patch: Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-29 Thread Christian Hammers

Hello

Thanks for the suggestions on my problem, but here's the patch which
*really* solves it:

Symptom:
  logfile: LDAP got radiuscisco-avpair: ip:idletime=89 ip:addr=1.2.3.4
  output:  cisco-avpair = "ip:idletime=89" (and no more)

Reason:
  For some strange reason only the first element of the return array is
  ever used.

Patch:
--- AuthLDAP2.pm.orig   Mon May 29 16:17:16 2000
+++ AuthLDAP2.pmMon May 29 16:27:58 2000
@@ -408,7 +408,12 @@
 }
else
{
-   $user-get_reply-add_attr($attrib, $vals[0]);
+   # Sometimes we like to have more than one attribute 
+with
+   # the same name.
+   my($value);
+   foreach $value (@vals) {
+   $user-get_reply-add_attr($attrib, $value);
+   }
}
}
}
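Review bot: the comment added at the top of the loop is broken across two lines and the second one, `+with`, has no leading `#`, so applied as posted the hunk puts a bare `with` token into AuthLDAP2.pm and Perl will refuse to compile the module; rejoin it onto the `# Sometimes we like to have more than one attribute` line before applying. The method-call arrows are also missing in both the `-` and the `+` line (`$user-get_reply-add_attr` needs to read `$user->get_reply->add_attr`; the `>` characters look stripped in transit, as they are elsewhere in this archive), and `my($value); foreach $value (@vals)` reads more cleanly as `foreach my $value (@vals)`. With those repaired the loop is the right fix for the symptom: every value LDAP returns for the attribute becomes its own reply attribute instead of only `$vals[0]`.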

(BTW: Mike, your indent style is horrible :-))

bye,

 -christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen und Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-26 Thread Christian Hammers

Hello 

On Fri, May 26, 2000 at 08:22:50AM +1000, Hugh Irvine wrote:
> you can set up DEFAULT/Auth-Type pairs to add the attributes that way. Perhaps
> if you describe your requirements in more detail I can assist in finding the
> best mechanism to use.
Ok. We use LDAP to store our Radius data. A normal LDAP entry looks like:
...
radiususername=8W9
radiususer-name=8W9 Long user description for the logfile
radiuspassword=secret
radiusprofile=westend-dynamic-dialup

We have three profiles, used via replaceIfNotExisting:
westend-dynamic-dialup  for normal dialups
westend-static-dialup   with static IP addresses stored in LDAP
westend-callback-dialup not yet implemented

Now we want to offer our clients VPN support and therefore need to give
the Cisco some TACACS+ attributes. As we don't want to run a TACACS server
next to the RADIUS server (which we bought for a lot of money :-)), we have to use
cisco-avpair attributes to pass all these parameters via RADIUS.
(Sadly, as you know, the LDAP function does not allow you to specify more
 than one radiuscisco-avpair="something" - see older mails from me.)


So now what? I tried to use the profiles, although that has the drawback
that we have to create a unique profile for every VPN client, but this
would be acceptable. But this didn't work either. I tried to use \n-separated
values, but this led to no success (see other mail).


If you do not have a good idea I think I'll have to try to hack
the LDAP function to store that attributes in arrays instead of hashes
and therefore allow several attributes with the same name.

> Hugh
bye,

 -christian-





Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-25 Thread Christian Hammers

Hello

As radiator is not able to fetch multiple attributes with the same name
via ReplaceIfNotExistence I'm looking for another way to supply them.

Does anybody know a strange mixture of any Reply mechanisms that would
allow me to do what I want? Maybe using profiles, realms, default replies
and LDAP fetched replies together etc?

bye,

 -christian-

[now we need some more tacacs attributes for VPNs, too and don't want to
set up a tacacs server, too]
   cisco-avpair=ip:addr-pool=setup_pool
   cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
   cisco-avpair=ip:idletime=89
 Sadly radiator only takes one of them.





Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-25 Thread Hugh Irvine


Hello Christian -

On Thu, 25 May 2000, Christian Hammers wrote:
> Hello
> 
> As radiator is not able to fetch multiple attributes with the same name
> via ReplaceIfNotExistence I'm looking for another way to supply them.
> 
> Does anybody know a strange mixture of any Reply mechanisms that would
> allow me to do what I want? Maybe using profiles, realms, default replies
> and LDAP fetched replies together etc?
> 
> bye,
> 
>  -christian-
> 
> [now we need some more tacacs attributes for VPNs, too and don't want to
> set up a tacacs server, too]
>   cisco-avpair=ip:addr-pool=setup_pool
>   cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
>   cisco-avpair=ip:idletime=89
>   Sadly radiator only takes one of them.
> 

There are a number of ways to do this. You can simply use an AddToReply if the
attributes are always the same for a particular AuthBy, or you can define
the relevant reply attributes as normal parts of individual user records, or
you can set up DEFAULT/Auth-Type pairs to add the attributes that way. Perhaps
if you describe your requirements in more detail I can assist in finding the
best mechanism to use.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.






Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-25 Thread Matthew Nichols

Christian,

Cisco avpairs can be issued multiple times from Radiator; we are doing it
here. The only restriction we found is that you can only issue one avpair
of one type, e.g.

AddToReply
 cisco-avpair="ip:addr-pool=setup_pool\ndns-servers=212.117.64.86 212.117.67.2\nidletime=89" ,

Note the \n telling the router the end of the command.

I am not sure if this works for IP, but it certainly does work for any
interface-config options, e.g.

cisco-avpair = "lcp:interface-config=ip policy route-map Route\nip access-group 100 in\nip access-group 101 out", \

This will allow you to define per-user configs via radius of different types.

Hope this helps

Regards,

Matt

At 08:22 AM 26/05/2000 +1000, you wrote:

> Hello Christian -
> 
> On Thu, 25 May 2000, Christian Hammers wrote:
> > Hello
> > 
> > As radiator is not able to fetch multiple attributes with the same name
> > via ReplaceIfNotExistence I'm looking for another way to supply them.
> > 
> > Does anybody know a strange mixture of any Reply mechanisms that would
> > allow me to do what I want? Maybe using profiles, realms, default replies
> > and LDAP fetched replies together etc?
> > 
> > bye,
> > 
> >  -christian-
> > 
> > [now we need some more tacacs attributes for VPNs, too and don't want to
> > set up a tacacs server, too]
> >   cisco-avpair=ip:addr-pool=setup_pool
> >   cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
> >   cisco-avpair=ip:idletime=89
> >   Sadly radiator only takes one of them.
> > 
> 
> There are a number of ways to do this. You can simply use an AddToReply if the
> attributes are always the same for a particular AuthBy, or you can define
> the relevant reply attributes as normal parts of individual user records, or
> you can set up DEFAULT/Auth-Type pairs to add the attributes that way. Perhaps
> if you describe your requirements in more detail I can assist in finding the
> best mechanism to use.
> 
> regards
> 
> Hugh


---
Matthew Nichols - Network/Systems Engineer
CCNA
HunterLink  Pty Ltd
Newcastle NSW Australia
Phone: +61 2 4969 0122 Fax: +61 2 4969 0133
PGP Public Key: http://moonah.hunterlink.net.au/~matt/pgp/pgpkey.html
HunterLink Web Site: http://www.hunterlink.net.au





Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-25 Thread James Pickering

On Fri, 26 May 2000, Matthew Nichols wrote:

> cisco avpairs can be issued multiple times from radiator..we are doing it
> here. The only restriction we found is that you can only issue one avpair
> of one type...eg.
> 
> AddToReply
>  cisco-avpair="ip:addr-pool=setup_pool\ndns-servers=212.117.64.86 212.117.67.2\nidletime=89" ,

I've been using per-user dynamic ACLs at a client site for a year or so
just by numbering the ACLs:

AddToReply Service-Type=Framed-User,\
Framed-Protocol=PPP,\
Framed-IP-Netmask=255.255.255.255,\
Framed-Routing=None,Framed-MTU=1500,\
Framed-Compression=Van-Jacobsen-TCP-IP,\
cisco-avpair="ip:inacl#3=permit tcp any x.x.x.x 0.0.0.0 eq 80",\
cisco-avpair="ip:inacl#4=permit tcp any x.x.x.x 0.0.0.0 eq 443",\
cisco-avpair="ip:inacl#5=permit tcp any x.x.x.x 0.0.0.0 eq 1",\
cisco-avpair="ip:inacl#6=permit udp any x.x.x.x 0.0.0.0 eq domain",\
cisco-avpair="ip:inacl#7=deny icmp any any administratively-prohibited",\
cisco-avpair="ip:inacl#8=deny ip any any",\
Reply-Message=THIS IS A RESTRICTED ACCESS SYSTEM. UNAUTHORISED ACCESS PROHIBITED.

This might work for you as well. At the time I could only find sketchy
docs on how this worked for TACACS+, and had to make an educated guess for
RADIUS.

--
James Pickering, Managing Director
Australian Integration Consultants Pty Ltd
Email: [EMAIL PROTECTED]



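The posts above approach the same problem from three angles: Christian's observation that keeping reply attributes in a hash keyed by name can only ever hold one cisco-avpair, Matt's workaround of packing several commands into one avpair with `\n`, and James's numbered `ip:inacl#N` entries, which rely on every avpair being a separate attribute. The block below is an added example, not code from Radiator or from anyone in the thread, written in Python rather than Radiator's Perl because the point is the wire format: it encodes cisco-avpair values as RADIUS Vendor-Specific attributes (RFC 2865 section 5.26: attribute type 26, Cisco enterprise number 9, vendor type 1 for cisco-avpair), decodes them back in wire order, and contrasts the single-valued representation that drops repeats with one that keeps them. The sample avpairs are the ones posted in the thread; the ACL entries passed to the `inacl_entries` helper are constructed and use a documentation address in place of `x.x.x.x`. The caveat the `\n` trick runs into is built in: one RADIUS attribute carries at most 247 bytes of avpair data, so a long multi-line avpair has to be split across attributes.

```python
"""RADIUS Vendor-Specific attribute (RFC 2865 section 5.26) encoder/decoder
for Cisco cisco-avpair, written as an added illustration for this thread.
It is not Radiator code. Constants: RADIUS attribute type 26 is
Vendor-Specific, Cisco's IANA enterprise number is 9, and Cisco vendor
type 1 is cisco-avpair."""
import re
import struct

ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
# A RADIUS attribute is at most 255 bytes including its 2-byte header; the
# VSA wrapper (4-byte vendor id + vendor type + vendor length) leaves 247 for data.
MAX_AVPAIR_DATA = 255 - 2 - 4 - 2


def encode_cisco_avpair(value: str) -> bytes:
    """One cisco-avpair as a VSA: Type | Length | Vendor-Id | VType | VLength | data."""
    data = value.encode("utf-8")
    if len(data) > MAX_AVPAIR_DATA:
        raise ValueError("cisco-avpair value exceeds %d bytes" % MAX_AVPAIR_DATA)
    vendor_len = 2 + len(data)
    total_len = 2 + 4 + vendor_len
    return struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total_len,
                       VENDOR_CISCO, CISCO_AVPAIR, vendor_len) + data


def build_reply_attrs(avpairs) -> bytes:
    """One VSA per avpair, concatenated in order; RADIUS allows repeated attributes."""
    return b"".join(encode_cisco_avpair(v) for v in avpairs)


def decode_attrs(blob: bytes):
    """Walk an attribute list and return (type, value) tuples in wire order.
    Cisco avpair VSAs come back as ("cisco-avpair", str); anything else as
    (int type, raw bytes). Length fields are checked before they are used."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        body = blob[i + 2:i + alen]
        i += alen
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR and vlen == len(body) - 4:
                out.append(("cisco-avpair", body[6:].decode("utf-8", "replace")))
                continue
        out.append((atype, body))
    return out


def as_single_valued(pairs):
    """What AuthLDAP2.pm did before the patch: one value per attribute name,
    the first one wins and the rest are silently dropped."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, value)
    return out


def as_multi_valued(pairs):
    """The representation that keeps every repeated attribute: name -> list."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, []).append(value)
    return out


def inacl_entries(avpairs):
    """Collect ip:inacl#N=<ace> avpairs and return the ACEs ordered by N, the
    way the per-user ACL reply in the thread relies on the numbering."""
    aces = []
    for v in avpairs:
        m = re.match(r"ip:inacl#(\d+)=(.*)\Z", v, re.S)
        if m:
            aces.append((int(m.group(1)), m.group(2)))
    return [ace for _, ace in sorted(aces)]


# Constructed sample: the three avpairs from the thread, sent as three VSAs.
THREAD_AVPAIRS = [
    "ip:addr-pool=setup_pool",
    "ip:dns-servers=212.117.64.86 212.117.67.2",
    "ip:idletime=89",
]

if __name__ == "__main__":
    decoded = decode_attrs(build_reply_attrs(THREAD_AVPAIRS))
    print("single-valued:", as_single_valued(decoded))
    print("multi-valued: ", as_multi_valued(decoded))
```

Run directly, it prints the two representations side by side: the single-valued one shows exactly the symptom from the thread, only `ip:addr-pool=setup_pool` survives, while the multi-valued one keeps all three.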



Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-15 Thread Christian Hammers

Hello

I've downloaded 2.15 but still have problems with multiple attributes 
with the same name stored in LDAP and fetched via replaceIfNotExistProfiles:

...
DEBUG: LDAP got radiuscisco-avpair: ip:dns-servers=212.117.64.86  \
  212.117.67.2 ip:addr-pool=setup_pool
...
DEBUG: Access accepted for 8W13000a
...
DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 2132 
Code:   Access-Accept
Identifier: 62
Authentic:  1234567890123456
Attributes:
User-Name = "8W13000a TEST dynamisch"
Framed-Protocol = PPP
Framed-Routing = None
Service-Type = Framed-User
cisco-avpair = "ip:dns-servers=212.117.64.86 212.117.67.2"

The second cisco-avpair with the ip-pool is still missing, although it
is fetched, as you can see in the first line.

Any hints?

bye,

 -christian-




(RADIATOR) multiple cisco-avpair attributes

2000-05-11 Thread Christian Hammers

Hello

I've got a big problem. We want to use the following attributes in some
of our user profiles, which we fetch via the replaceIfNotExistProfiles hook and LDAP:
cisco-avpair=ip:addr-pool=setup_pool
cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
cisco-avpair=ip:idletime=89
Sadly radiator only takes one of them.

Any hints?

bye,

 -christian-





Re: (RADIATOR) multiple cisco-avpair attributes

2000-05-11 Thread Hugh Irvine


Hello Christian -

On Thu, 11 May 2000, Christian Hammers wrote:
> Hello
> 
> I've got a big problem. We want to use the following attributes in some
> of our user profiles we fetch via replaceIfNotExistProfiles hook and LDAP:
>   cisco-avpair=ip:addr-pool=setup_pool
>   cisco-avpair=ip:dns-servers=212.117.64.86 212.117.67.2
>   cisco-avpair=ip:idletime=89
> Sadly radiator only takes one of them.
> 
> Any hints?
> 

Yes, this was a problem with the earlier code and has been fixed in a patch to
Radiator 2.15:

http://www.open.com.au/radiator/downloads/patches-2.15/patches.README

2/3/00 Fixed a bug in AttrVal.pm: 
AddToReplyIfNotExist parameter with multiple attr=val, and
with white space before the attribute name would not be
parsed properly, resulting in a "Bad attribute=value pair:"
error message. Download a new AttrVal.pm from here.

hth

Hugh




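Hugh's pointer is to a parser bug in the attr=value list syntax that AddToReply and AddToReplyIfNotExist take. The following is an added example, not Radiator's AttrVal.pm: a small Python parser for that syntax as it appears in this thread (comma-separated `name=value` items, double-quoted values, backslash-newline continuation) which tolerates white space before an attribute name, the case the README entry above describes, and keeps repeated names such as several `cisco-avpair` items as separate entries in order. It assumes quoted values contain no escaped quotes, which nothing in the thread shows; the sample reply list is constructed after James's per-user ACL example, with a documentation address in place of `x.x.x.x`.

```python
"""Parser for the attr=value list format used by Radiator's AddToReply /
AddToReplyIfNotExist parameters, as seen in this thread. Added illustration,
not Radiator's own AttrVal.pm. Assumption: a value is either bare (up to the
next comma) or double-quoted with no escape sequences inside the quotes."""


def _skip(text, i, chars):
    """Advance i past any run of the given characters."""
    while i < len(text) and text[i] in chars:
        i += 1
    return i


def parse_attr_list(text):
    """Return [(name, value), ...] in the order written, keeping repeated
    names (several cisco-avpair items) as separate entries. White space
    before an attribute name and around '=' is tolerated; malformed items
    raise ValueError with the same wording Radiator's README quotes."""
    text = text.replace("\\\n", "")        # config-file line continuation
    pairs, i, n = [], 0, len(text)
    while True:
        i = _skip(text, i, " \t\r\n,")      # leading blanks and empty items
        if i >= n:
            return pairs
        eq = text.find("=", i)
        if eq < 0:
            raise ValueError("Bad attribute=value pair: %r" % text[i:].strip())
        name = text[i:eq].strip()
        if not name or any(c in name for c in " \t\r\n,\""):
            raise ValueError("Bad attribute=value pair: %r" % text[i:eq + 1].strip())
        i = _skip(text, eq + 1, " \t")
        if i < n and text[i] == '"':
            close = text.find('"', i + 1)
            if close < 0:
                raise ValueError("unterminated quoted value for %s" % name)
            value = text[i + 1:close]      # commas inside quotes are data
            i = _skip(text, close + 1, " \t")
            if i < n and text[i] != ",":
                raise ValueError("junk after quoted value for %s" % name)
        else:
            end = text.find(",", i)
            if end < 0:
                end = n
            value = text[i:end].strip()
            i = end
        pairs.append((name, value))


# Constructed sample in the style of the per-user ACL reply posted in the
# thread (192.0.2.10 is a documentation address standing in for x.x.x.x).
SAMPLE = '''Service-Type=Framed-User,\\
Framed-Protocol=PPP,\\
Framed-IP-Netmask=255.255.255.255,\\
 cisco-avpair="ip:inacl#3=permit tcp any 192.0.2.10 0.0.0.0 eq 80",\\
 cisco-avpair="ip:inacl#8=deny ip any any",\\
Reply-Message=THIS IS A RESTRICTED ACCESS SYSTEM. UNAUTHORISED ACCESS PROHIBITED.'''

if __name__ == "__main__":
    for name, value in parse_attr_list(SAMPLE):
        print("%-18s %s" % (name, value))
```

The two `cisco-avpair` lines in the sample start with a space on purpose: that is the leading white space the 2.15 fix was about, and the parser has to treat it as nothing rather than as part of the name.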