(RADIATOR) Re: Multiple radius servers RADONLINE table
Hello Gordon -

As far as I can see, your configuration is correct. Do the AcctSQL and AuthSQL clauses operate correctly? And could you please send me a trace 4 debug showing what is happening?

thanks

Hugh

On Wed, 30 Jan 2002 08:10, Gordon Smith wrote:
> Hi Hugh,
>
> I'm setting up 2 radius servers that talk to a backend database (MySQL) on a separate box. Problem is, for some reason the local RADONLINE table is updated, which I don't want, as the user can be processed by either radius server. I want the sessions to be checked against the backend DB, which I thought was configured with the SessionDatabase attribute. Can you shed some light on this for me? The goal is to have both front end servers checking the back end radonline table for enforcing simultaneous use policies.
>
> Cheers,
> Gordon
>
> This is the relevant config:
>
> <AuthBy SQL>
>     Identifier AcctSQL
>     DBSource dbi:mysql:radmin:d3.morenet.net.nz
>     DBUsername
>     DBAuth zz
>     AuthSelect
>     AccountingTable RADUSAGE
>     AcctColumnDef USERNAME,User-Name
>     AcctColumnDef TIME_STAMP,Timestamp,integer
>     AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>     AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>     AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>     AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>     AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>     AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>     AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>     AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>     AcctColumnDef NASIDENTIFIER,NAS-IP-Address
>     AcctColumnDef NASPORT,NAS-Port,integer
>     AcctColumnDef DNIS,Called-Station-Id
>     AcctColumnDef CALLERID,Calling-Station-Id
> </AuthBy>
>
> <AuthBy RADMIN>
>     Identifier AuthSQL
>     DBSource dbi:mysql:radmin
>     DBUsername xxx
>     DBAuth zzz
>     AddToReply \
>         Framed-Protocol = PPP,\
>         Framed-IP-Netmask = 255.255.255.255,\
>         Framed-Routing = None,\
>         Framed-MTU = 1500,\
>         Framed-Compression = Van-Jacobson-TCP-IP,\
>         Service-Type = Framed-User,\
>         Session-Timeout = 14400,\
>         Idle-Timeout = 900,\
>         Ascend-Client-Primary-DNS = 210.185.31.4,\
>         Ascend-Client-Secondary-DNS = 210.185.31.5
> </AuthBy>
>
> <SessionDatabase SQL>
>     Identifier SessSQL
>     DBSource dbi:mysql:radmin:d3.morenet.net.nz
>     DBUsername xxx
>     DBAuth zzz
> </SessionDatabase>
>
> <AuthLog SQL>
>     Identifier logAuth
>     DBSource dbi:mysql:radmin:d3.morenet.net.nz
>     DBUsername radmin
>     DBAuth radminpw
>     Table AUTH_LOG
>     LogSuccess 0
>     LogFailure 1
>     SuccessQuery INSERT INTO AUTH_LOG \
>         (ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
>         VALUES \
>         ('OK','%t','%n','%0','%1')
>     FailureQuery INSERT INTO AUTH_LOG \
>         (ACCESS_OK,TIME_STAMP,USERNAME,SEVERITY,REASON) \
>         VALUES \
>         ('NO','%t','%n','%0','%1')
> </AuthLog>
>
> <Realm infogen.net.nz>
>     AuthByPolicy ContinueAlways
>     AuthBy AcctSQL
>     AuthBy AuthSQL
>     AuthLog logAuth
>     SessionDatabase SessSQL
> </Realm>
>
> <Realm morenet.net.nz>
>     AuthByPolicy ContinueAlways
>     AuthBy AcctSQL
>     AuthBy AuthSQL
>     AuthLog logAuth
>     SessionDatabase SessSQL
> </Realm>

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

(RADIATOR) Re: Radius packet or server attack protection.
Hello Balgaa -

On Mon, 28 Jan 2002 21:16, User BALGAA System Engineer wrote:
> Hugh,
>
> Some of our dial-up users complain about someone using their username and password. How can I secure and protect from such attacks and hacking? Now Radiator AAA server (2.19) and NAS's (AS5300,AS5400,Ascend MAX 4060) same subnet.

If the customers are always calling from the same telephone number, you can use a Calling-Station-Id check item. Here is an example:

    someuser Calling-Station-Id = , Password = .. ...

This user would then only be able to connect from .

regards

Hugh

(RADIATOR) Re: broken radius packet
Hello Dan -

On Tue, 29 Jan 2002 13:37, Dan Lee Dimke, Ph.D. wrote:
> Radiator is an amazing program - fast, reliable, and powerful. It appears to handle just about anything that is thrown at it.

Thanks for the kind words.

> However, I'm getting an error that I have been unable to find a solution for in any of the email archives. It is:
>
> ERR: Attribute number 9 (vendor 2233623) is not defined in your dictionary
>
> I am using the standard dictionary. However, I am unable to find any reference to this vendor number in any of the other dictionaries that are provided with Radiator. Is there a dictionary reference that you might recommend that I copy into the main dictionary to accommodate this?

This looks very much like a broken radius packet. Could you please send me a trace 5 debug from Radiator showing the hex dump of one of these packets, and could you also tell me what NAS is sending it?

thanks

Hugh

Re: Fwd: (RADIATOR) Re: SQLRADIUS questions
Hi Sam,

-- Forwarded Message --
Subject: (RADIATOR) Re: SQLRADIUS questions
Date: Wed, 23 Jan 2002 10:10:37 -0800
From: Sam Nilsson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

> This does help quite a bit. Are you saying that I can use the FailureBackoffTime parameter in an AuthBy SQLRADIUS clause to indicate how long to mark the SQL connection unavailable?

Yes. Any clause that has an SQL interface accepts FailureBackoffTime (which defaults to 600 seconds).

> In this case, can i set it to 0 to always attempt to contact the SQL server?

Yes, but I would only do this if the SQL server is typically down/uncontactable only for very short periods of time.

> Can i also use Retries and RetryTimeout as parameters to control the SQL connection attempts?

No, Retries and RetryTimeout are to do with proxying: how many times a packet will be retransmitted to the selected host, and the timeout between retransmissions. There is however a Timeout parameter that all SQL clauses take that specifies how long to wait for a dead/slow SQL connection.

> I'm using mysql although i guess that doesn't matter.

Correct.

> The documentation for radiator is excellent, but it is also difficult to fully document something that is so flexible and full featured.

Thanks for your understanding. We are happy to receive suggestions for improvement at any time.

Cheers.

> Thanks for your help.
>
> - Sam
>
> Mike McCauley wrote:
> > FailureBackoffTime for a host is not used in AuthBy SQLRADIUS. It is only the results of the SQL query that determine which host to use. One way it could decide there are no working hosts would be if the connection to the SQL database failed. Radiator would then assume there were no available hosts until the FailureBackoffTime of the AuthBy SQLRADIUS (as opposed to a host) expired and the SQL connection was reestablished. You can alter this policy by providing one or more hardwired Host clause inside the AuthBy SQLRADIUS. They will be consulted if the SQL connection fails.
> >
> > Hope that helps, but please let me know if not.
> >
> > Cheers.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X

(RADIATOR) Re: SNMP software for Simultaneous-Use attribute
Hugh:

I made a mistake. The version I have not been able to get is for Windows. The URL you sent me is for Linux.

'Tunde Ogedengbe
Linkserve Limited
Plot 308, Adeola Odeku Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]; Mike McCauley [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, January 22, 2002 1:51 AM
Subject: Re: SNMP software for Simultaneous-Use attribute

Hello 'Tunde -

You should use the NET-SNMP package available from Sourceforge.

http://sourceforge.net/projects/net-snmp/

regards

Hugh

On Tue, 22 Jan 2002 01:20, 'Tunde Ogedengbe wrote:
> Help
>
> I need help from anyone using RADIATOR on Linux. We have not been able to implement Simultaneous-Use successfully because of our inability to obtain install a Linux-based SNMP software. Can anyone help pls?
>
> 'Tunde

(RADIATOR) Re: Fwd: Re(2): Radiator Evaluation Request
Hello Alan,

On Wed, 9 Jan 2002 10:38, Joanne Davis wrote:
> Received: from niaws.magnet.mt ([217.30.97.15]) by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g08BwB331598 for [EMAIL PROTECTED]; Tue, 8 Jan 2002 05:58:11 -0600
> X-Map-MIXER-Originators: false
> To: Joanne Davis [EMAIL PROTECTED]
> From: Attard Alan at MITTS [EMAIL PROTECTED]
> Date: 8 Jan 2002 14:41:00 +0100
> Subject: Re(2): Radiator Evaluation Request
> Envelope-ID: [EMAIL PROTECTED]
> X-Mailer: TeamWARE Connector for MIME
>
> Hi Joanne,
>
> We have just started testing Radiator in our testing setup. Please find attached our proposed setup. We currently have the same setup, but using Microsoft IAS as our Radius Server.
>
> We have managed to authenticate using Radiator with Microsoft Active Directory with a very basic configuration, but we still need lots of configuration.
>
> Our Active Directory users reside in different OU's according to their site, eg.
>
>     CN=user1,OU=site1,DC=isp,DC=mitts,DC=net
>     CN=user2,OU=site2,DC=isp,DC=mitts,DC=net
>
> We have different Groups assigned to the users to specify different Policy, eg.
>
>     GROUP-FullTimeHTTP gives 24hr access
>     GROUP-AfternoonHTTP gives access from 12:00 to 20:00
>
> We still didn't figure out how to assign these different policies in our configuration file.
>
> We need to disable multiple login (we are testing sessions with MS-SQL 2000)
>
> Can you please send us an example configuration file which reflects our needs.
>
> Regards,

The usual way to do something like that is to have an intermediate AuthBy FILE that specifies the additional check items, something like this (untested and incomplete)

    # This is the real authenticator. It is able to check groups
    <AuthBy whatever>
        Identifier real_authenticator
        ...
    </AuthBy>

    <Realm DEFAULT>
        <AuthBy FILE>
            Filename whatever
        </AuthBy>
    </Realm>

And in the file specified in the AuthBy FILE, you would have something like this:

    DEFAULT Auth-Type=real_authenticator, Group=FullTimeHTTP

    DEFAULT Auth-Type=real_authenticator, Group=AfternoonHTTP, Time=Al1200-2000
    .

Cheers.

> Alan

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd

Re: (RADIATOR) Re: SORRY: bug on 2.19-1?
Hello Utku -

You can use DBD::ODBC and a commercial ODBC driver, or you can use DBD::ODBC-Proxy, or you can run a copy of Radiator on the MS box and proxy the relevant radius packets directly to it. This topic has been discussed on the list many times so check the archive site and do a search.

www.open.com.au/archives/radiator

regards

Hugh

On Thu, 10 Jan 2002 22:26, Utku Er wrote:
> Well, I realize that dbdimp.c is not a radiator file. I see this is a bug with freetds_dbd which causes Radiator to hang up... But still is there any other way to use Radiator to connect to an sql server on windows? I do not like sybasefreetds. You guys at open consultants working on this?
>
> thanks,
> Utku.
>
> - Original Message -
> From: Utku Er
> To: [EMAIL PROTECTED]
> Sent: Thursday, January 10, 2002 12:51 PM
> Subject: bug on 2.19-1?
>
> Hi,
>
> I was testing the radiator 2.19-1(licensed) on redhat latest. Installed from an RPM I am using auth by SQL and using sybase freeTDS to connect. I started it in my shell and run a test with radpwtst. Radiator stopped working with error like below. trace 6 debug is below of that.
>
> can anybody tell what is going on here? I know radiator stopped before but I saw the error this time... is the problem database connectivity or radius?
>
> by the way, is there any enhancements on radiator to connect a sql database on windows? should we still use sybaseTDS which is not preferred thing to do...
>
> thanks,
> Utku.
>
> error message---
> root#radpwtst -secret r1dk2y -auth_port 1812 -acct_port 1813 -user erutku -password xx
> sending Access-Request...
> dbdimp.c:652: Unhandled type 0x79
> No reply
> sending Accounting-Request Start...
> No reply
> sending Accounting-Request Stop...
> No reply
>
> ---debug--- it was running ok
> Thu Jan 10 12:12:15 2002: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 59498
> Packet length = 92
> 01 e1 00 5c 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 08 65 72 75 74 6b 75 06 06 00 00
> 00 02 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b
> 31 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35
> 34 33 32 31 3d 06 00 00 00 00 02 12 df aa be e0
> a4 6e 39 97 e1 c6 68 fc 38 bd a9 62
> Code: Access-Request
> Identifier: 225
> Authentic: 1234567890123456
> Attributes:
>     User-Name = erutku
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Port = 1234
>     Called-Station-Id = 123456789
>     Calling-Station-Id = 987654321
>     NAS-Port-Type = Async
>     User-Password = 223170190224164n9151225198h2528189169b
> Thu Jan 10 12:12:15 2002: DEBUG: Check if Handler cisco-avpair=protocol=vpdn should be used to handle this request
> Thu Jan 10 12:12:15 2002: DEBUG: Check if Handler Realm=/[a-zA-Z0-9]/ should be used to handle this request
> Thu Jan 10 12:12:15 2002: DEBUG: Check if Handler DEFAULT_HANDLER should be used to handle this request
> Thu Jan 10 12:12:15 2002: DEBUG: Handling request with Handler 'DEFAULT_HANDLER'
> Thu Jan 10 12:12:15 2002: DEBUG: SdbSQL_WoutRealm Deleting session for erutku, 203.63.154.1, 1234
> Thu Jan 10 12:12:15 2002: DEBUG: do query is: delete from AAA_SESSIONTABLE where NASIDENTIFIER='203.63.154.1' and NASPORT=012 34
> Thu Jan 10 12:12:15 2002: DEBUG: Handling with Radius::AuthSQL
> Thu Jan 10 12:12:15 2002: DEBUG: Handling with Radius::AuthSQL: CheckBySQL_WoutRealm
> Thu Jan 10 12:12:15 2002: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from AAA_USERAUTH where USERNAME='erutku'
> Thu Jan 10 12:12:16 2002: DEBUG: Radius::AuthSQL looks for match with erutku
> Thu Jan 10 12:12:16 2002: DEBUG: Query is: select NASIDENTIFIER, NASPORT, ACCTSESSIONID from AAA_SESSIONTABLE where USERNAME= 'erutku' and REALM=''
> Thu Jan 10 12:12:36 2002: INFO: Server started: Radiator 2.19 on etrn
>
> and the beat goes on

(RADIATOR) Re: duplicate entries for accounting ( Radiator radius)
Hello Eapen -

On Fri, 11 Jan 2002 05:06, Eapen Joseph wrote:
> Dear Hugh,
>
> I get a lot of Duplicate entries for accounting. A part of the log file for the case is given below.
>
> Thu Jan 10 18:16:09 2002: ERR: do failed for 'insert into Q8ACCOUNTINGTABLE6 (USERNAME, CALLDATE1, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTI ME, ACCTTERMINATECAUSE, NASIDENTIFIER, NASPORT, CLIENTIPADDRESS) values ('64453215', '2002 01 10 18:16:03', 2, 6, 561296, 3094424, '020110.172641.022183', 2767, 'User-Request', '195.39.142 .22', 108, '62.150.38.14')': Duplicate entry '64453215-2002-01-10 18:16:03' for key 1
> Thu Jan 10 18:16:09 2002: ERR: do failed for 'insert into Q8ACCOUNTINGTABLE6 (USERNAME, CALLDATE1, ACCTSTATUSTYPE, ACCTDELAYTIME, ACCTINPUTOCTETS, ACCTOUTPUTOCTETS, ACCTSESSIONID, ACCTSESSIONTI ME, ACCTTERMINATECAUSE, NASIDENTIFIER, NASPORT, CLIENTIPADDRESS) values ('64453215', '2002 01 10 18:16:03', 2, 6, 561296, 3094424, '020110.172641.022183', 2767, 'User-Request', '195.39.142 .22', 108, '62.150.38.14')': Duplicate entry '64453215-2002-01-10 18:16:03' for key 1
> Thu Jan 10 18:21:37 2002: ERR: do failed for 'insert into Q8ACCOUNTINGTABLE6
>
> The Dupinterval in the radiator configuration file is set to 3. On the access-server the configuration is set in such a way so as to send 4(retry_count) accounting packets at a retry_interval of 6 seconds. we also tried changing the Dupinterval to a value greater than 6 so that the second accounting packet send by the access-server is considered as a Duplicate by the radiator.
>
> Is it because the access-server is not receiving an ack from the radiator for the accounting packet?

You are correct - if the NAS does not receive an accounting response for an accounting packet, it will resend the packet according to the timeout and retries as configured on the NAS. There are a couple of other possible causes such as Radiator not sending an accounting response or the NAS having a software bug.

The best way to check is first of all to look at a trace 4 debug from Radiator to verify that the accounting response is being sent, and if it is then do a debug on the NAS to see what is happening there. If Radiator is sending the accounting response and the NAS is not receiving it, it may be because of saturated links, routing problems or packet filters dropping the packets.

hth

Hugh

(RADIATOR) Re: status Radiator@rdc
Hello Laurens -

On Mon, 7 Jan 2002 09:08, Laurens Thissen wrote:
> Hello Hugh and Mike,
>
> Last week we decided to split the function of our Radius system as follows:
> - 2 radiator daemon's on 2 separate machines, one for KPN Telecom IP Dial and one for Versatel VPOP
> - 2 separate machines for the DB; one master and one slave with continuous replication.
>
> We are considering now which OS and which DB. The choice is between:
> OS: SUN Solaris or Linux
> DB: mysql or db2
>
> When you have any advice concerning a specific combination, please let me know. Thanks in advance.

We have many customers using both SUN Solaris and Linux, and many customers also using MySQL (not many using DB2 as far as I am aware). The decision about what to use really depends on what you are most comfortable with in terms of vendor support and so on.

regards

Hugh

(RADIATOR) Re: Fwd: Huge memory usage
Hi Romain -

First of all, I wish you a Happy New Year!

Thanks for sending the files (how I love them!! :).

I can't see anything wrong with what you have configured nor can I see anything wrong with the trace file. However, this is the second report of a similar problem in the last month or so, so we would like to investigate further. It would be very helpful if you could send us what version of Linux kernel you are using, what version of MySQL, and copies of top and ps from the following: immediately after booting the machine, immediately after starting Radiator, after one day of Radiator running continuously, then after stopping Radiator.

As a general comment, if the memory usage does not drop after stopping Radiator, it follows that the memory being used must be in kernel space not user space, so this may be a kernel bug.

thanks for your assistance

See you,

Hugues

> I use 2 radiator servers (2.18.2) on slackware 8.0 with MySQL, the first one has a proxy and a radius daemon and the other is a simple radius server. The proxy receive about 12000 requests/day. I noticed that the machine with the proxy consumes a lot of memory (90% of the 512Mo available), only 66% for the other. In fact, after a reboot, the usage is about 20% and slowly increase to 90% after one day. Restarting radiator doesn't reduce the amount of memory consumed. Is it normal ? Maybe the problem is in my config files... or it could be MySQL, I don't know... I planned to use 'CachePasswords' and it seems to be impossible now.
>
> Attached files are my config files with no secrets and the level 4 trace of the proxy (just the way you like them, Hugh :)
>
> Thanks

(RADIATOR) Re: Dynamic Authentication / Proxying
Hello Alex -

On Fri, 4 Jan 2002 08:40, Alex Fritz wrote:
> Hey guys,
>
> This is going to be a strange one. The company we are setting up a radius server for has to have the ability to do a sort of dynamic authentication. Let's say they have a user from [EMAIL PROTECTED] and they want to do AuthBy SQL authentication, but if the person doesn't exist in the database then they should be passed through to another server. They shouldn't be passed through if they fail authentication.

You should be able to do this with an AuthByPolicy of ContinueWhileAccept, something like this:

    # define AuthBy SQL
    <AuthBy SQL>
        Identifier CheckDatabase
        .
        NoDefaultIfFound
        .
    </AuthBy>

    # define AuthBy RADIUS
    <AuthBy RADIUS>
        Identifier ForwardToProxy
        ..
    </AuthBy>

    # define Handlers
    <Handler User-Name = /^prefix\-/, Realm = domain.com>
        AuthBy ForwardToProxy
        .
    </Handler>

    <Handler Realm = domain.com>
        AuthByPolicy ContinueWhileAccept
        AuthBy CheckDatabase
        AuthBy ForwardToProxy
        .
    </Handler>

You will also need an entry in the SQL database for a DEFAULT user:

    DEFAULT Auth-Type = Accept

> They also need the capability to do what they call Prefix Realms. If a user is [EMAIL PROTECTED] then he should be passed through and [EMAIL PROTECTED] shouldn't be.

See the example above.

> I have a feeling that with these there will need to be either some sort of custom AuthBy module or a Hook. If that is correct, then let me know, but what would be really helpful would be if somebody already has a script that will do this or even something similar. Thanks for your time. It's really appreciated.

You shouldn't need any custom code with the above configuration.

regards

Hugh

(RADIATOR) Re: Missing Attributes - Not in Distribution Dictionaries
Hello Alex -

I don't have these definitions, so if anyone out there can send them to me I will add them to the standard dictionary in the distribution.

regards

Hugh

On Fri, 4 Jan 2002 16:32, Alex Fritz wrote:
> Hey guys,
>
> This thing is asking me for some attributes that are not in any of the distribution dictionaries. Anybody know them off hand? :)
>
> ERR: Attribute number 24 (vendor 2637) is not defined in your dictionary
> ERR: Attribute number 28 (vendor 529) is not defined in your dictionary
> ERR: Attribute number 20 (vendor 529) is not defined in your dictionary
>
> Thanks guys,
>
> Alex Fritz
> NCN Internet
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.307 / Virus Database: 168 - Release Date: 12/11/2001

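
The "Attribute number N (vendor V) is not defined in your dictionary" errors in this message and in the "broken radius packet" thread above are produced while walking a packet's attribute list. The Python below is an added example, not part of the original posts and not Radiator code: it walks a RADIUS packet with length checks and returns the (number, vendor) pairs a dictionary does not know, raising on a packet whose length fields do not add up. PAGE_DUMP is the hex dump quoted in the "bug on 2.19-1?" message on this page; the other packets, the KNOWN set and all function names are constructed for illustration, and Vendor-Specific values are assumed to use the sub-attribute layout recommended by RFC 2865.

```python
import struct

VENDOR_SPECIFIC = 26  # attribute type that wraps vendor attributes (RFC 2865)


class MalformedPacket(ValueError):
    """Raised when a length field does not fit the bytes that are present."""


def _walk(buf, start, end, what):
    """Yield (type, value) for each type/length/value triple in buf[start:end]."""
    pos = start
    while pos < end:
        if end - pos < 2:
            raise MalformedPacket(f"{what}: stray byte at offset {pos}")
        atype, alen = buf[pos], buf[pos + 1]
        # The length octet counts the type and length octets themselves.
        if alen < 2 or pos + alen > end:
            raise MalformedPacket(
                f"{what}: type {atype} at offset {pos} has length {alen}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value_bytes), ...])."""
    if len(data) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise MalformedPacket(
            f"header length {length} does not fit {len(data)} received bytes")
    return code, ident, data[4:20], list(_walk(data, 20, length, "attribute"))


def parse_vsa(value):
    """Split one Vendor-Specific value into (vendor_id, [(number, bytes), ...])."""
    if len(value) < 4:
        raise MalformedPacket("Vendor-Specific value shorter than a vendor id")
    vendor = struct.unpack("!I", value[:4])[0]
    what = f"vendor {vendor} sub-attribute"
    return vendor, list(_walk(value, 4, len(value), what))


def undefined_attributes(data, known):
    """Return [(number, vendor)] for attributes absent from `known`.

    `known` is a set of (vendor, number) pairs; vendor 0 means a standard
    attribute. It stands in for a dictionary file (hypothetical structure).
    """
    missing = []
    for atype, value in parse_packet(data)[3]:
        if atype == VENDOR_SPECIFIC:
            vendor, subs = parse_vsa(value)
            missing += [(num, vendor) for num, _ in subs
                        if (vendor, num) not in known]
        elif (0, atype) not in known:
            missing.append((atype, 0))
    return missing


def make_packet(code, ident, attr_bytes):
    """Build a constructed test packet with an all-zero authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return header + bytes(16) + attr_bytes


# Access-Request hex dump as quoted in the "bug on 2.19-1?" message.
PAGE_DUMP = bytes.fromhex(
    "01 e1 00 5c 31 32 33 34 35 36 37 38 39 30 31 32 "
    "33 34 35 36 01 08 65 72 75 74 6b 75 06 06 00 00 "
    "00 02 04 06 cb 3f 9a 01 05 06 00 00 04 d2 1e 0b "
    "31 32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 "
    "34 33 32 31 3d 06 00 00 00 00 02 12 df aa be e0 "
    "a4 6e 39 97 e1 c6 68 fc 38 bd a9 62"
)

# Constructed dictionary: only the standard attributes seen in PAGE_DUMP.
KNOWN = {(0, n) for n in (1, 2, 4, 5, 6, 30, 31, 61)}

# Constructed packets: a well-formed VSA for vendor 529 attribute 28, and the
# same VSA with an inner length (9) that overruns the enclosing attribute.
VSA_OK = make_packet(1, 1, bytes.fromhex("1a0c 00000211 1c06 00000001"))
VSA_BROKEN = make_packet(1, 2, bytes.fromhex("1a0c 00000211 1c09 00000001"))

if __name__ == "__main__":
    print(undefined_attributes(PAGE_DUMP, KNOWN))
    print(undefined_attributes(VSA_OK, KNOWN))
    try:
        undefined_attributes(VSA_BROKEN, KNOWN)
    except MalformedPacket as exc:
        print("malformed:", exc)
```

A packet that decodes cleanly but names an unknown (number, vendor) pair points at a missing dictionary entry; one that raises MalformedPacket points at the sender or the path.
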
(RADIATOR) Re: Restricting Hours for Passthrough Users
Hello Alex -

You will need to do this with a hook in the relevant Realm or Handler. There are some example hooks in the Radiator distribution in the file goodies/hooks.txt.

regards

Hugh

On Thu, 3 Jan 2002 12:30, Alex Fritz wrote:
> Hey,
>
> Been going over a problem with restricting hours for a pass through user. Now, I have gotten direction from the newsgroup about keeping a table of users for passthrough with a time bank to allow me to authenticate their time, then using cascading authby statements to pass them on to the next server for authentication.
>
> The problem with this is that then we have to keep a running (consistent) database of the passthrough users, which has to be synchronized with the people that hold the database at the passthrough server. We're not really concerned with keeping track of specifics like which users are active or not, we just want to keep them from going over their time for a month because we feel we can trust the passthrough server to do it.
>
> We thought we might make the system just add the user if he doesn't exist and then check the usage. How in the world could you do this with Radiator? Is there possibly a way to do this if your database has Stored Procedure capabilities?
>
> Thanks, I know this may be a lengthy one.
>
> Alex Fritz
> NCN Internet

(RADIATOR) Re: Allowing Time Zone for Holiday
Hello Chairath -

Radiator has no notion of holiday, so you will have to write a hook to implement whatever is required for your application.

regards

Hugh

On Wed, 2 Jan 2002 17:41, Chairath K wrote:
> Hello Hugh,
>
> Currently , we use this clause below for authen time zone user who has realm @hz.qnet
>
> <AuthBy FILE>
>     Identifier TimeZone
>     Filename %D/adsl.users
> </AuthBy>
>
> <Handler Realm=hz.qnet>
>     AuthBy TimeZone
> </Handler>
>
> Then in the file adsl.users is below
>
>     Time = Wk2000-0600 , SaSu-2359, Auth-Type = ...
>
> But now , we want to allow these user to log on any time in public holiday (e.g. christmas , new year ). So is there a way to config Radiator?
>
> Regards,
> Chairath
>
> P.S. Happy New Year 2002

(RADIATOR) Re: help with radiator problems
Hello Laurens -

On Mon, 31 Dec 2001 11:52, Laurens Thissen wrote:
> Dear Open Systems consultants,
>
> I wasn't involved directly in the problem solving regarding our Radiator system at RDC Datacentrum, till now. Looking at the e-mail exchange from the last few days, I must conclude that your support is beneath my expectations.

I regret that you feel this way, as we always try to provide excellent support to everyone who uses Radiator. I think you will find that I have spent a very great deal of time assisting RDC over the past several months, and I am happy to continue doing so.

> The total Radius system has been configured based on your specifications, also the indexing of the database, the OS, Radiator itself and Radmin.

As we are not on site it is quite difficult for us to see exactly what is happening on your system. I have made numerous suggestions including the latest one to do some trace 4 logging with the LogMicroseconds parameter so as to ascertain exactly where the time is being spent, and the results of those tests indicate that Radiator itself is responding very quickly, but the SQL queries to the database are taking an extremely long time (around one second per authentication). You should look closely at the debug output that you sent to me to see which queries are taking the longest and then investigate those. The 6 digit number following the timestamp in the debug log indicates the number of microseconds that have elapsed (ie. the first digit of the six indicates tenths of a second).

> I really appreciate when you do the following:
> - good and sufficient problem solving (and not only answers like look at the database index, because it's slow, we came already to the same conclusion)

I think the way forward is to do some performance measurements on your database to find out where the problem lies. There may or may not be a problem with the indexes, or there may be a problem with the database server process itself. I would suggest you check the tuning suggestions for your particular database and use whatever tools are provided with it to see exactly what is going on. As mentioned previously, from what I can see in the trace 4 debug from Radiator, there does not appear to be a problem with Radiator itself.

> - when there are any recommendations to increase the stabilization of our Radiator system, please give them! In the next few days at the beginning of the new year, our customers (growing to 16000 and now already 7000) will make many concurrent dial-up (up till 1000) connections, so we must have a stable Radius system!
> - when there are any points at your side not to be clear regarding our problem, please give us a call.
>
> At the 2nd of January we start at RDC with ultimate effort to implement a stable Radius (Radiator) system, I am convinced that you'll join us! So please mail us your advice or questions before the 2nd of January. May be it is good to make a conference call?

We have many customers with millions of customers in SQL databases and transaction rates of several hundred per second, so I am sure that your system will provide excellent service. I am happy to participate in a conference call, providing we can arrange a suitable time. I am located in Melbourne Australia and we are approximately 10 hours ahead of you, so your morning is my early evening.

regards

Hugh

(RADIATOR) RE: SQL Server (DPR#11789)
-- Forwarded Message --
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Alex Fritz [EMAIL PROTECTED]]
Date: Fri, 28 Dec 2001 21:26:58 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

From: Alex Fritz [EMAIL PROTECTED]
To: Radiator Support [EMAIL PROTECTED]
Subject: RE: SQL Server (DPR#11789)
Date: Fri, 28 Dec 2001 23:03:04 -0600

Hey guys, I emailed you earlier today about using Radiator with SQL Server 2000. I emailed ActiveState and got some information I thought pertained to this problem and I was curious if it was possible to use the solution mentioned below rather than ODBC. Thanks.

Alex Fritz
Kerdaino Enterprises

-Original Message-
From: Troy Topnik [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 28, 2001 5:07 PM
To: [EMAIL PROTECTED]
Subject: Re: SQL Server (DPR#11789)

Alex,

There is no DBD module for MS Sql. You may want to try using MSSQL::Dblib and/or MSSQL::Sqllib. http://www.algonet.se/~sommar/mssql/

You can install DBIx-MSSQLReporter or DBIx::AnyDBD using PPM which also may provide the database connectivity you need. I'm not sure if any of the above will work with Radiator. You may have to use DBD-ODBC in the end.

Best regards,
Troy Topnik, [EMAIL PROTECTED]
Customer Relationship Representative, ActiveState
http://www.ActiveState.com

Hi, I am using a software package called Radiator in order to perform Radius authentication and accounting. It runs off of ActivePerl and I previously was using this system on an Oracle database. Now I am setting this system up for somebody using SQL Server 2000 and I am a little lost in finding the correct PPM package to allow Perl to directly connect to MS-SQL. The Radius package specified to search for DBD packages of which I haven't seen any I can use to connect to SQL Server other than ODBC. I really don't want to use ODBC because of its inefficiency. Please let me know what solutions are available.

Thank you,
Alex Fritz
Kerdaino Enterprises

PS- This is urgent, we have to get this done quickly, so if you could give this message a high priority, I would appreciate it. Whatever you can do will be greatly appreciated though. Thanks again! :)

-- Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
(RADIATOR) RE: SQL Server (DPR#11789)
Hello Alex,

Hey guys, I emailed you earlier today about using Radiator with SQL Server 2000. I emailed ActiveState and got some information I thought pertained to this problem and I was curious if it was possible to use the solution mentioned below rather than ODBC. Thanks.

Both DBIx-MSSQLReporter and DBIx::AnyDBD rely on DBI, so there is no new transport mechanism provided by them. Don't know anything about MSSQL::Dblib MSSQL::Sqllib.

Cheers.

Alex Fritz
Kerdaino Enterprises

-Original Message-
From: Troy Topnik [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 28, 2001 5:07 PM
To: [EMAIL PROTECTED]
Subject: Re: SQL Server (DPR#11789)

Alex,

There is no DBD module for MS Sql. You may want to try using MSSQL::Dblib and/or MSSQL::Sqllib. http://www.algonet.se/~sommar/mssql/

You can install DBIx-MSSQLReporter or DBIx::AnyDBD using PPM which also may provide the database connectivity you need. I'm not sure if any of the above will work with Radiator. You may have to use DBD-ODBC in the end.

Best regards,
Troy Topnik, [EMAIL PROTECTED]
Customer Relationship Representative, ActiveState
http://www.ActiveState.com

Hi, I am using a software package called Radiator in order to perform Radius authentication and accounting. It runs off of ActivePerl and I previously was using this system on an Oracle database. Now I am setting this system up for somebody using SQL Server 2000 and I am a little lost in finding the correct PPM package to allow Perl to directly connect to MS-SQL. The Radius package specified to search for DBD packages of which I haven't seen any I can use to connect to SQL Server other than ODBC. I really don't want to use ODBC because of its inefficiency. Please let me know what solutions are available.

Thank you,
Alex Fritz
Kerdaino Enterprises

PS- This is urgent, we have to get this done quickly, so if you could give this message a high priority, I would appreciate it. Whatever you can do will be greatly appreciated though. Thanks again! :)

-- Mike McCauley [EMAIL PROTECTED]
FW: (RADIATOR) Re: Please help.
Sam,

For IP address allocation in Radiator, use AuthBy DYNADDRESS and AddressAllocator SQL. Below is an example of radius.cfg.

Regards,
Harrison

    <AddressAllocator SQL>
        Identifier myallocator
        DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
        DBUsername xyz
        DBAuth xyz
        DefaultLeasePeriod 86000
        LeaseReclaimInterval 300
        FindQuery select TIME_STAMP,YIADDR,SUBNETMASK,DNSSERVER from RADPOOL where POOL='%0' and STATE=0 order by TIME_STAMP limit 1
        AllocateQuery update RADPOOL set STATE=1,TIME_STAMP=%0,EXPIRY=%1,USERNAME='%2',CALLINGSTATIONID='%{Calling-Station-Id}' \
            where YIADDR='%3' and TIME_STAMP%4
        <AddressPool trial1>
            Subnetmask 255.255.255.0
            Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
        </AddressPool>
        <AddressPool trial2>
            Subnetmask 255.255.255.0
            Range xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
        </AddressPool>
    </AddressAllocator SQL>

    <Handler Client-Id = x.x.x.x>
        AuthBy xxx
        AuthBy yyy
        <AuthBy DYNADDRESS>
            Allocator myallocator
            PoolHint %{Reply:PoolHint}
            MapAttribute yiaddr, Framed-IP-Address
            MapAttribute subnetmask, Framed-IP-Netmask
            StripFromReply PoolHint
            StripFromReply Framed-IP-Netmask
            AddToReplyIfNotExist Service-Type = Framed-User
            AddToReplyIfNotExist Framed-Protocol = PPP
        </AuthBy DYNADDRESS>
    </Handler>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Cheung
Sent: Tuesday, December 18, 2001 3:06 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (RADIATOR) Re: Please help.

Dear Genius,

I am trying to config. a radiator (2.19-demo) allocating IP address dynamically using DB1 to get the authentication info. from DB1 (an mysql server stored username and password) and using DB2 (another mysql server) to log the dhcp client info., DHCPpool and leased IP, etc. using the database which created by a script called mysqlCreate.sql. Can you give me some suggestion what to put down in the config.cfg?

Thanks so much for paying attention. Thanks a lot.

Best Regards,
Sam Cheung
(RADIATOR) Re: problem with forking daemon and database connections
Hello Damir,

thanks for this. I can tell you have put a lot of effort into finding this problem. We have rolled your code into the next release, but under the control of a new global parameter ForkClosesFDs which by default is off. If it does not break anyone, we will default it to on.

Cheers.

On Wed, 5 Dec 2001 11:07, Damir Dzeko wrote:

Hello Mike,

I had a strange and hard to trace problem with Radiator server that was connected to Oracle database (for maintaining session database and accounting) and had a handler (for IPASS requests) that would fork. Every time the server forked our radiusd would lose its connection to database. That resulted in errors like:

    ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute)

in the middle of a query execution. The problem was hard to trace because the reason for failure was not in the broken query but somewhere else. After many hours of work I discovered that closing a few file descriptors just after the daemon forked a child (in the child process) would prevent it from happening.

Here are those few lines of code that do the job for me:

    use IO::Handle;

in file radiusd.pl, sub safeFork:

    elsif (defined $pid)
    {
        # Child.
        # ddzeko
        #
        # close kid's file descriptors ;
        # (this will teach the kid to stay out of
        # parent's database business)
        #
        if (1) {
            my ($io) = new IO::Handle;
            for (my $i = 3; $i < 20; $i++) {
                $io->fdopen($i, 'r') && $io->close;
            }
        }
        # /ddzeko
        return 1;
    }

Greetings,
--damir;

-- I am travelling at the moment, and there may be delays in our correspondence. Mike McCauley, Open System Consultants, [EMAIL PROTECTED], www.open.com.au
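The effect of the descriptor-closing loop discussed in this thread, as an added example that is not Radiator's code and not part of either message. A socketpair stands in for the Oracle connection, the child's write is a constructed stand-in for any child-side code that touches the inherited socket, and the names close_inherited_fds and run_case are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();
use IO::Handle;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC);

# Close raw descriptors $low .. $high-1. POSIX::close returns undef for a
# number that is not open, so sweeping a range is safe. The 3..19 range
# mirrors the loop in the post; descriptors above it are not covered.
sub close_inherited_fds {
    my ($low, $high) = @_;
    my $closed = 0;
    for my $fd ($low .. $high - 1) {
        $closed++ if defined POSIX::close($fd);
    }
    return $closed;
}

sub run_case {
    my ($close_in_child) = @_;

    # Constructed stand-in for the parent's database connection.
    socketpair(my $db_client, my $db_server, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
        or die "socketpair: $!";
    $db_client->autoflush(1);
    my $client_fd = fileno($db_client);

    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: it holds a copy of every descriptor the parent had open.
        close_inherited_fds(3, 20) if $close_in_child;

        # Constructed stand-in for child-side code that uses the socket.
        my $msg = "CHILD-BYTES\n";
        my $n   = POSIX::write($client_fd, $msg, length $msg);
        POSIX::_exit(defined $n ? 1 : 0);    # 1: the write reached the socket
    }

    waitpid($pid, 0);
    my $child_reached_socket = $? >> 8;

    # Parent carries on with its own traffic, then reads what arrived.
    print {$db_client} "PARENT-QUERY\n";
    shutdown($db_client, 1);                 # no more writes: reader sees EOF
    my $server_saw = join '', <$db_server>;
    close $db_client;
    close $db_server;

    return ($child_reached_socket, $server_saw);
}

for my $close_in_child (0, 1) {
    my ($reached, $saw) = run_case($close_in_child);
    $saw =~ s/\n/ /g;
    printf "close fds in child: %-3s  child wrote to parent's socket: %-3s  server saw: %s\n",
        ($close_in_child ? 'yes' : 'no'), ($reached ? 'yes' : 'no'), $saw;
}
```

Without the sweep, the server end receives the child's bytes ahead of the parent's query on the same session; with it, the child's write fails and only the parent's traffic arrives.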
(RADIATOR) Re: Please help.
Dear Genius, I am trying to config. a radiator (2.19-demo) allocating IP address dynamically using DB1 to get the authentication info. from DB1 (an mysql server stored username and password) and using DB2 (another mysql server) to log the dhcp client info., DHCPpool and leased IP, etc. using the database which created by a script called mysqlCreate.sql. Can you give me some suggestion what to put down in the config.cfg? Thanks so much for paying attention. Thanks a lot. Best Regards, Sam Cheung
(RADIATOR) Re: assign ip from radius to AS5300 NAS
Hello Manoj -

On Sun, 16 Dec 2001 23:59, Manoj Agrawal wrote:

Hi! We are an ISP. We have two types of account one for internet account and another one is for email only account. Both users dial the same number to access our network. I want to assign IPs address to email only users from Radiator radius to AS5300 NAS so that I can block those IPs only to our email servers. But, for Internet users I am assigning IPs from AS5300 NAS and it works fine. So, how can I assign IPs from radius to AS5300 NAS.

For those users with IP addresses, you would add a reply item like this:

    # define a user with a Framed-IP-Address
    someuser Password = , .
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = n.n.n.n,
        Framed-IP-Netmask = m.m.m.m,
        ..

This topic has been discussed on the list previously, so have a look at the archive site and do a search (www.open.com.au/archives/radiator). You should also check the Cisco web site for any IOS version specific radius dependencies.

regards

Hugh
(RADIATOR) Re: (RADMIN) Re: Please help.
Hello Sam -

Please only post to the Radiator mailing list, we do not need to see your messages in mailing lists not intended for Radiator.

It looks to me like you have not built the Oracle tables. You cannot write to a database without actually building the tables that you are going to use. Note that the table names are different for Radiator and Radmin. Radiator uses a table called SUBSCRIBERS for user definitions and Radmin uses a table called RADUSERS. There are other similar differences. You will have to build the tables that are appropriate to your requirements and then use the tools designed for those tables.

regards

Hugh

At 15:18 +0800 01/11/29, Sam Cheung wrote:

Dear Genius,

I am trying to config. a radiator (2.19-demo) using AuthBy SQL in order to contact to a Oracle 8.1.7(the oracle and the radiator are on the same machine.) However, I did not succeed. I've got the following errors when performing a command

    ./buildsql -dbsource dbi:Oracle:rad -dbusername sys -dbauth change_on_install -v -password /etc/passwd

    . . . . .
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('mailsrv', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 16.
    Insert user mailsrv failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 17.
    Insert user test failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test1', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 18.
    Insert user test1 failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    . . .

p.s. I've also compiled and installed DBI (DBD-Oracle-1.12) and DBD ( DBI-1.20) successfully using sunwork shop c compiler.

Platform: Solaris 8
Machine: Sun Microsystems Ultra 5
cpu: 333 MHz
Ram: 128M

Thanks a lot for paying attention and so much appreciate.

Best Regards,
Sam Cheung
E-mail: [EMAIL PROTECTED]

=== Archive at http://www.open.com.au/archives/radmin/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radmin' in the body of the message.

-- NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
RE: (RADIATOR) Re: (RADMIN) Re: Please help.
Sam,

In your Radiator directory there is a directory called 'goodies', in there you will find a file called 'ansiCreate.sql'. If you run that in your Oracle database it will create the default tables for Radiator. Read it carefully first so you understand what it does.

Also download the manual: http://www.open.com.au/radiator/ref.html

It's very well written and will answer most of your questions - as a user I have found it very useful :-)

Good luck!

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugh Irvine
Sent: Thursday, November 29, 2001 8:26 AM
To: Sam Cheung; [EMAIL PROTECTED]
Subject: (RADIATOR) Re: (RADMIN) Re: Please help.

Hello Sam -

Please only post to the Radiator mailing list, we do not need to see your messages in mailing lists not intended for Radiator.

It looks to me like you have not built the Oracle tables. You cannot write to a database without actually building the tables that you are going to use. Note that the table names are different for Radiator and Radmin. Radiator uses a table called SUBSCRIBERS for user definitions and Radmin uses a table called RADUSERS. There are other similar differences. You will have to build the tables that are appropriate to your requirements and then use the tools designed for those tables.

regards

Hugh

At 15:18 +0800 01/11/29, Sam Cheung wrote:

Dear Genius,

I am trying to config. a radiator (2.19-demo) using AuthBy SQL in order to contact to a Oracle 8.1.7(the oracle and the radiator are on the same machine.) However, I did not succeed. I've got the following errors when performing a command

    ./buildsql -dbsource dbi:Oracle:rad -dbusername sys -dbauth change_on_install -v -password /etc/passwd

    . . . . .
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('mailsrv', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 16.
    Insert user mailsrv failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 17.
    Insert user test failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test1', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 18.
    Insert user test1 failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    . . .

p.s. I've also compiled and installed DBI (DBD-Oracle-1.12) and DBD ( DBI-1.20) successfully using sunwork shop c compiler.

Platform: Solaris 8
Machine: Sun Microsystems Ultra 5
cpu: 333 MHz
Ram: 128M

Thanks a lot for paying attention and so much appreciate.

Best Regards,
Sam Cheung
E-mail: [EMAIL PROTECTED]
(RADIATOR) Re: Please help.
Dear Genius,

I am trying to config. a radiator (2.19-demo) using AuthBy SQL in order to contact to a Oracle 8.1.7(the oracle and the radiator are on the same machine.) However, I did not succeed. I've got the following errors when performing a command

    ./buildsql -dbsource dbi:Oracle:rad -dbusername sys -dbauth change_on_install -v -password /etc/passwd

    . . . . .
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('mailsrv', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 16.
    Insert user mailsrv failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 17.
    Insert user test failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    insert into SUBSCRIBERS (USERNAME, PASSWORD ) values ('test1', 'x' )
    DBD::Oracle::db do failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute) at ./buildsql line 204, FILE chunk 18.
    Insert user test1 failed: ORA-00942: table or view does not exist (DBD ERROR: OCIStmtExecute)
    . . .

p.s. I've also compiled and installed DBI (DBD-Oracle-1.12) and DBD ( DBI-1.20) successfully using sunwork shop c compiler.

Platform: Solaris 8
Machine: Sun Microsystems Ultra 5
cpu: 333 MHz
Ram: 128M

Thanks a lot for paying attention and so much appreciate.

Best Regards,
Sam Cheung
E-mail: [EMAIL PROTECTED]
(RADIATOR) Re: Variable Session Timeout
Hello Mustafa -

On Thursday 15 November 2001 02:47, Mustafa Mal wrote:

Hi Hugh, I want to configure Radius so that the users are given extra session time during off peak hours. Eg. If the session time in the database is two hours, then during off peak hours, the session time should be two hours and during peak hours the session time is two hours. Can Radius be configured for accomplishing this or do I have to modify the query. The Database is in MySql.

It is probably easiest to do what you describe in a PostAuthHook. There are some example hooks in the file goodies/hooks.txt in the Radiator distribution that should give you some ideas.

regards

Hugh
(RADIATOR) Re: Error in manual, attributes appear twice in the dictionary
These mistakes exist in Version 2.18 and 2.19 of the manual (pdf and html).

- Section 6.4.19
- Section 6.5.9
- Section 14.0

Until next time, Hughes!

- Original Message -
From: Hugh Irvine
To: Romain Vergniol ; Mailing-List Radiator
Cc: Charles Delorme
Sent: Saturday, November 10, 2001 1:25 PM
Subject: Re: Error in manual, attributes appear twice in the dictionary

Hi Romain -

Could you tell me which version of the Radiator manual you are looking at? I thought I had fixed all of those mistakes. :-( (please send me the section number if it hasn't already been fixed in Radiator 2.19)

And yes, there are some synonyms in the dictionaries, so you are quite right to comment out those entries that you don't use. Note that the synonyms will all work when encoding the radius packets going out. However it will only be the last one in the list that will be used to decode any incoming packets containing that attribute.

See you,
Hugues

At 14:21 +0100 01/11/9, Romain Vergniol wrote:

Hello,

I noticed that the 'RewriteUsername' that Convert a MSN realm/user into user@realm described in the reference manual doesn't work. It should be :

    RewriteUsername s/^(.*)\/(.*)/$2\@$1/

and not :

    RewriteUsername s/^(.*)\\(.*)/$2\@$1/
(RADIATOR) Re: Error in manual, attributes appear twice in the dictionary
Hi Romain -

Could you tell me which version of the Radiator manual you are looking at? I thought I had fixed all of those mistakes. :-( (please send me the section number if it hasn't already been fixed in Radiator 2.19)

And yes, there are some synonyms in the dictionaries, so you are quite right to comment out those entries that you don't use. Note that the synonyms will all work when encoding the radius packets going out. However it will only be the last one in the list that will be used to decode any incoming packets containing that attribute.

See you,
Hugues

At 14:21 +0100 01/11/9, Romain Vergniol wrote:

Hello,

I noticed that the 'RewriteUsername' that Convert a MSN realm/user into user@realm described in the reference manual doesn't work. It should be :

    RewriteUsername s/^(.*)\/(.*)/$2\@$1/

and not :

    RewriteUsername s/^(.*)\\(.*)/$2\@$1/

Also, in the dictionary, some attributes appear twice :

- Ascend-IP-Pool (218 integer) and Maximum-Time (218 integer)
- Ascend-Handle-IPX (222 integer) and User-ID (222 string)
- Ascend-Netware-TimeOut (223 integer) and User-Realm (223 string)

If the type (integer or string) is different from one to another, I think it could be a source of problems. So I put the attributes that I don't use in comment.

Romain VERGNIOL
-- C E G E D I M --
Service Réseau Boulogne
116 rue d'Aguesseau BP 405 - 92103 Boulogne-Billancourt FRANCE
Tel direct line : 01 49 09 84 02
Fax : 01 46 03 45 95
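A check for the dictionary overlap reported in this thread, as an added example that is not part of the original messages or of Radiator. It lists attribute numbers defined more than once, flags type conflicts, and marks which definition would decode incoming packets under the last-one-in-the-list rule described in the reply; the `ATTRIBUTE name number type` line layout and the order of the sample entries are assumptions, while the names, numbers and types are the ones listed in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample. Names, numbers and types are the pairs named in the
# thread; the line layout and the ordering are assumed for the example.
# The last entry is commented out, as the reporter did for unused synonyms.
my $SAMPLE_DICTIONARY = <<'END';
ATTRIBUTE   User-Name               1    string
ATTRIBUTE   Ascend-IP-Pool          218  integer
ATTRIBUTE   Maximum-Time            218  integer
ATTRIBUTE   Ascend-Handle-IPX       222  integer
ATTRIBUTE   User-ID                 222  string
ATTRIBUTE   Ascend-Netware-TimeOut  223  integer
#ATTRIBUTE  User-Realm              223  string
END

# Group definitions by attribute number, keeping file order.
sub parse_dictionary {
    my ($text) = @_;
    my %by_number;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*$//;                       # drop comments
        my ($name, $number, $type) =
            $line =~ /^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)/ or next;
        push @{ $by_number{$number} }, { name => $name, type => $type };
    }
    return \%by_number;
}

# Numbers with more than one definition. The last definition is treated as
# the one used for decoding, following the rule stated in the thread.
sub find_synonyms {
    my ($by_number) = @_;
    my @found;
    for my $number (sort { $a <=> $b } keys %$by_number) {
        my @defs = @{ $by_number->{$number} };
        next if @defs < 2;
        my %types;
        $types{ $_->{type} } = 1 for @defs;
        push @found, {
            number        => $number,
            defs          => \@defs,
            decodes_as    => $defs[-1],
            type_conflict => (scalar(keys %types) > 1 ? 1 : 0),
        };
    }
    return @found;
}

# Interpret raw attribute bytes the way each declared type would.
sub decode_value {
    my ($type, $bytes) = @_;
    return $type eq 'integer' ? unpack('N', $bytes) : qq{"$bytes"};
}

# Constructed value: four ASCII bytes, as a string attribute might carry.
my $wire_value = "1234";

for my $syn (find_synonyms(parse_dictionary($SAMPLE_DICTIONARY))) {
    printf "attribute %d defined %d times%s\n",
        $syn->{number}, scalar @{ $syn->{defs} },
        $syn->{type_conflict} ? ' (TYPE CONFLICT)' : '';
    for my $def (@{ $syn->{defs} }) {
        printf "  %-20s %-8s bytes '%s' read as %s%s\n",
            $def->{name}, $def->{type}, $wire_value,
            decode_value($def->{type}, $wire_value),
            $def == $syn->{decodes_as} ? '   <- used for decoding' : '';
    }
}
```

Attribute 223 drops out of the report because its second definition is commented out, which is the workaround the reporter applied.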
(RADIATOR) Re: NB
Hi Dave -

:-) Have you seen the latest tag on slashdot?

codito ergo sum

http://www.slashdot.org

cheers

Hugh

At 8:11 -0500 01/11/9, Dave Kitabjian wrote:

NB. We have all seen it at the bottom of Hugh's emails while on travel. But what, you've asked yourself, does NB mean? And right you should. As you would expect from someone of Hugh's level of erudition, the term is from Latin. It stands for nota bene, which means note well; take notice. An example of its usage from 1721 can be found in M. Prior's Daphne and Apollo (65): Next, nota bene, you shall never rove. I hope this clears up the confusion. Perhaps this should be added to the Radiator manual?

Dave :)

regards

Hugh

-- NB: I am travelling this week, so there may be delays in our correspondence.

-- NB: I am travelling this week, so there may be delays in our correspondence.
Re: (RADIATOR) Re: Daylight Saving
Hello Barry -

This is but one reason why most operators just use stop records and calculate the start time by subtracting the Acct-Session-Time.

regards

Hugh

At 21:03 +1100 01/11/9, Barry Andersson wrote:

Hi everyone, I'm intrigued as to how others handle the change to and from Daylight Saving time in Australia when it comes to RADIUS. Do your servers remain on local time? Do you add an hour when daylight saving kicks in and if you do what about the guy that phoned in just before and hung up just after and can't understand the one hour session? Or worse still the user who dials in just before 3am and hangs up 2 minutes later at 2.02am.

Barry Andersson
Simplex ISP
(RADIATOR) Re: Remote access ACL control with Radius
Hello Manoj -

What does a trace 4 debug from Radiator show? Is the reply attribute actually being sent in the reply correctly? If it is in the reply, you will then have to check on the Cisco to see what the Cisco is doing with the reply. You can use the debug command on the Cisco to see what is really happening. It may be the case that you will have to use a cisco-avpair to return the filter that you want to apply. In any case, if this is an issue with the Cisco, you will have to check with the vendor to see how to implement it.

regards

Hugh

Hello hugh,

We are using AS5300 for remote access. In the AS5300 the access list are like this:

    access-list 100 permit tcp any host 202.79.68.100 eq pop3
    access-list 100 permit tcp any host 202.79.68.100 eq smtp
    access-list 100 deny tcp any any

The host 202.79.68.100 is our mail server. On the radius server the configuration is like this:

    ##Default for ETRNMAIL (Email only) users for LOGIN using 15100 (sun AS5300)
    DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = etrnmail, Simultaneous-Use = 1
        Framed-Protocol = PPP,
        Framed-MTU = 768,
        Idle-Timeout = 60,
        Session-Timeout = 7200,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Filter-Id = 100.in,
        Fall-Through = No

    ##Default for PPP users for LOGIN (AS5300)
    DEFAULT NAS-IP-Address = 202.79.68.192, Auth-Type = Check_SYSTEM, Group = ppp, Simultaneous-Use = 1
        Framed-Protocol = PPP,
        Framed-MTU = 768,
        Idle-Timeout = 600,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Fall-Through = No

As you can see above there are two entries on radius: one is with the Filter-id attribute that allows dialup users to check their mails only, not internet access, and another is without Filter-id attributes that allows dialup users to access internet as well as mails. In our case, the Filter-id is not working, I mean users in the group that have Filter-id attributes can access internet as well. We need them to be allowed only to access their mails. On the other hand, the settings for the group without Filter-id are working fine.

Hoping a productive reply from you.

Thanks,
manoj
Re: (RADIATOR) Re: Remote access ACL control with Radius
Yep,

You'll have to use the cisco-avpair (you should be able to find the exact syntax to use in Radiator - I'm sure Hugh can help you with that). The syntax for the cisco is as follows (we're using the AS5350, and this works like a champ):

ip:dns-servers=20.1.20.21 20.1.20.23
ip:inacl#1=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.21
ip:inacl#2=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.23
ip:inacl#3=permit icmp any any
ip:inacl#4=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.30
ip:inacl#5=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.201
ip:inacl#6=permit ip 5.5.0.0 0.0.255.255 host 20.1.20.203
ip:inacl#7=permit tcp 5.5.0.0 0.0.255.255 host 1.1.8.5 eq 1352

The first line takes care of DNS assignment for the client, the following lines give the permit statements on the ACL. Your lines should look something like:

ip:inacl#1=permit tcp any host 202.79.68.100 eq pop3
ip:inacl#2=permit tcp any host 202.79.68.100 eq smtp

The deny is implicit, as usual with Cisco.

Success!

Rik

Hugh Irvine [EMAIL PROTECTED]
Sent by: owner-radiator@open.com.au
11/01/2001 01:33 PM
To: Manoj Agrawal [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: (RADIATOR) Re: Remote access ACL control with Radius

Hello Manoj -

What does a trace 4 debug from Radiator show? Is the reply attribute actually being sent in the reply correctly? If it is in the reply, you will then have to check on the Cisco to see what the Cisco is doing with the reply. You can use the debug command on the Cisco to see what is really happening. It may be the case that you will have to use a cisco-avpair to return the filter that you want to apply. In any case, if this is an issue with the Cisco, you will have to check with the vendor to see how to implement it.

regards

Hugh

Hello hugh,

We are using AS5300 for remote access.
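The rewrite Rik describes, from a numbered access list on the NAS to per-user ip:inacl#N strings, as an added example that is not part of the original posts. The function name and the length check are assumptions of this sketch; how the resulting strings are attached as cisco-avpair reply items in Radiator is not shown on this page and is left out.

```python
import re

# Constructed sample input: the numbered access list quoted in the thread.
SAMPLE_ACL = """\
access-list 100 permit tcp any host 202.79.68.100 eq pop3
access-list 100 permit tcp any host 202.79.68.100 eq smtp
access-list 100 deny tcp any any
"""

ACL_ENTRY = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S.*)$")

# A RADIUS attribute carries at most 253 value octets; inside a
# vendor-specific attribute the vendor id (4) and the sub-attribute
# header (2) use six of them, leaving 247 for the avpair string.
MAX_AVPAIR_OCTETS = 247


def acl_to_inacl_avpairs(acl_text, acl_number):
    """Turn the entries of one numbered IOS access list into ordered
    ip:inacl#N strings, in the form shown in the thread.
    (Hypothetical helper written for this example.)"""
    rules = []
    for lineno, raw in enumerate(acl_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):   # blank line or IOS comment
            continue
        match = ACL_ENTRY.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not an access-list entry: {line!r}")
        number, action, rest = match.groups()
        if int(number) == acl_number:
            # Collapse runs of whitespace so the avpair is canonical.
            rules.append((action, " ".join(rest.split())))

    # Trailing deny entries add nothing: the thread notes that the final
    # deny is implicit, so whatever was not permitted earlier is dropped.
    while rules and rules[-1][0] == "deny":
        rules.pop()
    if not rules:
        raise ValueError(f"no permit entries found for access-list {acl_number}; "
                         "the resulting filter would pass no traffic")

    avpairs = []
    for seq, (action, rest) in enumerate(rules, start=1):
        avpair = f"ip:inacl#{seq}={action} {rest}"
        if len(avpair.encode("utf-8")) > MAX_AVPAIR_OCTETS:
            raise ValueError(f"entry {seq} is too long for one RADIUS attribute")
        avpairs.append(avpair)
    return avpairs


if __name__ == "__main__":
    for avpair in acl_to_inacl_avpairs(SAMPLE_ACL, 100):
        print(avpair)
```

A deny that sits before a later permit is kept in place, because entry order decides the match; only the redundant tail is removed.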
(RADIATOR) Re: (RADIATOR-ANNOUNCE) Version 2.19 released
Hello Mariano -

Thanks for the kind words - we appreciate it. And I'm glad that we are keeping you happy - if you have any more good ideas for Radiator please let us know!

regards

Hugh
(RADIATOR) Re: (RADIATOR-ANNOUNCE) Version 2.19 released
On 28 Oct 2001 at 13:08, Mike McCauley wrote:

We are pleased to announce the release of Radiator version 2.19

This version provides native RSA SecurID certification, some significant new features for proxying, many minor new features and some bug fixes.

New AuthBy SQLRADIUS provides proxying based on an SQL table. Looks up the target radius server from an SQL table that can depend on Realm, Called-Station-Id etc. Complicated indirect target mapping is also supported. Useful for managing large number of remote servers, such as in a wholesale ISP. Example tables in goodies/*.sql, plus example config file in goodies/sqlradius.cfg. Obsoletes goodies/AuthSQLRadius.pm.

Great idea!

New AuthBy INTERNAL allows you to handle different types of requests in fixed, parameterised ways.

Col

Added MainLoopHook which is called once per second during the main dispatch loop.

Nice to see my own proposals implemented :-)

Fixed a problem with timers persisting through a HUP or reset. Identified by Mariano Absatz ([EMAIL PROTECTED]).

THANX... BTW, to the rest of the list, the hot-fix for this, when reported, took EXACTLY 6 hours, including, probably, Mike sleep hours. YOU DON'T GET BETTER USER SUPPORT THAN THIS ANYWHERE AT ANY PRICE

Test Oracle radius authentication: Oracle 8 can authenticate Oracle users through Radius. Note: Oracle always upper-cases user names. See the Radiator FAQ for more details.

goodies/sybaseCreate.sql did not drop RADLOG.

Nice... I hope I never have to use this ;-)

Added StripFromRequest and AddToRequest parameters to Handler and Realm.

Great!

Added new SQL AcctColumnDef type 'literal' that lets you build columns literally. No quotes are applied.

Also interesting...

Added new global parameter DefineFormattedGlobalVar like DefineGlobalVar but which honours special formatting characters. DefineGlobalVar is now deprecated, and will be removed one day.

Great! It even has the same name I used so I don't have to upgrade my config files. So good to see my code in production... I might get to think I even remember how to code from when I was young... :-))

Added AddToRequestIfNotExist parameter to Handlers and Realms

AuthBy RADIUS now also honours AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly.

Great!... everything should be available at a Handler-level...

Added new pseudo reply item Exec-Program which runs an external program only if the user successfully authenticates. Similar to Exec-Program in Cistron. Suggested by Klaas Koopman ([EMAIL PROTECTED]).

Nice one.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985    Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X

===
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator-announce' in the body of the message.

How good to see the best (only?) product in its class get better and better!!

FYI, I have just developed a system based on Radiator/Oracle/Apache w/mod_perl of which the customer said I couldn't find anything close to this flexibility. And I KNOW they've reviewed a bunch of commercial radius servers...

--
Mariano Absatz
El Baby
--
Nostalgia: The good old days multiplied by a bad memory...
(RADIATOR) Re: Fwd: Re: Fwd: Re:SNMP Error
thanx hugh!!!

I will try that and update you

regards
hakim
(RADIATOR) Re: Ip Allocator error
Hello Dave -

There are two problems in what you show below. The first is that you have the AddressPool definition commented out, so there are no addresses configured in the AuthBy DYNADDRESS. The second is that you have not defined a PoolHint to say where you want the address to come from.

There is an example configuration file in goodies/addressallocator.cfg in the Radiator distribution, and you should also have a look at sections 6.42 and 6.49 in the reference manual in doc/ref.html.

regards

Hugh

On Tuesday 23 October 2001 19:27, dave_vill wrote:

sir,

I was trying to set-up the radiator radius server as the one who will assign the ip address to the clients (dial-in-users) and im having a problem on error messages during the authentication process and i hope that you can help me regarding this matter. I am using a mssql database for storing the user names and passwords and already created a table for the RADPOOL. Pasted below is the error message and my config file.

Error Message:

Tue Oct 23 16:46:40 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Oct 23 16:46:40 2001: DEBUG: Deleting session for supercom, 192.168.254.1, 268435458
Tue Oct 23 16:46:40 2001: DEBUG: Handling with Radius::AuthSQL
Tue Oct 23 16:46:40 2001: DEBUG: Handling with Radius::AuthSQL:
Tue Oct 23 16:46:40 2001: DEBUG: Query is: select PASSWORD from SUBSCRIBERS where USERNAME='test
Tue Oct 23 16:46:40 2001: DEBUG: Radius::AuthSQL looks for match with supercom
Tue Oct 23 16:46:40 2001: DEBUG: Radius::AuthSQL ACCEPT:
Tue Oct 23 16:46:40 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
Tue Oct 23 16:46:40 2001: DEBUG: Query is: select TIME_STAMP, YIADDR, SUBNETMASK, DNSSERVER from RADPOOL where POOL='' and STATE=0 order by TIME_STAMP
Tue Oct 23 16:46:40 2001: INFO: Access rejected for test: No available addresses
Tue Oct 23 16:46:40 2001: DEBUG: Packet dump:
*** Sending to 192.168.254.1 port 5...
Code: Access-Reject
Identifier: 26
Authentic: %172y29j149|151j1830c11195;163
Attributes:
        Reply-Message = Request Denied

Config File:

<Client DEFAULT>
        Secret mysecret
        DupInterval 0
        IgnoreAcctSignature
</Client>

<ClientListSQL>
        DBSource dbi:ODBC:radius
        DBUsername radius
        DBAuth radius
</ClientListSQL>

<AddressAllocator SQL>
        Identifier ipallocator
        DBSource dbi:ODBC:radius
        DBUsername radius
        DBAuth radius
        DefaultLeasePeriod 86400
        LeaseReclaimInterval 86400
        #<AddressPool pool>
        #       Subnetmask 255.255.255.0
        #       Range 192.1.1.1 192.1.1.10
        #</AddressPool>
</AddressAllocator>

<Realm DEFAULT>
        AuthByPolicy ContinueWhileAccept
        <AuthBy SQL>
                DBSource dbi:ODBC:radius
                DBUsername radius
                DBAuth radius
                DefaultSimultaneousUse 1
                AccountingTable ACCOUNTING
                AcctColumnDef USERNAME,User-Name
                AcctColumnDef TIME_STAMP,Timestamp,integer-date
                AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
                AcctColumnDef ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer-date
                AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef NASIDENTIFIER,NAS-Identifier
                AcctColumnDef NASPORT,NAS-Port
                AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        </AuthBy>
        <AuthBy DYNADDRESS>
                Allocator ipallocator
        </AuthBy>
</Realm>

<Log SQL>
        DBSource dbi:ODBC:radius
        DBUsername radius
        DBAuth radius
</Log SQL>

regards,
dave

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) RE: SNMP Error
hi Hugh!!!

I managed to get rid of the error.

Thu Oct 4 10:35:55 2001: ERR: There is no value named -5755 for attribute Session-Timeout. Using 0.

Basically my query was sending a negative session timeout. Corrected the query :)

But I still get the Cannot Find Module error!!! I'm sending you a trace 4 copy snapshot, if that helps in any case!!! I have installed the uucd-snmp, the one mentioned in the documentation (for SnmpGetprog). Is there some module which I have missed to install?

Trace 4 dump (I have replaced the nasip by xx)

Thu Oct 18 15:37:55 2001: DEBUG: Checking if user is still online: Cisco, 901976123, xx.xx.xx.40, 75, 1330
Thu Oct 18 15:37:55 2001: DEBUG: Running command `c:\radiator-2.18.2\snmp\usr\bin\snmpget.exe xx.xx.xx.40 public .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18.75`
Thu Oct 18 15:37:56 2001: NOTICE: Session for 901976123 at xx.xx.xx.40:75 has gone away
Thu Oct 18 15:37:56 2001: DEBUG: Deleting session for 901976123, xx.xx.xx.40, 75
Thu Oct 18 15:37:56 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xx.xx.xx.40' and NASPORT=075
Thu Oct 18 15:37:56 2001: DEBUG: Handling with Radius::AuthSQL
Thu Oct 18 15:37:56 2001: DEBUG: Handling with Radius::AuthSQL
Thu Oct 18 15:37:56 2001: DEBUG: Query is: select password,balancetime,multiple from testauthenticationtable where (username='901976123' and balancetime 0)
Thu Oct 18 15:37:56 2001: DEBUG: Radius::AuthSQL looks for match with 901976123
Thu Oct 18 15:37:56 2001: DEBUG: Handling with Radius::AuthSQL
Thu Oct 18 15:37:56 2001: DEBUG: Handling with Radius::AuthSQL
Thu Oct 18 15:37:56 2001: DEBUG: Query is: select password,authenticationtable.balancetime from AUTHENTICATIONTABLE,ACCOUNTPLAN where (username='901976123' and status = 1 and startdate is null and expirydate is null and authenticationtable.balancetime 0 and accountplan.accountplan = authenticationtable.accountplan and accountplan.type='H' and accountplan.accountplan '13KD')
Thu Oct 18 15:37:56 2001: DEBUG: Radius::AuthSQL looks for match with 901976123
Thu Oct 18 15:37:56 2001: DEBUG: Radius::AuthSQL ACCEPT:
Thu Oct 18 15:37:56 2001: DEBUG: Access accepted for 901976123
Thu Oct 18 15:37:56 2001: DEBUG: Packet dump:
*** Sending to xx.xx.xx.40 port 1645
Code: Access-Accept
Identifier: 152
Authentic: 26225Y255137165251422361180
Attributes:
        Session-Timeout = 21600
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Class = FTHU
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500
        Framed-Compression = Van-Jacobson-TCP-IP
Thu Oct 18 15:37:56 2001: DEBUG: Packet dump:
*** Received from xx.xx.xx.41 port 1646
Code: Accounting-Request
Identifier: 251
Authentic: 176181D228198180139\p241155188/243217k
Attributes:
        NAS-IP-Address = xx.xx.xx.41
        NAS-Port = 150
        NAS-Port-Type = Async
        User-Name = 633556385
        Called-Station-Id = 840840
        Calling-Station-Id = 4564006
        Acct-Status-Type = Start
        Class = FTHU
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Acct-Session-Id = 1E39
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = FTHU should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = NFTHU should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = FTMU should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = NFTMU should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = OGFR should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler Acct-Status-Type = Stop Class = TEST should be used to handle this request
Thu Oct 18 15:37:56 2001: DEBUG: Check if Handler should be used to handle this request
Thu Oct 18 15:37:57 2001: DEBUG: Handling request with Handler ''
Thu Oct 18 15:37:57 2001: DEBUG: Adding session for 633556385, xx.xx.xx.41, 150
Thu Oct 18 15:37:57 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='xx.xx.xx.41' and NASPORT=0150
Thu Oct 18 15:37:57 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('633556385', 'xx.xx.xx.41', 0150, '1E39', 1003444676, '', 'Async', 'Framed-User')
Thu Oct 18 15:37:57 2001: DEBUG: Handling with Radius::AuthSQL
Thu Oct 18 15:37:57 2001: DEBUG: Handling accounting with Radius::AuthSQL
Thu Oct 18 15:37:57 2001: DEBUG: Accounting accepted
Thu Oct 18 15:37:57 2001: DEBUG: Packet dump:
*** Sending to
(RADIATOR) Re: using Util::format_special() in setVariable
Alright... but I'm stubborn enough to keep messing around... what about adding a keyword 'DefineFormattedGlobalVar' (or whatever is appropriate) that allows me to do this without breaking existing config files? I think it should suffice this change in ServerConfig.pm (now I'm working over release 2.18.4): # diff -C5 ServerConfig.pm.ORI ServerConfig.pm *** ServerConfig.pm.ORI Tue Oct 9 09:09:35 2001 --- ServerConfig.pm Tue Oct 9 09:12:25 2001 *** *** 188,197 --- 188,203 { my ($name, $v) = split(/\s+/, $value); main::setVariable($name, $v); return 1; } + elsif ($keyword eq 'DefineFormattedGlobalVar') + { + my ($name, $v) = split(/\s+/, $value); + main::setVariable($name, Radius::Util::format_special($v)); + return 1; + } elsif ($keyword eq 'LogFile') { $self-{LogFile} = $value; # Allow the default logger to be rejigged during startup Radius::Log::setupDefaultLogger El 6 Oct 2001, a las 15:18, Hugh Irvine escribió: Hello Mariano - Just one further point on this - Mike and I discussed it at some length, however we were concerned that (1) it would only work for a single level of nesting, and (2) that it would break any previously defined %n string in a GlobalVar (such as SQL queries for example). Note that in the current Radiator design philosophy you would probably be much better off doing this sort of complex setup in a StartupHook. As Mike says, we thank you for the suggestion and encourage you to keep coming up with them. regards Hugh On Saturday 06 October 2001 13:16, Mike McCauley wrote: Hello Mariano, Thank you for your contribution. We have carefully considerd this, and we dont think its a good idea to add this to the base code.We think that it is too likely to break other users configurations. But thanks for your suggestion: keep them coming. Cheers. On Sat, 6 Oct 2001 09:05, you wrote: Hi people, I added one more level of indirection in my config files and everything went nuts... my %{GlobalVar:xxx}'s went crazy. 
Then I noted that the problem was that I was setting %{GlobalVar:xxx}'s whose contents included other %{GlobalVar:xxx}'s and this ones weren't translated... I made a really small change to radiusd and it started working (I think)... Am I the first one to try to do this? The idea is that now setVariable (in radiusd) sets the global variable to the value of its argument, but first calls Util::format_special() so, for my particular case, it can interpolate previously defined global variables, but you might use it for any of the %XXX stuff that make sense while parsing the config files... Can this change have unwanted side-effects? I think it's a really small and useful patch (well, if I'm the first, maybe my concept of useful is completely insane) :-D So, FWIW, here's the patch (based on 2.18.2): # diff -C5 radiusd.ORI radiusd *** radiusd.ORIFri Oct 5 19:41:09 2001 --- radiusd Fri Oct 5 19:42:11 2001 *** *** 275,285 # as %{GlobalVar:name} sub setVariable { my ($name, $value) = @_; ! $main::globals{$name} = $value; } sub getVariable { return $main::globals{$_[0]}; --- 275,285 # as %{GlobalVar:name} sub setVariable { my ($name, $value) = @_; ! $main::globals{$name} = Radius::Util::format_special($value); } sub getVariable { return $main::globals{$_[0]}; -- Mariano Absatz El Baby -- God is REAL, unless explicitly declared INTEGER. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
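Review bot: in the new DefineFormattedGlobalVar branch of ServerConfig.pm, `split(/\s+/, $value)` has no limit, so only the first whitespace-separated word after the name is passed to format_special() and the rest of the value is silently dropped. Pass a limit of 2 (`split(/\s+/, $value, 2)`) so that values containing spaces survive. format_special($v) is also called once, at config-parse time and with no request argument, so the keyword should carry a comment saying that only specials resolvable at that moment (such as previously defined GlobalVars) are expanded and that the order of definitions in the config file matters.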
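Review bot: the changed line in setVariable (radiusd) applies format_special() to every value unconditionally, so any existing global variable whose value contains a literal % sequence meant for later expansion, such as the %n strings in stored SQL queries raised in the replies, is rewritten at the moment it is set. Keep `$main::globals{$name} = $value;` as the default and put the expansion behind a separate, opt-in entry point so callers choose it explicitly; the comment above the sub should then state whether stored values are raw or already expanded.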
(RADIATOR) Re: (RADMIN) Unable to properly use stored crypted passwords in Radiator/Radmin...
Hello Colin,

On Fri, 5 Oct 2001 02:31, Colin D. Easton wrote:

Hi,

I've upgraded from Radiator 2.8.2/Radmin 1.4 where I've stored crypted UNIX passwords in an SQL db. i.e. username x has a stored password of {crypt}

I tested the new release of Radiator 2.8.3/Radmin 1.5 where the stored password is able to be crypted by default but the routines store just the password in crypted format. I was able to change my password and the routines below worked ok, however I was then unable to login or authenticate. What am I missing?

If you are using a Radmin PasswordFormat of 'crypt', then all passwords will be stored into the Radmin database as straight Unix crypt (i.e. without the {crypt} tag). Up until now, you could make AuthBy RADMIN understand straight Unix crypt passwords only by customising.

Attached is a new version of AuthRADMIN.pm that understands the EncryptedPassword parameter, same as AuthBy SQL. If you do that, it will auth against plain Unix crypt, but still recognise the ones with the {crypt} tag, and auth against them properly.

So install the attached AuthRADMIN.pm, set EncryptedPassword in your AuthBy RADMIN, and continue to use Radmin PasswordFormat of 'crypt'

Cheers.

crypt

Colin

.../Radmin/Site.pm snippet which allows stored insert/updates of crypted passwords in Radiator/Radmin:

# Here are some sample hooks that maintain PASS_WORD in the RADUSERS
# table as the Unix encrypted version of the plaintext password
# entered by the user.

###
# Here's an example pre_insert_hook.
# Change the new password to Unix crypt before insertion
sub db_pre_insert_hook
{
    my ($db, $newobj) = @_;

    # Change the new plaintext password to Unix crypt
    $newobj->{PASS_WORD} = Radmin::Util::unixEncryptPassword($newobj->{PASS_WORD})
        if $newobj->{Type} eq 'RADUSERS';
}

###
# Here's an example pre_update_hook.
# If the password has been changed, re-encrypt it
sub db_pre_update_hook
{
    my ($db, $newobj, $oldobj) = @_;

    # If the password is not 13 chars, it's been changed
    # to a new one: reencrypt
    $newobj->{PASS_WORD} = Radmin::Util::unixEncryptPassword($newobj->{PASS_WORD})
        if $newobj->{Type} eq 'RADUSERS'
            && length $newobj->{PASS_WORD} != 13;
}

1;

===
Archive at http://www.open.com.au/archives/radmin/
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radmin' in the body of the message.
(RADIATOR) Re: Using RADIUS as authentication provider for WIN2K RRAS
Hello Ali -

You will first of all need to start Radiator (radiusd) as a service on the ports that you want it to listen on. Then you will be able to send authentication requests to it and it should respond. Note that you can also use the radpwtst program for testing.

hth

Hugh

On Tuesday 02 October 2001 17:22, Alireza Veiseh wrote:

Does anybody know how to setup Routing and Remote Access (RRAS) of WIN2k to use the radiator as the authentication provider? Do I need to edit the registry to add the radiator as a new service first?

Here is what I have done, but it doesn't work:

1. Opened the property window of the RRAS
2. selected the Security tab
3. selected the RADIUS Authentication as the Authentication provider
4. selected the Configure button
5. added the radiusd as the Server name and changed the port to 1647 (I'm sure this port works)
6. clicked Ok

When I restart the RRAS the server name is not recognized! When I changed the server name to localhost's Ip address, no error message appeared, however the authentication failed!

Alireza
(RADIATOR) Re: Fwd: BOUNCE radiator@open.com.au: Message too long (40000 chars)
Hello -

Hi Hugh,

I have another problem. As I pass the requests from the proxy server to the default realm, at startup of the proxy I am sending requests that are messing up the default server. When running radius I never had any problem and still do not; below is what I am talking about. Please advise best way around this,

The requests that you show in the debug trace are configuration requests from an Ascend MAX. You can turn these requests off on the MAX as shown in the following item from the Radiator FAQ:

71. My TNT sends authentication request for silly user names like banner, route1 etc

By default Ascend TNT will try to configure itself at startup by asking for various configuration items from the Radius server. You can turn this behaviour off with:

read EXTERNAL-AUTH
set rad-auth-client allow-auth-config-rqsts = no

To turn off the Remote config for a Max it's the following:

Ethernet-Mod Config-TServ options-Remote Conf=No

hth

Hugh
(RADIATOR) Re: Time Check item
To Radiator Gurus :)

I am currently using the Time Check item to block access to some users for a certain period of time. To allow access anytime, I have set the time check item to Al-2359. Unfortunately, when the user logs on after 23:59 say 23:59:01, RADIATOR won't allow access. RADIATOR produces the following log:

Tue Sep 25 23:59:24 2001: INFO: Access rejected for radiator: Time: not within an allowable Time range

How could I set the TIME check item so that user will be allowed access anytime. Currently the TIME check item is stored in a mYSQL table which radiator queries to authenticate users. I have tried leaving the field blank, but authentication fails. Any ideas on how I can go about this.

Thanks

Egie.
(RADIATOR) Re: Cisco NAS not returning Acct-Terminate-Cause
Hello -

You will need to check with Cisco about this - although I seem to remember some discussion a while back, so you should also check the archive site to see if there is something there (http://www.open.com.au/archives/radiator/).

regards

Hugh

On Wednesday 26 September 2001 02:03, cistron wrote:

Hello All,

I am running Radiator 2.18.4. I have added AddtoReply Service-Type . for Cisco. I can get accounting on other NASs but on Cisco Acct-Terminate-Cause is returned null although it should give User request as is the case with the other NAS. It is also shown in the dictionary file. Can you kindly tell what I am missing.

Thanks and Regards.
(RADIATOR) Re: Time check item
Hello Edgar -

I would just remove the Time check item, as you did. Why is Radiator rejecting the request? Can you send me a copy of the configuration and a trace 4 debug showing what is happening?

thanks

Hugh

On Wednesday 26 September 2001 10:47, you wrote:

To Radiator Gurus :)

I am currently using the Time Check item to block access to some users for a certain period of time. To allow access anytime, I have set the time check item to Al-2359. Unfortunately, when the user logs on after 23:59 say 23:59:01, RADIATOR won't allow access. RADIATOR produces the following log:

Tue Sep 25 23:59:24 2001: INFO: Access rejected for radiator: Time: not within an allowable Time range

How could I set the TIME check item so that user will be allowed access anytime. Currently the TIME check item is stored in a MySQL table which radiator queries to authenticate users. I have tried leaving the field blank, but authentication fails. Any ideas on how I can go about this.

Thanks

Egie.

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Edgar R Gutierrez [EMAIL PROTECTED]
Sent: Tuesday, May 29, 2001 1:37 PM
Subject: Re: MOdificatin on prepareAndExecute

Hello Edgar -

The variable $sth is a DBI statement handle which will allow you to use any of the DBI routines as well as any of the SqlDb routines. I suggest you have a look at what operations are supported on $sth in DBI. My cursory reading of DBI.pm would indicate that something like this might be what you want:

my $rows = $sth->rows;

regards

Hugh

On Tuesday 29 May 2001 11:36, you wrote:

Ok... Anyway, it would be helpful if you could make available SqlDb routines which can enable users to count the number of rows affected by a query. This would really help us in writing Hooks without having to re-write code that already exists. If ever there is an existing routine which I can use to do this, please tell me. If not, I guess I just have to do this on my own for now until a version of Radiator can be released which can allow me to do this. Thanks anyway. Your support is highly appreciated.

---
Edgar R Gutierrez
Technical Operations Manager
Impact Information Systems Corp.
Mobile: +63917 9802340
Telephone: +632 7291840 Local 21
Fax: +632 8167179
Email: [EMAIL PROTECTED]
URL: www.impactnet.com
are you on the internet yet?

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Edgar R Gutierrez [EMAIL PROTECTED]
Sent: Tuesday, May 29, 2001 8:37 AM
Subject: Re: MOdificatin on prepareAndExecute

Hello Edgar -

I am sorry, but I am not able to assist you with this sort of question. If you have questions regarding Radiator configurations, I am happy to help, but if you want to learn how to modify the source code you will have to do it on your own. We do not provide this sort of assistance.

As a general rule I always try to do as much as I can with the configuration file, and only in certain circumstances will I use a Hook. The only modifications to the source code are additions to the base product that are rolled in to the standard distribution.

BTW - the latest version of Radiator is 2.18.1.

regards

Hugh

On Monday 28 May 2001 18:13, you wrote:

I am currently using Radiator v. 2.16.3. I modified line 213 of SqlDb.pm

previous: return;
modified: return $rc;

This is to return the number of lines affected by the sql statement. Will this work?
(RADIATOR) Re: GetProfile
I have created a table of profiles to return various attributes for different categories of customers. Only attributes of the 1st profile are being returned successfully. The others are ignored. What can be the problem? Below is my profile table:

email:3com:Idle-Timeout =120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0, USR-IP-Input-Filter = 1 ACCEPT dst-addr = x.x.x.x/19,USR-IP-Input-Filter = 2 DENY
full:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0
full-x.x.x.x:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address =x.x.x.x
full-x.x.x.x:3com:Idle-Timeout =120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address = x.x.x.x
full-y.y.y.y:3com:Idle-Timeout =120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address = y.y.y.y
(RADIATOR) Re: UseAddressHInt Problems
I have implemented UseAddressHint option to allow customers connect with specific Framed-IP-Address addresses on their machines. However, the system rather than use the specified IPs is allocating from its pool to the connect. What can be wrong? I am using Radiator 2.18

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Kyle [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, August 11, 2001 1:48 AM
Subject: Re: (RADIATOR) Handler clause

Hello Kyle -

What you show below is not correct. Keep in mind that what is used in either Realms or Handlers is the information received in the incoming request (for the most part). If you want to send different attributes to different NAS clients, you should use the PostAuthHook construct, perhaps in conjunction with a StartupHook and/or some information in a database. There are some example hooks that implement a scheme like this in the file called goodies/hooks.txt in the Radiator distribution.

Alternatively you could do something like this:

# define Client clauses with Identifiers
<Client .>
    Identifier Ascend
    ..
</Client>

<Client .>
    Identifier Patton
    ..
</Client>

# define Handlers
<Handler Realm = myRealm, Client-Identifier = Ascend>
    ..
</Handler>

<Handler Realm = myRealm, Client-Identifier = Patton>
    ..
</Handler>

Note that the above will work for a small number of Realms and NAS's, but for anything more you should consider the hooks.

regards

Hugh

On Saturday 11 August 2001 01:58, Kyle wrote:

Hugh,

Is it legal in the realms.cfg file to place a Handler clause inside of a Realm clause? Let's say if I wanted to do something like:

<Realm myReal>
    <Handler someNasAttribute>
        // Make some replies
    </Handler>
    <Handler someOtherNasAttribute>
        // Make some other replies
    </Handler>
</Realm>

I remember reading something on this, but can't find it again. Basically, I want to be able to take a single value, such as idle-timeout, and be able to pass it to a nas in its correct format. I.E, our Ascend would take the value as Ascend-Idle-Timeout where as our Patton would take the value as just Idle-Timeout.
(RADIATOR) Re: GetProfile
Hello 'Tunde -

As always, I will need to see a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is going on. I will also need to see the hook code.

thanks

Hugh

On Wednesday 19 September 2001 11:09, 'Tunde Ogedengbe wrote:

I have created a table of profiles to return various attributes for different categories of customers. Only attributes of the 1st profile are being returned successfully. The others are ignored. What can be the problem? Below is my profile table:

email:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0, USR-IP-Input-Filter = 1 ACCEPT dst-addr = x.x.x.x/19,USR-IP-Input-Filter = 2 DENY
full:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0
full-x.x.x.x:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address = x.x.x.x
full-x.x.x.x:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address = x.x.x.x
full-y.y.y.y:3com:Idle-Timeout = 120,Framed-Protocol=PPP,Framed-IP-Netmask=255.255.255.0,Framed-IP-Address = y.y.y.y
Re: (RADIATOR) RE: AccLogFileFormat
Hello Paul -

You have to specify which AuthLog you want to use, FILE, SQL or SYSLOG.

#define AuthLog FILE
<AuthLog FILE>
    .
</AuthLog>

hth

Hugh

On Tuesday 18 September 2001 15:53, Paul Thorton wrote:

Hi,

As per previous email. I have attempted to use the AuthLog option instead to get the code / Pwd returned, but it looks like The AuthBy module is not installed. Where can I get this?

Can't locate Radius/AuthLog.pm in @INC (@INC contains: . /usr/local/lib/perl5/5.6.1/sun4-solaris /usr/local/lib/perl5/5.6.1 /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005/sun4-solaris /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl .) at /usr/local/lib/perl5/site_perl/5.005/Radius/ServerConfig.pm line 106, <FILE> line 22.

Thanks,
Paul

I have set up a new AcctLogFileFormat and was wondering why I am not getting 2 values back?

AcctLogFileName /var/log/radius/new.log
AcctLogFileFormat %{Timestamp}|%{Acct-Session-Id}|%{Acct-Status-Type}|%{User-Name}|%{User-Password}|%{Class}|%{NAS-IP-Address}|%{NAS-Port}|%{NAS-Port-Type}|%{Framed-Protocol}|%{Framed-IP-Address}|%{Called-Station-Id}|%{Calling-Station-Id}|%{Ascend-Disconnect-Cause}|%{Acct-Input-Octets}|%{Acct-Output-Octets}|%{Acct-Session-Time}|%{Reply:code}

All values are being returned except for:

%{User-Password} - Any
and
%{Reply:code} - Access Accept or Reject for example

I can do it in a hook, but the replyhook does not work in AuthBy File

I.E.

my $original_packet = ${$_[2]};
my $reply_packet = ${$_[0]};
my $debug_what = $reply_packet->code();    # <- Here
my $debug_pwd = $original_packet->decode_password($original_packet->{Client}->{Secret});

Can someone please help?

Thanks,
Paul
(RADIATOR) RE: AccLogFileFormat
Hi,

As per previous email. I have attempted to use the AuthLog option instead to get the code / Pwd returned, but it looks like The AuthBy module is not installed. Where can I get this?

Can't locate Radius/AuthLog.pm in @INC (@INC contains: . /usr/local/lib/perl5/5.6.1/sun4-solaris /usr/local/lib/perl5/5.6.1 /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.005/sun4-solaris /usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl .) at /usr/local/lib/perl5/site_perl/5.005/Radius/ServerConfig.pm line 106, <FILE> line 22.

Thanks,
Paul

I have set up a new AcctLogFileFormat and was wondering why I am not getting 2 values back?

AcctLogFileName /var/log/radius/new.log
AcctLogFileFormat %{Timestamp}|%{Acct-Session-Id}|%{Acct-Status-Type}|%{User-Name}|%{User-Password}|%{Class}|%{NAS-IP-Address}|%{NAS-Port}|%{NAS-Port-Type}|%{Framed-Protocol}|%{Framed-IP-Address}|%{Called-Station-Id}|%{Calling-Station-Id}|%{Ascend-Disconnect-Cause}|%{Acct-Input-Octets}|%{Acct-Output-Octets}|%{Acct-Session-Time}|%{Reply:code}

All values are being returned except for:

%{User-Password} - Any
and
%{Reply:code} - Access Accept or Reject for example

I can do it in a hook, but the replyhook does not work in AuthBy File

I.E.

my $original_packet = ${$_[2]};
my $reply_packet = ${$_[0]};
my $debug_what = $reply_packet->code();    # <- Here
my $debug_pwd = $original_packet->decode_password($original_packet->{Client}->{Secret});

Can someone please help?

Thanks,
Paul
Re: (RADIATOR) Re: REPLYATTR SQL problem
Hugh:

The length of the CHECKATTR REPLYATTR is 400 characters. Find below some information (Config, ReplyAttr Trace 4 Debug)

Config File:

Foreground
LogStdout
LogDir e:/radiator/radiator-2.18.2
DbDir e:/radiator/radiator-2.18.2
Trace 3
LogFile %L/logfile
AuthPort 1645
AcctPort 1646
#DictionaryFile %D/dictionary

<Client x.x.x.x>
    Secret xxx
    IgnoreAcctSignature
</Client>

# This will authenticate users from SubsInfo
<Realm DEFAULT>
    PasswordLogFileName pwdtunde
    AcctLogFileName %L/detail
    <AuthBy SQL>
        # Adjust DBSource, DBUsername, DBAuth to suit your DB
        DefaultSimultaneousUse 5
        DBSource dbi:ODBC:optiusers
        DBUsername sa
        DBAuth dl380linkserve
        AuthSelect select PASSWORD, CHECKATTR, REPLYATTR from SubsInfo where USERNAME='%n'
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, GENERIC, check
        AuthColumnDef 2, GENERIC, reply
        # store accounting records in RADUSAGEmm table
        AccountingTable AcctInfo
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        # You can arrange to log accounting to a file if the
        # SQL insert fails with AcctFailedLogFileName
        # That way you could recover from a broken SQL
        # server
        AcctFailedLogFileName %D/missedaccounting
    </AuthBy>
</Realm>

ReplyAttr Values
---
Idle-Timeout = 120, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.0, Filter-Id = email, USR-IP-Input-Filter = 1 ACCEPT dst-addr = 195.166.232.000/24, USR-IP-Input-Filter = 2 ACCEPT dst-addr = 195.166.228.000/24, USR-IP-Input-Filter = 3 ACCEPT dst-addr = 195.166.226.000/24, USR-IP-Input-Filter = 4 ACCEPT dst-addr = 195.166.230.000/24, USR-IP-Input-Filter = 5 ACCEPT dst-addr = 195.166.232.000/24, USR-IP-Input-Filter = 6 REJECT tcp-dst-port = 80, USR-IP-Input-Filter = 7 REJECT tcp-src-port = 80, USR-IP-Input-Filter = 8 DENY

Trace 4 Debug
-
Tue Sep 11 10:03:30 2001: ERR: Attribute number 38998 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:30 2001: ERR: Attribute number 39000 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:32 2001: ERR: Attribute number 39049 (vendor 429) is not defined in your dictionary
DBD::ODBC::st fetchrow failed: [Microsoft][ODBC Microsoft Access Driver]String data, right truncated on column number 3 (REPLYATTR) (SQL-01004)(DBD: st_fetch/SQLFetch (long truncated) err=1) at Radius/SqlDb.pm line 283.
Tue Sep 11 10:03:32 2001: INFO: Access rejected for merinv: No such user
Tue Sep 11 10:03:33 2001: ERR: Attribute number 38998 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 39000 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 39001 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 39051 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 39049 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 38998 (vendor 429) is not defined in your dictionary
Tue Sep 11 10:03:33 2001: ERR: Attribute number 39000 (vendor 429) is not defined in your dictionary

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 11, 2001 2:25 AM
Subject: (RADIATOR) Re: REPLYATTR SQL problem

Hello 'Tunde -

On Tuesday 11 September 2001 04:35, 'Tunde Ogedengbe wrote:

Hello:

Does the REPLYATTR field have a field length limitation? I am having problems with Attributes loaded in my SQL database which is about 400 long. The ODBC Driver is reporting an error String truncated. I am authenticating via MySQL. Pls help resolve this problem.

The REPLYATTR field is defined in your database - what size have you defined it to be? And when are you getting the error?

As usual, I will need to see a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator and a copy of the table definitions for the database.

regards

Hugh
(RADIATOR) Re: Grouping Check Repl Attributes
I have different Check Reply Attributes for different categories of customers. For instance, I apply Filter USR-IP-Input Filter on some customers, I restrict some customers to connect at a particular period while other customers have no restriction. With a large size of customers, I want to avoid setting up these attributes for each customer. I want to be able to create 4 default categories of attributes of Check Reply items. I can now specify which category each customer belongs to.

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 11, 2001 2:28 AM
Subject: Re: Grouping Check Repl Attributes

Hello 'Tunde -

On Tuesday 11 September 2001 05:12, 'Tunde Ogedengbe wrote:

Hugh:

I have three categories of Check Reply Items. How can I avoid repeating the Check Reply Items for each user by attaching each user to its Check Reply Attribute Group. I am using MySQL to authenticate.

I am not quite sure I understand what you are trying to do, could you provide a bit more detail on the requirement please?

thanks

Hugh
(RADIATOR) Re: DNS Suffix question ?
Hello Tuncay -

There is currently nothing defined in the radius protocol to support this, which is why Ascend has their own vendor-specific and Cisco has their own cisco-avpair. You should really ask your NAS vendor what support there is for this in their software (and let us know what you find).

regards

Hugh

On Tuesday 11 September 2001 19:41, Tuncay MARGILIC wrote:

Hello,

I am trying to send DNS suffix (eg. domain.com) at each users reply. But I was not able to find the attribute on the dictionary. Is there anyway to do that.

Regards,
Tuncay
(RADIATOR) Re: Grouping Check Repl Attributes
Hello 'Tunde -

Thanks for the additional information.

Probably the simplest thing to do is use multiple AuthBy SQL clauses, the first to look up the user together with the Check and Reply item tags, then a second one to look up the definitions for those tags.

You could also use a system of Profiles that are loaded into Radiator's memory at startup and use a PostAuthHook to do the processing. There is an example of a similar system in the file goodies/hooks.txt in the Radiator distribution.

There is also support in the latest version of Radiator (2.18.4) for multiple AuthSQLStatements that could be used for the same purpose as well.

hth

Hugh

On Tuesday 11 September 2001 18:38, 'Tunde Ogedengbe wrote:

I have different Check Reply Attributes for different categories of customers. For instance, I apply Filter USR-IP-Input Filter on some customers, I restrict some customers to connect at a particular period while other customers have no restriction. With a large size of customers, I want to avoid setting up these attributes for each customer. I want to be able to create 4 default categories of attributes of Check Reply items. I can now specify which category each customer belongs to.

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 11, 2001 2:28 AM
Subject: Re: Grouping Check Repl Attributes

Hello 'Tunde -

On Tuesday 11 September 2001 05:12, 'Tunde Ogedengbe wrote:

Hugh:

I have three categories of Check Reply Items. How can I avoid repeating the Check Reply Items for each user by attaching each user to its Check Reply Attribute Group. I am using MySQL to authenticate.

I am not quite sure I understand what you are trying to do, could you provide a bit more detail on the requirement please?

thanks

Hugh
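The two-stage lookup suggested in the reply above (first the user row with its profile tag, then the definition of that tag), as an added Python/sqlite3 example that is not Radiator code and not part of the original messages. The PROFILES table, the PROFILE column, the sample rows and the function names are assumptions made for illustration; a user whose tag has no definition is refused rather than returned with an empty attribute list.

```python
import sqlite3

# Hypothetical schema: each user carries a profile tag instead of its own
# CHECKATTR/REPLYATTR strings; the tag is defined once in PROFILES.
SCHEMA = """
CREATE TABLE SUBSINFO (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT, PROFILE TEXT);
CREATE TABLE PROFILES (NAME TEXT PRIMARY KEY, CHECKATTR TEXT, REPLYATTR TEXT);
"""

# Constructed sample rows, modelled on the attribute lists quoted in the thread.
PROFILE_ROWS = [
    ("email", "Time = Al0800-1800",
     "Idle-Timeout = 120, Framed-Protocol = PPP, "
     "Framed-IP-Netmask = 255.255.255.0, "
     "USR-IP-Input-Filter = 1 ACCEPT dst-addr = 192.0.2.0/24, "
     "USR-IP-Input-Filter = 2 DENY"),
    ("full", "",
     "Idle-Timeout = 120, Framed-Protocol = PPP, "
     "Framed-IP-Netmask = 255.255.255.0"),
]
USER_ROWS = [
    ("alice", "pw-a", "email"),
    ("bob", "pw-b", "full"),
    ("carol", "pw-c", "gold"),  # tag that has no definition in PROFILES
]


def build_demo_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PROFILES VALUES (?, ?, ?)", PROFILE_ROWS)
    conn.executemany("INSERT INTO SUBSINFO VALUES (?, ?, ?)", USER_ROWS)
    return conn


def parse_attrs(text):
    """Split 'Name = value, Name = value' into ordered (name, value) pairs.

    Only the first '=' separates name from value, so filter rules such as
    '1 ACCEPT dst-addr = 192.0.2.0/24' stay intact, and repeated names
    (several USR-IP-Input-Filter items) are all kept in order.
    """
    pairs = []
    for item in (text or "").split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed attribute item: %r" % item)
        pairs.append((name.strip(), value.strip()))
    return pairs


def resolve_user(conn, username):
    """Return password plus check/reply pairs for a user, or None if unknown."""
    # Stage 1: user row and its profile tag. The user name is bound as a
    # parameter, never pasted into the SQL text.
    row = conn.execute(
        "SELECT PASSWORD, PROFILE FROM SUBSINFO WHERE USERNAME = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    password, tag = row
    # Stage 2: definition of the tag.
    profile = conn.execute(
        "SELECT CHECKATTR, REPLYATTR FROM PROFILES WHERE NAME = ?",
        (tag,),
    ).fetchone()
    if profile is None:
        # Fail closed: an undefined tag must not become "no restrictions".
        raise LookupError("user %r references undefined profile %r"
                          % (username, tag))
    return {
        "password": password,
        "check": parse_attrs(profile[0]),
        "reply": parse_attrs(profile[1]),
    }


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("alice", "bob", "nobody"):
        print(user, resolve_user(db, user))
```
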
(RADIATOR) Re: Grouping Check Repl Attributes
Hello 'Tunde -

On Tuesday 11 September 2001 05:12, 'Tunde Ogedengbe wrote:

Hugh:

I have three categories of Check Reply Items. How can I avoid repeating the Check Reply Items for each user by attaching each user to its Check Reply Attribute Group. I am using MySQL to authenticate.

I am not quite sure I understand what you are trying to do, could you provide a bit more detail on the requirement please?

thanks

Hugh
(RADIATOR) Re: Authentication Problem
Hello 'Tunde -

On Monday 10 September 2001 22:44, 'Tunde Ogedengbe wrote:

I need help pls! and very URGENTLY too! My RADIATOR Authentication is suddenly rejecting all passwords. It is logging encrypted passwords in password.log. I am not using encryption at all. I am authenticating via ODBC. I tried with User flat file without any success.

I will need to see a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

thanks

Hugh
(RADIATOR) Re: REPLYATTR SQL problem
Hello 'Tunde -

On Tuesday 11 September 2001 04:35, 'Tunde Ogedengbe wrote:

Hello:

Does the REPLYATTR field have a field length limitation? I am having problems with Attributes loaded in my SQL database which is about 400 long. The ODBC Driver is reporting an error String truncated. I am authenticating via MySQL. Pls help resolve this problem.

The REPLYATTR field is defined in your database - what size have you defined it to be? And when are you getting the error?

As usual, I will need to see a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator and a copy of the table definitions for the database.

regards

Hugh
Re: (RADIATOR) Re: IP restriction
Hugh:

We have series of Netservers that assign specific range of IP to connecting customers. We want to force compliance from within Radius. This means that specifying in RADIUS what IP range the Netserver can assign to the customer.

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 06, 2001 12:22 AM
Subject: (RADIATOR) Re: IP restriction

Hello 'Tunde -

On Wednesday 05 September 2001 21:18, 'Tunde Ogedengbe wrote:

I have a set of Netservers. How do I restrict the use of IP to a particular Netserver within Radius?

I don't understand the question, sorry. Could you explain what you mean?

thanks

Hugh
(RADIATOR) Re: Authentication BY SQL
for spaspool: Bad Password
Thu Sep 6 15:20:43 2001: DEBUG: Packet dump:
*** Sending to 195.166.231.247 port 1645
Code: Access-Reject
Identifier: 125
Authentic: 14312322280150158243205$215182f6k157
Attributes:
    Reply-Message = Request Denied

Thu Sep 6 15:20:45 2001: ERR: Attribute number 39049 (vendor 429) is not defined in your dictionary
Thu Sep 6 15:20:45 2001: DEBUG: Packet dump:
*** Received from 195.166.231.247 port 1645
Code: Access-Request
Identifier: 126
Authentic: {247248X149145159215v130187J161235242!
Attributes:
    User-Name = prawa
    User-Password = 185o197q1(177252195A#18121721227
    NAS-IP-Address = 195.166.231.247
    NAS-Port = 12
    Acct-Session-Id = 721209
    USR-Interface-Index = 1268
    Service-Type = Framed-User
    Framed-Protocol = PPP
    USR-Chassis-Call-Slot = 1
    USR-Chassis-Call-Span = 1
    USR-Chassis-Call-Channel = 12
    USR-Connect-Speed = NONE
    Calling-Station-Id =
    Called-Station-Id =
    NAS-Port-Type = Async

Thu Sep 6 15:20:45 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Sep 6 15:20:45 2001: DEBUG: Deleting session for prawa, 195.166.231.247, 12
Thu Sep 6 15:20:45 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep 6 15:20:45 2001: DEBUG: Handling with Radius::AuthSQL
Thu Sep 6 15:20:45 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='prawa'
Thu Sep 6 15:20:45 2001: DEBUG: Radius::AuthSQL looks for match with prawa
Thu Sep 6 15:20:45 2001: DEBUG: Radius::AuthSQL REJECT: Bad Password
Thu Sep 6 15:20:45 2001: DEBUG: Query is: select PASSWORD, CHECKATTR, REPLYATTR from SUbsInfo where USERNAME='DEFAULT'
Thu Sep 6 15:20:45 2001: INFO: Access rejected for prawa: Bad Password
Thu Sep 6 15:20:45 2001: DEBUG: Packet dump:
*** Sending to 195.166.231.247 port 1645
Code: Access-Reject
Identifier: 126
Authentic: {247248X149145159215v130187J161235242!
Attributes:
    Reply-Message = Request Denied

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street Victoria Island Lagos - Nigeria
Tel: +234 1 2623900 Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 06, 2001 12:22 AM
Subject: (RADIATOR) Re: IP restriction

Hello 'Tunde -

On Wednesday 05 September 2001 21:18, 'Tunde Ogedengbe wrote:

I have a set of Netservers. How do I restrict the use of IP to a particular Netserver within Radius?

I don't understand the question, sorry. Could you explain what you mean?

thanks

Hugh
Re: (RADIATOR) Re: IP restriction
Hello 'Tunde -

You usually do this by specifying a suitable Framed-IP-Netmask in the reply attributes, but you will have to check with the vendor what is correct for a Netserver. Here is what usually works however:

    Framed-IP-Netmask = 255.255.255.254

regards

Hugh

On Thursday 06 September 2001 21:07, 'Tunde Ogedengbe wrote:

Hugh:

We have series of Netservers that assign specific range of IP to connecting customers. We want to force compliance from within Radius. This means that specifying in RADIUS what IP range the Netserver can assign to the customer.

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: 'Tunde Ogedengbe [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 06, 2001 12:22 AM
Subject: (RADIATOR) Re: IP restriction

Hello 'Tunde -

On Wednesday 05 September 2001 21:18, 'Tunde Ogedengbe wrote:

I have a set of Netservers. How do I restrict the use of IP to a particular Netserver within Radius?

I don't understand the question, sorry. Could you explain what you mean?

thanks

Hugh
(RADIATOR) Re: IP restriction
Hello 'Tunde -

On Wednesday 05 September 2001 21:18, 'Tunde Ogedengbe wrote:

I have a set of Netservers. How do I restrict the use of IP to a particular Netserver within Radius?

I don't understand the question, sorry. Could you explain what you mean?

thanks

Hugh
(RADIATOR) Re: Radiator on Windows 2000
Hugh

On Friday 31 August 2001 02:22, 'Tunde Ogedengbe wrote:

Hugh:

See conf below: (radius.cfg)

Foreground
LogStdout
Trace 3
PidFile /usr/local/etc/raddb/radiusd.pid
AuthPort 1645
AcctPort 1646
LogDir /usr/local/etc/raddb
DbDir /usr/local/etc/raddb
LogFile %L/logfile.%Y.%m.%d
DictionaryFile %D/dictionary
SnmpgetProg /usr/bin/snmpget

<Client X.X.X.X>
    Secret
    IgnoreAcctSignature
</Client>

<Realm DEFAULT>
    AcctLogFileName %L/detail.%Y.%m.%d
    RejectHasReason
    <AuthBy FILE>
        Identifier Check-FILE
        Filename %D/users
        DefaultSimultaneousUse 1
    </AuthBy>
    <AuthBy UNIX>
        Identifier Check-UNIX
        Filename /etc/shadow
        DefaultSimultaneousUse 1
    </AuthBy>
</Realm>

'Tunde Ogedengbe

ORIGINAL MESSAGE BELOW

Hello Camilo, Hello 'Tunde -

In general, problems with simultaneous use are usually due to dropped accounting packets (sometimes congested links, sometimes NAS bugs, sometimes configuration problems with Radiator).

I am happy to assist with any problems, but I need to see what is going on. Please send me a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator showing the problem. It would also be helpful if you could provide some description of what you are trying to accomplish.

thanks

Hugh

On Thursday 30 August 2001 01:04, Camilo Fernando Corena G. wrote:

I have the same problem. Someone can help us???

'Tunde Ogedengbe wrote:

Hello:

We are having problems with this attribute. In some of our installations, the attribute does not work at all and so no restriction is enforced. On another installation, it works but with severe problems. For instance customers with an attribute of 1 who previously connected to our system and later disconnected are having problems reconnecting. This has resulted in a serious problem in which a significant percentage of connection problems were related to the SimultaneousUse attribute. What we have done in the interim is to set the attribute to 3.

How can we resolve this problem?

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: lloyd [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 29, 2001 8:48 AM
Subject: (RADIATOR) Re: two authby clauses

Hello Lloyd -

What exactly are you trying to do?

thanks

Hugh

On Wednesday 29 August 2001 14:28, lloyd wrote:

hi,

how do i configure radiator in such a way that before it proxy's to another radius server, it checks for the Called-Station-Id in say a flat file or a database? will this work (file based with only one field: telephonenumbers).

<AuthBy FILE>
    Identifier calledstationid
    FileName %d/Called-Station-ID
</AuthBy>

<AuthBy RADIUS>
    Identifier radiusproxy
    Host ***.***.***.***
    Secret **
    AuthPort
    AcctPort
</AuthBy>

<Realm>
    AuthByPolicy ContinueAlways
    AuthBy calledstationid
    AuthBy radiusproxy
</Realm>

Lloyd Dagoc
InterDotNet Philippines Inc.
(RADIATOR) Re: Radiatior and PAM authentication for Kerberos 5
I think I fixed the problem (wasn't running radiator as root). I am interested if this is how others are doing kerb.

Thanks,
Mike Forbes

On Fri, 31 Aug 2001, Forbes Mike wrote:

I am using Radiator on Redhat 7.1 with PAM authentication. I have the radius.cfg as follows:

<Realm DEFAULT>
    <AuthBy PAM>
        Service radiusd
    </AuthBy>
    # Log accounting to a detail file
    AcctLogFileName %L/detail
</Realm>

<Client x.x.x.x>
    Secret mysecret
    NasType Cisco
    DupInterval 0
</Client>

more /etc/pam.d/radiusd
auth required /lib/security/pam_krb5.so

I get the following /var/messages

Aug 31 21:10:54 radii perl: pam_krb5: authentication succeeds for forbeskm

I get the following from radius logfile

Fri Aug 31 21:10:54 2001: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 31 21:10:54 2001: DEBUG: Deleting session for forbeskm, x.x.x.x, 3
Fri Aug 31 21:10:54 2001: DEBUG: Handling with PAM service radiusd
Fri Aug 31 21:10:54 2001: DEBUG: PAM is asking for 'Password'
Fri Aug 31 21:10:54 2001: INFO: Access rejected for forbeskm: Authentication service cannot retrieve authentication info.:
Fri Aug 31 21:10:54 2001: DEBUG: Packet dump:

Why is this failing, is it my krb5.conf that may be misconfigured. I did not have any luck with getting more debug info from putting debug = true in the [pam] section.

Anybody else doing kerb5 authentication with the radiator??

Thanks,
Mike Forbes
(RADIATOR) Re: Fwd: Cisco-NAS-Port
Hello Andy -

I have problem with identifying channel on BRI interface. If I set radius-server attribute nas-port format x, where x is a,b,c or d I get Cisco-NAS-Port in format BRI X/Y/Z, but I need channel info or some information to identify unique voice channel. Could you help me please?

I would have thought that the combination of Cisco-NAS-Port and the Service-Type attribute would give you the information you need, however I am not an expert on Cisco voice features. I have posted this message to the Radiator mailing list, as someone else may have a better idea.

regards

Hugh
(RADIATOR) Re: two authby clauses
Hello Lloyd -

What exactly are you trying to do?

thanks

Hugh

On Wednesday 29 August 2001 14:28, lloyd wrote:

hi,

how do i configure radiator in such a way that before it proxy's to another radius server, it checks for the Called-Station-Id in say a flat file or a database? will this work (file based with only one field: telephonenumbers).

<AuthBy FILE>
    Identifier calledstationid
    FileName %d/Called-Station-ID
</AuthBy>

<AuthBy RADIUS>
    Identifier radiusproxy
    Host ***.***.***.***
    Secret **
    AuthPort
    AcctPort
</AuthBy>

<Realm>
    AuthByPolicy ContinueAlways
    AuthBy calledstationid
    AuthBy radiusproxy
</Realm>

Lloyd Dagoc
InterDotNet Philippines Inc.
(RADIATOR) Re: Using Alive Accounting packets to update Session DB
Hello Richard -

AccountingAlivesOnly is supported in an AuthBy clause (it's in the code and the manual will be fixed in the next release). And Alives are also handled automatically by the session database which performs an AddQuery for them.

The other things that you mention can either be implemented as you point out by special Handler(s), or by custom hooks. BTW - you can also use an AuthBy SQL in the Handler as above, and just put one or more AcctSQLStatements in it to do whatever you need.

Note that we have developed something similar for another customer on a contract basis and we could do the same for you if you are interested.

regards

Hugh

On Wednesday 29 August 2001 21:12, Richard Lennerts wrote:

Hi Mike/Hugh,

I was going to send the message below to the mailing list, but I thought it might be more appropriate to send it you guys first. Please feel free to send it to the list if it would be better dealt with there.

--

Hi,

Just wondering whether anyone has managed to use Alive Accounting packets to update the records in an external Session DB. We would like to store in out octets in the session DB along with a timestamp of when the session was last updated. Then perhaps on a client (NAS) basis get Radiator to drop records in the Session database if it hasn't received an Alive packet within x minutes. Perhaps putting in a validity timestamp which would function similar to the Lease periods used with the AddressAllocater would be better, and then have a periodic task cleaning out invalid records in the SessionDatabase and optionally generating Radius stop packets.

Is someone able to give me a few pointers on how this could be done perhaps with a Handler Acct-Status-Type = Alive block?

Perhaps I could put in a feature request to:

- Add a keyword AccountingAliveOnly to the AuthBy module
  This would enable special handling of Alive packets in an AuthBy clause that could also be used to update Accounting Logs.

and/or

- Add a keyword to the Handler module like UpdateSessDBWithAlive
  This would then flag Radiator to use Alive packets to update the Session DB.
- Add a method UpdateQuery to the SessionDatabase module
- Add a keyword SessionValidNoAlive xxx to the Client module
  This, if specified, would be added to the Timestamp of the Alive packet and entered as the ValidTo column of the Session DB.
- Add a keyword GenerateStopForInvalidSessions in the SessionDatabase module
  Which would trigger some cleanup process to create an artificial stop packet when clearing invalid records from the Session DB.

All these extra features combined should let Radiator cater for the above mentioned scenario. With more ISP's moving to a virtual port model where information to real-time statistics/monitoring is limited, this would be an effective way of ensuring that Session statistics remain relatively accurate and provides some protection on the loss of Alive/Stop packets.

Maybe there is already a way to do this but I couldn't see how by scanning the reference manual. Hope you guys can help.

Regards,

Richard Lennerts                           | p: +61 8 6211 5500
Technical Director                         | f: +61 8 9325 6855
Vianet Communications Pty. Ltd.            | e: [EMAIL PROTECTED]
Lvl 6, 200 Adelaide Tce East Perth WA 6004 | w: www.vianet.net.au
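The lease scheme proposed in this message, sketched as an added example (not Radiator code and not part of the original thread): Start and Alive packets refresh a validity timestamp, the simultaneous-use check ignores expired rows, and a cleanup pass emits artificial Stop records. The table layout, the class and method names, and the sample packets are all hypothetical; only the keyword ideas (SessionValidNoAlive, an artificial Stop on cleanup) come from the message.

```python
import sqlite3

NEVER = 2**62  # stand-in expiry for a session database that keeps no lease


class SessionDB:
    """In-memory stand-in for an SQL session database (hypothetical schema)."""

    def __init__(self, lease=None):
        # lease: seconds a row stays valid after the last Start/Alive, the
        # role SessionValidNoAlive plays in the proposal. None = never expire.
        self.lease = lease
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (nas TEXT, nas_port INTEGER, username TEXT,"
            " session_id TEXT, in_octets INTEGER, out_octets INTEGER,"
            " last_update INTEGER, valid_to INTEGER, PRIMARY KEY (nas, nas_port))")

    def accounting(self, req):
        """Apply one accounting request (a dict of RADIUS attributes)."""
        key = (req["NAS-IP-Address"], req["NAS-Port"])
        if req["Acct-Status-Type"] == "Stop":
            self.db.execute("DELETE FROM sessions WHERE nas=? AND nas_port=?", key)
            return
        # Start and Alive both rewrite the row, so an Alive refreshes the
        # octet counters and pushes valid_to forward.
        ts = req["Timestamp"]
        valid_to = NEVER if self.lease is None else ts + self.lease
        self.db.execute(
            "INSERT OR REPLACE INTO sessions VALUES (?,?,?,?,?,?,?,?)",
            key + (req["User-Name"], req["Acct-Session-Id"],
                   req.get("Acct-Input-Octets", 0), req.get("Acct-Output-Octets", 0),
                   ts, valid_to))

    def allow_login(self, username, now, simultaneous_use=1):
        """Simultaneous-use check that ignores rows whose lease has run out."""
        (count,) = self.db.execute(
            "SELECT COUNT(*) FROM sessions WHERE username=? AND valid_to>=?",
            (username, now)).fetchone()
        return count < simultaneous_use

    def expire(self, now):
        """Delete stale rows and return an artificial Stop record for each."""
        rows = self.db.execute(
            "SELECT nas, nas_port, username, session_id, in_octets, out_octets,"
            " last_update FROM sessions WHERE valid_to<?", (now,)).fetchall()
        self.db.execute("DELETE FROM sessions WHERE valid_to<?", (now,))
        return [{"Acct-Status-Type": "Stop", "NAS-IP-Address": r[0],
                 "NAS-Port": r[1], "User-Name": r[2], "Acct-Session-Id": r[3],
                 "Acct-Input-Octets": r[4], "Acct-Output-Octets": r[5],
                 "Timestamp": r[6]} for r in rows]


def replay(db):
    """Constructed trace: Start, one Alive, then the Stop never arrives."""
    base = {"NAS-IP-Address": "192.0.2.10", "NAS-Port": 12,
            "User-Name": "alice", "Acct-Session-Id": "0001"}
    db.accounting({**base, "Acct-Status-Type": "Start", "Timestamp": 0})
    db.accounting({**base, "Acct-Status-Type": "Alive", "Timestamp": 300,
                   "Acct-Input-Octets": 5000, "Acct-Output-Octets": 90000})
    # The user hangs up at t=350 and the Stop packet is lost on the way.
    return {"redial_at_400": db.allow_login("alice", 400),
            "redial_at_1000": db.allow_login("alice", 1000),
            "artificial_stops": db.expire(1000)}


if __name__ == "__main__":
    print("no lease  :", replay(SessionDB()))
    print("600s lease:", replay(SessionDB(lease=600)))
```

The lease bounds the lockout after a lost Stop rather than removing it: the redial at t=400 is still refused, and the artificial Stop carries the counters of the last Alive, so usage after that Alive is not billed.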
(RADIATOR) Re:
Hello David -

My Cisco won't send the Framed-IP-Address attribute when starting a session. I've seen you talk about copying the attribute with a hook, but I can't find it and I can't figure out how to do that.

Here's the log:

Code: Accounting-Request
Identifier: 23
Authentic: 164175192R16F#211167247137173131178y241
Attributes:
    NAS-IP-Address = 212.94.223.243
    NAS-Port = 1
    NAS-Port-Type = ISDN
    User-Name = david@hrnet2
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Service-Type = Framed-User
    Acct-Session-Id = 0008
    Framed-Protocol = PPP
    Acct-Delay-Time = 0

Everything seems fine but this Framed-IP-Address attribute which is missing. Radiator sends it at the 'stop', but while the session is open I can't see IP address that has been assigned to the user.

The other thing that's wrong is the Nas-Port-Type which is not ISDN but Virtual, this is no big deal though. I upgraded the IOS on the Cisco (to see if that could add my Framed-IP-Address attribute that's missing), and that's when I started getting ISDN instead of Virtual.

If you are allocating the addresses from Radiator, you can make a copy in the Class attribute and use a hook to add the address from the Class attribute back into the packet. This will only work though if you are allocating the address in Radiator. If on the other hand it is the Cisco that is doing the address allocation, then the only thing you can do is complain to Cisco, and hope that they get around to fixing the problem (that has been there for a *long* time).

If you need more help, please send me a copy of your configuration file (no secrets) together with a trace 4 debug showing a typical access request, access accept, accounting start and accounting stop.

hth

Hugh
(RADIATOR) Re: URGENT:AuthByPolicy problem!
Hello Ganbold -

As you have discovered, the AuthBy RADIUS clause behaves differently to other AuthBy clauses and cannot be used in the fashion that you show in your configuration file. This is because the AuthBy RADIUS clause returns immediately with Ignore and processes the proxied radius reply asynchronously.

The usual way to deal with iPASS roaming is to put it in its own Handler, usually after dealing with your local requirements explicitly, so a typical configuration would look something like this:

...

# define Handler for local processing
<Handler Realm = your.realm>
    RejectHasReason
    AccountingHandled
    SessionDatabase SQL1
    AuthByPolicy ContinueUntilAccept
    AuthBy AscendAuthOnly
    AuthBy CiscoAuthOnly
    AuthBy CheckMERIT
    PostAuthHook \
        file:/root/radiator/Radiator-2.18.1/CheckBlockTimeLeft
</Handler>

# define Handler for iPASS (everything else)
<Handler>
    RejectHasReason
    SessionDatabase SQL1
    AuthBy CheckIPASS
</Handler>

hth

Hugh

On Saturday 18 August 2001 01:20, ganbold wrote:

Hello,

We are using Radiator-2.18.1 on FreeBSD-4.3-STABLE. It is working very well and good enough. I have using AuthBySQL for dial-up subscribers and AuthByRadius for iPass outbound authentication. Just yesterday I added another AuthByRadius for proxy authentication to our old Merit AAA-4.2.1E. After that Merit AAA-4.2.1E radius users can't to authenticate. They received, username/password wrong or invalid message from Radiator.
(RADIATOR) Re: Link down Radiator at far end of the link showing user logged
Hello -

You may want to consider enabling Radius Accounting Alives on your NAS equipment, and using the Alive packets for your billing purposes. There isn't anything that can be done in Radiator to verify NAS operation, and hence correct and/or collect billing information.

regards

Hugh

On Thursday 09 August 2001 16:03, cistron wrote:

Thanks Irvine, but if the NAS cannot be restarted due to some problems, then the Radiator will continuously show that the users are logged on and they will be billed for those hours they have not used. Can you kindly suggest some solution.

Thanks and Regards.

Hugh Irvine wrote:

Hello -

On Wednesday 08 August 2001 21:42, cistron wrote:

Dear friends,

My Radiator Server and NAS client are at different location connected by lease line. In case the link goes down all those users who are connected from that link are shown as connected although they are not connected any more. Can Radiator do some polling to check whether the client is dead or alive.

I am not sure what you are asking here.

Normally, Radiator acts only as a server - it never checks whether a NAS is there or not. Just because the link between the Radiator host and the NAS goes down, it does not mean that users are disconnected from the NAS. If the NAS itself does go down, Radiator will receive a startup message from it when it restarts, and will clear the session database for the NAS automatically.

If you want to do network health checks, you should probably look at some sort of network monitoring software (via SNMP or whatever).

regards

Hugh
(RADIATOR) Re: Configurations dudes...
Hello Cesar -

You are really asking for consulting service here, so I have copied Joanne on this mail so she can send you the rates. I will try to answer your questions, but if you want design and implementation work done it will have to be subject to a consulting contract.

On Thursday 09 August 2001 00:46, Cesar Garcia wrote:

Hi Hugh.

I am System Admin and a big project has been charged to me... We have 3 nodes interconnecting with ATM. In any node, we have cisco as5300, cisco 7505 and access for ADSL, Modems and RDSI. Our cisco register connections as Virtual, Async and ISDN respectively. We want based our authentication system in LDAP for accounts information (Username,Password,Permissions...) and SQL for pool assignment and Session DATABASE. In a 2 month, i get that auth with LDAP, Pool with SQL and Accounting in SQL for this kind of accesses Async, ADSLs, and ISDN 1 channel.

Good work.

Now , i am probing with 2 channel ISDN(Multilink), but i can see, that any channel i up, assing 1 IP.

An ISDN Multilink session should only use a single IP address. I suspect that you are not differentiating between the initial request and the subsequent request(s) and you are allocating an IP address each time. You should only allocate an IP address on the first request, and deallocate the address on the last channel disconnecting. You will have to look at a trace 4 debug from Radiator to see what information is present in the requests, and set up the configuration file accordingly.

The NAS, use the second IP i up for virtual, and if i shutdown the second channel, he free the second IP, that really is in use.

See above.

I am trying to configure Session SQL, but i don't know how, i configure SQL table how goodies define, but in the ref.pdf file, aren't examples.

There is an example in the sample configuration file called radius.cfg in the Radiator distribution. Have a look at section 6.7 in the Radiator 2.18.2 manual. What problem are you having?

We want that one radius in any node, use a local LDAP BD (that is replied) (this is OK).
Use a central POOL BD with secondaries Mysqls BD for if principal BD fail. ( i don't know how)
Use session Database (i can't find information about it.)
Multilink, (how can i solution the problem of ips?

As mentioned above, if you would like me to help you with the design and implementation of your system, I am happy to do that, but you will have to contact Joanne for a consulting contract.

regards

Hugh
(RADIATOR) Re: Only one Vendor attribute logged?
Hi!

On Tue, 31 Jul 2001, I wrote:

I have an ugly problem with Radiator (currently 2.18.2): It only writes the first (of 7) vendor attributes and their values to the log file.

Okay after searching in the code (Radiator.pm) I found the problem documented in sub unpack:

    # Other vendor-specific
    # REVISIT: RFC 2865 permits multiple attributes
    # in a single vendor-specific attribute
    $value = substr($attrdat, 8, $vlength - 2);

But it seems, that nobody revisited the code :-(

Did someone write a parser for multiple vendor attributes, that corrects this problem, or do I have to write it myself?

Tscho
Roland
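What walking every sub-attribute of a Vendor-Specific attribute looks like, as an added example in Python (not Radiator's Perl and not code from this thread), following the layout RFC 2865 section 5.26 recommends: a 4-octet Vendor-Id, then a run of vendor-type / vendor-length / data items. `first_sub_only` mirrors the fixed-offset `substr` quoted above for comparison; the vendor id 4242, the sub-attribute values and all function names are constructed for the illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # attribute type, RFC 2865 section 5.26


class MalformedAttribute(ValueError):
    """Raised when a length field cannot be trusted."""


def iter_tlvs(buf, where):
    """Yield (type, value) for each 1-octet-type / 1-octet-length item in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute(f"{where}: truncated header at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]
        # Length counts the 2 header octets. A value below 2 would stall the
        # loop or move it backwards, so reject it instead of trusting it.
        if length < 2:
            raise MalformedAttribute(f"{where}: length {length} at offset {pos}")
        if pos + length > len(buf):
            raise MalformedAttribute(f"{where}: type {typ} overruns its container")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def parse_vsa(value):
    """Split one Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 4:
        raise MalformedAttribute("Vendor-Specific: no room for Vendor-Id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    subs = list(iter_tlvs(value[4:], f"vendor {vendor_id}"))
    if not subs:
        raise MalformedAttribute(f"vendor {vendor_id}: no sub-attributes")
    return vendor_id, subs


def vendor_attributes(attr_bytes):
    """Return every (vendor_id, vendor_type, data) in a packet's attribute list."""
    found = []
    for typ, value in iter_tlvs(attr_bytes, "attribute list"):
        if typ == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            found.extend((vendor_id, vtype, data) for vtype, data in subs)
    return found


def first_sub_only(attr):
    """A single fixed-offset read: offset 8 is the first sub-attribute's data
    (2 header + 4 Vendor-Id + 2 sub-header octets); the rest is never seen."""
    vlength = attr[7]
    return attr[8:8 + vlength - 2]


# --- constructed sample data (vendor id, types and values are made up) ---
def tlv(typ, data):
    return bytes([typ, len(data) + 2]) + data


def build_vsa(vendor_id, subs):
    body = struct.pack("!I", vendor_id) + b"".join(tlv(t, d) for t, d in subs)
    return tlv(VENDOR_SPECIFIC, body)


SAMPLE_VSA = build_vsa(4242, [(1, b"alpha"), (2, b"beta"), (3, b"gamma")])
SAMPLE_ATTRS = tlv(1, b"prawa") + SAMPLE_VSA  # User-Name followed by one VSA

if __name__ == "__main__":
    print("fixed-offset read:", first_sub_only(SAMPLE_VSA))
    for vendor_id, vtype, data in vendor_attributes(SAMPLE_ATTRS):
        print(f"vendor {vendor_id} type {vtype}: {data!r}")
```

Vendors that do not follow the recommended sub-attribute layout need their own decoder; this parser covers only the RFC 2865 format.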
(RADIATOR) Re: Radiator using SQL
Hello 'Tunde -

On Thursday 26 July 2001 05:53, 'Tunde Ogedengbe wrote:

I am reconfiguring Radiator to use an SQL database. Connection is to be made via ODBC.

1. How do I define the data structure in the database to accommodate all Radius attributes ?
2. How do I setup Radiator to query the database and return relevant attributes associated with the record. eg. Simultaneous-use, filter-id, etc.

There is an example SQL configuration file in goodies/sql.cfg and there is an example SQL database definition in the file goodies/sybaseCreate.sql. Also have a look at section 6.26 in the Radiator reference manual.

regards

Hugh
(RADIATOR) Re: HOW TO RESTRICT A ISDN LINE´S CONNECTIONS WHIT RADIUS??
Hello Camilo -

Could you please explain in more detail what you are trying to do? What do you need to restrict?

thanks

Hugh

On Thursday 26 July 2001 02:40, Camilo Fernando Corena G wrote:

Hi,

I need to restrict the users that connect using ISDN Bri Lines. I have a Cisco AS5300 and I´m using ISDN Pri Lines. Someone can help me???

Thanks,
Camilo C.
(RADIATOR) Re: Using client list identifiers in handler
Hello Griff -

If you just add the IDENTIFIER field to the list of fields in the select (at the end of the list), it will work (in Radiator 2.18.2):

    select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL, \
    DEFAULTREALM,NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS, \
    LIVINGSTONHOLE,FRAMEDGROUPBASEADDRESS, \
    FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME, \
    NOIGNOREDUPLICATES,PREHANDLERHOOK, IDENTIFIER from \
    RADCLIENTLIST

Then you can use the following for a Handler:

    <Handler Client-Identifier = myradclient>
        .
    </Handler>

hth

Hugh

At 15:16 -0700 01/7/9, Griff Hamlin wrote:

Hello,

Is it possible to have a handler that uses an 'identifier' from and SQL client list? In the docs, it says that the following sql statement is the default, and that the fields must come in this order. However, I don't see 'identifier' or any such device listed unless NASIDENTIFIER is an identifier that I can make up, similar to the regular client list, instead of the nas IP address as I'm guessing.

    select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL,
    DEFAULTREALM,NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS,
    LIVINGSTONHOLE,FRAMEDGROUPBASEADDRESS,
    FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME,
    NOIGNOREDUPLICATES,PREHANDLERHOOK from RADCLIENTLIST

Furthermore, assuming that I have an identifier in a client block (not in sql format, though I'd prefer that if I can):

    <Client 192.168.25.6>    #the ip address is irrelevant
        secret mysecret
        identifier myradclient
    </Client>

can I then do

    <Handler identifier = myradclient>
        #stuff
    </Handler>

If this is not possible, is it possible to make a handler that utilizes the ip address of the actual radius client instead of the NAS ip address in case they are different which sometimes happens from some of our clients?

Griff Hamlin, III

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
(RADIATOR) Re: Nasidentifier format
Hello Tuncay -

What AuthBy clause are you using? and are you using a detail file or an SQL database or what?

As usual, a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator will help a lot.

regards

Hugh

At 10:54 AM +0300 6/27/01, Tuncay MARGILIC wrote:

Hello,

I am having problem on getting the Nas-Identifier in the correct format for accounting. I have 2 Nas-Identifier attributes in my dictionary;

    4 Nas-Idenfieripaddr
    32 Nas-Identifier string

All the logs show that the Nas-Identifier is string (NAS-Identifier = aaa.bbb.ccc.ddd). When I change string to ipaddr for attr 32 it becomes (NAS-Identifier = faa/fooo/doo). The signs disappear but the ip is invalid to use in a billing system.

I want all the accounting records Nas-Identifier without the sign. Eg: Nas-Identifier = aaa.bbb.ccc.ddd

Tuncay Margilic
(RADIATOR) Re: Problem about Time check item
Hi Hugh,

I have done following your suggestion and I found that I can control Times of Day which user is allowed to log on. But I 've got a problem about RADUSERS and RADUSAGE Table. In log file you can see that after user test2@qnetadsl log out , Radiator then didn't do query update RADUSERS Table ( e.g. TIMELEFT ) and didn't do query insert into RADUSAGE Table also.

How can I fix it?

Thanks,
Chairath

Hugh Irvine wrote:

Hello Chairarth -

You cannot configure Radiator as you have shown below - you will need to use cascaded AuthBy clauses, something like this:

    # define AuthBy FILE
    <AuthBy FILE>
        Identifier CheckUsers
        Filename %D/adsl.users
    </AuthBy>

    # define Realms
    <Realm qnetadsl>
        AuthBy CheckUsers
    </Realm>

Then in the file "adsl.users", something like this:

    # define DEFAULT users
    DEFAULT Prefix = S, Time = "SaSu-2359", Auth-Type RADMINAUTH
    DEFAULT Prefix = P, Time = "Wk2200-", Auth-Type RADMINAUTH

hth

Hugh

At 5:16 PM +0700 6/21/01, chairarth wrote:

Hi Hugh,

Our concept is customer who login with username Sxxx@qnetadsl will be allowed to log on only on Saturday-Sunday , and only on Monday - Friday from 22:00 - 00:00 for username Pxxx@qnetadsl

So I try to use Time and Prefix check item but it show error like these

    ERR : Unknow keyword 'DEFAULT'
    ERR : Unknow keyword 'Time'

How can I fix it ?

Thanks in advance,
Chairath

P.S. Now I'm implement RADIATOR version 2.18.2 and RADMIN version 1.4 based on Windows NT
(RADIATOR) Re: Problem about Time check item
Hello Chairarth -

Quite right - my fault, I'm sorry.

Try setting up your Handlers like this (no Realms):

    # handle accounting requests separately
    <Handler Request-Type = Accounting-Request>
        AuthBy RADMINAUTH
    </Handler>

    <Handler Realm = qnetadsl>
        AuthBy CheckUsers
    </Handler>

    <Handler>
        AuthBy RADMINAUTH
    </Handler>

regards

Hugh

At 2:49 PM +0700 6/22/01, chairarth wrote:

Hi Hugh,

I have done following your suggestion and I found that I can control Times of Day which user is allowed to log on. But I 've got a problem about RADUSERS and RADUSAGE Table. In log file you can see that after user test2@qnetadsl log out , Radiator then didn't do query update RADUSERS Table ( e.g. TIMELEFT ) and didn't do query insert into RADUSAGE Table also.

How can I fix it?

Thanks,
Chairath

Hugh Irvine wrote:

Hello Chairarth -

You cannot configure Radiator as you have shown below - you will need to use cascaded AuthBy clauses, something like this:

    # define AuthBy FILE
    <AuthBy FILE>
        Identifier CheckUsers
        Filename %D/adsl.users
    </AuthBy>

    # define Realms
    <Realm qnetadsl>
        AuthBy CheckUsers
    </Realm>

Then in the file adsl.users, something like this:

    # define DEFAULT users
    DEFAULT Prefix = S, Time = SaSu-2359, Auth-Type RADMINAUTH
    DEFAULT Prefix = P, Time = Wk2200-, Auth-Type RADMINAUTH

hth

Hugh

At 5:16 PM +0700 6/21/01, chairarth wrote:

Hi Hugh,

Our concept is customer who login with username Sxxx@qnetadsl will be allowed to log on only on Saturday-Sunday , and only on Monday - Friday from 22:00 - 00:00 for username Pxxx@qnetadsl

So I try to use Time and Prefix check item but it show error like these

    ERR : Unknow keyword 'DEFAULT'
    ERR : Unknow keyword 'Time'

How can I fix it ?

Thanks in advance,
Chairath

P.S. Now I'm implement RADIATOR version 2.18.2 and RADMIN version 1.4 based on Windows NT
(RADIATOR) Re:
Hello Asi -

> hello
> I buy the radiator in 20.06.2001
> I need to know if I can put the radiator as a service in the server and how I can do so
> I need to put the radiator as a service

Please have a look at section 16 (16.4 for NT) in the Radiator 2.18.2 reference manual (doc/ref.html in the distribution).

hth

Hugh

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Re: Cybersurf
Hello Scott -

On Tuesday 15 May 2001 07:43, Scott Robinson wrote:
> I have a question regarding the DupInterval setting in the radiator configuration file. We will be deploying our Radiator servers with Cisco 5800 and 5400 VPOP NAS's. These clients contain between 500 and 600 dialup lines per box. Will leaving DupInterval as default mean that any given NAS can only authenticate one user at a time every two seconds?

No. The DupInterval setting (defaults to 2 seconds) defines a sliding window in time during which Radiator will automatically discard duplicate requests (usually due to network problems). If you have good connectivity and good bandwidth this should never be a problem and the default setting is fine.

regards

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
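
A sketch of the sliding-window duplicate check described in the reply above, added here and not taken from Radiator's source. It assumes the RFC 2865 notion of a duplicate (same client address, UDP source port and one-byte Identifier inside the window); the class, function names, address and traffic are constructed.

```python
from collections import OrderedDict


class DuplicateWindow:
    """Discard requests that are repeated within dup_interval seconds.

    Assumption (RFC 2865 wording, not Radiator's code): two requests are
    duplicates when client address, UDP source port and the one-byte
    RADIUS Identifier all match.
    """

    def __init__(self, dup_interval=2.0):
        self.dup_interval = dup_interval
        self._seen = OrderedDict()  # key -> arrival time, oldest first

    def accept(self, client, src_port, identifier, now):
        # Slide the window: forget every entry older than dup_interval.
        while self._seen:
            oldest = next(iter(self._seen))
            if now - self._seen[oldest] < self.dup_interval:
                break
            del self._seen[oldest]
        key = (client, src_port, identifier & 0xFF)
        if key in self._seen:
            return False  # retransmission of a request already in hand
        self._seen[key] = now
        return True


def burst_from_one_nas(logins, rotate_port=True, dup_interval=2.0,
                       nas="192.0.2.10"):
    """Constructed traffic: `logins` different users dial in within 1 second.

    The NAS numbers its requests 0..255. With rotate_port=True it moves to
    the next source port when the Identifier wraps, so every request has
    its own key. Returns (accepted, dropped).
    """
    window = DuplicateWindow(dup_interval)
    accepted = dropped = 0
    for n in range(logins):
        now = n / logins  # all arrivals fall inside one second
        port = 40000 + (n // 256 if rotate_port else 0)
        if window.accept(nas, port, n % 256, now):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def retransmission_timeline(dup_interval=2.0, nas="192.0.2.10"):
    """One request (Identifier 7) resent by the NAS at constructed times."""
    window = DuplicateWindow(dup_interval)
    arrivals = [0.0, 0.5, 1.9, 2.0, 2.4]
    return [window.accept(nas, 40000, 7, t) for t in arrivals]


if __name__ == "__main__":
    print("600 logins in one second:", burst_from_one_nas(600))
    print("same request resent:", retransmission_timeline())
    print("300 logins, one source port:",
          burst_from_one_nas(300, rotate_port=False))
```

Under that assumption the window never limits how many different users a NAS can authenticate at once; the only requests it discards in a burst are those that reuse an Identifier on the same source port inside the window, which is what the last call shows.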
(RADIATOR) Re:
Hello Viraj -

H - good point - you are probably right, but try it and see.

regards

Hugh

On Tuesday 01 May 2001 23:52, Viraj Alankar wrote:
> Hello,
>
> I have a quick question on the regular expression parsing in radiator. Say I have something like this:
>
>     <Handler NAS-IP-Address=/XXX.XXX.XXX.XXX|yyy.yyy.yyy.yyy|zzz.zzz.zzz.zzz/>
>
> Is it correct that the . needs to be escaped (\.) to correctly match the IP?
>
> Viraj.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
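
What the unescaped dot costs in a pattern like the one in the question above, as an added example that is not from the thread. It uses Python's re module, which treats `.`, `|`, `^` and `$` the same way Perl does for these patterns, and it assumes the Handler pattern is applied as an unanchored match; the addresses and function names are constructed.

```python
import re

# Constructed NAS addresses (documentation ranges) standing in for the
# XXX/yyy/zzz placeholders in the question.
NAS_ADDRESSES = ("192.0.2.1", "198.51.100.25", "203.0.113.7")

# Constructed source addresses to try against each pattern.
CANDIDATES = (
    "192.0.2.1",       # listed NAS
    "192.0.2.10",      # a listed address is a prefix of this one
    "192.0.221.5",     # a digit sits where the pattern has a bare '.'
    "198.51.100.250",  # prefix again
    "203.0.113.7",     # listed NAS
    "203.0.113.77",    # prefix again
    "10.0.0.1",        # unrelated
)


def as_written(addresses):
    """Alternation as in the question: dots unescaped, no anchors."""
    return "|".join(addresses)


def escaped_only(addresses):
    """Dots escaped, pattern still unanchored."""
    return "|".join(re.escape(a) for a in addresses)


def escaped_and_anchored(addresses):
    """Dots escaped and the whole alternation anchored at both ends."""
    return "^(?:" + "|".join(re.escape(a) for a in addresses) + ")$"


def unintended_matches(pattern, candidates=CANDIDATES, allowed=NAS_ADDRESSES):
    """Candidates the pattern matches although they are not listed."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.search(c) and c not in allowed]


def listed_still_match(pattern, allowed=NAS_ADDRESSES):
    """True when every listed NAS address is still selected by the pattern."""
    rx = re.compile(pattern)
    return all(rx.search(a) for a in allowed)


if __name__ == "__main__":
    for build in (as_written, escaped_only, escaped_and_anchored):
        pattern = build(NAS_ADDRESSES)
        print(build.__name__, "->", pattern)
        print("   unintended:", unintended_matches(pattern))
        print("   listed ok: ", listed_still_match(pattern))
```

Escaping the dots removes the wildcard match but not the prefix matches; those go away only when the alternation is also anchored.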
(RADIATOR) Re: posthook
Hello Joy -

On Wednesday 25 April 2001 18:05, [EMAIL PROTECTED] wrote:
> Hi Hugh,
>
> i want to write a hook to find out if the user is already in the RADUSAGE table or not. if not the username will be added to the USEDCARDS table. Can you give me a hint or can say me what i must write to the config file?

Basically, you will need to reference the SQL session database object and an AuthBy SQL object that references the USEDCARDS table in your hook. Then you can use the low-level routines inside Radiator to do the necessary queries. There are some example hooks in the file goodies/hooks.txt that will give you the basics and you will need to read the Radiator source to find out how to build and issue the SQL queries.

Which hook to use will depend on when during packet processing you want the hook to be called.

hth

Hugh
(RADIATOR) Re: Hook ?
Hello Dave -

I approach this problem in a slightly different way, by using an Identifier in the Realm or Handler, and checking for it in the hook itself. That way I can call the same hook from different places and have it do "the right thing". Have a look at the examples in "goodies/hooks.txt" to see how it's done.

BTW - I always use the "file:..." construct as I can then keep my hooks in RCS as separate items.

thanks

Hugh

On Saturday 21 April 2001 07:54, Kitabjian, Dave wrote:
> Hey, here's an idea. I have a PreProcessingHook that I'm calling from a bunch of handlers. So in order to avoid duplicating code, I used the "file:..." trick.
>
> But, if Radiator had a
>
>     <Hook>
>         Identifier HOOK_SPLIT_OFF_REALM
>         sub { \
>             ...
>         }
>     </Hook>
>
> clause, then I could call this code right from within my config file as
>
>     PreProcessingHook HOOK_SPLIT_OFF_REALM
>
> Pretty slick, eh?
>
> Dave :)
(RADIATOR) Re: Returning avpairs with a an Access-Reject?
To follow up my own posting... I found one way that works, a PostAuthHook:

    # drop an h323 return code of 1 (auth failed) into the reply if it is
    # an access reject or reject_immediate - SWH hack for debitcard script
    PostAuthHook sub { ${$_[1]}->add_attr('cisco-h323-return-code', \
            'h323-return-code=1') \
            if (${$_[2]} == $main::REJECT) \
            || (${$_[2]} == $main::REJECT_IMMEDIATE)}

Which gets the job done, but I don't see why attributes generated as part of a reject shouldn't wind up in the return packet. Maybe it's how I'm rejecting the user (a DEFAULT entry in a users file which says 'Auth-Type = Reject')?

Also, as a comment about the docs (Hi Mike), the example PostAuthHook in the manual (which the above is a shameless copy/adaptation of) doesn't mention that the REJECT code might be REJECT_IMMEDIATE, not just plain old REJECT. That had me fooled for a while! :)

Perhaps the docs could make a reference in that section to a complete list of possible values of x for $main::x ...

Cheers,
Simon

---
Simon Hackett, Technical Director, Internode Systems Pty Ltd
31 York St [PO Box 284, Rundle Mall], Adelaide, SA 5000 Australia
Email: [EMAIL PROTECTED] Web: http://www.on.net
Phone: +61-8-8223-2999 Fax: +61-8-8223-1777
RE: (RADIATOR) Re: Returning avpairs with a an Access-Reject?
Actually, I'd love to see the whole(?) API which is available to us in Hooks documented in an appendix to the venerable "manual" :)

A few are mentioned throughout already, like get_attr(). But for most you have to look through the source.

Dave :O

-----Original Message-----
From: Simon Hackett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 18, 2001 11:12 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Re: Returning avpairs with a an Access-Reject?

To follow up my own posting... I found one way that works, a PostAuthHook:

    # drop an h323 return code of 1 (auth failed) into the reply if it is
    # an access reject or reject_immediate - SWH hack for debitcard script
    PostAuthHook sub { ${$_[1]}->add_attr('cisco-h323-return-code', \
            'h323-return-code=1') \
            if (${$_[2]} == $main::REJECT) \
            || (${$_[2]} == $main::REJECT_IMMEDIATE)}

Which gets the job done, but I don't see why attributes generated as part of a reject shouldn't wind up in the return packet. Maybe it's how I'm rejecting the user (a DEFAULT entry in a users file which says 'Auth-Type = Reject')?

Also, as a comment about the docs (Hi Mike), the example PostAuthHook in the manual (which the above is a shameless copy/adaptation of) doesn't mention that the REJECT code might be REJECT_IMMEDIATE, not just plain old REJECT. That had me fooled for a while! :)

Perhaps the docs could make a reference in that section to a complete list of possible values of x for $main::x ...

Cheers,
Simon

---
Simon Hackett, Technical Director, Internode Systems Pty Ltd
31 York St [PO Box 284, Rundle Mall], Adelaide, SA 5000 Australia
Email: [EMAIL PROTECTED] Web: http://www.on.net
Phone: +61-8-8223-2999 Fax: +61-8-8223-1777
Re: (RADIATOR) Re: Returning avpairs with a an Access-Reject?
Hello Dave, Hello Simon -

I have copied this to Mike for his comments, however from my own experience you are far better off reading the source in any case. Mike's programming style and copious comments make this a real pleasure.

Simon - My suggestion would also be to use a PostAuthHook, and I see you have done that.

I put together some sample hooks that illustrate some of the things you can do in hooks in the file "goodies/hooks.txt" in the distribution. Note that there have been some additional hooks added recently in Radiator 2.18 (and also a couple in the patches).

BTW - AddToReply will add attributes to a reject in an AuthBy clause.

May the source be with you!

regards

Hugh

On Thursday 19 April 2001 02:20, Kitabjian, Dave wrote:
> Actually, I'd love to see the whole(?) API which is available to us in Hooks documented in an appendix to the venerable "manual" :)
>
> A few are mentioned throughout already, like get_attr(). But for most you have to look through the source.
>
> Dave :O
>
> -----Original Message-----
> From: Simon Hackett [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 18, 2001 11:12 AM
> To: [EMAIL PROTECTED]
> Subject: (RADIATOR) Re: Returning avpairs with a an Access-Reject?
>
> To follow up my own posting... I found one way that works, a PostAuthHook:
>
>     # drop an h323 return code of 1 (auth failed) into the reply if it is
>     # an access reject or reject_immediate - SWH hack for debitcard script
>     PostAuthHook sub { ${$_[1]}->add_attr('cisco-h323-return-code', \
>             'h323-return-code=1') \
>             if (${$_[2]} == $main::REJECT) \
>             || (${$_[2]} == $main::REJECT_IMMEDIATE)}
>
> Which gets the job done, but I don't see why attributes generated as part of a reject shouldn't wind up in the return packet. Maybe it's how I'm rejecting the user (a DEFAULT entry in a users file which says 'Auth-Type = Reject')?
>
> Also, as a comment about the docs (Hi Mike), the example PostAuthHook in the manual (which the above is a shameless copy/adaptation of) doesn't mention that the REJECT code might be REJECT_IMMEDIATE, not just plain old REJECT. That had me fooled for a while! :)
>
> Perhaps the docs could make a reference in that section to a complete list of possible values of x for $main::x ...
>
> Cheers,
> Simon
>
> ---
> Simon Hackett, Technical Director, Internode Systems Pty Ltd
> 31 York St [PO Box 284, Rundle Mall], Adelaide, SA 5000 Australia
> Email: [EMAIL PROTECTED] Web: http://www.on.net
> Phone: +61-8-8223-2999 Fax: +61-8-8223-1777
RE: (RADIATOR) Re: Returning avpairs with a an Access-Reject?
Yeah, an "API" reference would make hook writing a lot easier.

Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kitabjian, Dave
Sent: Thursday, 19 April 2001 2:20 AM
To: 'Simon Hackett'; [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Re: Returning avpairs with a an Access-Reject?

Actually, I'd love to see the whole(?) API which is available to us in Hooks documented in an appendix to the venerable "manual" :)

A few are mentioned throughout already, like get_attr(). But for most you have to look through the source.

Dave :O

-----Original Message-----
From: Simon Hackett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 18, 2001 11:12 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Re: Returning avpairs with a an Access-Reject?

To follow up my own posting... I found one way that works, a PostAuthHook:

    # drop an h323 return code of 1 (auth failed) into the reply if it is
    # an access reject or reject_immediate - SWH hack for debitcard script
    PostAuthHook sub { ${$_[1]}->add_attr('cisco-h323-return-code', \
            'h323-return-code=1') \
            if (${$_[2]} == $main::REJECT) \
            || (${$_[2]} == $main::REJECT_IMMEDIATE)}

Which gets the job done, but I don't see why attributes generated as part of a reject shouldn't wind up in the return packet. Maybe it's how I'm rejecting the user (a DEFAULT entry in a users file which says 'Auth-Type = Reject')?

Also, as a comment about the docs (Hi Mike), the example PostAuthHook in the manual (which the above is a shameless copy/adaptation of) doesn't mention that the REJECT code might be REJECT_IMMEDIATE, not just plain old REJECT. That had me fooled for a while! :)

Perhaps the docs could make a reference in that section to a complete list of possible values of x for $main::x ...

Cheers,
Simon

---
Simon Hackett, Technical Director, Internode Systems Pty Ltd
31 York St [PO Box 284, Rundle Mall], Adelaide, SA 5000 Australia
Email: [EMAIL PROTECTED] Web: http://www.on.net
Phone: +61-8-8223-2999 Fax: +61-8-8223-1777
(RADIATOR) Re: Correct IP Address Assignement problem
Hello Arslan -

The problem you have is due to your configuration file and the use of "FramedGroup" and "FramedGroupBaseAddress" - this is because the port number that is reported by the NAS is used to generate the address.

As you are already using SQL, I would instead strongly encourage you to use "AddressAllocatorSQL" together with an "AuthBy DYNADDRESS", which will work much better for you. There are examples in the file "goodies/addressallocator.cfg" and also have a look at sections 6.40 and 6.45 in the Radiator 2.18 reference manual.

hth

Hugh

> Hi hugh,
>
> We are facing a strange problem. We have two NAS's (Cisco as5300 and Lucent Max TNT) operating at the moment with radiator (2.18). We have defined IP address pools in radiator, one for each NAS's. Now Radiator is sometimes doing real strange things with MAX TNT (it's configured to use radiator assigned ip's). Instead of assigning IPs from the specified pools it's assigning IP's out of the pool. For example we have defined ip range 216.252.185.187 with maxportsperclassc to 60. Now radiator sometimes picks 216.252.186.xxx addresses (instead of picking from 216.252.185.xxx) and assigns it to clients.
>
> I am sending you radius config file and trace 4 debug. Please have a look and suggest some solution.
>
>     #Radiator configuration file for ISP Billing System
>     #
>     # Example Radiator configuration file that allows you to
>     # authenticate from an SQL database.
>     # With Radiator you can interface with almost any database schema,
>     # and there are many more configurable parameters that allow you
>     # to control database fallback, select statements, column names
>     # and arrangements etc etc etc.
>     # See the reference manual for more details.
>
>     Foreground
>     LogStdout
>     AuthPort 1645
>     AcctPort 1646
>     LogDir .
>     DbDir .
>
>     #Optional Parameters used from default
>
>     FingerProg /usr/bin/finger
>     SnmpgetProg /usr/bin/snmpget
>
>     # You will probably want to change this to suit your site.
>
>     <Client 203.135.41.131>
>         Secret xx
>         DupInterval 3
>         # DefaultRealm AdvISP
>         IgnoreAcctSignature
>         NasType Cisco
>         SNMPCommunity
>         FramedGroupBaseAddress 216.252.185.64
>         FramedGroupMaxPortsPerClassC 120
>     </Client>
>
>     <Client 203.135.41.138>
>         Secret xxx
>         DupInterval 3
>         # DefaultRealm AdvISP
>         IgnoreAcctSignature
>         NasType Ascend
>         SNMPCommunity
>         FramedGroupBaseAddress 216.252.185.187
>         FramedGroupMaxPortsPerClassC 60
>     </Client>
>
>     #<Client DEFAULT>
>     #    Secret mysecret
>     #    DupInterval 0
>     #</Client>
>
>     # You can put client details in a database table
>     # and get their details from there with something like this:
>     #<ClientListSQL>
>     #    DBSource xxx
>     #    DBUsername xxx
>     #    DBAuth xxx
>     #</ClientListSQL>
>
>     # This will authenticate users from table SUBSCRIBERS
>     <Realm DEFAULT>
>         RewriteUsername s/^([^@]+).*/$1/
>         RejectHasReason
>         <AuthBy SQL>
>
>             # FramedGroup 0
>
>             # Adjust DBSource, DBUsername, DBAuth to suit your DB
>             DBSource xx
>             DBUsername xxx
>             DBAuth
>
>             # For Authentication from Solaris encrypted password
>             # AuthByPolicy ContinueWhileAccept
>             AuthSelect select PASSWORD,CallingStationId,ServiceType,FramedProtocol,FramedIPNetmask,NASPortType,SimultaneousUse,FramedIPAddress,SessionTimeout,TimeDuration from SUBSCRIBERS where Active=1 and USERNAME='%n'
>             AuthColumnDef 0, Encrypted-Password, check
>             AuthColumnDef 1, GENERIC, check
>             AuthColumnDef 2, Service-Type, check
>             AuthColumnDef 3, Framed-Protocol, reply
>             AuthColumnDef 4, Framed-IP-Netmask, reply
>             AuthColumnDef 5, NAS-Port-Type, check
>             AuthColumnDef 6, Simultaneous-Use, check
>             AuthColumnDef 7, GENERIC, reply
>             AuthColumnDef 8, GENERIC, reply
>             AuthColumnDef 9, GENERIC, check
>             AuthColumnDef 10, GENERIC, check
>
>             # You may want to tailor these for your ACCOUNTING table
>             AccountingTable TblTransaction
>             AccountingStopsOnly
>             AcctColumnDef LoginName,User-Name
>             AcctColumnDef TimeClose,Timestamp,formatted-date,'%Y-%m-%d %H:%M:%S'
>             AcctColumnDef RecordType,Acct-Status-Type
>             #AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
>             AcctColumnDef BytesIn,Acct-Input-Octets,integer
>             AcctColumnDef BytesOut,Acct-Output-Octets,integer
>             AcctColumnDef SessionId,Acct-Session-Id
>             AcctColumnDef Duration,Acct-Session-Time,integer
>             AcctColumnDef
(RADIATOR) Re:
Hello David -

Could you please send me the name of the registered owner of the company that purchased this copy of Radiator?

thanks very much

regards

Hugh

At 2:39 + 01/4/9, [EMAIL PROTECTED] wrote:
> Hello,
>
> I tried to setup radius proxying by setting Radiator as forwarding radius and destination is Shiva Access Manager. So far, Radiator and Shiva Access Manager can talk to each other (I saw from log file of both). But Shiva Access Manager always shows that Radiator's password is wrong and does not authenticate. I check many times but it is still not working.
>
> I suspect password encryption between Radiator and Shiva Access Manager is different. Do any one have any idea about this, please help me to fix this.
>
> Thank you very much.
>
> David Dissayanun
> Thailand
(RADIATOR) Re:
Check your radius KEY. The key is used for the encryption and decryption of the pw between Radiator and SAM.

-Michael Audet
Network Services
Chubb Son
[EMAIL PROTECTED]

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 08, 2001 10:39 PM

Hello,

I tried to setup radius proxying by setting Radiator as forwarding radius and destination is Shiva Access Manager. So far, Radiator and Shiva Access Manager can talk to each other (I saw from log file of both). But Shiva Access Manager always shows that Radiator's password is wrong and does not authenticate. I check many times but it is still not working.

I suspect password encryption between Radiator and Shiva Access Manager is different. Do any one have any idea about this, please help me to fix this.

Thank you very much.

David Dissayanun
Thailand
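
Why a mismatched shared secret shows up on the far server as a wrong password, as an added example that is not from the thread. It implements the RFC 2865 User-Password hiding (XOR with MD5 of shared secret plus Request Authenticator, chained over 16-byte blocks) and a proxy hop that re-hides the password for the next server; the secrets, password, authenticators and function names are constructed.

```python
import hashlib


def _xor_chain(data, secret, authenticator, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        out += result
        # The chain is always keyed on the hidden (ciphertext) block.
        prev = result if hiding else block
    return out


def hide_password(password, secret, authenticator):
    """Build the User-Password attribute value (RFC 2865, section 5.2)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def recover_password(hidden, secret, authenticator):
    """What a server holding `secret` believes the user typed."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    plain = _xor_chain(hidden, secret, authenticator, hiding=False)
    return plain.rstrip(b"\x00")


def proxy_forward(hidden, secret_in, auth_in, secret_out, auth_out):
    """A proxy unhides with the NAS-side secret and re-hides for the target."""
    password = recover_password(hidden, secret_in, auth_in)
    return hide_password(password, secret_out, auth_out)


def secret_mismatch_demo():
    """Constructed NAS -> proxy -> target exchange with one mistyped secret."""
    password = b"correct horse battery"   # 21 bytes, so two blocks
    nas_secret = b"nas-secret"            # shared by NAS and proxy
    proxy_secret = b"proxy-secret"        # as configured on the proxy
    mistyped = b"proxy-secert"            # same link, as typed on the target
    auth_nas = bytes(range(16))           # fixed so the run is repeatable;
    auth_proxy = bytes(range(16, 32))     # real clients use random values

    from_nas = hide_password(password, nas_secret, auth_nas)
    forwarded = proxy_forward(from_nas, nas_secret, auth_nas,
                              proxy_secret, auth_proxy)
    return {
        "sent": password,
        "right_secret": recover_password(forwarded, proxy_secret, auth_proxy),
        "wrong_secret": recover_password(forwarded, mistyped, auth_proxy),
        "hidden_length": len(forwarded),
    }


if __name__ == "__main__":
    for name, value in secret_mismatch_demo().items():
        print(name, "=", value)
```

The target with the mistyped secret recovers unrelated bytes and rejects the user; both servers still exchange packets, so the logs on each side show traffic while every password check fails.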
(RADIATOR) Re: configuring dial back service on cisco AS5300 using radiusserver
Hello Kamalsiri -

At 17:12 +0600 01/3/29, kamalsirid wrote:
> Dear sir
>
> I am Kamalsiri, Systems Engineer, working in Suntel ltd. Srilanka
>
> We need to configure dial back feature to certain users
> Our radius server is taking user details from netscape LDAP server
> We use cisco AS5300 RAS
> I can configure dial back service to local users of AS 5300
>
> would you kindly advise me what parameters do I have to pass to AS 5300

The standard Radius attributes are Callback-Number and Callback-Id, however I do not know whether Cisco supports them directly. It may be that you need to use particular cisco-avpairs, but you will need to check with Cisco (or do a search on the Cisco web site).

I have copied this message to the Radiator mailing list as there may be someone who has already done this successfully. You should always ask questions like this on the list and you should also check the archive site (http://www.starport.net/~radiator).

hth

Hugh
(RADIATOR) Re: Radiator 2.18 issue.
Hi Chris,

Yes quite right. We have now fixed this and posted a patch for Log.pm to the Radiator patches area, and also attached the new Log.pm

We apologise for this problem. Thank you for reporting it.

Cheers.

On Mar 27, 11:14am, Chris Myers wrote:
> Subject: Radiator 2.18 issue.
>
> Hi Mike,
>
> I've noticed that after a SIGHUP to the Radius server it won't write to the logfile. It will however keep writing to the detailed log and will keep handling requests. I upgraded to 2.18 this morning from 2.16.3 which did not have this issue.
>
> We are running it on a:
>
>     Machine: Sun Enterprise 1
>     OS: Solaris 2.8
>     Perl: 5.005_03
>
> Cheers,
> Chris Myers
>
> --
> Chris Myers ~ [EMAIL PROTECTED]
> Information Technology Services - Software Infrastructure
> Ph: +61 7 3365 4017 - Mobile: 0413-009-482 - Room: 42-408
> The Prentice Building - The University of Queensland 4072
> PGP Public key available @ http://www.uq.edu.au/~uqcmyers
>
> -- End of excerpt from Chris Myers

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
(RADIATOR) Re: Problems with SQL (postgresql) loggng ... still some errors ..
Hello Dave -

On Sunday 18 March 2001 06:08, Dave Price wrote:
> Thanks for the fix ... turned out to be 'conflicting' version of Pg.pm on the system ...
>
> I still get a couple of 'log errors' occasionally:
>
>     Sat Mar 17 11:10:38 2001: ERR: There is no value named Van-Jacobson-TCP-IP Session-Timeout = 10800 Idle-Timeout = 900 for attribute Framed-Compression. Using 0.
>
> Any idea where this comes from?

I suspect that one of your user definitions is missing the commas (",") between the attribute definitions.

Ie. it should be

    Framed-Compression = Van-Jacobson-TCP-IP,
    Session-Timeout = 10800,
    Idle-Timeout = 900

hth

Hugh
(RADIATOR) Re: Problems with SQL (postgresql) loggng ... still some errors ..
Thanks for the fix ... turned out to be 'conflicting' version of Pg.pm on the system ...

I still get a couple of 'log errors' occasionally:

    Sat Mar 17 11:10:38 2001: ERR: There is no value named Van-Jacobson-TCP-IP Session-Timeout = 10800 Idle-Timeout = 900 for attribute Framed-Compression. Using 0.

Any idea where this comes from?

aloha,
dave

At 10:23 AM 03/15/2001 +1100, you wrote:
> Hello Dave -
>
> On Thursday 15 March 2001 01:04, Dave Price wrote:
>> This used to work ... we upgraded both perl and radiator, now the logging to postgres failed ... here are the log entries i see:
>>
>>     Sun Mar 4 11:20:01 2001: ERR: Could not connect to SQL database with DBI->connect dbi:Pg:dbname=radius, , : Undefined subroutine DBD::Pg::db::_login called at /usr/local/lib/site_perl/DBD/Pg.pm line 89.
>>
>> Any ideas or pointers?
>
> This looks like a problem with the DBD-Pg module. Have you installed it in the new version of Perl? In any case, you should check CPAN for a more recent version (or possibly an older and more stable version).
>
>> Also, is there an easy way to temporarily turn on flat file connection logging until i get postgres working?
>
> Just add an AcctLogFileName to your Realm or Handler (section 6.15.4 in the Radiator 2.18 manual).
>
> hth
>
> Hugh
(RADIATOR) Re: HydraRADIUS / Radiator
Hello Hylke -

On Friday 16 March 2001 02:19, Zuidema, H. wrote:
> L.S.
>
> We are in the process of replacing our current Radius proxy by the Radiator product in the KPN Mxstream ADSL network after careful and evaluation and testing.

I am pleased you have selected Radiator.

> We are looking for further improvement of reliability and scalability. One of the products that could be used is HydraRADIUS of HydraWEB Technologies. A combined HydraWEB / Radiator white paper explains the advantages.

Yes. Mike has written an interface module for HydraWEB ("goodies/hydrarad").

> Do you have any additional comment on the HydraRADIUS / Radiator combination (experiences, test results)? Do you have references of customers using the HydraRADIUS / Radiator combination?

I have copied this mail to the Radiator mailing list in the expectation that any customers with this experience will comment.

You may also be interested to know that the latest release of Radiator now includes three types of Radius proxy load balancing:

    ROUNDROBIN - simple round robin amongst multiple targets
    VOLUMEBALANCE - proportional distribution according to a "BogoMips" value
    LOADBALANCE - similar to the above but also with RTT correction

All three of the above will detect a target that is not responding and take it out of service, and automatically re-include it when available.

If you have any other questions please don't hesitate to ask.

regards

Hugh
(RADIATOR) Re: Usefull radiator Patches
Hello Valentin,

Thanks very much for the code, which we have rolled in for the next release. We really appreciate it when people send us such useful code.

The 'request' type has also been added to all the LDAP modules, and also to the AuthColumnDef parameter in AuthBy SQL.

Cheers.

On Mar 7, 9:05pm, Valentin Tumarkin wrote:
Subject: Usefull radiator Patches

Hi,

Our company's latest Radiator project involved adding support for LDAP based group lookups, PORTLIMIT for groups (defined in LDAP) and dynamic address allocation (with AuthDYNADDRESS) based on user-type+nas matrix.

Below are two patches to radiator that I wrote to accomplish the above listed features, that I think you may find useful.

AuthPORTLIMITCHECK
Adds special formatting to the SessionLimit parameter (useful if you want to keep SessionLimit in an LDAP or SQL attribute).

AuthLDAPSDK
Ability to push values from LDAP attributes into the request. Very useful for chaining LDAPSDK lookups (first lookup user, push group attribute into the request, then lookup the group. Works wonders when combined with 'Auth-Type').

Example:

# Put poolhint attribute into the request:
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
# Put Group Name attribute into the Request:
AuthAttrDef radiusSimultaneousUseGroupName,X-GroupName, request

== Addition to AuthPORTLIMITCHECK, at line 136.

## my $sesslimit = $self->{SessionLimit};
my $sesslimit = Radius::Util::format_special($self->{SessionLimit}, $p);

== Addition to AuthLDAPSDK, at findUser sub, after 'check' and 'reply' if's

elsif ($type eq 'request')
{
    if ($attrib eq 'GENERIC')
    {
        $p->parse(join ',', @vals);
    }
    else
    {
        $p->add_attr($attrib, $vals[0]);
    }
}

Valentin

Valentin Tumarkin
Xpert Trusted Systems Ltd.
E-Mail: [EMAIL PROTECTED]
Office: +972-9-9522380
Mobile: +972-53-544887

-- End of excerpt from Valentin Tumarkin --

Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
(RADIATOR) Re: Off-base wish... ;-)
Hello Mariano -

I think I may have mentioned in my previous message that we implemented something like this some time ago for one of our customers who is using SQL. We are always available to do custom development work on a contract basis, so if you would like to pursue this idea please contact Joanne for details. The reason something like this is not in the distribution is because each case is so different, and we have not been able to design a "generic" solution. We will need a detailed specification so we can prepare an estimate if you do decide to have us do this work.

regards

Hugh

On Wednesday 07 March 2001 04:17, Mariano Absatz wrote:

Hi,

I know this is not your average user request but...

We are configuring the scenario described in the attached message that I sent to the list about a month ago... I am implementing most of Hugh's suggestions to that message.

I have an LDAP structure like this:

o=our organization
+--ou=radiusWholesale
|  +--o=customer1 (customer1 data, including radius servers and secrets)
|  |  +--uid=profile1 (customer1, profile1 data, including port limits)
|  |  +--uid=profile2 (customer1, profile2 data, including port limits)
|  +--o=customer2 (customer2 data, including radius servers and secrets)
|  |  +--uid=profile1 (customer2, profile1 data, including port limits)
|  |  +--uid=profile2 (customer2, profile2 data, including port limits)
|  |  +--uid=profile3 (customer2, profile3 data, including port limits)
|  ...
|  +--o=customerN (customerN data, including radius servers and secrets)
|     +--uid=profile1 (customerN, profile1 data, including port limits)
|     +--uid=profile2 (customerN, profile2 data, including port limits)
+--ou=otherStuffNonRelatedToThis...

For now on, I have a few "radius wholesale" customers, so I am configuring the handlers by hand. I decide who is the wholesale customer based on the realm of the request. This realm is part of the CustomerX data entry in the LDAP tree.

It would be nice to be able to define the Handlers dynamically from the LDAP tree, so, adding a new customer is as simple as adding the corresponding subtree to the LDAP including the realm... I wouldn't care reloading Radiator in order to do this ;-), but it would be great not having to [copy, paste, edit] an old Handler and then reloading.

What about something like this maybe for Radiator 3.0? (or 9.3?) :-)

--
Mariano Absatz
El Baby
(RADIATOR) RE: DB Failover
Hi again,

I just wanted to add that I added root to pg_shadow(access list) and it works. What I don't understand is that this was not necessary for a normal connect but only in case of a switch over - what's the difference?

Thanks again,
Lisa

--- Original posting ---

Hi all,

I'm testing db(postgres) failover with the radiator. The radiator is able to connect to each of the databases individually. But when it tries to switch over to the 2nd db when the first db is down, I get the following situation:

Cannot connect to old db - OK because db is down:

Mon Mar 5 17:48:17 2001: ERR: Could not connect to SQL database with DBI-connect dbi:Pg:dbname=radmin;host=xxx.xxx.xxx.xxx, radmin, : PQconnectPoll() -- connect() failed: Connection refused Is the postmaster running (with -i) at 'xxx.xxx.xxx.xxx' and accepting connections on TCP/IP port '5432'?

Cannot connect to the second DB:

Mon Mar 5 17:48:17 2001: ERR: Could not connect to SQL database with DBI-connect dbi:Pg:dbname=radmin;host=yyy.yyy.yyy.yyy, , : FATAL 1: SetUserId: user 'root' is not in 'pg_shadow'

I appreciate any help.

Regards,
Lisa
(RADIATOR) Re: Tunnel set up with Nortel CVX 1800
Hello Lisa,

Looks to me like you are getting the 307 versions of some of the IETF tunnelling attributes. Prob they are coming from these lines in your dictionary:

VENDORATTR 307 Tunnel-Type 64 integer
VENDORATTR 307 Tunnel-Medium-Type 65 integer
VENDORATTR 307 Tunnel-Server-Endpoint 67 string
VENDORATTR 307 Tunnel-Password 69 string

I suggest you comment those out of your dictionary and restart your Radiator. Let us know how you go. It might be best for us to leave them out of the dict permanently.

Cheers.

On Feb 28, 10:43am, Lisa Goulet wrote:
Subject: Tunnel set up with Nortel CVX 1800

Hi,

I'm having difficulty with setting up a tunnel with Nortel CVX:

Here's the tunnel part of my config file:

AddToReply Tunnel-Type = 3,\
    Tunnel-Medium-Type = 1, \
    Tunnel-ID = lns,\
    Tunnel-Password = lns,\
    Tunnel-Client-Endpoint = lns, \
    Tunnel-Server-Endpoint = "\00062.58.88.46 ppp"

Here's a trace of tunnel parameters being sent out by the radiator:

*** Sending to xxx.xxx.xxx.xxx port 2048
Code: Access-Accept
Identifier: 105
Authentic: K3:hb27?198=192021e1c
Attributes:
    CVX-VPOP-ID = 30
    Tunnel-Type = 3
    Tunnel-Medium-Type = 1
    Tunnel-ID = "lns"
    Tunnel-Password = "0213154F~235]191151.Mm7146151240220R247"
    Tunnel-Client-Endpoint = "lns"
    Tunnel-Server-Endpoint = "062.58.88.46 ppp"

Here's a trace on the CVX side, note that Tunnel-Type is being interpreted as Vendor-Specific 26:

radius: Access-Accept (2) from server 62.58.62.132, id 106, length 112, time 64 ms
radius: auth c9 c7 ca 9e ef 89 a6 47
radius: 0c cd b4 04 04 ae c1 9f
Vendor-Specific [26, len 10] = 2637
    CVX-VPOP-Id [2, len 4] = 30
Vendor-Specific [26, len 10] = 307
    unknown [64, len 4] = 00 00 00 03
Vendor-Specific [26, len 10] = 307
    unknown [65, len 4] = 00 00 00 01
Tunnel-Id [68, len 3] = lns
Vendor-Specific [26, len 25] = 307
    unknown [69, len 19] = 00 b9 32 a4 67 11 76 b7 ...
Tunnel-Client-Endpoint [66, len 3] = lns
Vendor-Specific [26, len 17] = 307
    unknown [67, len 11] = 36 32 2e 35 38 2e 38 38 ...

I appreciate any help,
Lisa

-- End of excerpt from Lisa Goulet --

Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
(RADIATOR) Re: Tunnel set up with Nortel CVX 1800
Hello Lisa -

What dictionary file are you using? Here is an extract from the standard dictionary file:

#
# IETF Tunneling Attributes
# Values for string attributes other than Tunnel-Password
# must _always_ have a 0 octet at the beginning, eg:
# Tunnel-Server-Endpoint "\000203.63.154.22 fr:20"

I notice that you are not doing this.

BTW - where is the CVX-VPOP-ID attribute coming from?

hth

Hugh

On Wednesday 28 February 2001 20:43, Lisa Goulet wrote:

Hi,

I'm having difficulty with setting up a tunnel with Nortel CVX:

Here's the tunnel part of my config file:

AddToReply Tunnel-Type = 3,\
    Tunnel-Medium-Type = 1, \
    Tunnel-ID = lns,\
    Tunnel-Password = lns,\
    Tunnel-Client-Endpoint = lns, \
    Tunnel-Server-Endpoint = "\00062.58.88.46 ppp"

Here's a trace of tunnel parameters being sent out by the radiator:

*** Sending to xxx.xxx.xxx.xxx port 2048
Code: Access-Accept
Identifier: 105
Authentic: K3:hb27?198=192021e1c
Attributes:
    CVX-VPOP-ID = 30
    Tunnel-Type = 3
    Tunnel-Medium-Type = 1
    Tunnel-ID = "lns"
    Tunnel-Password = "0213154F~235]191151.Mm7146151240220R247"
    Tunnel-Client-Endpoint = "lns"
    Tunnel-Server-Endpoint = "062.58.88.46 ppp"

Here's a trace on the CVX side, note that Tunnel-Type is being interpreted as Vendor-Specific 26:

radius: Access-Accept (2) from server 62.58.62.132, id 106, length 112, time 64 ms
radius: auth c9 c7 ca 9e ef 89 a6 47
radius: 0c cd b4 04 04 ae c1 9f
Vendor-Specific [26, len 10] = 2637
    CVX-VPOP-Id [2, len 4] = 30
Vendor-Specific [26, len 10] = 307
    unknown [64, len 4] = 00 00 00 03
Vendor-Specific [26, len 10] = 307
    unknown [65, len 4] = 00 00 00 01
Tunnel-Id [68, len 3] = lns
Vendor-Specific [26, len 25] = 307
    unknown [69, len 19] = 00 b9 32 a4 67 11 76 b7 ...
Tunnel-Client-Endpoint [66, len 3] = lns
Vendor-Specific [26, len 17] = 307
    unknown [67, len 11] = 36 32 2e 35 38 2e 38 38 ...

I appreciate any help,
Lisa
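Added example, not part of the original posts and not Radiator code: a Python sketch of the two points raised in the tunnel threads above. It flags dictionary names defined both as a standard attribute and as a VENDORATTR, and shows how the same Tunnel-Type value appears on the wire as attribute 64 versus Vendor-Specific 26 / vendor 307. The ATTRIBUTE lines in the sample dictionary and all function names are assumptions made for illustration.

```python
import struct

# Constructed dictionary fragment: the four VENDORATTR 307 lines quoted in
# the thread, plus assumed standard ATTRIBUTE entries for the same names.
SAMPLE_DICT = """\
ATTRIBUTE Tunnel-Type 64 integer
ATTRIBUTE Tunnel-Medium-Type 65 integer
ATTRIBUTE Tunnel-Server-Endpoint 67 string
ATTRIBUTE Tunnel-Password 69 string
VENDORATTR 307 Tunnel-Type 64 integer
VENDORATTR 307 Tunnel-Medium-Type 65 integer
VENDORATTR 307 Tunnel-Server-Endpoint 67 string
VENDORATTR 307 Tunnel-Password 69 string
"""


def colliding_names(dict_text):
    """Map each name defined both as ATTRIBUTE and as VENDORATTR to its vendor id."""
    standard, vendor = set(), {}
    for line in dict_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 3 and fields[0] == "ATTRIBUTE":
            standard.add(fields[1])
        elif len(fields) >= 4 and fields[0] == "VENDORATTR":
            vendor[fields[2]] = int(fields[1])
    return {name: vid for name, vid in vendor.items() if name in standard}


def encode_standard(attr_type, value):
    """Plain RADIUS attribute: type, length (header included), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vsa(vendor_id, sub_type, value):
    """Vendor-Specific (type 26): 4-byte vendor id, then one sub-attribute."""
    sub = bytes([sub_type, 2 + len(value)]) + value
    return bytes([26, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub


def decode(attrs):
    """Walk the attribute list as a NAS would; return (kind, vendor, type, value)."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("truncated or malformed attribute at offset %d" % i)
        a_type, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if a_type == 26:
            if len(body) < 6 or body[5] < 2 or 4 + body[5] > len(body):
                raise ValueError("malformed Vendor-Specific at offset %d" % i)
            vendor_id = struct.unpack("!I", body[:4])[0]
            out.append(("vsa", vendor_id, body[4], body[6:4 + body[5]]))
        else:
            out.append(("std", None, a_type, body))
        i += attrs[i + 1]
    return out


TUNNEL_TYPE = struct.pack("!I", 3)           # 00 00 00 03, as in the CVX trace
ENDPOINT = b"\x00" + b"62.58.88.46 ppp"      # leading 0 octet per the dictionary comment

if __name__ == "__main__":
    print(colliding_names(SAMPLE_DICT))
    wrong = encode_vsa(307, 64, TUNNEL_TYPE)             # the form seen in the CVX trace
    right = encode_standard(64, TUNNEL_TYPE) + encode_standard(67, ENDPOINT)
    print(wrong.hex(), decode(wrong))
    print(right.hex(), decode(right))
```

The value bytes are identical in both encodings; only the wrapper differs, which is why the CVX reports sub-type 64 of vendor 307 as "unknown" instead of Tunnel-Type.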
(RADIATOR) Re: Optigold Billing System
Hugh:

Thanks. Can you pls explain how the MacRadius works with Radiator Optigold.

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: "'Tunde Ogedengbe" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 4:05 AM
Subject: Re: Optigold Billing System

Hello 'Tunde -

Radiator does not integrate directly with Optigold at this time, however with the use of MacRADIUS, you can proxy from Radiator to Optigold very easily. We have tried to contact Optigold several times to integrate Radiator directly, however we have never had a response from them.

regards

Hugh

On Tuesday 27 February 2001 03:14, 'Tunde Ogedengbe wrote:

We are evaluating Optigold Billing software. Does Radiator integrate with Optigold?

'Tunde Ogedengbe

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, February 14, 2001 1:26 AM
Subject: Re: (RADIATOR) Cisco AS5300 VoIP / Radiator

Hello Jeremy -

At 17:54 -0500 01/2/13, List Account wrote:

Hi,

We're trying to setup Radiator to work with our Cisco AS5300 to do Voice over IP. We have things (basically) working, it will authenticate off of caller ID, etc. But, there are a few extras we'd like to do and need some advice on.

First, has anyone used Simultaneous-Use with the AS5300 using account numbers and PINs? For example, Joe User dials in, enters an account number, a PIN, and makes a call. Let's say his wife picks up the phone at some other location, dials in, and enters the same account number and PIN. It shouldn't let her use it if he's already on.

One interesting thing to note is that the AS5300 seems to be sending a null User-Name ("") when they use account/PIN.

Second, whenever multiple users are dialed into the unit, only one user is showing up in the online user database. I have the radwho.cgi setup to work with it, and it only shows one entry in the database. We are just using a standard DBM database file for now, until we get things working, at which point we'll migrate it to something better.

If anyone has any ideas that may help, it would be appreciated. Thanks. :)

If you use a SessionDatabase SQL, you can provide your own queries to tailor the simultaneous use behaviour to your own requirements.

regards

Hugh

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
(RADIATOR) Re: hp-it
Hello Domenico -

I can see that the cisco-avpair is being returned correctly, but I suspect there may be some additional configuration on the Cisco required. I have copied this mail to the radiator mailing list in the hopes that someone on the list has already got this sort of thing working and is willing to share the Cisco configuration.

There is some mention of virtual profiles on the archive site, so you may also want to check and do a search:

http://www.starport.net/~radiator

Here is a direct reference that may help:

http://www.starport.net/~radiator/2000-01/msg00168.html

regards

Hugh

Hello,

I have some problem with radiator. Actually I was able to install it under an NT environment with active perl5.6 and it actually authenticates with AuthBy NT. My problem is this: I have a cisco 5300 as NAS, I authenticate with radiator using NT accounts, and I have added an AuthBy file to check the NT group and to give different pool address considering the NT Group. The problem is that even if, reading the log, radius is doing its job, cisco accepts the first authentication and starts ppp with the first address-pool specified in the conf file. So then radius passes the Attributes cisco-avpair = "ip:addr-pool=WHATEVER", PPP is just up and running. How could I correct this?

Thanks in advance for your help

Please find attached radius.cgf, dictionary file, user file (Heiweb), log file and cisco config file.
(RADIATOR) Re: Optigold Billing System
Hello 'Tunde -

Radiator does not integrate directly with Optigold at this time, however with the use of MacRADIUS, you can proxy from Radiator to Optigold very easily. We have tried to contact Optigold several times to integrate Radiator directly, however we have never had a response from them.

regards

Hugh

On Tuesday 27 February 2001 03:14, 'Tunde Ogedengbe wrote:

We are evaluating Optigold Billing software. Does Radiator integrate with Optigold?

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net

- Original Message -
From: "Hugh Irvine" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, February 14, 2001 1:26 AM
Subject: Re: (RADIATOR) Cisco AS5300 VoIP / Radiator

Hello Jeremy -

At 17:54 -0500 01/2/13, List Account wrote:

Hi,

We're trying to setup Radiator to work with our Cisco AS5300 to do Voice over IP. We have things (basically) working, it will authenticate off of caller ID, etc. But, there are a few extras we'd like to do and need some advice on.

First, has anyone used Simultaneous-Use with the AS5300 using account numbers and PINs? For example, Joe User dials in, enters an account number, a PIN, and makes a call. Let's say his wife picks up the phone at some other location, dials in, and enters the same account number and PIN. It shouldn't let her use it if he's already on.

One interesting thing to note is that the AS5300 seems to be sending a null User-Name ("") when they use account/PIN.

Second, whenever multiple users are dialed into the unit, only one user is showing up in the online user database. I have the radwho.cgi setup to work with it, and it only shows one entry in the database. We are just using a standard DBM database file for now, until we get things working, at which point we'll migrate it to something better.

If anyone has any ideas that may help, it would be appreciated. Thanks. :)

If you use a SessionDatabase SQL, you can provide your own queries to tailor the simultaneous use behaviour to your own requirements.

regards

Hugh

--
NB: I am travelling this week, so there may be delays in our correspondence.