Irvine


Hello GwangHee -

Thanks for sending the files.

If the Cisco is not sending an Access-Request you will have to check with 
Cisco what you need to configure. The trace file only shows an accounting 
request that is being processed correctly, so if you are not seeing any 
access requests I would have to conclude that the Cisco is not sending them.

regards

Hugh


On Thu, 13 Dec 2001 05:37, GwangHee Yi wrote:
> Dear All,
>
> I am using Cisco2600 Gatekeeper.
>
> I want to authenticate with Radiator.
> I got exact accounting attributes. It's working very well.
> But the Cisco router does not send me an Access-Request.
> Therefore, I cannot authenticate with my MySQL DB.
>
> Is this a Cisco configuration problem or a Radiator configuration problem?
>
> Below is configuration and Debug...
>
> Thanks,
>
> Configuration.
> ==
> Trace 4
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
>
>
> AuthPort    1712
> AcctPort    1713
> 
> 
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource    dbi:mysql:
> DBUsername  
> DBAuth      *
>
> # Auth Statements
>
> AuthSelect SELECT password,replyattr FROM subscribers WHERE
> username = '%n'
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, GENERIC, reply
>
> # You may want to tailor these for your ACCOUNTING table
> AccountingTable ACCOUNTING
> AcctColumnDef   USERNAME,User-Name
> AcctColumnDef   TIME_STAMP,Timestamp,integer
> AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,inter
> 
> AcctLogFileName /var/radius/radius.log
> 
>
> Debug
> =
> Code:   Accounting-Request
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
> NAS-IP-Address = *
> NAS-Port-Type = Async
> User-Name = "***"
> Called-Station-Id = "***"
> Calling-Station-Id = "***"
> Acct-Status-Type = Stop
> Service-Type = Login-User
> Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//"
> Acct-Input-Octets = 0
> Acct-Output-Octets = 0
> Acct-Input-Packets = 0
> Acct-Output-Packets = 0
> Acct-Session-Time = 11
> cisco-avpair = "pre-bytes-in=0"
> cisco-avpair = "pre-bytes-out=0"
> cisco-avpair = "pre-paks-in=0"
> cisco-avpair = "pre-paks-out=0"
> cisco-avpair = "nas-rx-speed=0"
> cisco-avpair = "nas-tx-speed=0"
> Acct-Delay-Time = 0
>
> Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *,
> Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL
> Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL
> Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
> ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME)
> values
> ('**', 1008119098, 'Stop', 0, 0, 0, '56///0
> B8E9C61F 4050007 EA25B92//', 11)
>
> Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted
> Tue Dec 11 17:04:58 2001: DEBUG: Packet dump:
> *** Sending to *** port 1646 
> Code:   Accounting-Response
> Identifier: 76
> Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
> Attributes:
>




(RADIATOR) Authentication Question..

2001-12-12 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from 
["GwangHee Yi" <[EMAIL PROTECTED]>]
Date: Tue, 11 Dec 2001 16:51:45 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From: "GwangHee Yi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Authentication Question..
Date: Tue, 11 Dec 2001 16:24:22 -0800

Dear All,

I am using Cisco2600 Gatekeeper.

I want to authenticate with Radiator.
I got exact accounting attributes. It's working very well.
But the Cisco router does not send me an Access-Request.
Therefore, I cannot authenticate with my MySQL DB.

Is this a Cisco configuration problem or a Radiator configuration problem?

Below is configuration and Debug...

Thanks,

Configuration.
==
Trace 4
Foreground
LogStdout
LogDir  .
DbDir   .


AuthPort    1712
AcctPort    1713


# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource    dbi:mysql:
DBUsername  
DBAuth      *

# Auth Statements

AuthSelect SELECT password,replyattr FROM subscribers WHERE username
= '%n'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply

# You may want to tailor these for your ACCOUNTING table
AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,inter

AcctLogFileName /var/radius/radius.log


Debug
=
Code:   Accounting-Request
Identifier: 76
Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
Attributes:
NAS-IP-Address = 216.217.147.58
NAS-Port-Type = Async
User-Name = "***"
Called-Station-Id = "***"
Calling-Station-Id = "***"
Acct-Status-Type = Stop
Service-Type = Login-User
Acct-Session-Id = "56//SDGK1/0 B8E9C61F 4050007 EA25B92//"
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 11
cisco-avpair = "pre-bytes-in=0"
cisco-avpair = "pre-bytes-out=0"
cisco-avpair = "pre-paks-in=0"
cisco-avpair = "pre-paks-out=0"
cisco-avpair = "nas-rx-speed=0"
cisco-avpair = "nas-tx-speed=0"
Acct-Delay-Time = 0

Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *,
Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL
Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL
Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING
(USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME)
values
('**', 1008119098, 'Stop', 0, 0, 0, '56//SDGK1/0
B8E9C61F 4050007 EA25B92//', 11)

Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted
Tue Dec 11 17:04:58 2001: DEBUG: Packet dump:
*** Sending to *** port 1646 
Code:   Accounting-Response
Identifier: 76
Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
Attributes:

---

-- 
I am travelling at the moment, and there may be delays in our correspondence.
Mike McCauley, Open System Consultants, [EMAIL PROTECTED], www.open.com.au



(RADIATOR) Authentication Question..

2001-12-12 Thread GwangHee Yi

Dear All,

I am using Cisco2600 Gatekeeper.

I want to authenticate with Radiator.
I got exact accounting attributes. It's working very well.
But the Cisco router does not send me an Access-Request.
Therefore, I cannot authenticate with my MySQL DB.

Is this a Cisco configuration problem or a Radiator configuration problem?

Below is configuration and Debug...

Thanks,

Configuration.
==
Trace 4
Foreground
LogStdout
LogDir  .
DbDir   .


AuthPort    1712
AcctPort    1713


# Adjust DBSource, DBUsername, DBAuth to suit your DB
DBSource    dbi:mysql:
DBUsername  
DBAuth      *

# Auth Statements

AuthSelect SELECT password,replyattr FROM subscribers WHERE username
= '%n'
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, GENERIC, reply

# You may want to tailor these for your ACCOUNTING table
AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,inter

AcctLogFileName /var/radius/radius.log


Debug
=
Code:   Accounting-Request
Identifier: 76
Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
Attributes:
NAS-IP-Address = *
NAS-Port-Type = Async
User-Name = "***"
Called-Station-Id = "***"
Calling-Station-Id = "***"
Acct-Status-Type = Stop
Service-Type = Login-User
Acct-Session-Id = "56///0 B8E9C61F 4050007 EA25B92//"
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Session-Time = 11
cisco-avpair = "pre-bytes-in=0"
cisco-avpair = "pre-bytes-out=0"
cisco-avpair = "pre-paks-in=0"
cisco-avpair = "pre-paks-out=0"
cisco-avpair = "nas-rx-speed=0"
cisco-avpair = "nas-tx-speed=0"
Acct-Delay-Time = 0

Tue Dec 11 17:04:58 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Dec 11 17:04:58 2001: DEBUG: Deleting session for **, *,
Tue Dec 11 17:04:58 2001: DEBUG: Handling with Radius::AuthSQL
Tue Dec 11 17:04:58 2001: DEBUG: Handling accounting with Radius::AuthSQL
Tue Dec 11 17:04:58 2001: DEBUG: do query is: insert into ACCOUNTING
(USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTIME)
values
('**', 1008119098, 'Stop', 0, 0, 0, '56///0
B8E9C61F 4050007 EA25B92//', 11)

Tue Dec 11 17:04:58 2001: DEBUG: Accounting accepted
Tue Dec 11 17:04:58 2001: DEBUG: Packet dump:
*** Sending to *** port 1646 
Code:   Accounting-Response
Identifier: 76
Authentic:  0*<23><165>g<202><147><214>P<200>2<180><151>"<250><4>
Attributes:




Re: (RADIATOR) Authentication through DNIS.

2001-12-11 Thread Hugh Irvine


Hello Wasim -

The trace 4 below (thanks for sending it) shows that your NAS is sending the 
number "7159" as the value for the Called-Station-Id (note the spelling). You 
can check for this in a users file as follows:

cool Password = ., Called-Station-Id = 7159, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP

Note that Called-Station-Id is the number that the user has dialled.

If you want to check the number the user is dialling from you would do this:

cool Password = ., Calling-Station-Id = 13155131, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP

All check items must appear on the first line of a user definition and the 
reply items on the second and following lines with white space at the 
beginning and a comma at the end of every reply line except the last.

Have a look at section 13 of the Radiator 2.19 reference manual.

regards

Hugh


On Sat, 8 Dec 2001 20:22, Wasim Ahmed Khan wrote:
> Hi All,
>
> I want to authenticate a few of our users defined in Radiator's users file
> on the basis of DNIS. How can we do that through Radiator? At first I tried
> to pass the Called-Station-ID attribute in the users file, but strangely it is
> not authenticating. Here is something the detail shows:
> It is picking "7159" as Called-Station-Id.
>
> Is there any other way to authenticate a specific user on the basis of
> DNIS, or otherwise, where am I wrong in this whole scenario?
>
>   Wed Dec  8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on
> netops-2
> Wed Dec  8 12:31:40 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1645 
> Code:   Access-Request
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
>   NAS-IP-Address = 202.63.217.245
>   NAS-Port = 62
>   Cisco-NAS-Port = "Async62"
>   NAS-Port-Type = Async
>   User-Name = "cool"
>   Called-Station-Id = "7159"
>   Calling-Station-Id = "215219321"
>   User-Password = "<240>Q<142><218><240>K<177>T?
> 1@<15><215>z<250><224>"
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>
> Wed Dec  8 12:31:40 1999: DEBUG: Handling request with
> Handler 'Realm=DEFAULT'
> Wed Dec  8 12:31:40 1999: DEBUG:  Deleting session for cool,
> 202.63.217.245, 62
> Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec  8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'cool' or sa.shell = 'cool')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec  8 12:31:41 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:40','cool','ðQŽÚðK±T?1@×zúà','215219321')
>
> Wed Dec  8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match
> with cool
> Wed Dec  8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec  8 12:31:42 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:41','cool','ðQŽÚðK±T?1@×zúà','215219321')
>
> Wed Dec  8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE
> Wed Dec  8 12:31:42 1999: DEBUG: Reading users file ./users
> Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with
> cool
> Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Dec  8 12:31:42 1999: DEBUG: Access accepted for cool
> Wed Dec  8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use
> Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
> *** Sending to 202.63.217.245 port 1645 
> Code:   Access-Accept
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Simultaneous-Use = 4
>   Called-Station-Id = "13155131"
>
> Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1646 
> Code:   Accounting-Request
> Identifier: 227
> Authentic:  <139><232>b;:g<212>J<226><199><248><155><210>L<175><17>
> Attributes:
>   NAS-IP-Address = 202.63.217.245
>   NAS-Port = 62
>   Cisco-NAS-Port = "Async62"
>   NAS-Port-Type = Async
>   User-Name = "cool"
>   Called-Station-Id = "7159"
>   Calling-Station-Id = "215219321"
>   Acct-Status-Type = Start
> 
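
The check-item and reply-item rule from the reply above, as an added example that is not part of the original thread and is not Radiator's own code: a simplified Python model of a users-file lookup showing that a DNIS attribute placed on a reply line is never compared with the request and is only echoed back to the NAS, as with the Called-Station-Id in the Access-Accept of the quoted trace. The users `alice` and `bob`, the password, exact-match comparison and the `REQUEST_ONLY` list are assumptions made for the illustration.

```python
import re

# Constructed sample users file (not from the thread). Check items sit on the
# first line of an entry; reply items sit on the indented lines that follow.
USERS_FILE = """\
# DNIS is a check item: it is compared with the incoming request
alice Password = "s3cret", Called-Station-Id = 7159, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP

# DNIS slipped onto a reply line: never compared, only sent back to the NAS
bob Password = "s3cret", Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Called-Station-Id = 7159
"""

# One "Attr = value" pair; the value is a quoted string or text up to a comma.
ITEM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*("[^"]*"|[^,]*?)\s*(?:,|$)')

# Assumption: check items enforced from session state, not from the request.
NOT_IN_REQUEST = {"Simultaneous-Use"}

# Assumption: attributes that only make sense as checks against a request.
REQUEST_ONLY = {"Called-Station-Id", "Calling-Station-Id", "NAS-IP-Address",
                "NAS-Port", "Password", "User-Password"}


def parse_items(text):
    """Split one line into (attribute, value) pairs, dropping quotes."""
    return [(m.group(1), m.group(2).strip('"')) for m in ITEM.finditer(text)]


def parse_users(text):
    """Parse a users file into entries with separate check and reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Leading white space marks a reply line of the current entry.
            if not entries:
                raise ValueError("reply line before any user line")
            entries[-1]["reply"].extend(parse_items(raw))
        else:
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append({"name": parts[0],
                            "check": dict(parse_items(rest)),
                            "reply": []})
    return entries


def authenticate(entries, request):
    """Return (code, reply items); every check item must match the request."""
    for entry in entries:
        if entry["name"] != request.get("User-Name"):
            continue
        for attr, wanted in entry["check"].items():
            if attr in NOT_IN_REQUEST:
                continue
            key = "User-Password" if attr == "Password" else attr
            if request.get(key) != wanted:
                return "Access-Reject", []
        return "Access-Accept", list(entry["reply"])
    return "Access-Reject", []


def misplaced_checks(entries):
    """Lint: request-only attributes found among reply items."""
    return [(e["name"], attr) for e in entries
            for attr, _ in e["reply"] if attr in REQUEST_ONLY]


def sample_request(user, dnis):
    """Constructed Access-Request attributes (password shown in clear)."""
    return {"User-Name": user, "User-Password": "s3cret",
            "Called-Station-Id": dnis}


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for user, dnis in (("alice", "7159"), ("alice", "9999"), ("bob", "9999")):
        print(user, dnis, authenticate(users, sample_request(user, dnis)))
    print("misplaced:", misplaced_checks(users))
```

Running the lint over a users file before deployment catches entries where a dialled-number restriction is silently not enforced.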

(RADIATOR) Authentication through DNIS.

2001-12-10 Thread Wasim Ahmed Khan

Hi All,

I want to authenticate a few of our users defined in Radiator's users file
on the basis of DNIS. How can we do that through Radiator? At first I tried
to pass the Called-Station-ID attribute in the users file, but strangely it is
not authenticating. Here is something the detail shows:
It is picking "7159" as Called-Station-Id.

Is there any other way to authenticate a specific user on the basis of
DNIS, or otherwise, where am I wrong in this whole scenario?

  Wed Dec 8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on 
netops-2
Wed Dec 8 12:31:40 1999: DEBUG: Packet dump:
*** Received from 202.63.217.245 port 1645 
Code: Access-Request
Identifier: 226
Authentic: 
<155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
Attributes:
NAS-IP-Address = 202.63.217.245
NAS-Port = 62
Cisco-NAS-Port = "Async62"
NAS-Port-Type = Async
User-Name = "cool"
Called-Station-Id = "7159"
Calling-Station-Id = "215219321"
User-Password = "<240>Q<142><218><240>K<177>T?
1@<15><215>z<250><224>"
Service-Type = Framed-User
Framed-Protocol = PPP

Wed Dec 8 12:31:40 1999: DEBUG: Handling request with 
Handler 'Realm=DEFAULT'
Wed Dec 8 12:31:40 1999: DEBUG: Deleting session for cool, 
202.63.217.245, 62
Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec 8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec 8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day, 
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa 
where (sa.login = 'cool' or sa.shell = 'cool') 
and ma.customerid = sa.customerid 
and sa.active <> 0 and ma.active <> 0

Wed Dec 8 12:31:41 1999: DEBUG: Query is: insert into badattempt 
(date,userid,password,cli) values ('12/8/1999 
12:31:40','cool','ðQŽÚðK±T?1@×zúà','215219321')

Wed Dec 8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match 
with cool
Wed Dec 8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day, 
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa 
where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT') 
and ma.customerid = sa.customerid 
and sa.active <> 0 and ma.active <> 0

Wed Dec 8 12:31:42 1999: DEBUG: Query is: insert into badattempt 
(date,userid,password,cli) values ('12/8/1999 
12:31:41','cool','ðQŽÚðK±T?1@×zúà','215219321')

Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE
Wed Dec 8 12:31:42 1999: DEBUG: Reading users file ./users
Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with 
cool
Wed Dec 8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT: 
Wed Dec 8 12:31:42 1999: DEBUG: Access accepted for cool
Wed Dec 8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use
Wed Dec 8 12:31:42 1999: DEBUG: Packet dump:
*** Sending to 202.63.217.245 port 1645 
Code: Access-Accept
Identifier: 226
Authentic: 
<155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Simultaneous-Use = 4
Called-Station-Id = "13155131"

Wed Dec 8 12:31:42 1999: DEBUG: Packet dump:
*** Received from 202.63.217.245 port 1646 
Code: Accounting-Request
Identifier: 227
Authentic: <139><232>b;:g<212>J<226><199><248><155><210>L<175><17>
Attributes:
NAS-IP-Address = 202.63.217.245
NAS-Port = 62
Cisco-NAS-Port = "Async62"
NAS-Port-Type = Async
User-Name = "cool"
Called-Station-Id = "7159"
Calling-Station-Id = "215219321"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0123"
Framed-Protocol = PPP
Acct-Delay-Time = 0

Wed Dec 8 12:31:42 1999: DEBUG: Handling request with 
Handler 'Realm=DEFAULT'
Wed Dec 8 12:31:42 1999: DEBUG: Adding session for cool, 
202.63.217.245, 62
Wed Dec 8 12:31:42 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec 8 12:31:42 1999: DEBUG: Handling accounting with 
Radius::AuthEMERALD
Wed Dec 8 12:31:42 1999: DEBUG: do query is: insert into Calls
(UserName, CallDate, AcctStatusType, AcctDelayTime, 
AcctSessionId, NASIdentifier, CallerID, NASPort) 
values 
('cool', 'Dec 8, 1999 12:31', 1, 
0, '0123', '202.63.217.245', '215219321', 62)

Wed Dec 8 12:31:43 1999: DEBUG: Accounting accepted
Wed Dec 8 12:31:43 1999: DEBUG: Packet dump:
*** Sending to 202.63.217.245 port 1646 



Regards,
Wasim Ahmed Khan.
Application Programmer.
eWorld Internet Services.
Karachi,
Pakistan.
Ph:(92-21)111-246-246.




Re: (RADIATOR) Authentication through DNIS.

2001-12-08 Thread Hugh Irvine


Hello Wasim -

The trace 4 below (thanks for sending it) shows that your NAS is sending the 
number "7159" as the value for the Called-Station-Id (note the spelling). You 
can check for this in a users file as follows:

cool Password = ., Called-Station-Id = 7159, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP

Note that Called-Station-Id is the number that the user has dialled.

If you want to check the number the user is dialling from you would do this:

cool Password = ., Calling-Station-Id = 13155131, Simultaneous-Use = 4
    Service-Type = Framed-User,
    Framed-Protocol = PPP

All check items must appear on the first line of a user definition and the 
reply items on the second and following lines with white space at the 
beginning and a comma at the end of every reply line except the last.

Have a look at section 13 of the Radiator 2.19 reference manual.

regards

Hugh


On Sat, 8 Dec 2001 20:22, Wasim Ahmed Khan wrote:
> Hi All,
>
> I want to authenticate a few of our users defined in Radiator's users file
> on the basis of DNIS. How can we do that through Radiator? At first I tried
> to pass the Called-Station-ID attribute in the users file, but strangely it is
> not authenticating. Here is something the detail shows:
> It is picking "7159" as Called-Station-Id.
>
> Is there any other way to authenticate a specific user on the basis of
> DNIS, or otherwise, where am I wrong in this whole scenario?
>
>   Wed Dec  8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on
> netops-2
> Wed Dec  8 12:31:40 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1645 
> Code:   Access-Request
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
>   NAS-IP-Address = 202.63.217.245
>   NAS-Port = 62
>   Cisco-NAS-Port = "Async62"
>   NAS-Port-Type = Async
>   User-Name = "cool"
>   Called-Station-Id = "7159"
>   Calling-Station-Id = "215219321"
>   User-Password = "<240>Q<142><218><240>K<177>T?
> 1@<15><215>z<250><224>"
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>
> Wed Dec  8 12:31:40 1999: DEBUG: Handling request with
> Handler 'Realm=DEFAULT'
> Wed Dec  8 12:31:40 1999: DEBUG:  Deleting session for cool,
> 202.63.217.245, 62
> Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
> Wed Dec  8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'cool' or sa.shell = 'cool')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec  8 12:31:41 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:40','cool','ðQŽÚðK±T?1@×zúà','215219321')
>
> Wed Dec  8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match
> with cool
> Wed Dec  8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day,
> ma.extension+ma.overdue, maExpireDate),
> DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
> sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
> from masteraccounts ma, subaccounts sa
> where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT')
> and ma.customerid = sa.customerid
> and sa.active <> 0 and ma.active <> 0
>
> Wed Dec  8 12:31:42 1999: DEBUG: Query is: insert into badattempt
> (date,userid,password,cli) values ('12/8/1999
> 12:31:41','cool','ðQŽÚðK±T?1@×zúà','215219321')
>
> Wed Dec  8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE
> Wed Dec  8 12:31:42 1999: DEBUG: Reading users file ./users
> Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with
> cool
> Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Dec  8 12:31:42 1999: DEBUG: Access accepted for cool
> Wed Dec  8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use
> Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
> *** Sending to 202.63.217.245 port 1645 
> Code:   Access-Accept
> Identifier: 226
> Authentic:
> <155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
> Attributes:
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Simultaneous-Use = 4
>   Called-Station-Id = "13155131"
>
> Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
> *** Received from 202.63.217.245 port 1646 
> Code:   Accounting-Request
> Identifier: 227
> Authentic:  <139><232>b;:g<212>J<226><199><248><155><210>L<175><17>
> Attributes:
>   NAS-IP-Address = 202.63.217.245
>   NAS-Port = 62
>   Cisco-NAS-Port = "Async62"
>   NAS-Port-Type = Async
>   User-Name = "cool"
>   Called-Station-Id = "7159"
>   Calling-Station-Id = "215219321"
>   Acct-Status-Type = Start
> 

(RADIATOR) Authentication through DNIS.

2001-12-08 Thread Wasim Ahmed Khan

Hi All,

I want to authenticate few of our users defined in radiator's user file 
on basis of DNIS. How can we do that through radiator. As first i try 
to pass Called-Station-ID attribute in users file but strangely it is 
not authenticating. Here is sumthing detail shows:
It is picking "7159" as called-station-Id.

Is there any other way to authenticate specific user on the basis on 
DNIS or otherwise where i m wrong in this whole scenario.

  Wed Dec  8 12:28:48 1999: INFO: Server started: Radiator 2.18.1 on 
netops-2
Wed Dec  8 12:31:40 1999: DEBUG: Packet dump:
*** Received from 202.63.217.245 port 1645 
Code:   Access-Request
Identifier: 226
Authentic:  
<155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
Attributes:
NAS-IP-Address = 202.63.217.245
NAS-Port = 62
Cisco-NAS-Port = "Async62"
NAS-Port-Type = Async
User-Name = "cool"
Called-Station-Id = "7159"
Calling-Station-Id = "215219321"
User-Password = "<240>Q<142><218><240>K<177>T?
1@<15><215>z<250><224>"
Service-Type = Framed-User
Framed-Protocol = PPP

Wed Dec  8 12:31:40 1999: DEBUG: Handling request with 
Handler 'Realm=DEFAULT'
Wed Dec  8 12:31:40 1999: DEBUG:  Deleting session for cool, 
202.63.217.245, 62
Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec  8 12:31:40 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec  8 12:31:40 1999: DEBUG: Query is: select DateAdd(Day, 
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa 
where (sa.login = 'cool' or sa.shell = 'cool') 
and ma.customerid = sa.customerid 
and sa.active <> 0 and ma.active <> 0

Wed Dec  8 12:31:41 1999: DEBUG: Query is: insert into badattempt 
(date,userid,password,cli) values ('12/8/1999 
12:31:40','cool','ðQŽÚðK±T?1@×zúà','215219321')

Wed Dec  8 12:31:41 1999: DEBUG: Radius::AuthEMERALD looks for match 
with cool
Wed Dec  8 12:31:41 1999: DEBUG: Query is: select DateAdd(Day, 
ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subaccounts sa 
where (sa.login = 'DEFAULT' or sa.shell = 'DEFAULT') 
and ma.customerid = sa.customerid 
and sa.active <> 0 and ma.active <> 0

Wed Dec  8 12:31:42 1999: DEBUG: Query is: insert into badattempt 
(date,userid,password,cli) values ('12/8/1999 
12:31:41','cool','ðQŽÚðK±T?1@×zúà','215219321')

Wed Dec  8 12:31:42 1999: DEBUG: Handling with Radius::AuthFILE
Wed Dec  8 12:31:42 1999: DEBUG: Reading users file ./users
Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE looks for match with 
cool
Wed Dec  8 12:31:42 1999: DEBUG: Radius::AuthFILE ACCEPT: 
Wed Dec  8 12:31:42 1999: DEBUG: Access accepted for cool
Wed Dec  8 12:31:42 1999: WARNING: No such attribute Simultaneous-Use
Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
*** Sending to 202.63.217.245 port 1645 
Code:   Access-Accept
Identifier: 226
Authentic:  
<155><196><19><166>uXV<235><205><168><149><236><234><152><149>$
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Simultaneous-Use = 4
Called-Station-Id = "13155131"

Wed Dec  8 12:31:42 1999: DEBUG: Packet dump:
*** Received from 202.63.217.245 port 1646 
Code:   Accounting-Request
Identifier: 227
Authentic:  <139><232>b;:g<212>J<226><199><248><155><210>L<175><17>
Attributes:
NAS-IP-Address = 202.63.217.245
NAS-Port = 62
Cisco-NAS-Port = "Async62"
NAS-Port-Type = Async
User-Name = "cool"
Called-Station-Id = "7159"
Calling-Station-Id = "215219321"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "0123"
Framed-Protocol = PPP
Acct-Delay-Time = 0

Wed Dec  8 12:31:42 1999: DEBUG: Handling request with 
Handler 'Realm=DEFAULT'
Wed Dec  8 12:31:42 1999: DEBUG:  Adding session for cool, 
202.63.217.245, 62
Wed Dec  8 12:31:42 1999: DEBUG: Handling with Radius::AuthEMERALD
Wed Dec  8 12:31:42 1999: DEBUG: Handling accounting with 
Radius::AuthEMERALD
Wed Dec  8 12:31:42 1999: DEBUG: do query is: insert into Calls
(UserName, CallDate, AcctStatusType, AcctDelayTime, 
AcctSessionId, NASIdentifier, CallerID, NASPort) 
values 
('cool', 'Dec  8, 1999 12:31', 1, 
0, '0123', '202.63.217.245', '215219321', 62)

Wed Dec  8 12:31:43 1999: DEBUG: Accounting accepted
Wed Dec  8 12:31:43 1999: DEBUG: Packet dump:
*** Sending to 202.63.217.245 port 1646 

Regards,
Wasim Ahmed Khan.
Application Programmer.
eWorld Internet Services.
Karachi,
Pakistan.
Ph:(92-21)111-246-246.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To 

Re: (RADIATOR) Authentication CHAP

2001-10-25 Thread Hugh Irvine


Ciao Giuseppe -

Radiator will automatically handle CHAP-Password as long as you have the 
cleartext password available in the user definition.

regards

Hugh


On Friday 26 October 2001 01:08, Giuseppe Denora wrote:
> Hi everybody,
>
> I' m trying to set up a Radiator Authenticator using the clause  ETERNAL>.
> I use a little perl module for CHAP-authentication. my Cisco NAS doesn't
> pass to the
> module the attribute CHAP-Challenge (only the CHAP-Password)  for hashing
> the clear text password.
>
> Does anybody know HOW to get THE CHAP-CHALLENGE  from Ciscos??
>
>
>
> ===
> Working Online - Internet, Telematica e Soluzioni di Rete
> ---
> Web www.working.it - Email [EMAIL PROTECTED]
> Work.Net S.r.l.
> Via XXV Aprile 37 - 21100 Varese - ITALY
> Tel. +39-332-320.720 - Fax +39-332-310.202
> Via Cavour 15 - 21013 Gallarate - VA - ITALY
> Tel. +39-331-776.818 - Fax +39-331-788.245
> ===
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
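
The check discussed in this thread, as an added example that is not part of either post and is not Radiator's code: a RADIUS server verifies CHAP-Password by recomputing MD5 over the CHAP identifier, the cleartext password and the challenge, and when the NAS sends no CHAP-Challenge attribute, RFC 2865 takes the challenge from the Request Authenticator in the packet header. The function names, the `testuser` account and the byte values are constructed for illustration.

```python
"""Added example: server-side check of a RADIUS CHAP-Password attribute."""
import hashlib
import hmac


def chap_response(chap_id, password, challenge):
    """RFC 1994 response value: MD5(CHAP identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def select_challenge(attributes, request_authenticator):
    """Use CHAP-Challenge if the NAS sent it, otherwise fall back to the
    16-octet Request Authenticator from the packet header (RFC 2865)."""
    challenge = attributes.get("CHAP-Challenge")
    if challenge:
        return challenge
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator


def verify_chap(attributes, request_authenticator, cleartext_password):
    """Return True only if the CHAP response matches the cleartext password."""
    chap_password = attributes.get("CHAP-Password")
    # CHAP-Password is 1 octet of CHAP identifier followed by the 16-octet MD5.
    if chap_password is None or len(chap_password) != 17:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    challenge = select_challenge(attributes, request_authenticator)
    expected = chap_response(chap_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, received)


def nas_request(chap_id, password, challenge, send_challenge_attribute):
    """Constructed NAS side: build the attributes and Request Authenticator
    that a NAS would put in an Access-Request after a PPP CHAP exchange."""
    attributes = {
        "User-Name": "testuser",  # constructed sample user
        "CHAP-Password": bytes([chap_id])
        + chap_response(chap_id, password, challenge),
    }
    if send_challenge_attribute:
        attributes["CHAP-Challenge"] = challenge
        authenticator = bytes(range(100, 116))  # unrelated header value
    else:
        # No CHAP-Challenge attribute: the challenge travels as the
        # Request Authenticator itself.
        authenticator = challenge
    return attributes, authenticator


def demo():
    """Run the check over constructed requests and return the outcomes."""
    password = b"s3cret"            # constructed cleartext password
    challenge = bytes(range(16))    # constructed 16-octet challenge

    attrs, auth = nas_request(7, password, challenge, False)
    attrs_with, auth_with = nas_request(7, password, challenge, True)

    # A one-way hash of the password cannot stand in for the cleartext:
    # the MD5 input must contain the password itself.
    stored_hash = hashlib.sha256(password).hexdigest().encode()

    return {
        "authenticator_as_challenge": verify_chap(attrs, auth, password),
        "challenge_attribute": verify_chap(attrs_with, auth_with, password),
        "wrong_password": verify_chap(attrs, auth, b"wrong"),
        "hashed_store": verify_chap(attrs, auth, stored_hash),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```
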



(RADIATOR) Authentication CHAP

2001-10-25 Thread Giuseppe Denora

Hi everybody,

I' m trying to set up a Radiator Authenticator using the clause .
I use a little perl module for CHAP-authentication. my Cisco NAS doesn't 
pass to the
module the attribute CHAP-Challenge (only the CHAP-Password)  for hashing 
the clear text password.

Does anybody know HOW to get THE CHAP-CHALLENGE  from Ciscos??



===
Working Online - Internet, Telematica e Soluzioni di Rete
---
Web www.working.it - Email [EMAIL PROTECTED]
Work.Net S.r.l.
Via XXV Aprile 37 - 21100 Varese - ITALY
Tel. +39-332-320.720 - Fax +39-332-310.202
Via Cavour 15 - 21013 Gallarate - VA - ITALY
Tel. +39-331-776.818 - Fax +39-331-788.245
===




Re: (RADIATOR) authentication when SQL/proxyRadius is down

2001-10-16 Thread Hugh Irvine


Hello David -

On Wednesday 17 October 2001 01:13, [EMAIL PROTECTED] wrote:
> Hi
> I'm testing (Radiator/Radmin DEMO ) with some possible configuration to
> solve our requirements.
> Overview: Radius server is connected to other server with SQL database.
> Radius do Authby SQL or Auth by Radius (proxy)  - based on @realm
>
> So in case of SQL database or proxy radius server is down I would like to
> authenticate (send Access accept)  users ( possible users with bad password
> - it doesn't matter - it's free dial up ) and do accounting to file on
> radius server.
>

You would do something like this:

# define AuthBy clauses


Identifier CheckSQL
DBSource .
DBUsername .
DBAuth .
..
AcctFailedLogFileName .
AcctFailedLogFileFormat .



Identifier ForwardToProxy
..
NoReplyHook .
AcctFailedLogFileName .
AcctFailedLogFileFormat .



Identifier AcceptAll


# define Realms


AuthByPolicy ContinueUntilAccept
AuthBy CheckSQL
AuthBy AcceptAll
.



Identifier AcceptAll
AuthBy ForwardToProxy
.


There is an example NoReplyHook in the file "goodies/hooks.txt" that will 
work with what is shown above.

Also have a look at sections 6.28 and 6.29 in the Radiator reference manual 
included in the file "doc/ref.html" in the distribution.

If you have any other questions please ask.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



(RADIATOR) authentication when SQL/proxyRadius is down

2001-10-16 Thread david . kramar

Hi 
I'm testing (Radiator/Radmin DEMO ) with some possible configuration to solve
our requirements.
Overview: Radius server is connected to other server with SQL database.
Radius do Authby SQL or Auth by Radius (proxy)  - based on @realm  

So in case of SQL database or proxy radius server is down I would like to
authenticate (send Access accept)  users ( possible users with bad password
- it doesn't matter - it's free dial up ) and do accounting to file on
radius server.


Thanks for any idea
David Kramar   



(RADIATOR) Authentication Problem

2001-09-10 Thread 'Tunde Ogedengbe

I need help pls! and very URGENTLY too!

My RADIATOR Authentication is suddenly rejecting all passwords.  It is
logging encrypted passwords in password.log.
I am not using encryption at all.  I am authentication via ODBC.  I tried
with User flat file without any success.


'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net
- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Harrison Ng" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 10, 2001 11:11 AM
Subject: Re: (RADIATOR) FW: Load Balancing


>
> Hello Harrison -
>
> No - seconds only are supported.
>
> regards
>
> Hugh
>
>
> On Monday 10 September 2001 17:23, Harrison Ng wrote:
>
> > > BTW, can those time related parameters accepts milliseconds, such as
> > RetryTimeout, FailureBackoffTime.
> >
> > Harrison
> >
> > > -Original Message-
> > > From: Harrison Ng
> > > Sent: Monday, September 10, 2001 3:21 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: Load Balancing
> > >
> > > Hi,
> > >
> > > We are using Ericsson GSN, the primary and secondary failover timer in
> > > GSN is restricted to merely 6 seconds. After these 6 secs, it drops
the
> > > call.
> > >
> > > So our radiator server need to respond very fast, I mean fast in doing
> > > username/password authentication, accounting logging, ip address
> > > allocation and forward accounting information to 3rd party business
> > > partners and reply back to GSN at last. If we divide 6 secs into 2
> > > halves, there will be only 3 secs for primary radius, and 3 secs for
> > > secondary radius.
> > >
> > > Our first question is it possible to change the behaviour (perhaps an
> > > extra parameter) of  so
> > > that when radius proxy does not receive response from the first radius
> > > server, then just stop it and let the radius server marked failure and
> > > reply nothing to GSN. Let the radius server sit still until
> > > FailureBackupoffTime is reached. Do not even try to forward request to
> > > the second listed, until the list is exhausted.
> > >
> > > Second can we set the timeout value (perhaps to zero) for the very
first
> > > accounting forward packet. The RetryTimeout only suitable for
> > > retransmitting packet. Lost accounting packet is not a concern to us,
as
> > > long as the radius server work very fast.
> > >
> > > We tried optimize every things such as using radius proxy to
distribute
> > > loading to several radius server, put database server in another unix
> > > box, field indexing, lots of memory and etc. Maybe our question is a
bit
> > > strange. Perhaps someone can suggest us a workaround. Thanks.
> > >
> > >
> > > Regards,
> > > Harrison
> > > SmarTone BroadBand Services Ltd.
>
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>




(RADIATOR) Authentication BY SQL

2001-09-06 Thread 'Tunde Ogedengbe

We are setting our RADIUS to authenticate via SQL Database.  The Radius is
communicating properly with the SQL database.  However, The Radius server is
rejecting all password even though the passwords are correct (Pls see log
below)


Pls help.

--



 from SUbsInfo where USERNAME='otisvi'

Thu Sep  6 15:20:39 2001: DEBUG: Radius::AuthSQL looks for match with otisvi
Thu Sep  6 15:20:39 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Sep  6 15:20:39 2001: DEBUG: Query is: select PASSWORD, CHECKATTR,
REPLYATTR
 from SUbsInfo where USERNAME='DEFAULT'

Thu Sep  6 15:20:39 2001: INFO: Access rejected for otisvi: Bad Password
Thu Sep  6 15:20:39 2001: DEBUG: Packet dump:
*** Sending to 195.166.231.247 port 1645 
Code:   Access-Reject
Identifier: 120
Authentic:  <140>*'<197><8><168>v`[<135>6?<14><16><206><146>
Attributes:
Reply-Message = "Request Denied"

Thu Sep  6 15:20:40 2001: ERR: Attribute number 39049 (vendor 429) is not
define
d in your dictionary
Thu Sep  6 15:20:40 2001: DEBUG: Packet dump:
*** Received from 195.166.231.247 port 1645 
Code:   Access-Request
Identifier: 121
Authentic:
<209><217><156><201><232><148><255><148>_H<229><227><145><230><17><2
30>
Attributes:
User-Name = "otisvi"
User-Password =
"<138>c9<145><24><152><11><186>*<176>1<238>lM<166><146>"

NAS-IP-Address = 195.166.231.247
NAS-Port = 773
Acct-Session-Id = "50594945"
USR-Interface-Index = 2029
Service-Type = Framed-User
Framed-Protocol = PPP
USR-Chassis-Call-Slot = 4
USR-Chassis-Call-Span = 1
USR-Chassis-Call-Channel = 5
USR-Connect-Speed = NONE
Calling-Station-Id = ""
Called-Station-Id = ""
NAS-Port-Type = Async

Thu Sep  6 15:20:40 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Sep  6 15:20:40 2001: DEBUG:  Deleting session for otisvi,
195.166.231.247,
773
Thu Sep  6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep  6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep  6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR,
REPLYATTR
 from SUbsInfo where USERNAME='otisvi'

Thu Sep  6 15:20:40 2001: DEBUG: Radius::AuthSQL looks for match with otisvi
Thu Sep  6 15:20:40 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Sep  6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR,
REPLYATTR
 from SUbsInfo where USERNAME='DEFAULT'

Thu Sep  6 15:20:40 2001: INFO: Access rejected for otisvi: Bad Password
Thu Sep  6 15:20:40 2001: DEBUG: Packet dump:
*** Sending to 195.166.231.247 port 1645 
Code:   Access-Reject
Identifier: 121
Authentic:
<209><217><156><201><232><148><255><148>_H<229><227><145><230><17><2
30>
Attributes:
Reply-Message = "Request Denied"

Thu Sep  6 15:20:40 2001: ERR: Attribute number 39049 (vendor 429) is not
define
d in your dictionary
Thu Sep  6 15:20:40 2001: DEBUG: Packet dump:
*** Received from 195.166.231.247 port 1645 
Code:   Access-Request
Identifier: 122
Authentic:  <15><181><128><13><218><240><162><8><13><254>]<199>t&<0>z
Attributes:
User-Name = "prawa"
User-Password =
"<244><154><157><245><214>j<30><190>i<188>P<159><<230><2
21>6"
NAS-IP-Address = 195.166.231.247
NAS-Port = 12
Acct-Session-Id = "721209"
USR-Interface-Index = 1268
Service-Type = Framed-User
Framed-Protocol = PPP
USR-Chassis-Call-Slot = 1
USR-Chassis-Call-Span = 1
USR-Chassis-Call-Channel = 12
USR-Connect-Speed = NONE
Calling-Station-Id = ""
Called-Station-Id = ""
NAS-Port-Type = Async

Thu Sep  6 15:20:40 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Sep  6 15:20:40 2001: DEBUG:  Deleting session for prawa,
195.166.231.247, 1
2
Thu Sep  6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep  6 15:20:40 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep  6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR,
REPLYATTR
 from SUbsInfo where USERNAME='prawa'

Thu Sep  6 15:20:40 2001: DEBUG: Radius::AuthSQL looks for match with prawa
Thu Sep  6 15:20:40 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Sep  6 15:20:40 2001: DEBUG: Query is: select PASSWORD, CHECKATTR,
REPLYATTR
 from SUbsInfo where USERNAME='DEFAULT'

Thu Sep  6 15:20:40 2001: INFO: Access rejected for prawa: Bad Password
Thu Sep  6 15:20:40 2001: DEBUG: Packet dump:
*** Sending to 195.166.231.247 port 1645 
Code:   Access-Reject
Identifier: 122
Authentic:  <15><181><128><13><218><240><162><8><13><254>]<199>t&<0>z
Attributes:
Reply-Message = "Request Denied"

Thu Sep  6 15:20:42 2001: ERR: Attribute number 39049 (vendor 429) is not
define
d in your dictionary
Thu Sep  6 15:20:42 2001: DEBUG: Packet dump:
*** Received from 195.166.231.247 port 1645 
Code:   Acce

Re: (RADIATOR) Authentication to radius with Flat File

2001-08-01 Thread Hugh Irvine


Hello Janice -

There are several things wrong with what you show below, including 
the user definition which should have all the check items on the 
first line and all the reply items on the second and subsequent 
lines, like this:

# user records have all check items on the first line (no comma at the end)
# reply items are on the second and subsequent lines (commas except the last)

bob12   User-Password = "forpccw"
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 202.79.95.17,
 Framed-IP-Netmask = 255.255.255.255,
 Framed-Routing = None,
 Framed-MTU = 1500,
 Framed-Compression = Van-Jacobson-TCP-IP

You will also need to uncomment the RewriteUsername to strip the 
suffix off the username before checking it in the AuthBy FILE.

I will also need to see the complete configuration file (no secrets) 
together with a trace 4 debug from Radiator showing what is happening.

thanks

Hugh


At 19:23 +0800 01/8/1, Wong, Janice wrote:
>hi all,
>
>I need to create a client to be authenticated using a fixed ip address. I
>have created a flat file containing user information to assign the framed ip
>address function for a specific user. But I do not seem to get
>authentication and it always give me a handler error msg trying to reach
>203.63.154.1
>
>This is my configuration on Radius.cfg
>
>
># Framed ip address testing
>
> Secret x
> IgnoreAcctSignature
>
>
># allow all clients to use the same secret
>
> Secret x
>
>
>
>
> AcctLogFileFormat file:"/usr/local/radiator/LogFormat"
> AcctLogFileName /usr/local/radiator/radacct/usage.testingrealm
> #RewriteUsername s/^([^@]+).*/$1/
> 
> Filename %D/testuser
> 
>
>
>
>The user file :
>
>bob12   User-Password = "forpccw",
> Service-Type = Framed-User
> Framed-Protocol = PPP,
> Framed-IP-Address = 202.79.95.17,
> Framed-IP-Netmask =
>255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-
>Jacobson-TCP-IP
>
>radpwtst logfile error:
>
>Code:   Accounting-Request
>Identifier: 67
>Authentic:  }<163>kN$<220>T<150><142>U<188><193><183><245><234><15>
>Attributes:
> User-Name = "[EMAIL PROTECTED]"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "1234"
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 2
> Acct-Output-Octets = 3
>
>Wed Aug  1 19:11:00 2001: WARNING: Bad authenticator in request from DEFAULT
>(203.63.154.1)
>
>Attributes:
> User-Name = "[EMAIL PROTECTED]"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password = "<163>N<220><236><150>y<14><238>k(<135>Fp73<140>"
>
>Wed Aug  1 19:10:50 2001: DEBUG: Check if Handler Realm=.net.sg should
>be used to handle this request
>Wed Aug  1 19:10:50 2001: WARNING: Could not find a handler: request is
>ignored
>Wed Aug  1 19:10:55 2001: DEBUG: Packet dump:
>
>Am I missing any commands or configuration to enable the authentication?
>
>Janice
>===
>Archive at http://www.open.com.au/archives/radiator/
>Announcements on [EMAIL PROTECTED]
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
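
The two layout rules Hugh states for user records, turned into a small checker (an added example, not part of the message and not Radiator's own parser). It assumes that a record starts in column 0 and that reply items are indented; the first sample is the record as posted in the question with its mail line-wraps rejoined, the second is the corrected record from the reply.

```python
"""Added example: lint an AuthBy FILE style users file against the two rules
stated in the reply (check items on line 1 without a trailing comma; reply
items on the following lines, each ending with a comma except the last)."""

# Record as posted in the question, line-wraps rejoined (constructed input).
POSTED_RECORD = """\
bob12   User-Password = "forpccw",
    Service-Type = Framed-User
    Framed-Protocol = PPP,
    Framed-IP-Address = 202.79.95.17,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
"""

# Record as corrected in the reply.
CORRECTED_RECORD = """\
# check items on the first line, reply items below
bob12   User-Password = "forpccw"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 202.79.95.17,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobson-TCP-IP
"""


def parse_records(text):
    """Split the file into records; return (records, findings).

    Assumption: a line starting in column 0 opens a record, an indented line
    is a reply item of the current record, '#' lines and blank lines are
    ignored."""
    records, findings, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                findings.append((lineno, "reply item before any user record"))
                continue
            current["replies"].append((lineno, line.strip()))
        else:
            current = {"lineno": lineno, "name": line.split()[0],
                       "check": line, "replies": []}
            records.append(current)
    return records, findings


def lint_users(text):
    """Return a list of (line number, message) findings, in file order."""
    records, findings = parse_records(text)
    for rec in records:
        name = rec["name"]
        if rec["check"].endswith(","):
            findings.append(
                (rec["lineno"], f"{name}: check-item line ends with a comma"))
        replies = rec["replies"]
        for index, (lineno, item) in enumerate(replies):
            is_last = index == len(replies) - 1
            if "=" not in item:
                findings.append(
                    (lineno, f"{name}: not an 'Attribute = value' item"))
            if not is_last and not item.endswith(","):
                findings.append(
                    (lineno, f"{name}: reply item is missing its trailing comma"))
            if is_last and item.endswith(","):
                findings.append(
                    (lineno, f"{name}: last reply item must not end with a comma"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_RECORD), ("corrected", CORRECTED_RECORD)):
        print(label)
        for lineno, message in lint_users(text) or [(0, "no findings")]:
            print(f"  line {lineno}: {message}")
```
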



(RADIATOR) Authentication to radius with Flat File

2001-08-01 Thread Wong, Janice


hi all,

I need to create a client to be authenticated using a fixed ip address. I
have created a flat file containing user information to assign the framed ip
address function for a specific user. But I do not seem to get
authentication and it always give me a handler error msg trying to reach
203.63.154.1

This is my configuration on Radius.cfg

 
# Framed ip address testing

Secret x
IgnoreAcctSignature


# allow all clients to use the same secret

Secret x




AcctLogFileFormat file:"/usr/local/radiator/LogFormat"
AcctLogFileName /usr/local/radiator/radacct/usage.testingrealm
#RewriteUsername s/^([^@]+).*/$1/

Filename %D/testuser




The user file : 

bob12   User-Password = "forpccw",
Service-Type = Framed-User
Framed-Protocol = PPP,
Framed-IP-Address = 202.79.95.17,
Framed-IP-Netmask =
255.255.255.255,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-
Jacobson-TCP-IP

radpwtst logfile error:

Code:   Accounting-Request
Identifier: 67
Authentic:  }<163>kN$<220>T<150><142>U<188><193><183><245><234><15>
Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3

Wed Aug  1 19:11:00 2001: WARNING: Bad authenticator in request from DEFAULT
(203.63.154.1)

Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<163>N<220><236><150>y<14><238>k(<135>Fp73<140>"

Wed Aug  1 19:10:50 2001: DEBUG: Check if Handler Realm=.net.sg should
be used to handle this request
Wed Aug  1 19:10:50 2001: WARNING: Could not find a handler: request is
ignored
Wed Aug  1 19:10:55 2001: DEBUG: Packet dump:

Am I missing any commands or configuration to enable the authentication?

Janice



(RADIATOR) Authentication failing..........please help !!!

2001-07-25 Thread Imran Moin

Hi everyone,

I am new to the field of Radiator. We are in a process
of testing it for our needs. I am running into some
problems and any help to it would be greatly
appreciated.

I am sending  my radius.cfg file which is stored under
/usr/local/etc 
directory. I am also sending a copy of my users file,
which contains the default user "mikem" as well as a
newly created user by the name "moin". I have 
stored this file at both /etc/radiator and
/usr/local/etc directories. I did 
not change anything else from the initial config.
Please note that i have removed the IP address of our
client from the file and replaced it with "a.b.c.d"

The "radpwtst" command works 
properly and its output is

sending Access-Request...
OK
sending Accounting-Request Start...
OK
sending Accounting-Request Stop...
OK


As far as the hardware config is concerned, Its a
Linux box with Redhat on it, 
933 Mhz P III processor, 256 MB RAM, 35 GB hard disk,
etc.

Please take time to view the config and suggest
anything i need to change. Is there something that i
am overlooking.

U can also reach me at 303 735 4809. Thanks.

Imran.




# radius.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory and log accounting to a file in the current
# directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what its doing in great detail.
#
# You should consider this file to be a starting point only
# $Id: linux-radius.cfg,v 1.1 2001/05/17 05:33:34 mikem Exp mikem $

#Foreground
#LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   3

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
# THIS IS THE 5500 CLIENT- ATTEMPTING A NON-NAMESERVED ENTRY

Secret imran



Secret  mysecret
DupInterval 0




Filename %D/users

# Log accounting to a detail file
AcctLogFileName %L/detail




Filename %D/users

# Log accounting to a detail file
AcctLogFileName %L/detail



# users
# This is an example of how to set up simple user for
# AuthBy FILE.
# The example user mikem has a password of fred, and will
# receive reply attributes suitable for most NASs.
# You can do many more interesting things. See the reference
# manual at /usr/share/doc/Radiator-2.18.1/ref.html
#
# You can test this user with the command
#  radpwtst

mikem   Password=fred
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP

moin    Password=pete
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = None,
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IP




Re: (RADIATOR) Authentication Thru Radiator with system passwd file

2001-06-24 Thread jsajjad

Hi ,

I have got authentication successful by changing 'users' file
configuration and its path as well as radius.cfg's configuration and
its path.
Thanks for recommendations and assistance. 

Regards
Javaid Sajjad

On Sat, 23 Jun 2001, Hugh Irvine wrote:

> 
> Hello Javaid -
> 
> If you send me a copy of your configuration file (no secrets) 
> together with a trace 4 debug from Radiator, I will take a look.
> 
> regards
> 
> Hugh
> 
> 
> At 7:10 PM +0500 6/22/01, <[EMAIL PROTECTED]> wrote:
> >Hi,
> >
> >Thanx for that suggestion but it is not working- i think something should
> >be done with 'users' file in /src/local/etc/radddb in our case. So  any
> >changes are required for that file?
> >
> >
> >
> >On Fri, 22 Jun 2001, Hugh Irvine wrote:
> >
> >>
> >>  Hello Javaid -
> >>
> >>  >
> >>  >Hello !
> >>  >
> >>  >Would  you plese let me know how to configure Radiator's radius.cfg file
> >>  >for authentication through
> >>  >Linux default passwd file ie /etc/passwd which is in our case is flat
> >>  >one not shadow.Further more we
> >>  >want to authenticate from Livingston Access Server throu Radiator server
> >>  >which is on Linux 6.2 having
> >>  >flat passwd file.
> >>  >Any assistance will be highly appreciated .
> >>
> >>  You would simply specify an AuthBy UNIX clause, like this:
> >>
> >>  <AuthBy UNIX>
> >>      Filename /etc/passwd
> >>  </AuthBy>
> >>
> >>  Note that you will only be able to use PAP authentication with this setup.
> >>
> >>  regards
> >>
> >>  Hugh
> >>
> >>
> 
> 




Re: (RADIATOR) authentication through unix passwd file

2001-06-23 Thread Hugh Irvine


Hello Faisal -

At 11:41 AM +0500 6/23/01, Syed Faisal Qadri wrote:
>Hello Every body,
>
>I am unable to get authentication done through the radiator using the
>local flat passwd file, I am attaching my configuration file for
>reference.

As well as the configuration file, I will need to see a trace 4 debug 
from Radiator showing what is happening.

BTW you will not be able to use CHAP authentication with AuthBy UNIX.

regards

Hugh

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



(RADIATOR) authentication through unix passwd file

2001-06-22 Thread Syed Faisal Qadri

Hello Every body,

I am unable to get authentication done through the radiator using the
local flat passwd file, I am attaching my configuration file for
reference.


Regards,

Faisal Qadri.



 radius.cfg


Re: (RADIATOR) Authentication Thru Radiator with system passwd file

2001-06-22 Thread Mike McCauley


--- Forwarded mail from [EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Date: Fri, 22 Jun 2001 07:13:41 -0500
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from
[<[EMAIL PROTECTED]>]

>From [EMAIL PROTECTED] Fri Jun 22 07:13:41 2001
Received: from mail.cyberaccess.com.pk ([203.133.252.19])
by server1.open.com.au (8.11.0/8.11.0) with ESMTP id f5MCDaD27083;
Fri, 22 Jun 2001 07:13:37 -0500
Received: from localhost (jsajjad@localhost)
by mail.cyberaccess.com.pk (8.9.3/8.8.7) with ESMTP id TAA25183;
Fri, 22 Jun 2001 19:10:31 +0500
Date: Fri, 22 Jun 2001 19:10:31 +0500 (PKT)
From: <[EMAIL PROTECTED]>
To: Hugh Irvine <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Authentication Thru Radiator with system passwd file
In-Reply-To: <a04320401b758ee90c517@[10.17.64.33]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi,

Thanx for that suggestion but it is not working- i think something should
be done with 'users' file in /src/local/etc/radddb in our case. So  any
changes are required for that file?



On Fri, 22 Jun 2001, Hugh Irvine wrote:

>
> Hello Javaid -
>
> >
> >Hello !
> >
> >Would you please let me know how to configure Radiator's radius.cfg file
> >for authentication through the Linux default passwd file, i.e. /etc/passwd,
> >which in our case is a flat one, not shadow. Furthermore, we want to
> >authenticate from a Livingston Access Server through the Radiator server,
> >which is on Linux 6.2 with a flat passwd file.
> >Any assistance will be highly appreciated.
>
> You would simply specify an AuthBy UNIX clause, like this:
>
>   <AuthBy UNIX>
>   Filename /etc/passwd
>   </AuthBy>
>
> Note that you will only be able to use PAP authentication with this setup.
>
> regards
>
> Hugh
>
>




---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X



Re: (RADIATOR) Authentication Thru Radiator with system passwdfile

2001-06-22 Thread Hugh Irvine


Hello Javaid -

If you send me a copy of your configuration file (no secrets) 
together with a trace 4 debug from Radiator, I will take a look.

regards

Hugh


At 7:10 PM +0500 6/22/01, <[EMAIL PROTECTED]> wrote:
>Hi,
>
>Thanks for that suggestion, but it is not working. I think something should
>be done with the 'users' file in /src/local/etc/radddb in our case. So are any
>changes required for that file?
>
>
>
>On Fri, 22 Jun 2001, Hugh Irvine wrote:
>
>>
>>  Hello Javaid -
>>
>>  >
>>  >Hello !
>>  >
>>  >Would you please let me know how to configure Radiator's radius.cfg file
>>  >for authentication through the Linux default passwd file, i.e. /etc/passwd,
>>  >which in our case is a flat one, not shadow. Furthermore, we want to
>>  >authenticate from a Livingston Access Server through the Radiator server,
>>  >which is on Linux 6.2 with a flat passwd file.
>>  >Any assistance will be highly appreciated.
>>
>>  You would simply specify an AuthBy UNIX clause, like this:
>>
>>  <AuthBy UNIX>
>>  Filename /etc/passwd
>>  </AuthBy>
>>
>>  Note that you will only be able to use PAP authentication with this setup.
>>
>>  regards
>>
>>  Hugh
>>
>>

-- 

NB: I am travelling this week, so there may be delays in our correspondence.




Re: (RADIATOR) Authentication Thru Radiator with system passwdfile

2001-06-22 Thread Hugh Irvine


Hello Javaid -

>
>Hello !
>
>Would you please let me know how to configure Radiator's radius.cfg file
>for authentication through the Linux default passwd file, i.e. /etc/passwd,
>which in our case is a flat one, not shadow. Furthermore, we want to
>authenticate from a Livingston Access Server through the Radiator server,
>which is on Linux 6.2 with a flat passwd file.
>Any assistance will be highly appreciated.

You would simply specify an AuthBy UNIX clause, like this:

<AuthBy UNIX>
Filename /etc/passwd
</AuthBy>

Note that you will only be able to use PAP authentication with this setup.

regards

Hugh

-- 

NB: I am travelling this week, so there may be delays in our correspondence.




(RADIATOR) Authentication Thru Radiator with system passwd file

2001-06-22 Thread Mike McCauley


--- Forwarded mail from [EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Date: Fri, 22 Jun 2001 04:27:30 -0500
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Javaid
Sajjad <[EMAIL PROTECTED]>]

Date: Fri, 22 Jun 2001 16:18:17 +0500
From: Javaid Sajjad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Authentication Thru Radiator with system passwd file

Hello !

Would you please let me know how to configure Radiator's radius.cfg file
for authentication through the Linux default passwd file, i.e. /etc/passwd,
which in our case is a flat one, not shadow. Furthermore, we want to
authenticate from a Livingston Access Server through the Radiator server,
which is on Linux 6.2 with a flat passwd file.
Any assistance will be highly appreciated.

Regards
Javaid Sajjad





---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




Re: (RADIATOR) Authentication to NT Domain

2001-02-18 Thread Hugh Irvine


Hello Andrew -


>
>Hi there,
>
>I am having a problem with Radiator when passing authentication to NT Domain.
>However, the Radius authentication is operational when authenticating to a
>test file.

What platform are you running on? What hardware and what software? 
What version of Radiator? With what configuration file? And what does 
a trace 4 show?

When sending problem reports, please include all of the information 
listed above.

many thanks

Hugh

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) Authentication to NT Domain

2001-02-18 Thread Mike McCauley


--- Forwarded mail from [EMAIL PROTECTED]

Date: Mon, 19 Feb 2001 17:40:13 +1100 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from
[[EMAIL PROTECTED]]

From: [EMAIL PROTECTED]
Subject: Authentication to NT Domain
To: [EMAIL PROTECTED]
Date: Mon, 19 Feb 2001 17:18:17 +1100

Hi there,

I am having a problem with Radiator when passing authentication to NT Domain.
However, the Radius authentication is operational when authenticating to a
test file.

I would really appreciate your help !!!


Thanks

Andrew Charan




---End of forwarded mail from [EMAIL PROTECTED]

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955




Re: Fwd: (RADIATOR) Authentication problem

2000-11-02 Thread Nacho Paredes

Hello,

Everything works fine now.

Thanks for your support.


Mike McCauley wrote:
> 
> Hello Nacho,
> 
> Thanks for the detailed description of this problem.
> Basically the problem is this.
> The default configuration for LDAP2 is to reject empty passwords, as protection
> against a problem in the Perl LDAP module. This is causing CHAP access requests
> to be incorrectly rejected.
> 
> The fix is to download a new version of AuthLDAP2.pm from the 2.16.3 patches
> area.
> 
> We apologise for this problem. Thank you for reporting it to us.
> 
> Cheers.
> 

-- 

Ignacio Paredes   |  email: [EMAIL PROTECTED]
Eurocomercial |  Tfno: +34 91 4359687
Informatica y Comunicaciones  |  Fax: +34 91 4313240





Re: (RADIATOR) Authentication based on Calling-Station-ID

2000-10-31 Thread Hugh Irvine


Hello Lisa -

At 10:26 +0100 31/10/00, Lisa Goulet wrote:
>Hi All,
>
>I saw a posting from May about authentication based on Calling-Station-Id.
>There was a suggestion about creating a BLACKLIST etc.
>
>Are there any new features in the Radiator that enable this authentication
>directly?
>

No there aren't.

regards

Hugh
-- 
--



RE: (RADIATOR) Authentication based on Calling-Station-ID

2000-10-31 Thread Ingvar Berg (ERA)

This is what you can do if you authenticate using some LDAP variant:


# This will check Calling-Station_id against
# LDAP attribute mobile
Identifier Check-LDAP-mobile
Host ldap.your.domain
AuthDN cn=Directory Manager
AuthPassword some_password
BaseDN o=your_base
# Calling-Station-Id is used to search
# instead of UsernameAttr and PasswordAttr
SearchFilter (mobile=%{Calling-Station-Id})

NoDefaultIfFound



This will allow a user based on his registered "mobile" number.
If you include any of the PasswordAttibutes, the password is also checked,
otherwise you just get a couple of warnings at startup time.

/Ingvar

-Original Message-
From: Lisa Goulet [mailto:[EMAIL PROTECTED]]
Sent: den 31 oktober 2000 10:27
To: '[EMAIL PROTECTED] '
Subject: (RADIATOR) Authentication based on Calling-Station-ID



Hi All,

I saw a posting from May about authentication based on Calling-Station-Id.
There was a suggestion about creating a BLACKLIST etc.

Are there any new features in the Radiator that enable this authentication
directly?

Thanks,
Lsia




Re: Fwd: (RADIATOR) Authentication problem

2000-10-31 Thread Mike McCauley

Hello Nacho,

Thanks for the detailed description of this problem.
Basically the problem is this.
The default configuration for LDAP2 is to reject empty passwords, as protection
against a problem in the Perl LDAP module. This is causing CHAP access requests
to be incorrectly rejected.

The fix is to download a new version of AuthLDAP2.pm from the 2.16.3 patches
area.

We apologise for this problem. Thank you for reporting it to us.

Cheers.

> >Date: Mon, 30 Oct 2000 11:18:22 +
> >From: Nacho Paredes <[EMAIL PROTECTED]>
> >Organization: EICSA
> >To: [EMAIL PROTECTED]
> >Subject: (RADIATOR) Authentication problem
> >
> >This is really annoying me.
> >
> >I've already posted this, but I'm going to put it in a more
> >comprehensive way.
> >
> >We are using Radiator 2.16.3 + OpenLDAP + MySQL
> >We use LDAP for authentication and MySQL for IP allocation.
> >
> >This configuration works fine with radpwtst, the authentication is ok
> >and the IP allocation works fine. But when we try a dial-in access we
> >get the request rejected for an empty password. If we set up our ppp
> >client with the refuse-chap option, Radiator gets a User-Password
> >attribute (instead of CHAP-Password) and everything is ok.
> >
> >I include the config file and the log file with two accesses. The first
> >failed and the second successful.
> >
> >Thanks for your help
> >
> >* Configuration File ***
> >Foreground
> >LogStdout
> >LogDir  .
> >DbDir   /opt/servicios/RadSQL
> ># User a lower trace level in production systems:
> >Trace  4
> >
> >BindAddress yyy.yyy.yyy.98
> >
> ># Radius proxy
> >
> > Secret  xx
> >
> >
> ># Radius proxy
> >
> > Secret  xx
> >
> >
> ># You will probably want to change this to suit your site.
> >
> > Secret xx
> > DupInterval 0
> >
> >
> >
> > Identifier myallocator
> >
> > DBSource    dbi:mysql:radius:172.16.20.150
> > DBUsername  xxx
> > DBAuth  xxx
> >
> > 
> > Subnetmask  255.255.255.240
> > Range   xxx.xxx.xxx.98 xxx.xxx.xxx.126
> > 
> >
> >
> >
> > AuthByPolicy ContinueWhileAccept
> > RewriteUsername s/^([^@]+).*/$1/
> > 
> > Host 172.16.20.150
> > Port 389
> > AuthDN cn=x,car=x
> > AuthPassword xx
> > BaseDN rlm=pruebasql,car=xx
> > UsernameAttr uid
> > PasswordAttr userpassword
> > ReplyAttr replyitems
> > Debug 255
> > 
> > 
> > Allocator myallocator
> >
> > PoolHint %{Reply:PoolHint}
> >
> > MapAttribute   yiaddr, Framed-IP-Address
> > MapAttribute   subnetmask, Framed-IP-Netmask
> >
> > StripFromReply PoolHint
> > 
> >
> > MaxSessions 10
> > AcctLogFileName %L/detail-pruebasql
> >
> >
> >
> >Log File
> >Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
> >*** Received from aaa.aa.216.52 port 34071 
> >Code:   Access-Request  ---> FAILED ACCESS
> >Identifier: 5
> >Authentic:  <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
> >Attributes:
> > User-Name = "user2@pruebasql"
> > CHAP-Password = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"
> > NAS-Port = 528
> > Acct-Session-Id = "34538485"
> > USR-Interface-Index = 1784
> > Tunnel-Supports-Tags = 0
> > Service-Type = Framed-U

(RADIATOR) Authentication based on Calling-Station-ID

2000-10-31 Thread Lisa Goulet


Hi All,

I saw a posting from May about authentication based on Calling-Station-Id.
There was a suggestion about creating a BLACKLIST etc.

Are there any new features in the Radiator that enable this authentication
directly?

Thanks,
Lsia




(RADIATOR) Authentication problem

2000-10-30 Thread Nacho Paredes

This is really annoying me.

I've already posted this, but I'm going to put it in a more
comprehensive way.

We are using Radiator 2.16.3 + OpenLDAP + MySQL
We use LDAP for authentication and MySQL for IP allocation.

This configuration works fine with radpwtst, the authentication is ok
and the IP allocation works fine. But when we try a dial-in access we
get the request rejected for an empty password. If we set up our ppp
client with the refuse-chap option, Radiator gets a User-Password
attribute (instead of CHAP-Password) and everything is ok.

I include the config file and the log file with two accesses. The first
failed and the second successful.

Thanks for your help

* Configuration File ***
Foreground
LogStdout
LogDir  .
DbDir   /opt/servicios/RadSQL
# User a lower trace level in production systems:
Trace  4 

BindAddress yyy.yyy.yyy.98

# Radius proxy 

Secret  xx 


# Radius proxy 

Secret  xx 


# You will probably want to change this to suit your site.

Secret xx 
DupInterval 0



Identifier myallocator

DBSource    dbi:mysql:radius:172.16.20.150
DBUsername  xxx
DBAuth  xxx


Subnetmask  255.255.255.240
Range   xxx.xxx.xxx.98 xxx.xxx.xxx.126




AuthByPolicy ContinueWhileAccept
RewriteUsername s/^([^@]+).*/$1/

Host 172.16.20.150
Port 389
AuthDN cn=x,car=x
AuthPassword xx
BaseDN rlm=pruebasql,car=xx
UsernameAttr uid
PasswordAttr userpassword
ReplyAttr replyitems
Debug 255


Allocator myallocator

PoolHint %{Reply:PoolHint}

MapAttribute   yiaddr, Framed-IP-Address
MapAttribute   subnetmask, Framed-IP-Netmask

StripFromReply PoolHint


MaxSessions 10
AcctLogFileName %L/detail-pruebasql



Log File
Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
*** Received from aaa.aa.216.52 port 34071 
Code:   Access-Request  ---> FAILED ACCESS
Identifier: 5
Authentic:  <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
Attributes:
User-Name = "user2@pruebasql"
CHAP-Password = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"
NAS-Port = 528
Acct-Session-Id = "34538485"
USR-Interface-Index = 1784
Tunnel-Supports-Tags = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 3
Chassis-Call-Span = 1
Chassis-Call-Channel = 16
Connect-Speed = 300_BPS
Calling-Station-Id = "98519"
Called-Station-Id = "90166"
NAS-Port-Type = Async

Mon Oct 30 10:25:45 2000: DEBUG: Handling request with Handler
'Realm=pruebasql'
Mon Oct 30 10:25:45 2000: DEBUG: Rewrote user name to user2
Mon Oct 30 10:25:45 2000: DEBUG:  Deleting session for user2@pruebasql,
aaa.aa.216.52, 528
Mon Oct 30 10:25:45 2000: DEBUG: Handling with Radius::AuthLDAP2
Mon Oct 30 10:25:45 2000: DEBUG: Radius::AuthLDAP2 rejected user2
because of an empty password
Mon Oct 30 10:25:45 2000: INFO: Access rejected for user2: Empty
password
Mon Oct 30 10:25:45 2000: DEBUG: Packet dump:
*** Sending to aaa.aa.216.52 port 34071 
Code:   Access-Reject
Identifier: 5
Authentic:  <194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>
Attributes:
Port-Message = "Request Denied"

Mon Oct 30 10:27:43 2000: DEBUG: Packet dump:
*** Received from aaa.aa.216.52 port 34071 
Code:   Access-Request ->SUCCESSFUL
ACCESS
Identifier: 9
Authentic:  <3>-<179>d<31><254><231>s<6><211><134>6<247><236>H<29>
Attributes:
User-Name = "user2@pruebasql"
User-Password = "<208><233><128>#$[<18><22>#<176>EF$<157><254><202>"
NAS-Port = 534
Acct-Session-Id = "34931520"
USR-Interface-Index = 1790
Tunnel-Supports-Tags = 0
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 3
Chassis-Call-Span = 1
Chassis-Call-Channel = 22
Connect-Speed = 300_BPS
Calling-Station-Id = "98519"
Called-Station-Id = "90166"
NAS-Port-Type = Async

Mon Oct 30 10:27:43 2000: DEBUG: Handling request with Handler
'Realm=pruebasql'
Mon Oct 30 10:27:43 2000: DEBUG: Rewrote user name to user2
Mon Oct 30 10:27:43 2000: DEBUG:  Deleting session for user2@pruebasql,
aaa.aa.216.52, 534
Mon Oct 30 10:27:43 2000: DEBUG: Handling with Radius::AuthLDAP2
Mon Oct 30 10:27:43 2000: DEBUG: Connecting to bbb.bb.20.150, port 389
Mon Oct 30 10:27:46 2000: DEBUG: 
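
Added example (not part of the original posts and not Radiator code): a Python sketch of why the CHAP-Password request dumped above cannot be checked the way the User-Password request can, and why a hashed store such as /etc/passwd limits a server to PAP. The shared secret, password, salt and the SHA-256 stand-in for crypt(3) are constructed assumptions, and the `<decimal>` escape format is inferred from the dumps on this page.

```python
import hashlib
import hmac
import re

# Values copied from the failed Access-Request dump in this thread.
PAGE_AUTHENTICATOR = "<194><204><155>3<206><164>&<246><240>P<241><221>O~I<152>"
PAGE_CHAP_PASSWORD = "<3> <18>2-<133>P<15>Z<232><232>P<237><11>$ <191>"


def decode_trace_string(text: str) -> bytes:
    """Turn a trace-dump string into raw bytes.

    Assumption inferred from the dumps on this page: a non-printable octet
    is written as <decimal>, every other character stands for itself.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", text):
        value = int(m.group(1))
        if value > 255:
            continue  # not an octet escape, keep it as literal text
        out += text[pos:m.start()].encode("latin-1")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Check a RADIUS CHAP-Password (1 ident octet + 16 response octets).

    `stored` has to be the user's cleartext password. With no CHAP-Challenge
    attribute in the request, the challenge is the Request Authenticator
    (RFC 2865 section 5.3).
    """
    if len(chap_password) != 17 or not stored:
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(chap_password[1:], expected)


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does to User-Password (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return bytes(out)


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: undo the hiding and get the cleartext back."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way password hash such as crypt(3) in /etc/passwd."""
    return hashlib.sha256(salt + password).digest()


def demo() -> dict:
    # Constructed sample values, not taken from the page.
    secret, password, salt = b"constructed-secret", b"correct horse", b"ab"
    authenticator = decode_trace_string(PAGE_AUTHENTICATOR)
    stored_hash = one_way(password, salt)

    # PAP: the server recovers the cleartext and can hash it for comparison.
    hidden = pap_hide(password, secret, authenticator)
    recovered = pap_recover(hidden, secret, authenticator)
    pap_vs_hash = hmac.compare_digest(one_way(recovered, salt), stored_hash)

    # CHAP: only MD5(ident || password || challenge) arrives, never the password.
    chap_attr = bytes([3]) + chap_response(3, password, authenticator)
    return {
        "pap_against_hash": pap_vs_hash,
        "chap_against_cleartext": verify_chap(chap_attr, authenticator, password),
        "chap_against_hash": verify_chap(chap_attr, authenticator, stored_hash),
        "chap_against_empty": verify_chap(chap_attr, authenticator, b""),
    }


if __name__ == "__main__":
    print(demo())
```

A CHAP request carries no User-Password attribute at all, so any backend check that looks only at User-Password sees an empty value for it.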

Re: (RADIATOR) authentication

2000-08-25 Thread Hugh Irvine


Hello Jeremy -

On Sat, 26 Aug 2000, Jeremy Gault wrote:
> Hi,
> 
>   We've been using Radiator for some time now -- and it's great.
> But I have a couple of questions I wanted to throw out here on the list
> since I'm sure some other people have done these before (and know if it is
> possible or not.)
> 
> 
> 1.  Is it possible to limit logins by time of day?  As in, a user can
> only login between certain hours?  (I think this can be done -- there
> is something about it in our users file that a former admin put in
> there -- but I just want to make sure.)
> 

Yes - you would use the "Time = ..." check item. See section 13.1.11 in the
Radiator 2.16.3 reference manual.

> 2.  A more interesting question, is it possible to limit the total time
> used per month?  For example, after jdoe has been logged in for 75
> hours that month, he will be disconnected and can't login anymore?
> 

Yes, but you will need to use an SQL database and keep track of the time
remaining and return it in a Session-Timeout reply attribute. You will also
need a monthly cron (or similar) job to recharge the monthly accounts.

> 3.  Is it possible to authenticate users by Caller ID?
> 

Yes - by using the Calling-Station-Id and/or Called-Station-Id attributes. This
has been discussed on the list previously so have a look at the archive site:

http://www.starport.net/~radiator

>   Basically, this would be used in a VoIP setup.  Anyhow, if anyone
> has done this / knows if it can be done / how then please let me know.

regards

Hugh

-- 



(RADIATOR) authentication

2000-08-25 Thread Jeremy Gault

Hi,

We've been using Radiator for some time now -- and it's great.
But I have a couple of questions I wanted to throw out here on the list
since I'm sure some other people have done these before (and know if it is
possible or not.)


1.  Is it possible to limit logins by time of day?  As in, a user can
only login between certain hours?  (I think this can be done -- there
is something about it in our users file that a former admin put in
there -- but I just want to make sure.)

2.  A more interesting question, is it possible to limit the total time
used per month?  For example, after jdoe has been logged in for 75
hours that month, he will be disconnected and can't login anymore?

3.  Is it possible to authenticate users by Caller ID?

Basically, this would be used in a VoIP setup.  Anyhow, if anyone
has done this / knows if it can be done / how then please let me know.
Thanks.


Jeremy





RE: (RADIATOR) Authentication via MySQL

2000-06-12 Thread Mike Nerone

MySQL's PASSWORD() function uses a proprietary hash algorithm. Ms. Jung,
what you probably want to do instead (if you really want your passwords
encrypted), is to use MySQL's also-built-in ENCRYPT() function. It does a
Unix-crypt compatible hash.

  ... SET ENCRYPTEDPASSWORD = ENCRYPT("mypassword") ...

It takes an optional second argument to use as the SALT for the hash, but
you shouldn't need that. :)

HTH...

Mike Nerone <mailto:[EMAIL PROTECTED]>
Network Operations Manager
Internet Direct, Inc.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Hugh Irvine
> Sent: Thursday, 08 June 2000 1853
> To: Patricia Jung; [EMAIL PROTECTED]
> Subject: Re: (RADIATOR) Authentication via MySQL
>
>
>
> Hello Patricia -
>
> On Fri, 09 Jun 2000, Patricia Jung wrote:
> > Hi Hugh and all :)
> >
> > On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
> > >
> > > Curious. The trace shows that the Access-Request is being
> accepted, however the
> > > accounting requests are being rejected due to bad
> authenticators. Have you got
> > Exactly...
> >
> > > always accept a user if the password field is NULL. It
> appears from the
> > > configuration file above, that you are looking at the second
> field in the SQL
> > > response rather than the first. You might try this:
> > My fault: one should never quote configfiles while debugging ;)
> >
> > The final solution: The PASSWORD-column in the MySQL-database
> includes a
> > password that was created by the
> MySQL-password('passwordtext')-statement.
> > The radpwtst-password-option, however, was followed by the
> plain passwordtext.
> > Thus, the string "passwordtext" was compared with "07213ca6267303ce",
> > and this is obviously not the same...
> >
> > Therefore I wonder whether it is possible to use
> MySQL-password() at all?
> >
>
> What sort of encryption does MySQL-password(...) use?
>
> thanks
>
> Hugh
>





Re: (RADIATOR) Authentication via MySQL

2000-06-08 Thread Hugh Irvine


Hello Patricia -

On Fri, 09 Jun 2000, Patricia Jung wrote:
> Hi Hugh and all :)
> 
> On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
> > 
> > Curious. The trace shows that the Access-Request is being accepted, however the
> > accounting requests are being rejected due to bad authenticators. Have you got
> Exactly... 
> 
> > always accept a user if the password field is NULL. It appears from the
> > configuration file above, that you are looking at the second field in the SQL
> > response rather than the first. You might try this:
> My fault: one should never quote configfiles while debugging ;)
> 
> The final solution: The PASSWORD-column in the MySQL-database includes a 
> password that was created by the MySQL-password('passwordtext')-statement.
> The radpwtst-password-option, however, was followed by the plain passwordtext.
> Thus, the string "passwordtext" was compared with "07213ca6267303ce",
> and this is obviously not the same...
> 
> Therefore I wonder whether it is possible to use MySQL-password() at all?
> 

What sort of encryption does MySQL-password(...) use?

thanks

Hugh

-- 



Re: (RADIATOR) Authentication via MySQL

2000-06-08 Thread Patricia Jung

Hi Hugh and all :)

On Thu, Jun 08, 2000 at 09:03:54AM +1000, Hugh Irvine wrote:
> 
> Curious. The trace shows that the Access-Request is being accepted, however the
> accounting requests are being rejected due to bad authenticators. Have you got
Exactly... 

> always accept a user if the password field is NULL. It appears from the
> configuration file above, that you are looking at the second field in the SQL
> response rather than the first. You might try this:
My fault: one should never quote configfiles while debugging ;)

The final solution: The PASSWORD-column in the MySQL-database includes a 
password that was created by the MySQL-password('passwordtext')-statement.
The radpwtst-password-option, however, was followed by the plain passwordtext.
Thus, the string "passwordtext" was compared with "07213ca6267303ce",
and this is obviously not the same...

Therefore I wonder whether it is possible to use MySQL-password() at all?

Thanks for all the help :)

Patricia




Re: (RADIATOR) Authentication for ftpd

2000-06-07 Thread Hugh Irvine


Hello Tuncay -

On Thu, 08 Jun 2000, Tuncay MARGILIC wrote:
> 
> 
> 
> Hi there,
> 
> 
> I am planning to set up an ftp server that will handle 3k users. I heard that
> it is possible to make the authentication on radius, but I don't know how.
> Does anyone have information about it? Any documents or faq?
> 
> The Operating system will be Linux or Solaris.
> 

You can use PAM (pluggable authentication modules) to authenticate via RADIUS.

And here is a good place to start:

http://www.kernel.org/pub/linux/libs/pam/

hth

Hugh

-- 



Re: (RADIATOR) Authentication via MySQL

2000-06-07 Thread Hugh Irvine


Hello Patricia -

On Thu, 08 Jun 2000, Patricia Jung wrote:
> Hi,
> 
> I really hope you don't mind a maybe stupid question but it really eats 
> up my days... The question is: why hasn't my testuser the slightest chance
> of authentication?
> 
> I'm playing a bit with a MySQL database that later will include the users
> database, but currently only has one valid testuser, trish:
> 
> $ mysql -u  radiususer -p
> [...]
> mysql> use radius;
> mysql> select * from SUBSCRIBERS where USERNAME='trish';
> +----------+---------------+-------------------+
> | USERNAME | PASSWORD      | HOMEDIR           |
> +----------+---------------+-------------------+
> | trish    | 71e5e1e45222b | /local/home/trish |
> [...]
> 
> My radius.cfg looks like this:
> 
> Foreground
> LogStdout
> LogDir  /local/home/trish/Radiator-config
> DbDir   /local/home/trish/Radiator-config
> 
> FingerProg  /usr/bin/finger
> Trace 5
> 
> include %D/clients.cfg
> 
> 
> 
> DBSource    dbi:mysql:radius
> DBUsername  radiususer
> DBAuth  blafasel  
> 
> FailureBackoffTime  300
> 
> AuthSelect  select PASSWORD from SUBSCRIBERS where USERNAME='%n'
> 
> #AuthColumnDef  1, User-Password, check
> AuthColumnDef   1, Encrypted-Password, check
> 
> 
> 
> 
> 
> 
> When running radpwtst -user trish -password xyz (no matter whether xyz equals 
> the correct password or not), the debug output looks like this:
> 
> 
> Wed Jun  7 19:08:15 2000: INFO: Server started: Radiator 2.16
> Wed Jun  7 19:08:20 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 3981 
> 
> Packet length = 77
> [...]
> Code:   Access-Request
> Identifier: 125
> Authentic:  1234567890123456
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password = "<155><231>><207><195>=<4><246><188>8<9><160><216>}x<153>"
> 
> Wed Jun  7 19:08:20 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Jun  7 19:25:00 2000: DEBUG:  Deleting session for trish, 203.63.154.1, 1234
> Wed Jun  7 19:25:00 2000: DEBUG: Handling with Radius::AuthSQL
> Wed Jun  7 19:25:00 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where 
>USERNAME='trish'
> 
> Wed Jun  7 19:25:00 2000: DEBUG: Radius::AuthSQL looks for match with trish
> 
> Wed Jun  7 19:25:00 2000: DEBUG: Radius::AuthSQL ACCEPT:
> Wed Jun  7 19:25:00 2000: DEBUG: Access accepted for trish
> Wed Jun  7 19:25:00 2000: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 4018 
> Code:   Access-Accept
> Identifier: 105
> Authentic:  1234567890123456
> Attributes:
> 
> Wed Jun  7 19:25:00 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018 
> 
> Packet length = 67
> [...]
> Code:   Accounting-Request
> Identifier: 106
> Authentic:  <230><222>C{<146>pR<10><192><8><177><143>H<191><151><198>
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "1234"
> Acct-Status-Type = Start
> 
> Wed Jun  7 19:25:00 2000: WARNING: Bad authenticator in request from 127.0.0.1 
>(203.63.154.1)
> Wed Jun  7 19:25:05 2000: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 4018 
> 
> Packet length = 91
> [...]
> Code:   Accounting-Request
> Identifier: 107
> Authentic:  <254><167>o<234>)<143><198><179>X<231>?<138>y<194>0<202>
> Attributes:
> User-Name = "trish"
> Service-Type = Framed-User
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> NAS-Port-Type = Async
> Acct-Session-Id = "1234"
> Acct-Status-Type = Stop
> Acct-Delay-Time = 0
> Acct-Session-Time = 1000
> Acct-Input-Octets = 2
> Acct-Output-Octets = 3
> 
> Wed Jun  7 19:25:05 2000: WARNING: Bad authenticator in request from 127.0.0.1 
>(203.63.154.1)
> 
> 

Curious. The trace shows that the Access-Request is being accepted, however the
accounting requests are being rejected due to bad authenticators. Have you got
a correct Client entry for localhost (127.0.0.1)? And AuthBy SQL will only
always accept a user if the password field is NULL. It appears from the
configuration file above, that you are looking at the second field in the SQL
response rather than the first. You might try this:

Replace this:

> AuthColumnDef   1, Encrypted-Password, check

with this:

AuthColumnDef   0, Encrypted-Password, check

And you will need Encrypted-Password if the password field is indeed encrypted.

hth

Hugh
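
The column-number problem discussed in this reply, as a simplified model added here (not Radiator's code and not part of the original post): a check-item column number that points past the single column returned by the select leaves no password check item, and a verifier that fails open then accepts any password. Assumptions: the fail-open rule itself, SHA-256 as a stand-in for the Encrypted-Password hash, and the hypothetical names `pw_hash`, `make_db`, `check_items`, `authenticate` and `fail_closed`.

```python
import hashlib
import hmac
import sqlite3

def pw_hash(password):
    # Stand-in for the crypt() hash behind Encrypted-Password (assumption).
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed table mirroring the SUBSCRIBERS columns shown in the post.
    db = sqlite3.connect(":memory:")
    db.execute("create table SUBSCRIBERS (USERNAME text, PASSWORD text, HOMEDIR text)")
    db.execute("insert into SUBSCRIBERS values (?, ?, ?)",
               ("trish", pw_hash("correct-pw"), "/local/home/trish"))
    return db

def check_items(row, column_defs):
    """Turn (column number, attribute) pairs into check items; numbering starts at 0."""
    items = {}
    for column, attribute in column_defs:
        if column < len(row) and row[column] is not None:
            items[attribute] = row[column]
    return items

def authenticate(db, user, password, column_defs, fail_closed=False):
    # Bound parameter instead of the '%n' text substitution used in AuthSelect.
    row = db.execute("select PASSWORD from SUBSCRIBERS where USERNAME=?",
                     (user,)).fetchone()
    if row is None:
        return False
    stored = check_items(row, column_defs).get("Encrypted-Password")
    if stored is None:
        # No password check item: the fail-open path accepts any password.
        return not fail_closed
    return hmac.compare_digest(stored, pw_hash(password))

COLUMN_1 = [(1, "Encrypted-Password")]  # as posted: past the single result column
COLUMN_0 = [(0, "Encrypted-Password")]  # as suggested in the reply

if __name__ == "__main__":
    db = make_db()
    print("column 1, wrong password:", authenticate(db, "trish", "xyz", COLUMN_1))
    print("column 0, wrong password:", authenticate(db, "trish", "xyz", COLUMN_0))
    print("column 0, right password:", authenticate(db, "trish", "correct-pw", COLUMN_0))
    print("column 1, fail closed:", authenticate(db, "trish", "correct-pw", COLUMN_1, True))
```

With `fail_closed=True` the misconfigured column number rejects every login, so the error surfaces on the first test instead of passing silently.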



(RADIATOR) Authentication for ftpd

2000-06-07 Thread Tuncay MARGILIC

Hi there,



I am planning to set up an ftp server that will handle 3k users. I heard that it is possible to make the authentication on radius, but I don't know how. Does anyone have information about it? Any documents or FAQ?

The Operating system will be Linux or Solaris.



Tuncay Margilic





(RADIATOR) Authentication via MySQL

2000-06-07 Thread Patricia Jung

Hi,

I really hope you don't mind a maybe stupid question but it really eats 
up my days... The question is: why hasn't my testuser the slightest chance
of authentication?

I'm playing a bit with a MySQL database that later will include the users
database, but currently only has one valid testuser, trish:

$ mysql -u  radiususer -p
[...]
mysql> use radius;
mysql> select * from SUBSCRIBERS where USERNAME='trish';
+----------+---------------+-------------------+
| USERNAME | PASSWORD      | HOMEDIR           |
+----------+---------------+-------------------+
| trish    | 71e5e1e45222b | /local/home/trish |
[...]

My radius.cfg looks like this:

Foreground
LogStdout
LogDir  /local/home/trish/Radiator-config
DbDir   /local/home/trish/Radiator-config

FingerProg  /usr/bin/finger
Trace 5

include %D/clients.cfg



<Realm DEFAULT>
<AuthBy SQL>
DBSource    dbi:mysql:radius
DBUsername  radiususer
DBAuth      blafasel

FailureBackoffTime  300

AuthSelect  select PASSWORD from SUBSCRIBERS where USERNAME='%n'

#AuthColumnDef  1, User-Password, check
AuthColumnDef   1, Encrypted-Password, check
</AuthBy>
</Realm>






When running radpwtst -user trish -password xyz (no matter whether xyz equals 
the correct password or not), the debug output looks like this:


Wed Jun  7 19:08:15 2000: INFO: Server started: Radiator 2.16
Wed Jun  7 19:08:20 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3981 

Packet length = 77
[...]
Code:   Access-Request
Identifier: 125
Authentic:  1234567890123456
Attributes:
User-Name = "trish"
Service-Type = Framed-User
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<155><231>><207><195>=<4><246><188>8<9><160><216>}x<153>"

Wed Jun  7 19:08:20 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Jun  7 19:25:00 2000: DEBUG:  Deleting session for trish, 203.63.154.1, 1234
Wed Jun  7 19:25:00 2000: DEBUG: Handling with Radius::AuthSQL
Wed Jun  7 19:25:00 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where 
USERNAME='trish'

Wed Jun  7 19:25:00 2000: DEBUG: Radius::AuthSQL looks for match with trish

Wed Jun  7 19:25:00 2000: DEBUG: Radius::AuthSQL ACCEPT:
Wed Jun  7 19:25:00 2000: DEBUG: Access accepted for trish
Wed Jun  7 19:25:00 2000: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 4018 
Code:   Access-Accept
Identifier: 105
Authentic:  1234567890123456
Attributes:

Wed Jun  7 19:25:00 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4018 

Packet length = 67
[...]
Code:   Accounting-Request
Identifier: 106
Authentic:  <230><222>C{<146>pR<10><192><8><177><143>H<191><151><198>
Attributes:
User-Name = "trish"
Service-Type = Framed-User
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start

Wed Jun  7 19:25:00 2000: WARNING: Bad authenticator in request from 127.0.0.1 
(203.63.154.1)
Wed Jun  7 19:25:05 2000: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 4018 

Packet length = 91
[...]
Code:   Accounting-Request
Identifier: 107
Authentic:  <254><167>o<234>)<143><198><179>X<231>?<138>y<194>0<202>
Attributes:
User-Name = "trish"
Service-Type = Framed-User
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3

Wed Jun  7 19:25:05 2000: WARNING: Bad authenticator in request from 127.0.0.1 
(203.63.154.1)



@row in AuthSQL.pm's sub findUser gets the correct PASSWORD from the database,
thus, the problem should have to do with comparing. I tried both,
Encrypted-Password, and User-Password, without success, just to make sure. 

Any hints where I should see next?


Thanks a lot

Patricia
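
The check behind the "Bad authenticator" warnings in the trace above, as an added example that is not part of the original post: per RFC 2866 an Accounting-Request authenticator is an MD5 over the packet and the shared secret, so a sender and server holding different secrets fail this check, while the Access-Request only carries a hidden password (RFC 2865) that decodes to garbage. The secrets and packet contents are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code, RFC 2866

def attr(type_code, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([type_code, len(value) + 2]) + value

def acct_authenticator(ident, attrs, secret):
    """RFC 2866: MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs

def verify_accounting_request(packet, secret):
    """Server-side check; False corresponds to the 'Bad authenticator' warning."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = acct_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def xor_user_password(data, secret, request_auth, hide):
    """RFC 2865 User-Password hiding (hide=True) or recovery (hide=False)."""
    if hide:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\0")

# Constructed sample values; the secrets are placeholders, not from the thread.
CLIENT_SECRET, SERVER_SECRET = b"client-secret", b"server-secret"
ATTRS = attr(1, b"trish") + attr(40, struct.pack("!I", 1)) + attr(44, b"1234")
REQUEST_AUTH = b"1234567890123456"  # 16 octets, as shown in the trace

if __name__ == "__main__":
    pkt = build_accounting_request(106, ATTRS, CLIENT_SECRET)
    print("same secret:", verify_accounting_request(pkt, CLIENT_SECRET))
    print("other secret:", verify_accounting_request(pkt, SERVER_SECRET))
    hidden = xor_user_password(b"xyz", CLIENT_SECRET, REQUEST_AUTH, hide=True)
    print("decoded with other secret:",
          xor_user_password(hidden, SERVER_SECRET, REQUEST_AUTH, hide=False))
```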




RE: (RADIATOR) Authentication through MySQL database

2000-04-21 Thread Hugh Irvine


Hello Tuncay -

On Fri, 21 Apr 2000, Tuncay MARGILIC wrote:
> 
> Hello,
> 
> I am planning to add TNT Max boxes to my network. I still have Cisco 5300 on
> the network. The question is how can I go on checking the simultaneous use of
> the users. Max-User is set to 1 and I check (Radiator does) the 5300 box
> with SNMP but the TNT boxes have to be used with finger. What should I do?
> Is there any way like creating a client table on radius database and give the
> attributes of each NAS and make the radiator use different types of user
> availability checking. Or make the TNT boxes accessible via SNMP (But the
> vendor ID's are different)
> 

Radiator already has support for mixed NAS environments. You simply specify
NasType with each of your Client definitions:


NasType Cisco
Secret 
.



NasType Ascend  # or NasType AscendSNMP
Secret 
.


Have a look at section 6.4.5 in the Radiator 2.15 reference manual.

hth

Hugh
