Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-10-12 Thread Hartmaier Alexander
Hi Daniel,

we generate the Client config blocks using ClientListSQL from our NMS
database. The identifier is the hostname and we use the
OSC-Group-Identifier set to the support group name for further
distinguishment in the handlers.

We also add other metadata like OSC-Customer-Identifier for logging this
way.

Best regards, Alex


On 2016-09-08 07:12, Hugh Irvine wrote:
> Hello Daniel -
>
> You can use Identifiers in your Client clauses to indicate what sort of 
> device they are, then use those identifiers in your Handlers.
>
> Something like this:
>
> ……
>
> 
>   Identifier Firewall
>   …..
> 
>
> 
>   Identifier Firewall
>   …..
> 
>
> 
>   Identifier Switch
>   …..
> 
>
> 
>   Identifier Switch
>   …..
> 
>
> …..
>
> 
>   AuthByPolicy ContinueUntilAccept
>   AuthBy CheckReadOnlyAccessForFirewall
>   AuthBy CheckFullAccessForFirewall
> 
>
> 
>   AuthByPolicy ContinueUntilAccept
>   AuthBy CheckReadOnlyAccessForSwitch
>   AuthBy CheckFullAccessForSwitch
> 
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
>
>> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
>>
>> Hi all,
>>
>> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
>> including command level authorization. Based on some posts on this list I 
>> got both the active directory and the TACACS server module up and running, 
>> but struggle with the configuration of both.
>>
>> If I understand correctly, the TACACS module simply converts the TACACS 
>> authentication requests to radius requests and passes them to Radiator for 
>> ordinary execution. Authorization requests are handled within the TACACS 
>> module.
>>
>> My configuration currently looks as follows:
>>
>> --- begin ---
>> 
>>  # Define DC to connect to
>>  Host dc-b.ad.x.com
>>
>>  # Identifier to use this AuthBy Clause later
>>  Identifier AuthByAD
>>
>>  # Administrative user used to perform LDAP queries
>>  AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
>>  AuthPassword
>>
>>  # Where to search for users
>>  BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
>>  ServerChecksPassword
>>
>>  # Add Check for group membership
>>  AuthAttrDef memberOf, ADGroup, check
>>
>>  # Reply should include the group names for further processing
>>  AuthAttrDef memberOf, ADGroups, reply
>>
>>  # There will be no default User
>>  NoDefault
>>
>>  # LDAP attribute to check the UserName on
>>  UsernameAttr sAMAccountName
>> 
>>
>> 
>> Port 49
>> AddToRequest NAS-Identifier=TACACS
>> GroupMemberAttr tacacsgroup
>>
>> AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
>> AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>> AuthorizeGroup network_ro deny .*
>>
>> # This is for authorized users for full access. Place in lvl 15 immediately, no restrictions apply
>> AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>> AuthorizeGroup full_access permit .*
>>
>> # Default deny to prevent accidents when something is misconfigured
>> AuthorizeGroup DEFAULT deny .*
>>
>> 
>>
>> # Include client definition
>> include %D/radius-clients.cfg
>> # Include Active Directory AuthBy Handler
>> include %D/authby-ad.cfg
>> # Include configuration for the built-in TACACS server
>> include %D/tacacs.cfg
>>
>> # TACACS Handler
>> 
>> AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>> AuthBy AuthByAD
>>
>> # Try read-only access
>> # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
>> # AuthBy AuthByAD
>> 
>> --- end ---
>>
>> My problem now is how to tie both clues together in the handler. Ideally I 
>> would also like to distinguish based on the TACACS client which is asking. 
>> If it is a firewall (IPs known), then use command sets full_access_fw and 
>> firewall_ro based on AD groups.
>>
>> Basically I need something like this:
>>
>> -Firewall is TACACS client, and the user is member of group 
>> netadmin-security, return request with tacacsgroup=full_access_fw
>> -Switch is TACACS client, and the user is member of group netadmin, 
>> return request with tacacsgroup=full_access
>> -Firewall is TACACS client, and the user is member of group 
>> netadmin-security-ro, return request with tacacsgroup=firewall_ro
>> -Switch is TACACS client, and the user is member of group netadmin-ro, 
>> return request with tacacsgroup=network_ro
>>
>> How would I do this mapping?
>>
>> Many thanks and best regards
>> Daniel
>>
>>

Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-09-07 Thread Hugh Irvine

Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of device 
they are, then use those identifiers in your Handlers.

Something like this:

……


Identifier Firewall
…..



Identifier Firewall
…..



Identifier Switch
…..



Identifier Switch
…..


…..


AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForFirewall
AuthBy CheckFullAccessForFirewall



AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForSwitch
AuthBy CheckFullAccessForSwitch



hope that helps

regards

Hugh



> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
> 
> Hi all,
> 
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
> including command level authorization. Based on some posts on this list I got 
> both the active directory and the TACACS server module up and running, but 
> struggle with the configuration of both.
> 
> If I understand correctly, the TACACS module simply converts the TACACS 
> authentication requests to radius requests and passes them to Radiator for 
> ordinary execution. Authorization requests are handled within the TACACS 
> module.
> 
> My configuration currently looks as follows:
> 
> --- begin ---
> 
> # Define DC to connect to 
> Host dc-b.ad.x.com
> 
> # Identifier to use this AuthBy Clause later
> Identifier AuthByAD
> 
> # Administrative user used to perform LDAP queries
> AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
> AuthPassword
> 
> # Where to search for users
> BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
> ServerChecksPassword
> 
> # Add Check for group membership
> AuthAttrDef memberOf, ADGroup, check
> 
> # Reply should include the group names for further processing
> AuthAttrDef memberOf, ADGroups, reply
> 
> # There will be no default User
> NoDefault
> 
> # LDAP attribute to check the UserName on
> UsernameAttr sAMAccountName
> 
> 
> 
>Port 49
>AddToRequest NAS-Identifier=TACACS
>GroupMemberAttr tacacsgroup
> 
>AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
>AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
>AuthorizeGroup network_ro deny .*
> 
># This is for authorized users for full access. Place in lvl 15 immediately, no restrictions apply
>AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
>AuthorizeGroup full_access permit .*
> 
># Default deny to prevent accidents when something is misconfigured
>AuthorizeGroup DEFAULT deny .*
> 
> 
> 
> # Include client definition
> include %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include %D/tacacs.cfg
> 
> # TACACS Handler
> 
>AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
>AuthBy AuthByAD
> 
># Try read-only access
># AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
># AuthBy AuthByAD
> 
> --- end ---
> 
> My problem now is how to tie both clues together in the handler. Ideally I 
> would also like to distinguish based on the TACACS client which is asking. If 
> it is a firewall (IPs known), then use command sets full_access_fw and 
> firewall_ro based on AD groups.
> 
> Basically I need something like this:
> 
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security, return request with tacacsgroup=full_access_fw
> - Switch is TACACS client, and the user is member of group netadmin, 
> return request with tacacsgroup=full_access
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security-ro, return request with tacacsgroup=firewall_ro
> - Switch is TACACS client, and the user is member of group netadmin-ro, 
> return request with tacacsgroup=network_ro
> 
> How would I do this mapping?
> 
> Many thanks and best regards
> Daniel
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.


[RADIATOR] Question about TACACS group assignment based on AD groups

2016-09-07 Thread daniel.herrmann
Hi all,

I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
including command level authorization. Based on some posts on this list I got 
both the active directory and the TACACS server module up and running, but 
struggle with the configuration of both.

If I understand correctly, the TACACS module simply converts the TACACS 
authentication requests to radius requests and passes them to Radiator for 
ordinary execution. Authorization requests are handled within the TACACS module.

My configuration currently looks as follows:

--- begin ---

 # Define DC to connect to 
 Host dc-b.ad.x.com

 # Identifier to use this AuthBy Clause later
 Identifier AuthByAD

 # Administrative user used to perform LDAP queries
 AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
 AuthPassword

 # Where to search for users
 BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
 ServerChecksPassword

 # Add Check for group membership
 AuthAttrDef memberOf, ADGroup, check

 # Reply should include the group names for further processing
 AuthAttrDef memberOf, ADGroups, reply

 # There will be no default User
 NoDefault

 # LDAP attribute to check the UserName on
 UsernameAttr sAMAccountName



Port 49
AddToRequest NAS-Identifier=TACACS
GroupMemberAttr tacacsgroup

AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
AuthorizeGroup network_ro deny .*

# This is for authorized users for full access. Place in lvl 15 immediately, no restrictions apply
AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup full_access permit .*

# Default deny to prevent accidents when something is misconfigured
AuthorizeGroup DEFAULT deny .*



# Include client definition
include %D/radius-clients.cfg
# Include Active Directory AuthBy Handler
include %D/authby-ad.cfg
# Include configuration for the built-in TACACS server
include %D/tacacs.cfg

# TACACS Handler

AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
AuthBy AuthByAD

# Try read-only access
# AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
# AuthBy AuthByAD

--- end ---

My problem now is how to tie both clues together in the handler. Ideally I 
would also like to distinguish based on the TACACS client which is asking. If 
it is a firewall (IPs known), then use command sets full_access_fw and 
firewall_ro based on AD groups.

Basically I need something like this:

-   Firewall is TACACS client, and the user is member of group 
netadmin-security, return request with tacacsgroup=full_access_fw
-   Switch is TACACS client, and the user is member of group netadmin, 
return request with tacacsgroup=full_access
-   Firewall is TACACS client, and the user is member of group 
netadmin-security-ro, return request with tacacsgroup=firewall_ro
-   Switch is TACACS client, and the user is member of group netadmin-ro, 
return request with tacacsgroup=network_ro

How would I do this mapping?

Many thanks and best regards
Daniel


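The mapping Daniel lists in his four bullets, combined with Hugh's approach of tagging each Client with an Identifier and selecting on it in the Handlers, as an added Python model. This is not code from any post in the thread and not Radiator's implementation: the LDAP DNs and command strings are constructed for the example, top-down first-match evaluation of the AuthorizeGroup rules and matching the command as one whole string are assumptions about how such rules behave, and a user who is in both a read-only and a full-access group deliberately gets the read-only set.

```python
"""Added example, not Radiator code and not from any post in the thread.
It models the mapping Daniel asks for (TACACS+ client type x AD group ->
tacacsgroup) and then evaluates his AuthorizeGroup rules over a command.
Assumptions, stated here rather than taken from the posts: rules are
evaluated top-down with the first match deciding, the command is matched
as one 'service=... cmd=... cmd-arg=...' string, and a user who is in
both a read-only and a full-access group gets the read-only set."""
import re

# Client Identifier -> (AD group CN -> tacacsgroup). Read-only entries come
# first so they win for a user who is in both groups (least privilege).
GROUP_MAP = {
    "Firewall": {"netadmin-security-ro": "firewall_ro",
                 "netadmin-security": "full_access_fw"},
    "Switch": {"netadmin-ro": "network_ro",
               "netadmin": "full_access"},
}

# (tacacsgroup, action, pattern) in the order of Daniel's config, with the
# 'cmd-arh' typo corrected to 'cmd-arg'. The 'cmd\* {priv-lvl=15}' enable
# rule is left out because this model does not carry reply attributes.
AUTHORIZE_RULES = [
    ("network_ro", "deny", r"service=shell cmd=show cmd-arg=tech-support"),
    ("network_ro", "permit", r"service=shell cmd=show cmd-arg=.*"),
    ("network_ro", "deny", r".*"),
    ("full_access", "permit", r".*"),
    ("DEFAULT", "deny", r".*"),
]


def cn_of(dn):
    """CN of an LDAP DN such as 'CN=netadmin,OU=Groups,DC=example,DC=de'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().upper() == "CN" else None


def select_tacacsgroup(client_identifier, member_of):
    """Choose the tacacsgroup from the client type and the user's memberOf DNs.
    Anything unmapped falls through to DEFAULT, which the rules deny."""
    cns = {cn for cn in map(cn_of, member_of) if cn}
    for group_cn, tacacsgroup in GROUP_MAP.get(client_identifier, {}).items():
        if group_cn in cns:
            return tacacsgroup
    return "DEFAULT"


def authorize_command(tacacsgroup, command):
    """First rule for tacacsgroup whose pattern matches the whole command wins.
    A group that has no rules at all (e.g. firewall_ro before its command set
    is written) is denied, just like DEFAULT."""
    for group, action, pattern in AUTHORIZE_RULES:
        if group == tacacsgroup and re.fullmatch(pattern, command):
            return action
    return "deny"


def decide(client_identifier, member_of, command):
    """Full path: client type + AD groups -> tacacsgroup -> permit/deny."""
    tacacsgroup = select_tacacsgroup(client_identifier, member_of)
    return tacacsgroup, authorize_command(tacacsgroup, command)


if __name__ == "__main__":
    # Constructed sample: one switch operator who is only in the read-only group.
    groups = ["CN=netadmin-ro,OU=Groups,DC=example,DC=de"]
    for cmd in ("service=shell cmd=show cmd-arg=running-config",
                "service=shell cmd=show cmd-arg=tech-support",
                "service=shell cmd=configure cmd-arg=terminal"):
        print("Switch", groups, cmd, "->", decide("Switch", groups, cmd))
```

Running it prints the decision for a read-only switch operator. Note that `firewall_ro` and `full_access_fw` are denied everything until their own AuthorizeGroup rules exist, which is the fail-closed behaviour Daniel's `AuthorizeGroup DEFAULT deny .*` line is there to guarantee.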


Re: [RADIATOR] Question about regex matching realm in handlers

2016-02-11 Thread David Rose
Heikki,

Now that you assembled the pieces for me, it makes perfect sense. I
figured I had to be missing something.

Thank you!

David

On 2/11/2016 5:17 AM, Heikki Vatiainen wrote:
> On 10.2.2016 23.31, David Rose wrote:
>
>> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
>> and associated statements (i.e. no other changes to client config or
>> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
>> the regex and the inner request is then caught by "NO_REALM". Here is
>> the debug from a request where things stop working as expected (I think
>> the key is that in the packet dump, the username is in the "EAP-Message"
>> field and not the "User-Name" field):
> Yes, you are correct. The key is the empty User-Name in the tunnelled 
> request. Here's the tunnelled request:
>
>> Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
>> Code:   Access-Request
>> Identifier: UNDEF
>> Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
>> Attributes:
>>  EAP-Message = <2><0><0><18><1>tu...@iit.edu
>>  Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>  User-Name = ""
>>
>> Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
>> 'Realm=/^$/', Identifier 'NO_REALM'
> This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'. 
> This tells Radiator to add User-Name in the inner request with the value 
> that is the inner EAP identity.
>
> When the inner EAP starts, the first request is the EAP Identity 
> response shown above. The identity (the username) is then extracted by 
> the AuthBy within the Handler that matches the inner request.
>
> Because the inner request becomes known only after the first tunnelled 
> request has been processed, it's not available when the first tunnelled 
> request is dispatched to the Handlers. In other words, we have a chicken 
> and egg situation: the inner identity is needed before the request that 
> carries it is processed.
>
> You could consider this:
>
>
> This should match usern...@iit.edu, username@, username and empty 
> username. Or then you could use simply just 
>
> Since the outer username is used to route the RADIUS request to the 
> correct home organisation, for example with eduroam, what matters is 
> that the RADIUS request has the correct realm. The inner request's realm 
> can have the home realm but it could as well be empty since the inner 
> username is not used for RADIUS request routing.
>
> If you want to force the inner realm to always be @iit.edu, you could do 
> this:
>
> 
>  Identifier PEAP_INNER_IITdEDU
>  AuthBy NTLM_MSCHAP_NoRealm
> 
> 
>  Identifier PEAP_INNER_No_Realm
>  
>  Filename /dev/null
>  EAPType EAP-MSCHAP-V2
>  
> 
>
> Even if the first request with the empty User-Name always matches the 
> second Handler, it will just extract the identity and challenge the 
> client to start EAP-MSCHAP-V2. The next request from the client will 
> match the correct Handler unless their identity (username) does not end 
> with @iit.edu. If this happens, they will fail the authentication. 
> However, it might be a good idea to allow the inner username to be 
> realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.
>
> You could think of the second Handler as an anchor that bootstraps 
> EAP-MSCHAP-V2 and handles unknown realms.
>
> We have planned solving the chicken egg problem by taking a look at the 
> inner request when the inner identity is not known yet. If the inner 
> EAP-Message contains the identity, then it could be used for the first 
> message when EAPAnonymous %0 is configured. However, this is not in 
> Radiator or Radiator patches yet.
>
> I hope the above clarifies how EAPAnonymous %0 works currently and why 
> you will see empty User-Name with it.
>
> Thanks,
> Heikki
>



Re: [RADIATOR] Question about regex matching realm in handlers

2016-02-11 Thread Heikki Vatiainen
On 10.2.2016 23.31, David Rose wrote:

> However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
> and associated statements (i.e. no other changes to client config or
> anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
> the regex and the inner request is then caught by "NO_REALM". Here is
> the debug from a request where things stop working as expected (I think
> the key is that in the packet dump, the username is in the "EAP-Message"
> field and not the "User-Name" field):

Yes, you are correct. The key is the empty User-Name in the tunnelled 
request. Here's the tunnelled request:

> Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
> Attributes:
>  EAP-Message = <2><0><0><18><1>tu...@iit.edu
>  Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>  User-Name = ""
>
> Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
> 'Realm=/^$/', Identifier 'NO_REALM'

This is what happens: Your outer Handler's AuthBy has 'EAPAnonymous %0'. 
This tells Radiator to add User-Name in the inner request with the value 
that is the inner EAP identity.

When the inner EAP starts, the first request is the EAP Identity 
response shown above. The identity (the username) is then extracted by 
the AuthBy within the Handler that matches the inner request.

Because the inner request becomes known only after the first tunnelled 
request has been processed, it's not available when the first tunnelled 
request is dispatched to the Handlers. In other words, we have a chicken 
and egg situation: the inner identity is needed before the request that 
carries it is processed.

You could consider this:
   

This should match usern...@iit.edu, username@, username and empty 
username. Or then you could use simply just 

Since the outer username is used to route the RADIUS request to the 
correct home organisation, for example with eduroam, what matters is 
that the RADIUS request has the correct realm. The inner request's realm 
can have the home realm but it could as well be empty since the inner 
username is not used for RADIUS request routing.

If you want to force the inner realm to always be @iit.edu, you could do 
this:


 Identifier PEAP_INNER_IITdEDU
 AuthBy NTLM_MSCHAP_NoRealm


 Identifier PEAP_INNER_No_Realm
 
 Filename /dev/null
 EAPType EAP-MSCHAP-V2
 


Even if the first request with the empty User-Name always matches the 
second Handler, it will just extract the identity and challenge the 
client to start EAP-MSCHAP-V2. The next request from the client will 
match the correct Handler unless their identity (username) does not end 
with @iit.edu. If this happens, they will fail the authentication. 
However, it might be a good idea to allow the inner username to be 
realmless and use Realm=/(^iit\.edu$|^$)/i with the first Handler.

You could think of the second Handler as an anchor that bootstraps 
EAP-MSCHAP-V2 and handles unknown realms.

We have planned solving the chicken egg problem by taking a look at the 
inner request when the inner identity is not known yet. If the inner 
EAP-Message contains the identity, then it could be used for the first 
message when EAPAnonymous %0 is configured. However, this is not in 
Radiator or Radiator patches yet.

I hope the above clarifies how EAPAnonymous %0 works currently and why 
you will see empty User-Name with it.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
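The dispatch Heikki walks through, as an added Python example that is not Radiator code and not from any post: it parses the EAP Response/Identity seen in the trace, derives the realm the way a `Realm=/.../i` check would see it, and runs the two tunnelled requests through David's strict Handler list and through the anchored list Heikki proposes. The inner Handlers are assumed to carry the same `iit\.edu$` pattern that the outer Handler shows in the trace, the anchor Handler is modelled as a catch-all whose only job is to start EAP-MSCHAP-V2, `peek_identity` is the planned behaviour Heikki describes and not something Radiator did at the time, and the identity `tuser@iit.edu` is a constructed stand-in for the redacted one.

```python
r"""Added example, not Radiator code and not from any post in the thread.
It reproduces the dispatch in David's trace: the first tunnelled request
carries the identity only inside EAP-Message with User-Name = "", so a
Handler whose realm pattern does not admit the empty realm never sees it.
Assumptions: the inner Handlers use the same 'iit\.edu$' pattern as the
outer Handler in the trace, patterns are applied with re.search and the
/i flag, and the anchor Handler from Heikki's second config is a catch-all
that only issues the EAP-MSCHAP-V2 challenge."""
import re


def eap_identity(eap_message):
    """Identity from an EAP Response/Identity (RFC 3748 layout: code, id,
    2-byte length, type, type-data). None for anything else."""
    if len(eap_message) < 5:
        return None
    code = eap_message[0]
    length = int.from_bytes(eap_message[2:4], "big")
    eap_type = eap_message[4]
    if code != 2 or eap_type != 1 or length != len(eap_message):
        return None
    return eap_message[5:].decode("utf-8", errors="replace")


def realm_of(user_name):
    """Text after the last '@'; 'user', 'user@' and '' all give the empty realm."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep else ""


def peek_identity(user_name, eap_message):
    """What Heikki describes as planned (not in Radiator at the time): when
    User-Name is empty, take the identity from the EAP-Message instead."""
    return user_name or eap_identity(eap_message) or ""


# (Identifier, realm pattern, AuthBy or None) in config order.
STRICT = [
    ("PEAP_INNER_IITdEDU", r"iit\.edu$", "NTLM_MSCHAP_NoRealm"),
    ("NO_REALM", r"^$", None),  # no AuthBy: rejects, as in the trace
]
ANCHORED = [
    ("PEAP_INNER_IITdEDU", r"(^iit\.edu$|^$)", "NTLM_MSCHAP_NoRealm"),
    ("PEAP_INNER_No_Realm", r"", "EAP-MSCHAP-V2 anchor"),  # any realm
]


def dispatch(handlers, user_name):
    """Identifier of the first Handler whose realm pattern matches."""
    realm = realm_of(user_name)
    for identifier, pattern, _ in handlers:
        if re.search(pattern, realm, re.IGNORECASE):
            return identifier
    return None


def run_inner_exchange(handlers, identity):
    """Two tunnelled requests: the Identity response (User-Name still empty),
    then the first request after EAPAnonymous %0 has filled User-Name in.
    Returns [(handler, outcome), ...]; a Handler with no AuthBy rejects."""
    authby = {ident: ab for ident, _, ab in handlers}
    # Constructed EAP Response/Identity carrying the identity.
    eap_msg = (b"\x02\x00" + (5 + len(identity)).to_bytes(2, "big")
               + b"\x01" + identity.encode())
    outcomes = []
    for user_name in ("", eap_identity(eap_msg)):
        handler = dispatch(handlers, user_name)
        if handler is None or authby[handler] is None:
            outcomes.append((handler, "reject: No AuthBy found"))
            break
        outcomes.append((handler, "continue via " + authby[handler]))
    return outcomes


if __name__ == "__main__":
    for name, handlers in (("strict", STRICT), ("anchored", ANCHORED)):
        print(name, run_inner_exchange(handlers, "tuser@iit.edu"))
```

The strict list stops at the first request exactly where David's trace does (`NO_REALM`, "No AuthBy found"); the anchored list lets the same request through so the identity can be extracted, after which the second request matches on its real realm.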


[RADIATOR] Question about regex matching realm in handlers

2016-02-10 Thread David Rose
Not sure if this is normal behavior or not as I am a bit new to
Radiator, however it seems odd to me. Maybe someone can explain it or
point out what I might be doing wrong?

Configuring a Radiator server (tried with both 4.15 & 4.16) to provide
authentication for wireless, and most things have gone well. However I
have come across something that doesn't seem quite right. If I only have
handlers for the inner authentication that have a regex to match realms,
Radiator doesn't seem to parse the request packet properly.

If I include "generic" inner authentication handlers (which don't get
used), then the handlers with the regex work just fine.

Here is my working configuration:

Foreground
LogStdout
DbDir   /etc/radiator
LogDir  .
DictionaryFile  %D/dictionary
Trace   4
AuthPort 1812
AcctPort 1813
include %D/clients.cfg
DisabledRuntimeChecks CVE-2014-0160

Identifier NTLM_MSCHAP_NoRealm
UsernameMatchesWithoutRealm
EAPType MSCHAP-V2


Identifier FILE_OuterRequests
Filename %D/dot1x_anon
EAPType TTLS PEAP
EAPAnonymous %0
EAPTLS_CAFile %D/certificates/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired
AutoMPPEKeys
EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4


Identifier TTLS_INNER_IITdEDU
AuthBy NTLM_MSCHAP_NoRealm


Identifier PEAP_INNER_IITdEDU
AuthBy NTLM_MSCHAP_NoRealm


Identifier TTLS_INNER_GENERIC
AuthBy NTLM_MSCHAP_NoRealm


Identifier PEAP_INNER_GENERIC
AuthBy NTLM_MSCHAP_NoRealm


Identifier NO_REALM
AccountingHandled
StripFromReply Reply-Message
AddToReply Reply-Message="Misconfigured client: empty realm!"


Identifier EAP_OUTER_IITdEDU
AuthBy FILE_OuterRequests




This works as expected for "tu...@iit.edu" with the outer authentication
being handled by the "EAP_OUTER_IITdEDU" and the inner authentication
using "[TTLS|PEAP]_INNER_IITdEDU" correctly depending on client
configuration.

However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
and associated statements (i.e. no other changes to client config or
anywhere else) and restart Radiator, "tu...@iit.edu" no longer matches
the regex and the inner request is then caught by "NO_REALM". Here is
the debug from a request where things stop working as expected (I think
the key is that in the packet dump, the username is in the "EAP-Message"
field and not the "User-Name" field):

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/iit\.edu$/i', Identifier 'EAP_OUTER_IITdEDU'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for
anonym...@iit.edu, 192.168.50.70, 14337
Tue Feb  9 23:21:42 2016: DEBUG: Handling with Radius::AuthFILE:
FILE_OuterRequests
Tue Feb  9 23:21:42 2016: DEBUG: Handling with EAP: code 2, 5, 63, 21
Tue Feb  9 23:21:42 2016: DEBUG: Response type 21
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS data, 3, 5, 4
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS inner authentication request for
Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:   Access-Request
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
EAP-Message = <2><0><0><18><1>tu...@iit.edu
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = ""

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/^$/', Identifier 'NO_REALM'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for , 192.168.50.70,
Tue Feb  9 23:21:42 2016: INFO: Access rejected for : No AuthBy found
Tue Feb  9 23:21:42 2016: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:   Access-Reject
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
Reply-Message = "Misconfigured client: empty realm!"

Tue Feb  9 23:21:42 2016: DEBUG: EAP Failure, elapsed time 0.135382
Tue Feb  9 23:21:42 2016: DEBUG: EAP result: 1, EAP TTLS inner
authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: INFO: Access rejected for anonym...@iit.edu:
EAP TTLS inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: Packet dump:
*** Sending to 192.168.50.70 port 38670 
Code:   Access-Reject
Identifier: 48
Authentic:  <199><166><198><217>p55<139>9?<235>9<167><127><2><147>
Attributes:
EAP-Message = <4><5><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"



Any help or insight would be appreciated.

-- 
David Rose
S

Re: [RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL

2012-06-27 Thread Ricardo Martinez
Hello Heikki
Thanks for your answer, indeed that was the problem! Now I can insert into
both databases perfectly!
We're in the middle of the process to upgrade to Radiator 4.9!

Thanks for your support!
Regards,
Ricardo.-

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
behalf of Heikki Vatiainen
Sent: Wednesday, 27 June 2012 17:35
To: radiator@open.com.au
Subject: Re: [RADIATOR] Question about AuthByPolicy anything else and
AuthBy SQL

On 06/27/2012 11:23 PM, Ricardo Martinez wrote:

> I’m using Radiator 3.1.13

Version 3.x is quite old, so you could consider upgrading in case there are
more problems.

> I have this configuration file :

I think the main problem is this:

   DBusername  user

The option is slightly incorrect. You should have:

   DBUsername  user

Notice the capital U. Radiator should log an error about this when it
starts up.

Since the parameters are incorrect, it can not initialise DBD::Oracle and
Oracle specific string value quoting will fail. This is why you see
blanks.

Also note that the AcctColumnDefs are not equal in both AuthBys. For
example Acct-Input-Octets has 'integer' type in one AuthBy but not in the
other.

Please let us know if this solves the problem, Heikki



>
>
> AuthByPolicy anything else
>
> DBSource dbi:Oracle:DEV
> DBusername  user
> DBAuth  pass
> FailureBackoffTime  60
>
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
> AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
> AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
> AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
> AcctColumnDef VOICE_QUALITY,h323-voice-quality
> AcctColumnDef USER_NAME,User-Name
> AcctColumnDef CALLED_STATION_ID,Called-Station-Id
> AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
> AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
> AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
> AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
> AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
> AcctColumnDef ACCT_INPUT_PACKETS,Acct-Input-Packets,integer
> AcctColumnDef ACCT_OUTPUT_PACKETS,Acct-Output-Packets,integer
> AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type,integer
> AcctColumnDef ACCESS_DEVICE,h323-gw-id
> AcctColumnDef NETWORK_DEVICE_GROUP,Acct-Status-Type,integer
>
>
> DBSource dbi:Oracle:SID1
> DBUsername  user
> DBAuth pass
> FailureBackoffTime  60
>
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,

Re: [RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL

2012-06-27 Thread Heikki Vatiainen
On 06/27/2012 11:23 PM, Ricardo Martinez wrote:

> I’m using Radiator 3.1.13

Version 3.x is quite old, so you could consider upgrading in case there
are more problems.

> I have this configuration file :

I think the main problem is this:

   DBusername  user

The option is slightly incorrect. You should have:

   DBUsername  user

Notice the capital U. Radiator should log an error about this when it
starts up.

Since the parameters are incorrect, it can not initialise DBD::Oracle
and Oracle specific string value quoting will fail. This is why you see
blanks.

Also note that the AcctColumnDefs are not equal in both AuthBys. For
example Acct-Input-Octets has 'integer' type in one AuthBy but not in
the other.

Please let us know if this solves the problem,
Heikki



>
>
> AuthByPolicy anything else
>
> DBSource dbi:Oracle:DEV
> DBusername  user
> DBAuth  pass
> FailureBackoffTime  60
>
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
> AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
> AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
> AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
> AcctColumnDef VOICE_QUALITY,h323-voice-quality
> AcctColumnDef USER_NAME,User-Name
> AcctColumnDef CALLED_STATION_ID,Called-Station-Id
> AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
> AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
> AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
> AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
> AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
> AcctColumnDef ACCT_INPUT_PACKETS,Acct-Input-Packets,integer
> AcctColumnDef ACCT_OUTPUT_PACKETS,Acct-Output-Packets,integer
> AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type,integer
> AcctColumnDef ACCESS_DEVICE,h323-gw-id
> AcctColumnDef NETWORK_DEVICE_GROUP,Acct-Status-Type,integer
>
>
> DBSource dbi:Oracle:SID1
> DBUsername  user
> DBAuth pass
> FailureBackoffTime  60
>
> AccountingTable VOIPACCOUNTING2
> AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
> AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
> AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
> AcctColumnDef CONNECTION_ID,h323-conf-id
> AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
> AcctColumnDef CALL_LEG_TYPE,h323-call-type
> AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
> AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
> AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
> AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
> AcctColumnDef VOICE_QUALITY,h323-voice-quality
> AcctColumnDef USER_NAME,User-Name
> AcctColumnDef CALLED_STATION_ID,Called-Station-Id
> AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
> AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
> AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time
>

[RADIATOR] Question about AuthByPolicy anything else and AuthBy SQL

2012-06-27 Thread Ricardo Martinez
Hello.

I’m using Radiator 3.1.13



I have this configuration file:

AuthByPolicy anything else

<AuthBy SQL>
DBSource dbi:Oracle:DEV
DBusername user
DBAuth pass
FailureBackoffTime 60

AccountingTable VOIPACCOUNTING2
AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
AcctColumnDef CONNECTION_ID,h323-conf-id
AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
AcctColumnDef CALL_LEG_TYPE,h323-call-type
AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
AcctColumnDef VOICE_QUALITY,h323-voice-quality
AcctColumnDef USER_NAME,User-Name
AcctColumnDef CALLED_STATION_ID,Called-Station-Id
AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
AcctColumnDef ACCT_INPUT_PACKETS,Acct-Input-Packets,integer
AcctColumnDef ACCT_OUTPUT_PACKETS,Acct-Output-Packets,integer
AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type,integer
AcctColumnDef ACCESS_DEVICE,h323-gw-id
AcctColumnDef NETWORK_DEVICE_GROUP,Acct-Status-Type,integer
</AuthBy>

<AuthBy SQL>
DBSource dbi:Oracle:SID1
DBUsername user
DBAuth pass
FailureBackoffTime 60

AccountingTable VOIPACCOUNTING2
AcctColumnDef LOGGEDAT,%{GlobalVar:DBsysdate},literal
AcctColumnDef CALL_LEG_SETUP_TIME,h323-setup-time
AcctColumnDef GATEWAY_IDENTIFIER,h323-gw-id
AcctColumnDef CONNECTION_ID,h323-conf-id
AcctColumnDef CALL_LEG_DIRECTION,h323-call-origin
AcctColumnDef CALL_LEG_TYPE,h323-call-type
AcctColumnDef CALL_LEG_CONNECT_TIME,h323-connect-time
AcctColumnDef CALL_LEG_DISCONNECT_TIME,h323-disconnect-time
AcctColumnDef CALL_LEG_DISCONNECT_CAUSE,h323-disconnect-cause
AcctColumnDef REMOTE_GATEWAY_IP_ADDRESS,h323-remote-address
AcctColumnDef VOICE_QUALITY,h323-voice-quality
AcctColumnDef USER_NAME,User-Name
AcctColumnDef CALLED_STATION_ID,Called-Station-Id
AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time
AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets
AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets
AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time
AcctColumnDef ACCT_INPUT_PACKETS,Acct-Input-Packets
AcctColumnDef ACCT_OUTPUT_PACKETS,Acct-Output-Packets
AcctColumnDef NAS_PORT_TYPE,NAS-Port-Type,integer
AcctColumnDef ACCESS_DEVICE,h323-gw-id
AcctColumnDef NETWORK_DEVICE_GROUP,Acct-Status-Type,integer
</AuthBy>

# Log accounting to a detail file. %D is replaced by DbDir above
AcctLogFileName %L/acct/%Y/VoIP_Acct_%Y.%m.%d.%q.csv

PostProcessingHook file:"%D/NAS_Stats"

When I see the debug I get this:

Code:   Accounting-Request
Identifier: 169
Authentic:  <142><223>lD<30><195>[4<30><135>/<155><133><2><204>:
Attrib

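Each AcctColumnDef in the configuration above maps one table column to a RADIUS attribute, with an optional third field (integer or literal) controlling how the value is written. As an added example that is not part of this thread or of Radiator's own code, the Python below models that mapping against an in-memory SQLite table: it parses a constructed set of AcctColumnDef lines (with %{GlobalVar:DBsysdate} assumed to have been expanded to the SQL expression CURRENT_TIMESTAMP already), builds the INSERT, and stores a constructed Accounting-Request. The model's own rule, not a description of Radiator's internals, is that only a literal value, which comes from the config file, is spliced into the SQL text; every attribute value from the NAS is passed as a bound parameter, and a non-numeric value for an integer column is refused rather than quoted.

```python
import sqlite3

# Constructed AcctColumnDef lines in the same shape as the thread's
# (column,attribute[,type]).  The LOGGEDAT line is assumed to have had its
# %{GlobalVar:DBsysdate} macro expanded to an SQL expression already.
ACCT_COLUMN_DEFS = """
AcctColumnDef LOGGEDAT,CURRENT_TIMESTAMP,literal
AcctColumnDef USER_NAME,User-Name
AcctColumnDef CALLED_STATION_ID,Called-Station-Id
AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
AcctColumnDef ACCESS_DEVICE,h323-gw-id
"""

CREATE_TABLE = """
CREATE TABLE IF NOT EXISTS VOIPACCOUNTING2 (
    LOGGEDAT TEXT, USER_NAME TEXT, CALLED_STATION_ID TEXT,
    ACCT_STATUS_TYPE INTEGER, ACCT_SESSION_ID TEXT,
    ACCT_SESSION_TIME INTEGER, ACCESS_DEVICE TEXT)
"""


def parse_column_defs(text):
    """Return (column, source, type) triples; the type defaults to 'string'."""
    defs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("AcctColumnDef"):
            continue
        fields = [f.strip() for f in line.split(None, 1)[1].split(",")]
        if len(fields) < 2:
            raise ValueError(f"malformed AcctColumnDef: {line}")
        ctype = fields[2].lower() if len(fields) > 2 else "string"
        if ctype not in ("string", "integer", "literal"):
            raise ValueError(f"unknown column type {ctype!r} in: {line}")
        defs.append((fields[0], fields[1], ctype))
    return defs


def build_insert(table, defs, request):
    """Build (sql, params) for one accounting request.

    Only a 'literal' source is spliced into the SQL text, and it comes from the
    config file, never from the packet.  Attribute values are always bound
    parameters, so a NAS cannot inject SQL through User-Name or
    Called-Station-Id.  A missing attribute becomes NULL; a non-numeric value
    for an 'integer' column is refused instead of being quoted."""
    columns, placeholders, params = [], [], []
    for column, source, ctype in defs:
        columns.append(column)
        if ctype == "literal":
            placeholders.append(source)
            continue
        value = request.get(source)
        if value is None:
            placeholders.append("NULL")
            continue
        if ctype == "integer":
            try:
                value = int(value)
            except ValueError:
                raise ValueError(f"{source}={value!r} is not an integer "
                                 f"(column {column})") from None
        placeholders.append("?")
        params.append(value)
    sql = (f"INSERT INTO {table} ({', '.join(columns)}) "
           f"VALUES ({', '.join(placeholders)})")
    return sql, params


def log_accounting(request, conn=None):
    """Insert one request into an in-memory table and return the stored row."""
    conn = conn or sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(CREATE_TABLE)
    sql, params = build_insert("VOIPACCOUNTING2",
                               parse_column_defs(ACCT_COLUMN_DEFS), request)
    conn.execute(sql, params)
    row = conn.execute("SELECT * FROM VOIPACCOUNTING2 "
                       "ORDER BY rowid DESC LIMIT 1").fetchone()
    return dict(row)


# Constructed Accounting-Request (attribute names as in the thread's config).
# The User-Name is deliberately hostile to show it is stored as plain data.
SAMPLE_REQUEST = {
    "User-Name": "5551234'); DROP TABLE VOIPACCOUNTING2; --",
    "Called-Station-Id": "18005551212",
    "Acct-Status-Type": "2",          # Stop
    "Acct-Session-Id": "0000ABCD",
    "Acct-Session-Time": "143",
    "h323-gw-id": "gw1.example.net",
}

if __name__ == "__main__":
    print(log_accounting(SAMPLE_REQUEST))
```

Running the block prints the stored row; the hostile User-Name arrives intact as data and the table survives. The integer refusal is the part to keep in mind when two AuthBy SQL clauses define the same column with different types, as the two clauses above do for ACCT_DELAY_TIME and the octet and packet counters.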
Re: [RADIATOR] question about machine based authentication

2011-12-09 Thread Joy Veronneau
Ok, that's what I was looking for! putting DEFAULT in the file yields the
desired behavior.

Thanks!

Joy

On 12/8/11 5:47 PM, "Heikki Vatiainen"  wrote:

>On 12/09/2011 12:31 AM, Joy Veronneau wrote:
>> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
>> the computer name. Seems like I would want the cert name checked?
>> Is there a way I can still check the cert name?
>
>In this case you could try not enabling EAPTLS_NoCheckId and use
>Filename %D/tls_anon with this single line:
>DEFAULT
>
>Since NoDefault is not on, the DEFAULT entry will match and user lookup
>should be successful.
>
>Another option is to have EAPTLS_NoCheckId enabled and do name matching
>with EAPTLS_CertificateVerifyHook
>
>Thanks!
>Heikki
>

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/09/2011 12:31 AM, Joy Veronneau wrote:
> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
> the computer name. Seems like I would want the cert name checked?
> Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use
Filename %D/tls_anon with this single line:
DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook

Thanks!
Heikki


> Sorry to have so many questions…
> 
> Thanks,
> Joy
> 


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

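The three options Heikki lists differ in whether the name in the client certificate is bound to the identity the supplicant sent: a DEFAULT entry keeps Radiator's own name check, EAPTLS_NoCheckId drops it, and EAPTLS_CertificateVerifyHook lets you do the matching yourself. The block below is an added Python model of that check, not Radiator code and not the Perl calling convention of the hook (the reference manual documents that); the certificate fields, the VLAN table and the eduroam-privileged label are constructed for the example, while the host name and the eduroam-correct VLAN are the ones from this thread. It shows why the binding matters when, as in the external script discussed here, the VLAN is looked up by the rewritten user name: with the check skipped, any machine holding any certificate from the trusted CA can claim another machine's name and receive its Filter-Id.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    """Identity fields of a client certificate that already passed chain
    validation.  Constructed for this example; a real hook would read them
    from the X509 object Radiator hands it."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def normalise_host(name: str) -> str:
    """Canonical machine name: drop the host/ prefix (what the RewriteUsername
    in the thread does), a trailing dot, and case differences."""
    name = re.sub(r"^host/", "", name, flags=re.IGNORECASE)
    return name.rstrip(".").lower()


def cert_names(cert: ClientCert) -> set:
    """Names the certificate actually asserts: subject CN plus SAN dNSNames.
    Wildcard entries are ignored on purpose; a wildcard certificate must not
    be able to claim a specific host."""
    names = {cert.subject_cn, *cert.san_dns}
    return {normalise_host(n) for n in names if "*" not in n}


def identity_bound_to_cert(eap_identity: str, cert: ClientCert,
                           no_check_id: bool = False) -> bool:
    """True if the EAP identity may be trusted for this certificate.
    no_check_id=True models EAPTLS_NoCheckId: the name check is skipped, so
    any holder of any certificate from the trusted CA can claim any identity."""
    if no_check_id:
        return True
    return normalise_host(eap_identity) in cert_names(cert)


def vlan_for(eap_identity: str, cert: ClientCert, vlan_table: dict,
             no_check_id: bool = False):
    """Mimic the external Filter-Id lookup: consult the table only for an
    identity the certificate vouches for.  None means no VLAN is returned."""
    if not identity_bound_to_cert(eap_identity, cert, no_check_id):
        return None
    return vlan_table.get(normalise_host(eap_identity))


# Constructed inputs: the host name from the thread, its certificate, and a
# VLAN table with a second, more privileged VLAN for a different machine.
TEST_CERT = ClientCert(subject_cn="CIT-JV11GTEST2.cit.cornell.edu",
                       san_dns=["CIT-JV11GTEST2.cit.cornell.edu"])
VLAN_TABLE = {
    "cit-jv11gtest2.cit.cornell.edu": "eduroam-correct",
    "other-pc.cit.cornell.edu": "eduroam-privileged",
}

if __name__ == "__main__":
    own = "host/CIT-JV11GTEST2.cit.cornell.edu"
    spoof = "host/OTHER-PC.cit.cornell.edu"
    print("own name, checked  :", vlan_for(own, TEST_CERT, VLAN_TABLE))
    print("spoofed, checked   :", vlan_for(spoof, TEST_CERT, VLAN_TABLE))
    print("spoofed, NoCheckId :", vlan_for(spoof, TEST_CERT, VLAN_TABLE,
                                           no_check_id=True))
```

The last line of output is the case to avoid: with NoCheckId and no hook, the identity in the EAP-Response/Identity is chosen by the supplicant, so anything keyed on it downstream (VLAN assignment, AD group lookup, logging) is keyed on an unverified value. Whichever of Heikki's options you pick, make sure the name used for the lookup is the one the certificate asserts.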

Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Joy Veronneau
Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
the computer name. Seems like I would want the cert name checked?
Is there a way I can still check the cert name?

Sorry to have so many questions…

Thanks,
Joy

On 12/8/11 5:26 PM, "Heikki Vatiainen"  wrote:

>On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>
>> But if I do that, I will still have to have the names of the machines in
>> the tls_anon file, wouldn't I?
>
>Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>EAPTLS_NoCheckId". You can turn off the name check.
>
>Thanks!
>Heikki



Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/09/2011 12:15 AM, Joy Veronneau wrote:

> But if I do that, I will still have to have the names of the machines in
> the tls_anon file, wouldn't I?

Good point, I overlooked that part. Please see ref.pdf section "5.20.46
EAPTLS_NoCheckId". You can turn off the name check.

Thanks!
Heikki


Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Joy Veronneau
But if I do that, I will still have to have the names of the machines in
the tls_anon file, wouldn't I?

Thanks,

Joy

On 12/8/11 5:07 PM, "Heikki Vatiainen"  wrote:

>On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>
>Hello Joy,
>
>> I am still working on my machine based authentication config.
>> 
>> Config1 (below) works fine but requires that the names of the machines
>>be
>> listed in the file tls_anon.
>
>Try with something like this:
><AuthBy GROUP>
>   AuthByPolicy ContinueWhileAccept
>   AuthBy file-tls
>   AuthBy external-adcert
></AuthBy>
>
>With the above EAP-TLS will run first and when it is done and returns
>ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>of the whole authentication process.
>
>Please let us know of your results
>

Re: [RADIATOR] question about machine based authentication

2011-12-08 Thread Heikki Vatiainen
On 12/07/2011 11:42 PM, Joy Veronneau wrote:

Hello Joy,

> I am still working on my machine based authentication config.
> 
> Config1 (below) works fine but requires that the names of the machines be
> listed in the file tls_anon.

Try with something like this:
<AuthBy GROUP>
   AuthByPolicy ContinueWhileAccept
   AuthBy file-tls
   AuthBy external-adcert
</AuthBy>

With the above EAP-TLS will run first and when it is done and returns
ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
of the whole authentication process.

Please let us know of your results


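Heikki's point that EAP-TLS must finish before the EXTERNAL check runs, and the symptom of config2 (an Access-Accept carrying a Filter-Id but no EAP-Message on the very first packet, after which the supplicant waits forever), can be seen in a small model. The Python below is an added example, not Radiator code: it models an EAP-TLS capable AuthBy as several CHALLENGE rounds followed by ACCEPT or REJECT, an AuthBy EXTERNAL as a one-shot ACCEPT that sets Filter-Id, and an AuthBy GROUP under two AuthByPolicy values. Two modelling assumptions are made explicit in the code: a CHALLENGE always ends the round so the Access-Challenge goes out (config1 can only work with ContinueAlways if that is so), and ContinueAlways returns the result of the last AuthBy consulted. The round counts and VLAN names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    CHALLENGE = "CHALLENGE"
    IGNORE = "IGNORE"


@dataclass
class Conversation:
    """State that survives across the Access-Requests of one EAP exchange."""
    user: str
    tls_rounds_done: int = 0
    tls_finished: bool = False
    reply_attrs: dict = field(default_factory=dict)


class AuthByTLS:
    """Stand-in for an EAP-TLS capable AuthBy (AuthBy FILE with EAPType TLS in
    the thread).  The handshake needs several round trips, each answered with
    an Access-Challenge, and ends in ACCEPT or, for a bad certificate, REJECT."""

    def __init__(self, rounds_needed=4, cert_valid=True):
        self.rounds_needed = rounds_needed
        self.cert_valid = cert_valid

    def handle(self, conv):
        conv.tls_rounds_done += 1
        if conv.tls_rounds_done < self.rounds_needed:
            return Result.CHALLENGE
        conv.tls_finished = True
        return Result.ACCEPT if self.cert_valid else Result.REJECT


class AuthByExternal:
    """Stand-in for AuthBy EXTERNAL: runs the script once, accepts, and sets
    Filter-Id.  It knows nothing about EAP, so if it is the one answering an
    EAP identity packet the Access-Accept carries no EAP-Message."""

    def __init__(self, vlan):
        self.vlan = vlan

    def handle(self, conv):
        conv.reply_attrs["Filter-Id"] = self.vlan
        return Result.ACCEPT


class AuthByGroup:
    """AuthByPolicy as modelled here (assumptions, see lead-in): a CHALLENGE is
    always final; ContinueWhileAccept goes on only after an ACCEPT;
    ContinueAlways consults every member and returns the last result."""

    def __init__(self, policy, members):
        if policy not in ("ContinueWhileAccept", "ContinueAlways"):
            raise ValueError(f"policy {policy!r} not modelled")
        self.policy = policy
        self.members = members

    def handle(self, conv):
        result = Result.IGNORE
        for member in self.members:
            result = member.handle(conv)
            if result is Result.CHALLENGE:
                break
            if self.policy == "ContinueWhileAccept" and result is not Result.ACCEPT:
                break
        return result


def run_conversation(handler, user="CIT-JV11GTEST2.cit.cornell.edu", max_rounds=10):
    """Send one Access-Request per round until the reply is not a CHALLENGE.
    Returns the final result, the round count, whether EAP-TLS actually ran to
    completion, and the reply attributes."""
    conv = Conversation(user)
    for rounds in range(1, max_rounds + 1):
        result = handler.handle(conv)
        if result is not Result.CHALLENGE:
            return {"result": result, "rounds": rounds,
                    "tls_finished": conv.tls_finished, "reply": dict(conv.reply_attrs)}
    return {"result": Result.REJECT, "rounds": max_rounds,
            "tls_finished": conv.tls_finished, "reply": dict(conv.reply_attrs)}


def heikki_suggestion(cert_valid=True):
    """AuthBy GROUP with ContinueWhileAccept: TLS first, EXTERNAL only after
    TLS returned ACCEPT."""
    return AuthByGroup("ContinueWhileAccept",
                       [AuthByTLS(cert_valid=cert_valid), AuthByExternal("eduroam-correct")])


def config2_as_posted():
    """config2 from the thread: the Command sits in the AuthBy that was meant
    to run EAP-TLS, so EXTERNAL answers the very first packet."""
    return AuthByGroup("ContinueWhileAccept", [AuthByExternal("eduroam-correct")])


def continue_always_variant(cert_valid=True):
    """Same members under ContinueAlways: after a TLS REJECT the EXTERNAL
    still runs and, in this model, its ACCEPT becomes the final result."""
    return AuthByGroup("ContinueAlways",
                       [AuthByTLS(cert_valid=cert_valid), AuthByExternal("eduroam-correct")])


if __name__ == "__main__":
    cases = [("suggested, good cert", heikki_suggestion()),
             ("suggested, bad cert", heikki_suggestion(cert_valid=False)),
             ("config2 as posted", config2_as_posted()),
             ("ContinueAlways, bad cert", continue_always_variant(cert_valid=False))]
    for name, handler in cases:
        print(f"{name:26s} -> {run_conversation(handler)}")
```

The fourth case is the one to check against the reference manual for your own Radiator version: under the last-result reading of ContinueAlways, a certificate that fails EAP-TLS is still followed by the EXTERNAL script's ACCEPT, which is why ContinueWhileAccept rather than ContinueAlways is the policy to put around a TLS AuthBy and a post-check. config1 in this thread wraps dot1x_tls and ADCERT in a Handler with ContinueAlways, so the same question applies there.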
Re: [RADIATOR] question about machine based authentication

2011-12-07 Thread Joy Veronneau
Hi,

I am still working on my machine based authentication config.

Config1 (below) works fine but requires that the names of the machines be
listed in the file tls_anon.

I need to modify this config so that I do not need to maintain a list of
host names on the radiator server and so that I can execute an external
script that formats a Filter-Id for a VLAN name to return with the ACCEPT.
I thought this would be pretty straight forward, see config2 below. The
problem is that just this minor change causes the client to hang or
something during the negotiation. Once the accept is sent, nothing else
happens - we've verified this looking at the traffic on the AP. I've
included a debug log as well.

I'd appreciate any ideas anyone might have. Maybe I have my syntax wrong
or I just can't use AuthBy EXTERNAL in combination with TLS?

TIA,
Joy

---
config1: (works if names of computers are in tls_anon file)
<AuthBy FILE>
  Identifier TLS
  Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
</AuthBy>

<AuthBy EXTERNAL>
  Identifier ADCERT
  Command /app/radius/scripts/authby.ADCERT (looks up VLAN and returns Filter-Id)
</AuthBy>

<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
  AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
</Handler>

config2 (doesn't work. see log below.)
#
<AuthBy EXTERNAL>
  Identifier TLS
#Filename %D/tls_anon
  EAPType TLS
  EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
  EAPTLS_CertificateFile /app/radius/keys/agate1.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
  EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
  EAPTLS_MaxFragmentSize 1000
  Command /app/radius/scripts/authby.ADCERT
  AutoMPPEKeys
</AuthBy>

<AuthBy GROUP>
  Identifier dot1x_tls
  AuthByPolicy ContinueWhileAccept
  AuthBy TLS
</AuthBy>

<Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
  AuthByPolicy ContinueAlways
  RewriteUsername s/^host\///
  AuthBy dot1x_tls
#   AuthBy ADCERT
  AcctLogFileName %L/%y%m%d-eduroam.log
  AuthLog QRadar_WIRELESS
</Handler>

---

the debug log

*** Received from 132.236.115.218 port 33004 
Code:   Access-Request
Identifier: 186
Authentic:  <201><217><161><218><164><173>b<229><24><147><163>G#<30>]<179>
Attributes:
User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
NAS-IP-Address = 132.236.115.218
NAS-Port = 1
NAS-Identifier = "cit.redrover.secure"
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0014D1EA856B"
Called-Station-Id = "000B866222B0"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
Aruba-Essid-Name = "eduroam-test"
Aruba-Location-Id = "test-rhodes-745-ap"
Message-Authenticator =
<139><149>3<145><153>Z<4><192><210>[,<170>g<15><21>p

Wed Dec  7 16:32:46 2011: DEBUG: Handling request with Handler
'Aruba-Essid-Name="eduroam-test", User-Name = /^host/i', Identifier ''
Wed Dec  7 16:32:46 2011: DEBUG: Rewrote user name to
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG:  Deleting session for
host/CIT-JV11GTEST2.cit.cornell.edu, 132.236.115.218, 1
Wed Dec  7 16:32:46 2011: DEBUG: Handling with Radius::AuthGROUP: dot1x_tls
Wed Dec  7 16:32:46 2011: DEBUG: Running command:
/app/radius/scripts/authby.ADCERT
Wed Dec  7 16:32:46 2011: DEBUG: External command exited with status 0
Wed Dec  7 16:32:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Wed Dec  7 16:32:46 2011: DEBUG: Access accepted for
CIT-JV11GTEST2.cit.cornell.edu
Wed Dec  7 16:32:46 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 
Code:   Access-Accept
Identifier: 186
Authentic:  <234><162><3>*<215><25><250>&<21>t<149><129>><168><202><204>
Attributes:
Filter-Id = "eduroam-correct"

(That's all that's in the logs…)



Re: [RADIATOR] question about machine based authentication

2011-11-19 Thread Heikki Vatiainen
On 11/19/2011 12:18 AM, Joy Veronneau wrote:

> I think I need some more help with my config. It is working ok for my
> machine cert based authentication, but only if I put the name of the
> machine in a file on the radius server. Here is my config snippet:

You could experiment using . Instead of using file as user
database, the config would lookup user (machine name) and group
information from LDAP.

See goodies/ad-ldap.cfg and goodies/ldap.cfg for hints. For example
using global catalog port and NoCheckPassword. NoCheckPassword should be
used since you are not interested in password, but attributes the
machine account has in AD.

Please let us know how it goes.
Heikki

> 
> <AuthBy FILE>
> Identifier TLS
> Filename %D/tls_anon
> EAPType TLS
> EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
> EAPTLS_CertificateFile /app/radius/keys/agate1.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
> EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
> 
> AuthByPolicy ContinueAlways
> RewriteUsername s/^host\///
> AuthBy TLS
> 
> 
> and %D/tls_anon contains:
> CIT-JV11GTEST2.cit.cornell.edu
> 
> I would like to avoid having to maintain all the machine names on the
> radius server. I would prefer to do some sort of NTLM auth that would
> read the machine cert and then check to see if the machine is in a
> certain group.
> 
> I tried using  but that really broke everything... I do
> have NTLM working for username/pw based authn but I need to do that AND
> machine based…
> 
> I'd appreciate a hint. Thanks-
> 
> Joy
> 
> On 11/10/11 5:21 PM, "Heikki Vatiainen"  wrote:
> 
> On 11/09/2011 09:46 PM, Joy Veronneau wrote:
> 
> Is it possible for the radiator server to do machine-based
> authentication (via certificate) to an Active Directory domain?
> 
> 
> You may want to check if they really mean certificates, since machine
> based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
> machine joins to domain, a password and username is automatically
> created and these can be used for machine based authentication. This is
> also supported by Radiator by default too.
> 
> I have MSCHAPv2 working to our AD domain with username/password, but
> now someone is asking about machine-based authentication. They are
> currently doing this with an MS radius server and would like to
> switch to our centrally managed radius server and central AD system.
> I know that we would have to issue a new cert to the machine
> from the
> central AD domain… but I'm not finding much about how to set up
> radiator in my on-line research so far.
> 
> 
> EAP-TLS, see goodies too, can be used here. Radiator can also do extra
> checks for certs besides just checking if the cert is valid or not.
> 
> 
> 


Re: [RADIATOR] question about machine based authentication

2011-11-18 Thread Joy Veronneau
Hi,
I think I need some more help with my config. It is working ok for my machine 
cert based authentication, but only if I put the name of the machine in a file 
on the radius server. Here is my config snippet:


Identifier TLS
Filename %D/tls_anon
EAPType TLS
EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
EAPTLS_CertificateFile /app/radius/keys/agate1.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys


AuthByPolicy ContinueAlways
RewriteUsername s/^host\///
AuthBy TLS



and %D/tls_anon contains:
CIT-JV11GTEST2.cit.cornell.edu

I would like to avoid having to maintain all the machine names on the radius 
server. I would prefer to do some sort of NTLM auth that would read the machine 
cert and then check to see if the machine is in a certain group.

I tried using  but that really broke everything... I do have NTLM 
working for username/pw based authn but I need to do that AND machine based…

I'd appreciate a hint. Thanks-

Joy

On 11/10/11 5:21 PM, "Heikki Vatiainen" wrote:

On 11/09/2011 09:46 PM, Joy Veronneau wrote:

Is it possible for the radiator server to do machine-based
authentication (via certificate) to an Active Directory domain?

You may want to check if they really mean certificates, since machine
based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
machine joins the domain, a password and username are automatically
created and these can be used for machine based authentication. This is
also supported by Radiator by default.

I have MSCHAPv2 working to our AD domain with username/password, but
now someone is asking about machine-based authentication. They are
currently doing this with an MS radius server and would like to
switch to our centrally managed radius server and central AD system.
I know that we would have to issue a new cert to the machine from the
central AD domain… but I'm not finding much about how to set up
radiator in my on-line research so far.

EAP-TLS, see goodies too, can be used here. Radiator can also do extra
checks for certs besides just checking if the cert is valid or not.


Re: [RADIATOR] question about machine based authentication

2011-11-15 Thread Heikki Vatiainen
On 11/15/2011 07:43 PM, Joy Veronneau wrote:

> I've made some progress on this. The windows 7 machine is now contacting
> the radius server, but its username starts with "host/" and radiator
> doesn't seem to like that. Should the machine be sending some sort of
> different username? I don't think I can get the request to the correct
> handler until I fix this problem?

Radiator will recognize host/ and do the authentication with the correct
username. The machine seems to be sending the username correctly, so
that's not the problem.

Tue Nov 15 12:41:42 2011: INFO: Access rejected for
host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name

Your configuration file has UsernameCharset specified so that it does
not include /.

If you change UsernameCharset this problem will go away.

Thanks!
Heikki


> The network settings on the windows 7 machine are:
> Security type: WPA2 Enterprise
> encryption type: TKIP
> Network authentication method: microsoft: smartcard or other certificate
> (Settings-> Use a certificate on this computer, use simple certificate
> selection)
> advanced settings: 802.1x Specify authentication mode: Computer
> authentication.
> 
> 
> Here is what I see on the radius logs:
> 
> User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
> NAS-IP-Address = 132.236.115.218
> NAS-Port = 1
> NAS-Identifier = "cit.redrover.secure"
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "0014D1EA856B"
> Called-Station-Id = "000B866222B0"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
> Aruba-Essid-Name = "eduroam-test"
> Aruba-Location-Id = "test-rhodes-745-ap"
> Message-Authenticator =
> ]<179>:f<223><241><242>Z<13>:<204><222><150><130>J<181>
> 
> Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Nov 15 12:41:42 2011: INFO: Access rejected for
> host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
> Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
> *** Sending to 132.236.115.218 port 33004 
> Code:   Access-Reject
> Identifier: 219
> Authentic:  <138>5<9><254><236><131>3<184>xLU?N4<139><225>
> Attributes:
> Reply-Message = "Request Denied"
> 
> Thanks again,
> 
> Joy


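As an added example, not from Heikki's reply or the Radiator distribution, this is the kind of change he means: the commented line is a UsernameCharset that rejects host/ names, the line below it a version that admits them. The exact character lists are assumptions; keep your own set and add only the slash.

```text
# Added example (assumed character lists). A set without "/" makes Radiator
# reject every machine-auth request with "Invalid character in User-Name",
# because Windows sends the User-Name as host/<machine fqdn>:
#UsernameCharset a-zA-Z0-9._@-

# Adding "/" to the set lets the host/ names through; the Handler's
# RewriteUsername s/^host\/// then strips the prefix before the file lookup.
UsernameCharset a-zA-Z0-9._@/-
```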


Re: [RADIATOR] question about machine based authentication

2011-11-15 Thread Joy Veronneau
Hi,

I've made some progress on this. The windows 7 machine is now contacting the 
radius server, but its username starts with "host/" and radiator doesn't seem 
to like that. Should the machine be sending some sort of different username? I 
don't think I can get the request to the correct handler until I fix this 
problem?

The network settings on the windows 7 machine are:
Security type: WPA2 Enterprise
encryption type: TKIP
Network authentication method: microsoft: smartcard or other certificate 
(Settings-> Use a certificate on this computer, use simple certificate 
selection)
advanced settings: 802.1x Specify authentication mode: Computer authentication.


Here is what I see on the radius logs:

User-Name = "host/CIT-JV11GTEST2.cit.cornell.edu"
NAS-IP-Address = 132.236.115.218
NAS-Port = 1
NAS-Identifier = "cit.redrover.secure"
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0014D1EA856B"
Called-Station-Id = "000B866222B0"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><1><0>(<1>host/CIT-JV11GTEST2.cit.cornell.edu
Aruba-Essid-Name = "eduroam-test"
Aruba-Location-Id = "test-rhodes-745-ap"
Message-Authenticator = 
]<179>:f<223><241><242>Z<13>:<204><222><150><130>J<181>

Tue Nov 15 12:41:42 2011: DEBUG: Handling request with Handler '', Identifier ''
Tue Nov 15 12:41:42 2011: INFO: Access rejected for 
host/CIT-JV11GTEST2.cit.cornell.edu: Invalid character in User-Name
Tue Nov 15 12:41:42 2011: DEBUG: Packet dump:
*** Sending to 132.236.115.218 port 33004 
Code:   Access-Reject
Identifier: 219
Authentic:  <138>5<9><254><236><131>3<184>xLU?N4<139><225>
Attributes:
Reply-Message = "Request Denied"

Thanks again,

Joy


On 11/10/11 5:21 PM, "Heikki Vatiainen" wrote:

On 11/09/2011 09:46 PM, Joy Veronneau wrote:

Is it possible for the radiator server to do machine-based
authentication (via certificate) to an Active Directory domain?

You may want to check if they really mean certificates, since machine
based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
machine joins the domain, a password and username are automatically
created and these can be used for machine based authentication. This is
also supported by Radiator by default.

I have MSCHAPv2 working to our AD domain with username/password, but
now someone is asking about machine-based authentication. They are
currently doing this with an MS radius server and would like to
switch to our centrally managed radius server and central AD system.
I know that we would have to issue a new cert to the machine from the
central AD domain… but I'm not finding much about how to set up
radiator in my on-line research so far.

EAP-TLS, see goodies too, can be used here. Radiator can also do extra
checks for certs besides just checking if the cert is valid or not.


Re: [RADIATOR] question about machine based authentication

2011-11-10 Thread Heikki Vatiainen
On 11/09/2011 09:46 PM, Joy Veronneau wrote:

> Is it possible for the radiator server to do machine-based 
> authentication (via certificate) to an Active Directory domain?

You may want to check if they really mean certificates, since machine
based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
machine joins the domain, a password and username are automatically
created and these can be used for machine based authentication. This is
also supported by Radiator by default.

> I have MSCHAPv2 working to our AD domain with username/password, but
> now someone is asking about machine-based authentication. They are
> currently doing this with an MS radius server and would like to
> switch to our centrally managed radius server and central AD system.
> I know that we would have to issue a new cert to the machine from the
> central AD domain… but I'm not finding much about how to set up
> radiator in my on-line research so far.

EAP-TLS, see goodies too, can be used here. Radiator can also do extra
checks for certs besides just checking if the cert is valid or not.



[RADIATOR] question about machine based authentication

2011-11-09 Thread Joy Veronneau
Hi,
Is it possible for the radiator server to do machine-based authentication (via 
certificate) to an Active Directory domain? I have MSCHAPv2 working to our AD 
domain with username/password, but now someone is asking about machine-based 
authentication. They are currently doing this with an MS radius server and 
would like to switch to our centrally managed radius server and central AD 
system. I know that we would have to issue a new cert to the machine from the 
central AD domain… but I'm not finding much about how to set up radiator in my 
on-line research so far.

Thanks in advance :)

Joy

Re: [RADIATOR] Question on FarmSize, SocketQueueLength, and net.core.rmem_max on Linux

2011-08-24 Thread Heikki Vatiainen
On 08/23/2011 05:52 PM, Frank Danielson wrote:

> We are currently running Radiator 4.7 under Redhat 5.5 and I am 
> trying to make sure I understand the effect that the FarmSize
> setting has on the amount of memory allocated for the SocketQueue.
>
> If Radiator is configured with some FarmSize does each worker have
> its own SocketQueue with the effect of making the total amount of
> memory allocated = FarmSize * SocketQueueLength?

I think the allocated memory is always 1*SocketQueueLength. This is
based on the fact that the socket is shared between the clients and the
assumption that the socket queue is part of the kernel and the fan out to
the workers happens on the OS/user space boundary. In other words, my
take is one socket queue serves one or multiple readers.

If someone knows better, please let me know.

> For example if my SocketQueueLength is 100 and the FarmSize is 4,
> is there a total of 400 bytes allocated or is it just 100? In
> either instance I am assuming that the net.core.rmem_max size needs
> to be at least as large as that number, is that correct?

If my theory holds, then it might be a good idea to increase rmem_max
because there are multiple readers that can dequeue packets and smooth
incoming bursts.

An alternate view is, if there are always workers that are ready to
process messages, then they should be able to drain a normal size queue
even if the queue input rate is high.

There's also /proc/sys/net/ipv4/udp_mem which might be useful to tune UDP
queues only.

http://www.kernel.org/doc/man-pages/online/pages/man7/udp.7.html

This is an interesting question. If you decide to experiment with
different settings, maybe you could let us know the results.

Thanks!
Heikki



[RADIATOR] Question on FarmSize, SocketQueueLength, and net.core.rmem_max on Linux

2011-08-23 Thread Frank Danielson
We are currently running Radiator 4.7 under Redhat 5.5 and I am trying to make 
sure I understand the effect that the FarmSize setting has on the amount of 
memory allocated for the SocketQueue. If Radiator is configured with some 
FarmSize does each worker have its own SocketQueue with the effect of making 
the total amount of memory allocated = FarmSize * SocketQueueLength? For 
example if my SocketQueueLength is 100 and the FarmSize is 4, is there a 
total of 400 bytes allocated or is it just 100? In either instance I am 
assuming that the net.core.rmem_max size needs to be at least as large as that 
number, is that correct?

Frank Danielson
ClearSky Mobile Media, Inc. | fdaniel...@csky.com


Re: [RADIATOR] Question about IP Pool.

2011-08-21 Thread Heikki Vatiainen
On 08/20/2011 09:07 PM, Faisal Imtiaz wrote:

Hello Faisal,

> I am currently using Radiator configured with mysql for authenticating 
> DSL Subscribers. So far we have been allocating fixed IP addresses & 
> framed routes as needed for the subscribers.
> 
> We have a bunch of subscribers who need to be on dynamic IP's. There is 
> a RADPOOL table, that I can add addresses to either manually or via 
> AddressPool...
> 
> What I am having trouble with is what I need to 'define' for the 
> user so that Radiator will get an IP address from the RADPOOL table,
> and what code, if any, I need to put in radius.cfg for this to happen.

Please see goodies/addressallocator.cfg in Radiator distribution package
for an example.

The idea is to run the normal authentication first followed by AuthBy
DYNADDRESS. The AuthByPolicy should be set so that DYNADDRESS is only
used if the normal authentication first succeeds.

You should probably keep your existing Handler and AuthBy as they are
and add a new Handler to match the dynaddress users. This new Handler
would have two AuthBys where the first does normal authentication
followed by the second AuthBy that does address allocation from AddressPool.

You can also have more AuthBys if needed, but the above is a simple
extension of your current setup shown below.

Best regards,
Heikki

> Many Thanks in advance.
> ===
> here is what my AuthBy looks like
> 
> 
>  # MySQL DB, DB radius, host localhost
>  DBSource dbi:mysql:xxx
>  DBUsername x
>  DBAuth xxx
> 
>  # Define Table and Columns for Authentication
>  AuthSelect select PASSWORD, SERVICETYPE, 
> FRAMEDPROTOCOL, TRAFFICSHAPE, ACL, PORTLIMIT, TIMELEFT, IPPOOL, FRAMEDI$
>  from SUBSCRIBERS where USERNAME = %0
>  AuthColumnDef 0, Password, check
>  AuthColumnDef 1, GENERIC, check
>  AuthColumnDef 2, GENERIC, reply
>  AuthColumnDef 3, GENERIC, reply
>  AuthColumnDef 4, GENERIC, reply
>  AuthColumnDef 5, GENERIC, reply
>  AuthColumnDef 6, GENERIC, reply
>  AuthColumnDef 7, GENERIC, reply
>  AuthColumnDef 8, GENERIC, reply
>  AuthColumnDef 9, GENERIC, reply
>  AuthColumnDef 10, GENERIC, reply
>  AuthColumnDef 11, GENERIC, reply
>  AuthColumnDef 12, GENERIC, reply
> 
>  # Define Table and Columns for Accounting
>  AccountingTable ACCOUNTING
>  AcctColumnDef   USERNAME,User-Name
>  AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,\
>  '%Y/%m/%e %H:%M:%S'
>  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>  AcctColumnDef   NASIPADDRESS,NAS-IP-Address
>  AcctColumnDef   NASPORT,NAS-Port,integer
>  AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> 
> =
> 

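An added example, not from Heikki's reply or goodies/addressallocator.cfg, of the two-AuthBy Handler he describes. The allocator identifier, pool name, address range, database credentials and the Handler match are assumptions; the AuthBy SQL stands in for Faisal's existing clause.

```text
# Added example: pool definition plus a Handler that authenticates first
# and only then allocates an address. Identifiers, range, credentials and
# the Handler match are assumptions for illustration.
<AddressAllocator SQL>
	Identifier dynpool
	DBSource dbi:mysql:xxx
	DBUsername x
	DBAuth xxx
	<AddressPool dsl-dynamic>
		Subnetmask 255.255.255.0
		Range 192.0.2.10 192.0.2.200
	</AddressPool>
</AddressAllocator>

# Matches only the users that should get a dynamic address; the existing
# Handler and AuthBy SQL stay unchanged for everyone else.
<Handler Realm=dynamic>
	# ContinueWhileAccept: DYNADDRESS runs only if the SQL check accepted,
	# so no address is taken from the pool for a failed login.
	AuthByPolicy ContinueWhileAccept
	<AuthBy SQL>
		DBSource dbi:mysql:xxx
		DBUsername x
		DBAuth xxx
		AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME = %0
		AuthColumnDef 0, Password, check
	</AuthBy>
	<AuthBy DYNADDRESS>
		Allocator dynpool
		# Fixed pool here; the hint can instead come from a reply attribute
		# set by the first AuthBy (the default is %{Reply:PoolHint}).
		PoolHint dsl-dynamic
		MapAttribute yiaddr, Framed-IP-Address
		MapAttribute subnetmask, Framed-IP-Netmask
	</AuthBy>
</Handler>
```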


[RADIATOR] Question about IP Pool.

2011-08-20 Thread Faisal Imtiaz
Hello,
I am currently using Radiator configured with mysql for authenticating 
DSL Subscribers. So far we have been allocating fixed IP addresses & 
framed routes as needed for the subscribers.

We have a bunch of subscribers who need to be on dynamic IP's. There is 
a RADPOOL table, that I can add addresses to either manually or via 
AddressPool...

What I am having trouble with is what I need to 'define' for the 
user so that Radiator will get an IP address from the RADPOOL table,
and what code, if any, I need to put in radius.cfg for this to happen.

Many Thanks in advance.
===
here is what my AuthBy looks like


 # MySQL DB, DB radius, host localhost
 DBSource dbi:mysql:xxx
 DBUsername x
 DBAuth xxx

 # Define Table and Columns for Authentication
 AuthSelect select PASSWORD, SERVICETYPE, 
FRAMEDPROTOCOL, TRAFFICSHAPE, ACL, PORTLIMIT, TIMELEFT, IPPOOL, FRAMEDI$
 from SUBSCRIBERS where USERNAME = %0
 AuthColumnDef 0, Password, check
 AuthColumnDef 1, GENERIC, check
 AuthColumnDef 2, GENERIC, reply
 AuthColumnDef 3, GENERIC, reply
 AuthColumnDef 4, GENERIC, reply
 AuthColumnDef 5, GENERIC, reply
 AuthColumnDef 6, GENERIC, reply
 AuthColumnDef 7, GENERIC, reply
 AuthColumnDef 8, GENERIC, reply
 AuthColumnDef 9, GENERIC, reply
 AuthColumnDef 10, GENERIC, reply
 AuthColumnDef 11, GENERIC, reply
 AuthColumnDef 12, GENERIC, reply

 # Define Table and Columns for Accounting
 AccountingTable ACCOUNTING
 AcctColumnDef   USERNAME,User-Name
 AcctColumnDef   TIME_STAMP,Timestamp,formatted-date,\
 '%Y/%m/%e %H:%M:%S'
 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
 AcctColumnDef   NASIPADDRESS,NAS-IP-Address
 AcctColumnDef   NASPORT,NAS-Port,integer
 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address

=

-- 
Faisal Imtiaz


Re: [RADIATOR] Cisco WLAN Controller and radiator...question

2010-10-06 Thread Hugh Irvine

Hello -

Radiator will work fine in this environment - many of our customers use the 
same Cisco controllers.

You will find a great many example configuration files in the "goodies" 
directory of the Radiator distribution.

Note that the most recent release is Radiator 4.7 (plus patches).

Your best approach will be to set up a separate test installation of Radiator 
with one of the new Cisco devices to do some experiments on exactly what is 
required.

Once you have the test installation operating correctly, you can either merge 
the test configuration into the production configuration, or you can leave them 
as separate instances and operate the WLAN network independently.

regards

Hugh


On 7 Oct 2010, at 00:04, Cihan Subasi (Garanti Teknoloji) wrote:

>  
>  Hello,
> We would like to use our existing Radiator Server for our new project, which 
> involves using Cisco WLAN Controllers. In summary, we will set up a guest 
> wireless network, where users will use web-authentication. The 
> username/password information will be passed to Radiator from WLAN 
> Controllers and the result will be either permit or deny. We would like to 
> use RADIUS accounting as well, keeping detailed logs of usernames, network 
> access times etc.
> If you have documentation and templates for this purpose, we would be happy 
> if you could supply us with this information.
> kind regards,




[RADIATOR] Cisco WLAN Controller and radiator...question

2010-10-06 Thread Cihan Subasi (Garanti Teknoloji)

 Hello,
We would like to use our existing Radiator Server for our new project, which 
involves using Cisco WLAN Controllers. In summary, we will set up a guest 
wireless network, where users will use web-authentication. The 
username/password information will be passed to Radiator from WLAN Controllers 
and the result will be either permit or deny. We would like to use RADIUS 
accounting as well, keeping detailed logs of usernames, network access times 
etc.
If you have documentation and templates for this purpose, we would be happy if 
you could supply us with this information.
kind regards,


Re: (RADIATOR) Question in

2003-10-02 Thread Hugh Irvine
Hello MAN -

All of the attributes in the current radius request are passed to the 
external command on standard input, and the results are returned on 
standard output. Please refer to section 6.26 in the Radiator manual 
("doc/ref.html"). If you want to add any parameters to be passed to the 
external program you should add them as attributes to the current 
request before calling the AuthBy EXTERNAL clause.

You should also look at the source code in the file 
"Radius/AuthEXTERNAL.pm" to see exactly what happens.

regards

Hugh

On Friday, Oct 3, 2003, at 11:22 Australia/Melbourne, Man Meng Fei 
wrote:

Hi Mike and Hugh,
May I know how I should pass the parameter into the Perl script when I
execute  and how I can get the result after executing the
Perl script?
Thanks

MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Man Meng Fei
Sent: Thursday, October 02, 2003 1:58 PM
To: 'Mike McCauley'; 'Hugh Irvine'
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Question in 
Hi
Do i need to pass any parameter to testcommand.pl ?
MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in 
Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something 
like
this:

		Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.
Cheers.

On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command.

What happens when you run the following in a MS-DOS window:

	C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents

of the file.

regards

Hugh

On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei

wrote:
Hi
Currently I am using a sample configuration (external.cfg) and Perl
script (testcommand.pl) which can be retrieved from the goodies
directory to understand the implementation of .
But after I executed it, I can't get the expected test result. I got No
Reply at the Radius client. I hope someone can help me to make this
EXTERNAL> sample working.

Lastly I attached the Radius configuration file which I used for the
testing and the Radius Server and Radius Client's output result
Man Meng Fei



--radius.cfg---
# external.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EXTERNAL authentication.
#
# There is an example external program called testcommand.pl
# in the goodies directory, which the example below uses. It
# will accept the request if the username is "fred" otherwise reject
# it.
#
# So if you run Radiator with this config file, then do
# radpwtst -noacct -trace -user fred
# you will see something like:
# sending Access-Request...
# OK
# Code:   Access-Accept
# Identifier: 109
# Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
# Attributes:
# Reply-Message = "you are fred"
#
#
# And if you do:
# radpwtst -noacct -trace -user someoneelse
# you will see something like:
# sending Access-Request...
# Rejected
# Code:   Access-Reject
# Identifier: 70
# Authentic:
<165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
# Attributes:
# Reply-Message = "you are NOT fred, you are 'someoneelse'"
# Reply-Message = "Request Denied"
#
# You should consider this file to be a starting point only
# $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator
Trace 		4

# You will probably want to change this to suit your site. 
Secret  mysecret
DupInterval 0



# For NT, you might want something like this
Command C:\Perl\bin\testcommand.pl
# For Unix, maybe something like this
#   #Command ./goodies/testcommand.pl
# This will cause the User-Password
# to be decrypted before being passed to the
# external program
DecryptPassword
# You might prefer use this to tell AuthBy EXTERNAL
# to get the result from the first line of the
# output. The permitted values are ACCEPT, REJECT
# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
# its the only way to get it to work.
# We recommend you use this method
ResultInOutput






---Radius Server Output--

Microsoft Windows 2000 [V
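An added example, not the goodies/testcommand.pl script from the distribution, of what Hugh describes: an external command that takes the request attributes on stdin and returns its verdict on stdout. It assumes Radiator writes one `Attribute = value` line per attribute (the layout of its packet dumps) and that the AuthBy EXTERNAL clause has ResultInOutput and DecryptPassword set; the sample input and the credential table are constructed.

```python
#!/usr/bin/env python3
"""Added example, not goodies/testcommand.pl: an AuthBy EXTERNAL command.

Radiator runs the Command once per request, writes the request attributes
to its stdin and, with ResultInOutput set, reads the verdict from the first
line of stdout and any reply attributes from the lines after it.
Assumed stdin format: one 'Attribute = value' line per attribute, string
values in double quotes, the same layout as Radiator's packet dumps.
"""
import hmac
import re
import sys

# Constructed sample of what the command receives on stdin.
SAMPLE_STDIN = '''User-Name = "fred"
User-Password = "secret"
NAS-IP-Address = 192.0.2.1
NAS-Port = 1
Service-Type = Login-User
'''

# Constructed credential table; a real command would consult a directory.
ALLOWED = {"fred": "secret"}

_LINE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_request(text):
    """Map attribute name -> value; quotes are stripped, first duplicate wins."""
    attrs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or malformed line: skip it rather than crash
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(name, value)
    return attrs


def decide(attrs):
    """Return (result, reply_attrs); result is a ResultInOutput keyword."""
    user = attrs.get("User-Name")
    if user is None:
        # Nothing to authenticate: let a later AuthBy handle the request.
        return "IGNORE", [("Reply-Message", "no User-Name in request")]
    # Only meaningful when the clause has DecryptPassword set; otherwise
    # User-Password is still RADIUS-obfuscated and will never match.
    password = attrs.get("User-Password", "")
    expected = ALLOWED.get(user)
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return "ACCEPT", [("Reply-Message", "you are %s" % user)]
    return "REJECT", [("Reply-Message", "you are NOT fred, you are '%s'" % user)]


def format_output(result, reply_attrs):
    """First line is the verdict; each following line is a reply attribute."""
    lines = [result] + ['%s = "%s"' % (name, value) for name, value in reply_attrs]
    return "\n".join(lines) + "\n"


def run(text):
    """Whole pipeline for one request: stdin text in, stdout text out."""
    result, reply = decide(parse_request(text))
    return format_output(result, reply)


if __name__ == "__main__":
    sys.stdout.write(run(sys.stdin.read()))
```

Point the clause at it with `Command /usr/bin/python3 /path/to/this_script.py` (path is a placeholder), the same invoke-the-interpreter form Mike recommends for the Perl script on Windows.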

RE: (RADIATOR) Question in

2003-10-02 Thread Man Meng Fei
Hi Mike and Hugh,
May I know how I should pass the parameter into the Perl script when I
execute  and how I can get the result after executing the
Perl script?

Thanks 

MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Man Meng Fei
Sent: Thursday, October 02, 2003 1:58 PM
To: 'Mike McCauley'; 'Hugh Irvine'
Cc: [EMAIL PROTECTED]
Subject: RE: (RADIATOR) Question in 


Hi
Do i need to pass any parameter to testcommand.pl ?


MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in 


Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like
this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
> Hello Man Meng Fei -
>
> I suspect that Radiator is not able to run the external command.
>
> What happens when you run the following in a MS-DOS window:
>
>   C:\Perl\bin\testcommand.pl
>
> There is probably something wrong with either the path or the contents
> of the file.
>
> regards
>
> Hugh
>
>
> On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei
>
> wrote:
> > Hi
> > Currently I am using a sample configuration (external.cfg) and perl
> > script (testcommand.pl) which can be retrieved from the goodies
> > directory to understand the implementation of .
> > But after I executed it, I can't get the expected test result. I got No
> > Reply at the Radius client. I hope someone can help me to make this
> > <AuthBy EXTERNAL> sample working.
> >
> > Lastly I attached the Radius configuration file which I used for the
> > testing and the Radius Server and Radius Client's output results
> >
> > Man Meng Fei
> >
> >
> >
> > --radius.cfg---
> > # external.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # EXTERNAL authentication.
> > #
> > # There is an example external program called testcommand.pl
> > # in the goodies directory, which the example below uses. It
> > # will accept the request if the username is "fred" otherwise reject
> > # it.
> > #
> > # So if you run Radiator with this config file, then do
> > # radpwtst -noacct -trace -user fred
> > # you will see something like:
> > # sending Access-Request...
> > # OK
> > # Code:   Access-Accept
> > # Identifier: 109
> > # Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
> > # Attributes:
> > # Reply-Message = "you are fred"
> > #
> > #
> > # And if you do:
> > # radpwtst -noacct -trace -user someoneelse
> > # you will see something like:
> > # sending Access-Request...
> > # Rejected
> > # Code:   Access-Reject
> > # Identifier: 70
> > # Authentic:
<165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
> > # Attributes:
> > # Reply-Message = "you are NOT fred, you are 'someoneelse'"
> > # Reply-Message = "Request Denied"
> >
> >
> > #
> > # You should consider this file to be a starting point only
> > # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir  c:/Program Files/Radiator
> > DbDir   c:/Program Files/Radiator
> >
> > Trace   4
> >
> > # You will probably want to change this to suit your site.
> > <Client DEFAULT>
> > Secret  mysecret
> > DupInterval 0
> > 
> >
> > 
> > 
> > # For NT, you might want something like this
> > Command C:\Perl\bin\testcommand.pl
> >
> > # For Unix, maybe something like this
> > #   #Command ./goodies/testcommand.pl
> >
> > # This will cause the User-Password
> > # to be decrypted before being passed to the
> > # external program
> > DecryptPassword
> >
> > # You might prefer use this to tell AuthBy EXTERNAL
> > # to get the result from the first line of the
> > # output. The permitted values are ACCEPT, REJECT
> 

RE: (RADIATOR) Question in

2003-10-01 Thread Man Meng Fei
Hi
Do I need to pass any parameters to testcommand.pl?


MAN

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike McCauley
Sent: Thursday, October 02, 2003 12:36 PM
To: Hugh Irvine; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in 


Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like
this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
> Hello Man Meng Fei -
>
> I suspect that Radiator is not able to run the external command.
>
> What happens when you run the following in a MS-DOS window:
>
>   C:\Perl\bin\testcommand.pl
>
> There is probably something wrong with either the path or the contents
> of the file.
>
> regards
>
> Hugh
>
>
> On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei
>
> wrote:
> > Hi
> > Currently I am using a sample configuration (external.cfg) and perl
> > script (testcommand.pl) which can be retrieved from the goodies
> > directory to understand the implementation of .
> > But after I executed it, I can't get the expected test result. I got No
> > Reply at the Radius client. I hope someone can help me to make this
> > <AuthBy EXTERNAL> sample working.
> >
> > Lastly I attached the Radius configuration file which I used for the
> > testing and the Radius Server and Radius Client's output results
> >
> > Man Meng Fei
> >
> >
> >
> > --radius.cfg---
> > # external.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # EXTERNAL authentication.
> > #
> > # There is an example external program called testcommand.pl
> > # in the goodies directory, which the example below uses. It
> > # will accept the request if the username is "fred" otherwise reject
> > # it.
> > #
> > # So if you run Radiator with this config file, then do
> > # radpwtst -noacct -trace -user fred
> > # you will see something like:
> > # sending Access-Request...
> > # OK
> > # Code:   Access-Accept
> > # Identifier: 109
> > # Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
> > # Attributes:
> > # Reply-Message = "you are fred"
> > #
> > #
> > # And if you do:
> > # radpwtst -noacct -trace -user someoneelse
> > # you will see something like:
> > # sending Access-Request...
> > # Rejected
> > # Code:   Access-Reject
> > # Identifier: 70
> > # Authentic:
<165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
> > # Attributes:
> > # Reply-Message = "you are NOT fred, you are 'someoneelse'"
> > # Reply-Message = "Request Denied"
> >
> >
> > #
> > # You should consider this file to be a starting point only
> > # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir  c:/Program Files/Radiator
> > DbDir   c:/Program Files/Radiator
> >
> > Trace   4
> >
> > # You will probably want to change this to suit your site.
> > <Client DEFAULT>
> > Secret  mysecret
> > DupInterval 0
> > 
> >
> > 
> > 
> > # For NT, you might want something like this
> > Command C:\Perl\bin\testcommand.pl
> >
> > # For Unix, maybe something like this
> > #   #Command ./goodies/testcommand.pl
> >
> > # This will cause the User-Password
> > # to be decrypted before being passed to the
> > # external program
> > DecryptPassword
> >
> > # You might prefer use this to tell AuthBy EXTERNAL
> > # to get the result from the first line of the
> > # output. The permitted values are ACCEPT, REJECT
> > # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
> > # its the only way to get it to work.
> > # We recommend you use this method
> > ResultInOutput
> > 
> > 
> >
> >
> >
> >
> >
> > ---Radius Server Output--
> >
> > Microsoft Windows 2000 [Version 5.00.2195]

Re: (RADIATOR) Question in

2003-10-01 Thread Mike McCauley
Hi Hugh,

If you look at goodies/external.cfg, you will see he needs something like this:

Command c:/perl/bin/perl ./goodies/testcommand.pl

DOS does not know how to interpret #!/usr/bin/perl so it can't run
C:\Perl\bin\testcommand.pl without some clues.

Cheers.


On Thu, 2 Oct 2003 12:23 pm, Hugh Irvine wrote:
> Hello Man Meng Fei -
>
> I suspect that Radiator is not able to run the external command.
>
> What happens when you run the following in a MS-DOS window:
>
>   C:\Perl\bin\testcommand.pl
>
> There is probably something wrong with either the path or the contents
> of the file.
>
> regards
>
> Hugh
>
>
> On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei
>
> wrote:
> > Hi
> > Currently I am using a sample configuration (external.cfg) and perl
> > script (testcommand.pl) which can be retrieved from the goodies directory
> > to understand the implementation of .
> > But after I executed it, I can't get the expected test result. I got No
> > Reply at the Radius client. I hope someone can help me to make this
> > <AuthBy EXTERNAL> sample working.
> >
> > Lastly I attached the Radius configuration file which I used for the testing
> > and the Radius Server and Radius Client's output results
> >
> > Man Meng Fei
> >
> >
> >
> > --radius.cfg---
> > # external.cfg
> > #
> > # Example Radiator configuration file.
> > # This very simple file will allow you to get started with
> > # EXTERNAL authentication.
> > #
> > # There is an example external program called testcommand.pl
> > # in the goodies directory, which the example below uses. It
> > # will accept the request if the username is "fred" otherwise reject
> > # it.
> > #
> > # So if you run Radiator with this config file, then do
> > # radpwtst -noacct -trace -user fred
> > # you will see something like:
> > # sending Access-Request...
> > # OK
> > # Code:   Access-Accept
> > # Identifier: 109
> > # Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
> > # Attributes:
> > # Reply-Message = "you are fred"
> > #
> > #
> > # And if you do:
> > # radpwtst -noacct -trace -user someoneelse
> > # you will see something like:
> > # sending Access-Request...
> > # Rejected
> > # Code:   Access-Reject
> > # Identifier: 70
> > # Authentic:  <165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
> > # Attributes:
> > # Reply-Message = "you are NOT fred, you are 'someoneelse'"
> > # Reply-Message = "Request Denied"
> >
> >
> > #
> > # You should consider this file to be a starting point only
> > # $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
> >
> > Foreground
> > LogStdout
> > LogDir  c:/Program Files/Radiator
> > DbDir   c:/Program Files/Radiator
> >
> > Trace   4
> >
> > # You will probably want to change this to suit your site.
> > 
> > Secret  mysecret
> > DupInterval 0
> > 
> >
> > 
> > 
> > # For NT, you might want something like this
> > Command C:\Perl\bin\testcommand.pl
> >
> > # For Unix, maybe something like this
> > #   #Command ./goodies/testcommand.pl
> >
> > # This will cause the User-Password
> > # to be decrypted before being passed to the
> > # external program
> > DecryptPassword
> >
> > # You might prefer use this to tell AuthBy EXTERNAL
> > # to get the result from the first line of the
> > # output. The permitted values are ACCEPT, REJECT
> > # IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
> > # its the only way to get it to work.
> > # We recommend you use this method
> > ResultInOutput
> > 
> > 
> >
> >
> >
> >
> >
> > ---Radius Server Output--
> >
> > Microsoft Windows 2000 [Version 5.00.2195]
> > (C) Copyright 1985-2000 Microsoft Corp.
> >
> > C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
> > Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file
> > 'C:\Program
> >  Files\Radiator\radius.cfg'
> > This Radiator license will expire on 2004-02-01
> > This Radiator license will stop operating after 1000 requests
> > To purchase an unlimited full source version of Radiator, see
> > http://www.open.com.au/ordering.html
> > To extend your evaluation period, contact [EMAIL PROTECTED]
> >
> > Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program
> > Files/Radia
> > tor/dictionary'
> > Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port
> > 0.0.0.0:1645
> > Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
> > Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man
> > (EVALUATIO
> > N)
> > Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
> > *** Received from 127.0.0.1 port 3006 
> > Code:   Access-Request
> > Identifier: 67
> > Authentic:  1234567890123456
> > Attributes:
> > User-Name = "mikem"
> > Ser

RE: (RADIATOR) Question in

2003-10-01 Thread Man Meng Fei
Hi
I have changed the radius configuration file by adding "perl" after the
Command keyword, which now looks like:

Command perl C:/Radiator/goodies/testcommand.pl

After changing the configuration file, the radius server is able to receive the
client request and execute the PERL script, but there is no return from
the perl script. May I know where it went wrong? The purpose of this
testing is that I want to find out how to pass the RADIUS attribute values
into the perl program and get the reply value from the perl script.
Hope you can help me on this.

Below is the information I got from the Radius Server and Client
console screens.

Thank you 

MAN


--Radius Server Console Screen-

C:\>PERL c:\perl\bin\radiusd
Thu Oct  2 10:47:49 2003: DEBUG: Finished reading configuration file
'C:\Program Files\Rad
iator\radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

Thu Oct  2 10:47:49 2003: DEBUG: Reading dictionary file 'c:/Program
Files/Radiator/dictio
nary'
Thu Oct  2 10:47:49 2003: DEBUG: Creating authentication port
0.0.0.0:1645
Thu Oct  2 10:47:49 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct  2 10:47:49 2003: NOTICE: Server started: Radiator 3.7 on man
(EVALUATION)
Thu Oct  2 10:47:52 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3508 
Code:   Access-Request
Identifier: 37
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Thu Oct  2 10:47:52 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Oct  2 10:47:52 2003: DEBUG:  Deleting session for mikem,
203.63.154.1, 1234
Thu Oct  2 10:47:52 2003: DEBUG: Running command: perl
C:/Radiator/goodies/testcommand.pl



---Radius Client Console Screen-
C:\>perl c:\perl\bin\radpwtst -user mikem -password fred
sending Access-Request...
No reply
sending Accounting-Request Start...
No reply
sending Accounting-Request Stop...
No reply

C:\>perl c:\perl\bin\radpwtst -user mikem -password fred
sending Access-Request...
No reply
sending Accounting-Request Start...
No reply
sending Accounting-Request Stop...
No reply

C:\>




-Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 02, 2003 10:24 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Question in 



Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command.

What happens when you run the following in a MS-DOS window:

C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents 
of the file.

regards

Hugh


On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei 
wrote:

> Hi
> Currently I am using a sample configuration (external.cfg) and perl
> script (testcommand.pl) which can be retrieved from the goodies directory
> to understand the implementation of .
> But after I executed it, I can't get the expected test result. I got No
> Reply at the Radius client. I hope someone can help me to make this
> <AuthBy EXTERNAL> sample working.
>
> Lastly I attached the Radius configuration file which I used for the
> testing and the Radius Server and Radius Client's output results
>
> Man Meng Fei
>
>
>
> --radius.cfg---
> # external.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # EXTERNAL authentication.
> #
> # There is an example external program called testcommand.pl
> # in the goodies directory, which the example below uses. It
> # will accept the request if the username is "fred" otherwise reject
> # it.
> #
> # So if you run Radiator with this config file, then do
> # radpwtst -noacct -trace -user fred
> # you will see something like:
> # sending Access-Request...
> # OK
> # Code:   Access-Accept
> # Identifier: 109
> # Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
> # Attributes:
> # Reply-Message = "you are fred"
> #
> #
> # And if you do:
> # radpwtst -noacct -trace -user someoneelse
> # you will see something like:
> # sending Access-Request...
> # Rejected
> 

Re: (RADIATOR) Question in

2003-10-01 Thread Hugh Irvine
Hello Man Meng Fei -

I suspect that Radiator is not able to run the external command.

What happens when you run the following in a MS-DOS window:

	C:\Perl\bin\testcommand.pl

There is probably something wrong with either the path or the contents 
of the file.

regards

Hugh

On Thursday, Oct 2, 2003, at 03:56 Australia/Melbourne, Man Meng Fei 
wrote:

Hi
Currently I am using a sample configuration (external.cfg) and perl
script (testcommand.pl) which can be retrieved from the goodies directory
to understand the implementation of .
But after I executed it, I can't get the expected test result. I got No
Reply at the Radius client. I hope someone can help me to make this
<AuthBy EXTERNAL> sample working.

Lastly I attached the Radius configuration file which I used for the testing
and the Radius Server and Radius Client's output results
Man Meng Fei



--radius.cfg---
# external.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EXTERNAL authentication.
#
# There is an example external program called testcommand.pl
# in the goodies directory, which the example below uses. It
# will accept the request if the username is "fred" otherwise reject
# it.
#
# So if you run Radiator with this config file, then do
# radpwtst -noacct -trace -user fred
# you will see something like:
# sending Access-Request...
# OK
# Code:   Access-Accept
# Identifier: 109
# Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
# Attributes:
# Reply-Message = "you are fred"
#
#
# And if you do:
# radpwtst -noacct -trace -user someoneelse
# you will see something like:
# sending Access-Request...
# Rejected
# Code:   Access-Reject
# Identifier: 70
# Authentic:  <165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
# Attributes:
# Reply-Message = "you are NOT fred, you are 'someoneelse'"
# Reply-Message = "Request Denied"
#
# You should consider this file to be a starting point only
# $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $
Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator
Trace 		4

# You will probably want to change this to suit your site.

Secret  mysecret
DupInterval 0



# For NT, you might want something like this
Command C:\Perl\bin\testcommand.pl

# For Unix, maybe something like this
#   #Command ./goodies/testcommand.pl
# This will cause the User-Password
# to be decrypted before being passed to the
# external program
DecryptPassword
# You might prefer use this to tell AuthBy EXTERNAL
# to get the result from the first line of the
# output. The permitted values are ACCEPT, REJECT
# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
# its the only way to get it to work.
# We recommend you use this method
ResultInOutput






---Radius Server Output--

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file
'C:\Program
 Files\Radiator\radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]
Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program
Files/Radia
tor/dictionary'
Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port
0.0.0.0:1645
Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man
(EVALUATIO
N)
Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Access-Request
Identifier: 67
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"
Thu Oct  2 01:18:52 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Oct  2 01:18:52 2003: DEBUG:  Deleting session for mikem,
203.63.154.1, 1234
Thu Oct  2 01:18:52 2003: DEBUG: Running command:
C:\Perl\bin\testcommand.pl
Thu Oct  2 01:25:09 2003: ERR: ResultInOutput is enabled, but the first line of from the EXTRNAL command is an unknown result code
Thu Oct  2 01:25:09 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Accounting-Request
Identifier: 68
Authentic:

(RADIATOR) Question in

2003-10-01 Thread Man Meng Fei
Hi
Currently I am using a sample configuration (external.cfg) and perl
script (testcommand.pl) which can be retrieved from the goodies directory to
understand the implementation of .
But after I executed it, I can't get the expected test result. I got No
Reply at the Radius client. I hope someone can help me to make this  sample working.

Lastly I attached the Radius configuration file which I used for the testing
and the Radius Server and Radius Client's output results

Man Meng Fei



--radius.cfg---
# external.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# EXTERNAL authentication.
#
# There is an example external program called testcommand.pl
# in the goodies directory, which the example below uses. It
# will accept the request if the username is "fred" otherwise reject
# it.
#
# So if you run Radiator with this config file, then do
# radpwtst -noacct -trace -user fred
# you will see something like:
# sending Access-Request...
# OK
# Code:   Access-Accept
# Identifier: 109
# Authentic:  <12>_B<215><2>=<149><140>kBM<130><221><10>.S
# Attributes:
# Reply-Message = "you are fred"
#
# 
# And if you do:
# radpwtst -noacct -trace -user someoneelse
# you will see something like:
# sending Access-Request...
# Rejected
# Code:   Access-Reject
# Identifier: 70
# Authentic:  <165><206>RiJ<208><139><245><129>@<170><136><23>s<24><23>
# Attributes:
# Reply-Message = "you are NOT fred, you are 'someoneelse'"
# Reply-Message = "Request Denied"


#
# You should consider this file to be a starting point only
# $Id: external.cfg,v 1.3 2003/09/22 23:30:56 mikem Exp $

Foreground
LogStdout
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator

Trace   4

# You will probably want to change this to suit your site.

Secret  mysecret
DupInterval 0




# For NT, you might want something like this
Command C:\Perl\bin\testcommand.pl

# For Unix, maybe something like this
#   #Command ./goodies/testcommand.pl

# This will cause the User-Password
# to be decrypted before being passed to the
# external program
DecryptPassword

# You might prefer use this to tell AuthBy EXTERNAL
# to get the result from the first line of the
# output. The permitted values are ACCEPT, REJECT
# IGNORE CHALLENGE or REJECT_IMMEDIATE. ON Win98
# its the only way to get it to work.
# We recommend you use this method
ResultInOutput







---Radius Server Output--

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\man\Desktop>PERL c:\perl\bin\radiusd
Thu Oct  2 01:16:58 2003: DEBUG: Finished reading configuration file
'C:\Program
 Files\Radiator\radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

Thu Oct  2 01:16:58 2003: DEBUG: Reading dictionary file 'c:/Program
Files/Radia
tor/dictionary'
Thu Oct  2 01:16:58 2003: DEBUG: Creating authentication port
0.0.0.0:1645
Thu Oct  2 01:16:58 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct  2 01:16:58 2003: NOTICE: Server started: Radiator 3.7 on man
(EVALUATIO
N)
Thu Oct  2 01:18:52 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Access-Request
Identifier: 67
Authentic:  1234567890123456
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>"

Thu Oct  2 01:18:52 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Oct  2 01:18:52 2003: DEBUG:  Deleting session for mikem,
203.63.154.1, 1234
Thu Oct  2 01:18:52 2003: DEBUG: Running command:
C:\Perl\bin\testcommand.pl
Thu Oct  2 01:25:09 2003: ERR: ResultInOutput is enabled, but the first line of from the EXTRNAL command is an unknown result code
Thu Oct  2 01:25:09 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3006 
Code:   Accounting-Request
Identifier: 68
Authentic:  <30>Z<190><154>(<20><153><30><10>c<24><237><243><176>V<236>
Attributes:
User-Name = "mikem"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
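As an added example that is not part of this thread and not Radiator's own testcommand.pl, here is the shape of an external program for the ResultInOutput mode described in the config comments above, answering the question of how attributes reach the script and how the result comes back: the request attributes arrive on stdin, the first stdout line is the result code, and later stdout lines are reply attributes. The stdin layout (`Name = value`, strings double-quoted, as in the Trace 4 packet dumps) and the exit-status mapping are assumptions taken from the Radiator reference, and the user table is constructed.

```python
#!/usr/bin/env python3
"""Constructed AuthBy EXTERNAL program for ResultInOutput mode (added
example, not Radiator's testcommand.pl).

Assumptions: Radiator writes the request attributes to stdin, one per
line as `Name = value` with string values in double quotes (the layout of
the Trace 4 packet dumps in this thread); with ResultInOutput the first
stdout line must be exactly one of the result codes below and every
further stdout line is a reply attribute in the same `Name = value` form.
The exit statuses are the ones assumed for the non-ResultInOutput mode.
"""
import hmac
import sys

# Result codes listed in the external.cfg comment; exit status assumed.
RESULT_EXIT = {
    "ACCEPT": 0,
    "REJECT": 1,
    "IGNORE": 2,
    "CHALLENGE": 3,
    "REJECT_IMMEDIATE": 4,
}

# Constructed user table standing in for a real backend. Because the
# config sets DecryptPassword, the cleartext User-Password arrives here.
USERS = {"fred": "fredpass"}

# Constructed sample of what Radiator would write to the program's stdin.
SAMPLE_REQUEST = (
    'User-Name = "fred"\n'
    'Service-Type = Framed-User\n'
    'NAS-IP-Address = 203.63.154.1\n'
    'NAS-Port = 1234\n'
    'User-Password = "fredpass"\n'
)


def parse_attrs(text):
    """Parse `Name = value` lines into a dict, dropping one pair of quotes."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank or malformed line: ignore rather than die
        name, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def quote(value):
    """Quote a reply value; embedded double quotes are downgraded so the
    reply line stays a single well-formed `Name = "value"` line."""
    return '"' + value.replace('"', "'") + '"'


def decide(attrs):
    """Return (result_code, reply_attribute_lines) for one request."""
    user = attrs.get("User-Name", "")
    password = attrs.get("User-Password", "")
    expected = USERS.get(user)
    # Compare even for unknown users so timing does not reveal whether the
    # account exists; the result is only honoured when the user is known.
    match = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is not None and match:
        return "ACCEPT", ["Reply-Message = " + quote("you are " + user)]
    return "REJECT", ["Reply-Message = " + quote("access denied for '%s'" % user)]


def respond(text):
    """Whole pipeline for one request: returns (code, reply_lines, exit_status)."""
    code, replies = decide(parse_attrs(text))
    return code, replies, RESULT_EXIT[code]


def main():
    code, replies, status = respond(sys.stdin.read())
    # Diagnostics must go to stderr: anything printed to stdout before the
    # result code makes Radiator log the "first line ... is an unknown
    # result code" error seen in the trace above.
    print("decision: %s" % code, file=sys.stderr)
    print(code)
    for line in replies:
        print(line)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Run it by hand with the sample request on stdin before pointing `Command` at it. Since the config sets DecryptPassword, the cleartext User-Password is in that stdin stream, so keep the script's own logging on stderr and out of the password.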
   

Re: (RADIATOR) Question on PreHandlerHook

2003-08-31 Thread Hugh Irvine
Hello Oscar -

You should use "changeUserName()".

	${$_[0]}->changeUserName("new-test-value");

See the code in Radius/Radius.pm->changeUserName().

This is because Radiator does some caching of the username internally.

regards

Hugh

On Monday, Sep 1, 2003, at 04:45 Australia/Melbourne, Oscar Garzón 
wrote:

 
Hello, I'm trying to use a PreHandlerHook to modify an Auth Request 
before it is processed by Handlers. However it doesn't seem to be 
working and I wonder whether the mistake is on my side.
 

In radius.cfg I put:
 

Secret xxx
PreHandlerHook file:"/etc/radiator/Hooks/hook2.pl"

 

In hook2.pl I put:
sub {
    ${$_[0]}->change_attr("User-Name","new-test-value");
    &main::log($main::LOG_DEBUG, "Customized Preprocessing: New Value 
for Attribute User-Name ".$rq->get_attr("User-Name")  );
    return;
}

On Trace 4 I see:
Code:   Access-Request
Identifier: 105
Authentic:  1234567890123456
Attributes:
   User-Name = "ogarzon"
   Service-Type = Framed-User
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 1234
   Called-Station-Id = "123456789"
   Calling-Station-Id = "987654321"
   NAS-Port-Type = Async
   User-Password = 
"8C<205><151><209><24><167><194><4><30><251>0<131><245><203>O"
 
Sun Aug 31 13:18:40 2003: DEBUG: Rewrote user name to ogarzon
Sun Aug 31 13:18:40 2003: DEBUG: Preprocessing: New Value for 
Attribute User-Name new-test-value
Sun Aug 31 13:18:40 2003: DEBUG: Handling request with Handler ''
Sun Aug 31 13:18:40 2003: DEBUG: sqlsess Deleting session for ogarzon, 
127.0.0.1, 1234
Sun Aug 31 13:18:40 2003: DEBUG: Handling with Radius::AuthSQL
Sun Aug 31 13:18:40 2003: DEBUG: Query is: SELECT ENCRYPTEDPASSWORD, 
CHECKATTR, REPLYATTR FROM USER WHERE USERNAME = 'ogarzon'
Sun Aug 31 13:18:40 2003: DEBUG: Radius::AuthSQL looks for match with 
ogarzon
 
---
 
Since the log entry is written, I guess it is getting inside the 
hook; the log also says the value was effectively changed to 
'new-test-value', but the handler is still trying to authenticate the 
original User-Name...

I was expecting the request to arrive modified at the Handler, but it 
looks like its value is kept unmodified outside the hook. Is it 
supposed to be like that? Or what am I missing? Does it have 
something to do with per-value/reference parameters?

Thanks in advance.

Oscar L. Garzón.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


(RADIATOR) Question on PreHandlerHook

2003-08-31 Thread Oscar Garzón
Hello, I'm trying to use a PreHandlerHook to modify an Auth Request before it is processed by 
Handlers. However it doesn't seem to be working and I wonder whether the mistake is on my side.

In radius.cfg I put:

Secret xxx
PreHandlerHook file:"/etc/radiator/Hooks/hook2.pl"

In hook2.pl I put:

sub {
    ${$_[0]}->change_attr("User-Name","new-test-value");
    &main::log($main::LOG_DEBUG, "Customized Preprocessing: New Value for Attribute User-Name ".$rq->get_attr("User-Name")  );
    return;
}

On Trace 4 I see:

Code:   Access-Request
Identifier: 105
Authentic:  1234567890123456
Attributes:
   User-Name = "ogarzon"
   Service-Type = Framed-User
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 1234
   Called-Station-Id = "123456789"
   Calling-Station-Id = "987654321"
   NAS-Port-Type = Async
   User-Password = "8C<205><151><209><24><167><194><4><30><251>0<131><245><203>O"

Sun Aug 31 13:18:40 2003: DEBUG: Rewrote user name to ogarzon
Sun Aug 31 13:18:40 2003: DEBUG: Preprocessing: New Value for Attribute User-Name new-test-value
Sun Aug 31 13:18:40 2003: DEBUG: Handling request with Handler ''
Sun Aug 31 13:18:40 2003: DEBUG: sqlsess Deleting session for ogarzon, 127.0.0.1, 1234
Sun Aug 31 13:18:40 2003: DEBUG: Handling with Radius::AuthSQL
Sun Aug 31 13:18:40 2003: DEBUG: Query is: SELECT ENCRYPTEDPASSWORD, CHECKATTR, REPLYATTR FROM USER WHERE USERNAME = 'ogarzon'
Sun Aug 31 13:18:40 2003: DEBUG: Radius::AuthSQL looks for match with ogarzon

---

Since the log entry is written, I guess it is getting inside the hook; the log also says the value was 
effectively changed to 'new-test-value', but the handler is still trying to authenticate the original 
User-Name...

I was expecting the request to arrive modified at the Handler, but it looks like its value is kept 
unmodified outside the hook. Is it supposed to be like that? Or what am I missing? Does it have 
something to do with per-value/reference parameters?

Thanks in advance.

Oscar L. Garzón.


Re: (RADIATOR) Question about spliting the NAS-IP-ADDRESS for SQL use

2003-08-22 Thread Hugh Irvine
Hello Troy -

I suggest you write a PreClientHook that will add the pseudo-attributes 
shown below to the incoming request packet.

There is an example that does something quite similar for Cisco 
pseudo-attributes in the file "goodies/hooks.txt".

regards

Hugh

On Friday, Aug 22, 2003, at 06:49 Australia/Melbourne, Troy Holder 
wrote:

We have a DB table with all of our network equipment in it and plan to
use that to determine which AuthBy to use for different types of
equipment (got to love how Cisco wants different reply values to allow
a user into enable mode). I plan to have a Handler call an AuthBy SQL to
do a query for the Auth-Type the device needs to use and then run that
AuthBy clause. The problem that I am running into is that we have the
equipment's IP address broken up into the octets. I know that I can use
%N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as
in %N = %IP1.%IP2.%IP3.%IP4) instead?

--
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

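The hook Hugh suggests, written out as an added example (my code, not Hugh's and not the one in goodies/hooks.txt). It takes the NAS-IP-Address of the incoming request, validates it as a dotted quad and adds four pseudo-attributes, assumed here to be named OSC-IP1 to OSC-IP4 and to be defined in the dictionary, which an AuthSelect can then reference as %{OSC-IP1} and so on. It changes the request through the reference the hook receives in $_[0]; that is also the only way a change made inside a hook is visible to the Handler afterwards, which is the question Oscar raises at the top of this page.

```perl
# Added example: PreClientHook that splits NAS-IP-Address into four
# pseudo-attributes for a device table that stores one octet per column.
# Assumptions (not from the list post): the dictionary defines
# OSC-IP1 .. OSC-IP4 as string attributes, and radius.cfg loads this file with
#     PreClientHook file:"%D/nasip-octets.pl"
# The Handler can then use them in an AuthBy SQL clause, for example:
#     AuthSelect select AUTHTYPE from DEVICES where IP1=%{OSC-IP1} \
#         and IP2=%{OSC-IP2} and IP3=%{OSC-IP3} and IP4=%{OSC-IP4}
sub {
    my $p = ${$_[0]};    # the incoming request, passed to the hook by reference

    # Any attribute of that name already in the packet is dropped first, so a
    # NAS cannot pre-seed the octets and steer the lookup to another row.
    $p->delete_attr("OSC-IP$_") for 1 .. 4;

    my $ip = $p->get_attr('NAS-IP-Address');
    my @octets = defined $ip
        ? ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
        : ();

    # Only a well-formed dotted quad is split; anything else is logged and the
    # pseudo-attributes stay absent, so the AuthSelect can never receive stray
    # text through %{OSC-IPn}, only small integers.
    if (@octets != 4 || grep { $_ > 255 } @octets) {
        &main::log($main::LOG_WARNING,
            "nasip-octets: malformed or missing NAS-IP-Address '"
            . (defined $ip ? $ip : '') . "', pseudo-attributes not set");
        return;
    }

    for my $i (1 .. 4) {
        $p->add_attr("OSC-IP$i", $octets[$i - 1]);
    }
    &main::log($main::LOG_DEBUG, "nasip-octets: $ip -> @octets");
}
```

NAS-IP-Address is whatever the NAS chooses to put in the packet; the Client clause that accepted the request, matched on the source address and shared secret, is the authoritative identity of the device. Keep the table lookup to selecting the Auth-Type, and do not let a NAS-IP-Address value alone grant anything the Client clause would not.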

(RADIATOR) Question about spliting the NAS-IP-ADDRESS for SQL use

2003-08-21 Thread Troy Holder
We have a DB table with all of our network equipment in it and plan to
use that to determine what Authby to use for different types of
equipment ( got to love how Cisco wants different reply values to allow
a user into enable mode). I plan to have a Handler call an AuthBy SQL to
do a query for the Auth-Type the device needs to use and then run that
AuthBy clause. The problem that I am running into is that we have the
equipment's IP address broken up into the octets. I know that I can use
%N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as
in %N = %IP1.%IP2.%IP3.%IP4) instead?

-- 
---
| Troy Holder[EMAIL PROTECTED] |
| Senior Network Engineer |
|   Communication Technologies|
| North Carolina State University |
---



Re: (RADIATOR) Question about AuthBy ADSI

2003-07-30 Thread Hugh Irvine
Hello Steve -

Your configuration file is incorrect.

You cannot have Realms inside Handlers. If you are using Handlers, you  
must use only Handlers and they cannot be placed inside other Handlers.  
You cannot have  clauses inside  clauses either.

regards

Hugh

On Thursday, Jul 31, 2003, at 02:29 Australia/Melbourne, Steve  
Caporossi wrote:

Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux  
box, I have no bias. :-)

I am not very familiar with AD.  My understanding is that policies can  
be managed for users, machines, etc.  In our environment, we are  
mapping drives and limiting machines/user rights to resources.  We  
would like for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2.

Unfortunately, I must be missing something because it does not look  
like AuthBy LDAP 2 is ever being used.

I attached my config and a debug of an attempt to connect from a  
machine logging into the domain.  Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do  
not* have an anonymous user in my password file, but, I can  
authenticate wireless users via TTLS sucessfully.  Am I mistaken or  
should this be happening? - Just not those trying to authenticate to  
the domain.

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
You can use the AuthBy RADIUS clause to forward radius requests to a  
remote radius server. The exact configuration will depend on what  
else you are already doing in your configuration file. I am not sure  
I understand what you mean by "domain policies" - can you give me a  
bit more detail?
BTW - Radiator runs just fine on W2K server.
regards
Hugh
On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve  
Caporossi wrote:
Running radiator on a W2K server does not appear to be an option for  
us...I need to forward any domain logins ie, domain\username to a  
Windows radius server, but only if they try to login to the domain.   
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using  
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages,  
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only  
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance  
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual  
("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve  
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie  
into AD for domain login and username/password checking.  In the  
reference manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented  
in AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be  
running on W2K?

Thanks,
--  
Steve


--  
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083

# radius.cfg
#

#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir  /var/log/radius
DbDir   /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile  /etc/radiusserver/dictionary
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   4
AuthPort 1645,1812
AcctPort 1646,1813
# Add Clients below...


Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private


Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private


Identifier vpn
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private


Identifier wlan
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
IgnoreAcctSignature

#
#

Re: (RADIATOR) Question about AuthBy ADSI

2003-07-30 Thread Steve Caporossi
Hugh,
Layers 8 & 9 prevent me from running Radiator on anything but a Linux 
box, I have no bias. :-)

I am not very familiar with AD.  My understanding is that policies can 
be managed for users, machines, etc.  In our environment, we are mapping 
drives and limiting machines/user rights to resources.  We would like 
for these policies to be passed down from the AD server.

In the meantime...I have been trying to get it working via LDAP2.

Unfortunately, I must be missing something because it does not look like 
AuthBy LDAP 2 is ever being used.

I attached my config and a debug of an attempt to connect from a machine 
logging into the domain.  Can you tell me what I am missing?

Notice that I have the Tunnelled by TTLS and PEAP commented out, *do 
not* have an anonymous user in my password file, but, I can authenticate 
wireless users via TTLS successfully. Am I mistaken or should this be 
happening? - Just not those trying to authenticate to the domain.

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a 
remote radius server. The exact configuration will depend on what else 
you are already doing in your configuration file. I am not sure I 
understand what you mean by "domain policies" - can you give me a bit 
more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve Caporossi 
wrote:

Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins ie, domain\username to a 
Windows radius server, but only if they try to login to the domain.  
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, 
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only 
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance 
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual 
("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083
# radius.cfg
#

#Foreground
#LogStdout
LogFile /var/log/radius/%m%d%y.log
LogDir  /var/log/radius
DbDir   /etc/radiusserver
PidFile /var/run/radius.pid
DictionaryFile  /etc/radiusserver/dictionary

# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace   4

AuthPort 1645,1812
AcctPort 1646,1813


# Add Clients below... 


Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private


 
Identifier ppp
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private



Identifier vpn
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private



Identifier wlan
Secret mysecret
DupInterval 2
NasType Cisco
SNMPCommunity private
IgnoreAcctSignature


#
#
## PPP Config ##


 
# AuthByPolicy ContinueAlways
AuthByPolicy ContinueWhileIgnore  # Default



DBSource	dbi:mysql:radius
DBUsername  dbuser
DBAuth  password

AuthSelect

# Only insert Start and Stop reque

Re: (RADIATOR) Question about configuration file

2003-07-25 Thread Mike McCauley
Hello Geoffrey,


On Fri, 25 Jul 2003 09:42 am, Hugh Irvine wrote:
> Hello Geoffrey -
>
> On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR
>
> Geoffrey wrote:
> > Hello,
> >
> >  
> >
> > As far as I understand, radiusd reads the configuration file only once
> > (when it starts). Correct ?
>
> Correct - but see below.
>
> >  
> >
> > Is there a way to force radiusd to read the file every x min. or every
> > time the file is updated (new realm, RADIUS client, …) without
> > restarting it ?
>
> No. Although you can use a HUP signal to cause a warm restart during
> which the configuration file is reread.
>
> >  
> >
> > I would also like to know if it is possible to store realms/handlers
> > configuration information in a SQL database instead of in a flat file
> > (the same way you can do it for RADIUS clients with ClientListSQL).
>
> No there isn't.

However, I have seen some cases using an include statement in the config file 
that opens a pipe to a custom program that constructs Radiator clauses on the 
fly from an SQL database.

Cheers.

>
> regards
>
> Hugh
>
>

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.


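What Mike describes, as an added example (my script, not anything shipped with Radiator or posted on the list). It assumes a table HANDLERS(REALM, AUTHBYID, PRIORITY) and that Radiator's include accepts a trailing pipe the way Mike has seen it used, so that a line such as include /usr/local/etc/radiator/gen-handlers.pl| runs the script at start-up and on every HUP and splices its output into the configuration. Everything the script prints becomes configuration, and a Handler may carry Perl in a hook parameter, so a database value that is not strictly validated could plant clauses or code into radiusd; the script therefore buffers its output and refuses the whole batch if any row fails the pattern check.

```perl
#!/usr/bin/perl
# Added example: emit <Handler> clauses from an SQL table for a piped include.
# Assumed (not from the list): table HANDLERS(REALM, AUTHBYID, PRIORITY), and
# AuthBy clauses with matching Identifiers defined earlier in radius.cfg.
use strict;
use warnings;
use DBI;

# Same DSN style as the AuthBy SQL clauses. This file runs with radiusd's
# privileges at every config load, so protect it and its credentials exactly
# as you protect radius.cfg.
my $dbh = DBI->connect('dbi:mysql:radius', 'dbuser', 'password',
                       { RaiseError => 1, PrintError => 0 });

my $rows = $dbh->selectall_arrayref(
    'select REALM, AUTHBYID from HANDLERS order by PRIORITY');

my $out = '';
for my $row (@$rows) {
    my ($realm, $authby) = @$row;

    # Handler parameters are parsed from the line; a value carrying a newline,
    # '<', '>' or a hook keyword would become extra configuration. Accept only
    # a plain realm name and a plain identifier, and abort on anything else.
    die "gen-handlers: refusing realm '" . ($realm // '') . "'\n"
        unless defined $realm && $realm =~ /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/;
    die "gen-handlers: refusing AuthBy identifier '" . ($authby // '') . "'\n"
        unless defined $authby && $authby =~ /^\w{1,64}$/;

    $out .= "<Handler Realm=$realm>\n";
    $out .= "\tAuthBy $authby\n";
    $out .= "</Handler>\n\n";
}
$dbh->disconnect;

# Nothing reaches radiusd unless every row passed; a partial Handler list
# would silently change which realms are accepted.
print $out;
```

Because the AuthBy lines reference Identifiers, the AuthBy clauses themselves must appear in radius.cfg before the include line, and a realm that points at an Identifier that does not exist will show up as an error in a trace 4 log at start-up rather than as a working Handler.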

Re: (RADIATOR) Question about configuration file

2003-07-24 Thread Andrew Stevenson
On Thu, 24 Jul 2003, DUFOUR Geoffrey wrote:

> As far as I understand, radiusd reads the configuration file only once
> (when it starts). Correct ?

AFAIK

> Is there a way to force radiusd to read the file every x min. or every
> time the file is updated (new realm, RADIUS client, ...) without
> restarting it ?

You can get it to reload every x mins by sending SIGHUP from cron. If you
want it to happen when the config file changes you could either make the
cron job check modification times of the file and still check every x
minutes or use a program like wait_on.

Andrew


Re: (RADIATOR) Question about configuration file

2003-07-24 Thread Hugh Irvine

Hello Geoffrey -

On Thursday, Jul 24, 2003, at 19:40 Australia/Melbourne, DUFOUR Geoffrey wrote:

Hello,


As far as I understand, radiusd reads the configuration file only once (when it starts). Correct ?


Correct - but see below.


Is there a way to force radiusd to read the file every x min. or every time the file is updated (new realm, RADIUS client, …) without restarting it ?


No. Although you can use a HUP signal to cause a warm restart during which the configuration file is reread.


I would also like to know if it is possible to store realms/handlers configuration information in a SQL database instead of in a flat file (the same way you can do it for RADIUS clients with ClientListSQL).


No there isn't.

regards

Hugh





(RADIATOR) Question about configuration file

2003-07-24 Thread DUFOUR Geoffrey
Hello,

 

As far as I understand, radiusd reads the
configuration file only once (when it starts). Correct ? 

 

Is there a way to force radiusd to read the file
every x min. or every time the file is updated (new realm, RADIUS client, …)
without restarting it ?

 

I would also like to know if it is possible to store
realms/handlers configuration information in a SQL database instead of in a
flat file (the same way you can do it for RADIUS clients with ClientListSQL).

 

Regards.

 

Geoffrey


Re: (RADIATOR) Question about AuthBy ADSI

2003-07-23 Thread Hugh Irvine
Hello Steve -

You can use the AuthBy RADIUS clause to forward radius requests to a 
remote radius server. The exact configuration will depend on what else 
you are already doing in your configuration file. I am not sure I 
understand what you mean by "domain policies" - can you give me a bit 
more detail?

BTW - Radiator runs just fine on W2K server.

regards

Hugh

On Thursday, Jul 24, 2003, at 00:44 Australia/Melbourne, Steve 
Caporossi wrote:

Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins ie, domain\username to a 
Windows radius server, but only if they try to login to the domain.  
Has anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, 
or disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -
Correct. AuthBy ADSI and the new AuthBy LSA clauses are only 
supported on recent Windows releases.
You can either try the AuthBy NT clause, or you can run an instance 
of Radiator on the Windows host and proxy requests to it.
You will find details on AuthBy NT in section 6.27 of the manual 
("doc/ref.html").
regards
Hugh
On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083

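Hugh's suggestion as an added configuration example (my fragment, not Steve's file and not Radiator's own documentation). Radiator on the Linux host forwards any DOMAIN\user login to a second Radiator running on a Windows machine, where AuthBy ADSI or AuthBy LSA can check it against the domain, and authenticates everyone else locally. Assumed: the Windows Radiator is at 10.0.0.5 and has a Client clause for the Linux host with the same secret, and an AuthBy LDAP2 clause with Identifier LocalLDAP is defined earlier in the file.

```text
# Forward domain logins to the Radiator on the Windows host.
<AuthBy RADIUS>
	Identifier WindowsProxy
	Host 10.0.0.5
	Secret a-long-random-secret-unique-to-this-pair
	AuthPort 1812
	AcctPort 1813
</AuthBy>

# Handlers are tried in the order written. A Perl regexp on User-Name
# selects names containing a backslash, i.e. the DOMAIN\user form
# (two backslashes in the regexp match one literal backslash).
<Handler User-Name=/\\/>
	AuthBy WindowsProxy
</Handler>

# Everyone else. No Realm clause and no Handler nested inside another,
# which is what made the original file invalid.
<Handler>
	AuthBy LocalLDAP
</Handler>
```

The forwarded User-Password crosses the link protected only by the RADIUS shared-secret obfuscation, so keep the proxy pair on a trusted segment and give it a long secret of its own; a single `Secret mysecret` shared by every Client, and `SNMPCommunity private`, as in the posted file, should not survive into production.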

Re: (RADIATOR) Question about AuthBy ADSI

2003-07-23 Thread Steve Caporossi
Running radiator on a W2K server does not appear to be an option for 
us...I need to forward any domain logins ie, domain\username to a 
Windows radius server, but only if they try to login to the domain.  Has 
anyone done this and be willing to share their methodology?

Can the domain policies be passed down to the machine as well using 
AuthBy LDAP, AuthBy Radius or AuthBy NT?   Are there any advantages, or 
disadvantages, between these?

Thanks,
Steve
Hugh Irvine wrote:

Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported 
on recent Windows releases.

You can either try the AuthBy NT clause, or you can run an instance of 
Radiator on the Windows host and proxy requests to it.

You will find details on AuthBy NT in section 6.27 of the manual 
("doc/ref.html").

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083


Re: (RADIATOR) Question about AuthBy ADSI

2003-07-22 Thread Hugh Irvine
Hello Steve -

Correct. AuthBy ADSI and the new AuthBy LSA clauses are only supported 
on recent Windows releases.

You can either try the AuthBy NT clause, or you can run an instance of 
Radiator on the Windows host and proxy requests to it.

You will find details on AuthBy NT in section 6.27 of the manual 
("doc/ref.html").

regards

Hugh

On Wednesday, Jul 23, 2003, at 06:13 Australia/Melbourne, Steve 
Caporossi wrote:

I am running radiator 3.6 (fully patched) on RH7.3 and need to tie 
into AD for domain login and username/password checking.  In the 
reference manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


(RADIATOR) Question about AuthBy ADSI

2003-07-22 Thread Steve Caporossi
I am running radiator 3.6 (fully patched) on RH7.3 and need to tie into 
AD for domain login and username/password checking.  In the reference 
manual section 6.40  it has the statement,


It is only available on Windows 2000 platforms. It is implemented in 
AuthADSI.pm"


I am a little confused...does this mean that radiator needs to be 
running on W2K?

Thanks,
--
Steve


Re: (RADIATOR) question --> solved I think =)

2003-07-22 Thread Chris Garzon

- Original Message - 
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Chris Garzon" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 22, 2003 7:59 AM
Subject: Re: (RADIATOR) question


> You should test your SQL statements by hand with your database tools
> first before putting them in the configuration file.

Hi, I've managed to get things working and thought I might share. Thanks for the
tips to all those who helped, especially Hugh and Mike.
I used MySQL's UNIX_TIMESTAMP() function. Since VALIDFROM='now' returns
a NULL value it was more appropriate to
use: VALIDFROM=UNIX_TIMESTAMP(NOW())

cheers!

chris




---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.502 / Virus Database: 300 - Release Date: 7/18/2003

This Email is protected by RAV AntiVirus Security Software for SuSE Linux eMail Server



Re: (RADIATOR) question

2003-07-21 Thread Hugh Irvine
Hello Chris -

You should test your SQL statements by hand with your database tools 
first before putting them in the configuration file.

regards

Hugh

On Monday, Jul 21, 2003, at 20:10 Australia/Melbourne, Chris Garzon 
wrote:

Hi,

I've set up my AcctSQLStatement to look like this:

AcctSQLStatement update RADUSERS set \
	TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
	OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
	OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} \
	where USERNAME='%n'

# Restricted to the user the accounting record belongs to; without the
# USERNAME condition this would stamp every never-used account at once.
AcctSQLStatement update RADUSERS set VALIDFROM=now \
	where USERNAME='%n' and VALIDFROM IS NULL

now the second statement returns this error in the logfile:

Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set
VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field 
list'

-chris



Re: (RADIATOR) question

2003-07-21 Thread Chris Garzon
Hi,

I've set up my AcctSQLStatement to look like this:

AcctSQLStatement update RADUSERS set \
	TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, \
	OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, \
	OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} \
	where USERNAME='%n'

# Restricted to the user the accounting record belongs to; without the
# USERNAME condition this would stamp every never-used account at once.
AcctSQLStatement update RADUSERS set VALIDFROM=now \
	where USERNAME='%n' and VALIDFROM IS NULL

now the second statement returns this error in the logfile:

Mon Jul 21 18:02:49 2003: ERR: do failed for 'update RADUSERS set
VALIDFROM=now where VALIDFROM=NULL': Unknown column 'now' in 'field list'


-chris




Re: (RADIATOR) question

2003-07-18 Thread Chris

> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL
and

Oh, OK, thanks, I get it. Now how can my Radmin database set VALIDFROM
initially to NULL? I tried to test it using the radmin editUser.pl web script
and it gave this error: Not updated because: Invalid date/time format in
'Valid from'

thanks,
chris






Re: (RADIATOR) question

2003-07-18 Thread Mike McCauley
Hello Chris,

On Fri, 18 Jul 2003 09:56 pm, Chris wrote:
> > You could use an AcctSQLStatement that sets their expiry date if it is
> > currently NULL. Then the first successful session start will set their
>
> expiry
>
> > date to, say the current date + 30 days (or whatever your policy is).
>
> thanks mike should I be safe then if  I add this to my AcctSQLStatement to
> update my VALIDFROM table:
>
> AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0',
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

It might be more common to let the starting value of VALIDFROM be NULL (which 
means Radiator would ignore it first time around), and then set it with:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM IS NULL and 
...

>
> thanks,
> Chris
>
>


Re: (RADIATOR) question

2003-07-18 Thread Chris

> You could use an AcctSQLStatement that sets their expiry date if it is
> currently NULL. Then the first successful session start will set their
expiry
> date to, say the current date + 30 days (or whatever your policy is).

Thanks Mike. Should I be safe then if I add this to my AcctSQLStatement to
update my VALIDFROM table:

AcctSQLStatement update RADUSERS set VALIDFROM=now where VALIDFROM='0',
TIMELEFT=TIMELEFT-0%{Acct-Session-Time} etc.

thanks,
Chris




Re: (RADIATOR) question

2003-07-18 Thread queksteven

Hi Chris,

My advice for different time zones: you should be using a stored procedure to
process the accounting event. The person might, say, be surfing from 11pm and
end at 2am; you will be charging 11pm to 12am and the rest free.

We have implemented the rating using a stored procedure and it allows
flexibility as well.

Hope it helps.



Mike McCauley <[EMAIL PROTECTED]> wrote on 18/07/2003 03:57 PM
To: "Chris" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: Re: (RADIATOR) question

Hello Chris,


On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
> Hello list,
>
> I'm using radmin + radiator, Right now I want to do these to my system,
> please point me out to some examples or possible solutions:
>
> 1. How do I make first time users to base their starting usage from the
> moment they first logged into the system?

You could use an AcctSQLStatement that sets their expiry date if it is
currently NULL. Then the first successful session start will set their
expiry
date to, say the current date + 30 days (or whatever your policy is).


> 2. I want to implement an off-peak time wherein when users log in from
> 12am to 7am their usage won't be deducted during that specified time.

You could set up multiple Handlers, each with a different Time check item:

# off peak

 
 # no AccountingTable or AcctColumnDef entries here
 # means no accounting data inserted
 
 


# all the rest

 
 
 


The AuthBy RADMIN clauses would be
>
> thanks,
> chris
>
>

--
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.







Re: (RADIATOR) question

2003-07-18 Thread Mike McCauley
Hello Chris,


On Fri, 18 Jul 2003 12:05 pm, Chris wrote:
> Hello list,
>
> I'm using radmin + radiator. Right now I want to do these to my system,
> please point me out to some examples or possible solutions:
>
> 1. How do I make first-time users base their starting usage on the
> moment they first logged into the system?

You could use an AcctSQLStatement that sets their expiry date if it is 
currently NULL. Then the first successful session start will set their expiry 
date to, say, the current date + 30 days (or whatever your policy is).


> 2. I want to implement an off-peak time wherein when users log in from
> 12am to 7am their usage won't be deducted during that specified time.

You could set up multiple Handlers, each with a different Time check item:

# off peak


# no AccountingTable or AcctColumnDef entries here
# means no accounting data inserted




# all the rest






The AuthBy RADMIN clauses would be 
>
> thanks,
> chris
>
>



(RADIATOR) question

2003-07-17 Thread Chris

Re: (RADIATOR) Question about configuration

2003-07-16 Thread Hugh Irvine
Hello William -

Thanks for your mail.

As far as I can see from what you show below, Radiator is running  
correctly.

When you start the "radiusd" process, it prints out the messages as  
shown and then it waits until it receives a radius request from a  
client device. It looks like "radiusd" is starting correctly, but it is  
not receiving any requests.

You will need to configure the router to do radius authentication and  
accounting, so you should check with your router vendor to find out  
what configuration is required.

regards

Hugh

On Thursday, Jul 17, 2003, at 00:38 Australia/Melbourne, William  
Palencia wrote:

Hi. I'm installing Radiator for the first time, and can't get it to start. I
don't know what's wrong. Here is the configuration file.

//

Foreground
LogStdout
AuthPort1645
AcctPort1646
LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator

Secret  cisco
DupInterval 0


Secret  cisco
DupInterval 0


DBSourcedbi:mysql:radius
DBUsername  root
DBAuth  admin2003



DBSourcedbi:mysql:radius
DBUsername  root
DBAuth  admin2003
AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
AcctFailedLogFileName missedaccounting


//

I want to authenticate users from a router. The router has the IP
address 192.168.1.1. I'm using the database schema included in the Radiator
distribution.

When I tell radius to start, I get the following message:

This Radiator license will expire on 2003-10-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]
And I don't get any more messages.

Can somebody tell me what's wrong?

Thanks.

William Palencia
Ingeniero de Operaciones
Colombiatel S.A.
Tel: 6743080 - 6743026
Cel: 315 3626346

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


(RADIATOR) Question about configuration

2003-07-16 Thread William Palencia

Hi. I'm installing Radiator for the first time, and can't get it to start. I don't
know what's wrong. Here is the configuration file.

//

Foreground
LogStdout

AuthPort1645
AcctPort1646

LogDir  c:/Program Files/Radiator
DbDir   c:/Program Files/Radiator


Secret  cisco
DupInterval 0



Secret  cisco
DupInterval 0



DBSourcedbi:mysql:radius
DBUsername  root
DBAuth  admin2003





DBSourcedbi:mysql:radius
DBUsername  root
DBAuth  admin2003

AccountingTable ACCOUNTING
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address

AcctFailedLogFileName missedaccounting



//

I want to authenticate users from a router. The router has the IP
address 192.168.1.1. I'm using the database schema included in the Radiator
distribution.

When I tell radius to start, I get the following message:

This Radiator license will expire on 2003-10-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]


And I don't get any more messages.

Can somebody tell me what's wrong?

Thanks.

William Palencia
Ingeniero de Operaciones
Colombiatel S.A.
Tel: 6743080 - 6743026
Cel: 315 3626346




Re: (RADIATOR) Question about AuthBy LSA module?

2003-06-18 Thread Mike McCauley
Hello John,


On Thu, 19 Jun 2003 01:27 am, John McFadden wrote:
> Saw the announcement on the AuthBy LSA module and I wanted to make sure I
> understood its implications.
>
> Does this module allow us to authenticate MSCHAP passwords against an
> ActiveDirectory or NT domain controller?

Yes.

>
> This has been a big issue up to now and one reason why we've been
> ignoring PEAP and Microsoft's built in VPN client.

Yes, few RADIUS servers can support this combination of PEAP or MSCHAP and 
Windows passwords.

>
> Comments?

Try it :-)

Cheers.


>
> Thanks in advance.
> John McFadden
>



(RADIATOR) Question about AuthBy LSA module?

2003-06-18 Thread John McFadden
Saw the announcement on the AuthBy LSA module and I wanted to make sure I 
understood its implications.

Does this module allow us to authenticate MSCHAP passwords against an 
ActiveDirectory or NT domain controller?

This has been a big issue up to now and one reason why we've been 
ignoring PEAP and Microsoft's built in VPN client.

Comments?

Thanks in advance.
John McFadden


Re: (RADIATOR) question about Radiator and Orinoco AP-2500

2003-03-19 Thread Hugh Irvine
Hello Primoz -

You should probably use a packet sniffer (snoop, tcpdump, 
ethereal...) to check on exactly what radius reply attributes are being 
sent back by Cisco ACS and then configure Radiator to send the same 
ones.

In general you will need at least the following:


  
 Filename /radiator/conf/users
 AddToReply Service-Type = Framed-User, \
  Framed-Protocol = PPP
  

regards

Hugh

On Wednesday, Mar 19, 2003, at 20:24 Australia/Melbourne, Primoz 
Jeroncic wrote:

Hi there

I was trying to find something about this in the mailing list archive but
I didn't have too much luck, so I hope you won't mind too much if this
question was answered already.
I have Orinoco (Proxim) AP-2500 which I configured for getting
authorization about allowed users from external Radius. My problem
is that when I use Cisco Secure ACS as Radius it works fine and
clients can browse web, send mails, use telnet etc. without problems
once when they sign with their username and password. As soon as I
change Cisco Secure ACS with Radiator only thing which still works
is browsing web. Sending mail, telneting etc. stop working. I'm
almost 100% sure there's just one small thing which should be
configured with Radiator to send back to Orinoco some attributes
and everything would work, but I really don't have any idea what
those attributes would be, since even on Cisco Secure ACS I didn't
configure anything special except username and password for user
and client IP address and authentication key (using Radius IETF
authentication not some vendor specific one).
Problem is that I would really like to use Radiator for this
and not something else, since I can write some application which will
be maintaining users file, much easier than playing with some SQL
for same purpose. And not to mention that I would rather have it
run on some Unix box and not Windows server. Cisco ACS runs on Solaris
too but for this project I don't have budget for Sun machine and
Cisco ACS doesn't run on Solaris for Intel.
Btw.. current config is this:
Radius.cfg

  Secret test
  DupInterval 0


  
 Filename /radiator/conf/users
  

/radiator/conf/users
user1 Password = "test1", Expiration = 25/03/03
Idle-Timeout = 5,
Session-Timeout = 5,
Fall-Through = yes
Thanks in advance for any help.

Best regards,
Primoz Jeroncic
Support - IP/VoIP Connectivity & Routing
---
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2   fax:  +386 1 562 18 55   |   1 + 1 = 3
1236 Trzin  mailto:[EMAIL PROTECTED] | for larger values of 1
Slovenija   http://www.softnet.si/primoz
---


(RADIATOR) question about Radiator and Orinoco AP-2500

2003-03-19 Thread Primoz Jeroncic
Hi there

I was trying to find something about this in the mailing list archive but
I didn't have too much luck, so I hope you won't mind too much if this
question was answered already.

I have Orinoco (Proxim) AP-2500 which I configured for getting
authorization about allowed users from external Radius. My problem
is that when I use Cisco Secure ACS as Radius it works fine and
clients can browse web, send mails, use telnet etc. without problems
once when they sign with their username and password. As soon as I
change Cisco Secure ACS with Radiator only thing which still works
is browsing web. Sending mail, telneting etc. stop working. I'm
almost 100% sure there's just one small thing which should be
configured with Radiator to send back to Orinoco some attributes
and everything would work, but I really don't have any idea what
those attributes would be, since even on Cisco Secure ACS I didn't
configure anything special except username and password for user
and client IP address and authentication key (using Radius IETF
authentication not some vendor specific one).

Problem is that I would really like to use Radiator for this
and not something else, since I can write some application which will
be maintaining users file, much easier than playing with some SQL
for same purpose. And not to mention that I would rather have it
run on some Unix box and not Windows server. Cisco ACS runs on Solaris
too but for this project I don't have budget for Sun machine and
Cisco ACS doesn't run on Solaris for Intel.

Btw.. current config is this:
Radius.cfg


  Secret test
  DupInterval 0


  
 Filename /radiator/conf/users
  


/radiator/conf/users
user1 Password = "test1", Expiration = 25/03/03
Idle-Timeout = 5,
Session-Timeout = 5,
Fall-Through = yes

Thanks in advance for any help.

Best regards,
Primoz Jeroncic
Support - IP/VoIP Connectivity & Routing
---
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2   fax:  +386 1 562 18 55   |   1 + 1 = 3
1236 Trzin  mailto:[EMAIL PROTECTED] | for larger values of 1
Slovenija   http://www.softnet.si/primoz
---




Re: Fwd: (RADIATOR) Odyssey client and Radiator - Question

2003-03-04 Thread Steve Caporossi
It seems to me that the accounting is useless if everything appears to 
come from "anonymous".  Is there a way to configure radiator so it 
records the actual username that authenticated?  Funk says this will be 
possible in the new release of their radius server and suggests I buy 
it...not acceptable to us.



Thanks, Steve

Mike McCauley wrote:
Hello Steve,



Begin forwarded message:

From: Steve Caporossi <[EMAIL PROTECTED]>
Date: Tue Mar 4, 2003  00:38:57 Australia/Melbourne
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Odyssey client and Radiator - Question
We are evaluating the Odyssey client for authenticating our wireless
users via TTLS.  I noticed that unless a user sets their username
under the TTLS settings tab, "anonymous" is recorded in the logs.  Is
anyone else using this client and, have you come up with a workaround
for this behavior?

This is the normal and expected behaviour for TTLS. They put anonymous by 
default in the outer request so that the 'real' user name is not available 
for sniffing.

The downside is that the Radius requests all appear to be from 'anonymous'.

You can change this behaviour in the Odyssey client by editing the 
Profile/TTLS Setting page, and changing the 'Anonymous name:' field.

Hope that helps.

Cheers.



Thanks,
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083




--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083


Re: Fwd: (RADIATOR) Odyssey client and Radiator - Question

2003-03-03 Thread Mike McCauley
Hello Steve,


> Begin forwarded message:
> > From: Steve Caporossi <[EMAIL PROTECTED]>
> > Date: Tue Mar 4, 2003  00:38:57 Australia/Melbourne
> > To: [EMAIL PROTECTED]
> > Subject: (RADIATOR) Odyssey client and Radiator - Question
> >
> > We are evaluating the Odyssey client for authenticating our wireless
> > users via TTLS.  I noticed that unless a user sets their username
> > under the TTLS settings tab, "anonymous" is recorded in the logs.  Is
> > anyone else using this client and, have you come up with a workaround
> > for this behavior?

This is the normal and expected behaviour for TTLS. They put anonymous by 
default in the outer request so that the 'real' user name is not available 
for sniffing.

The downside is that the Radius requests all appear to be from 'anonymous'.

You can change this behaviour in the Odyssey client by editing the 
Profile/TTLS Setting page, and changing the 'Anonymous name:' field.

Hope that helps.

Cheers.


> >
> > Thanks,
> > --
> > Steve Caporossi
> > Network Systems Engineer
> > Center for Computing and Information Technology
> > Medical University of South Carolina
> > 843.876.5083
> >
> >



(RADIATOR) Odyssey client and Radiator - Question

2003-03-03 Thread Steve Caporossi
We are evaluating the Odyssey client for authenticating our wireless 
users via TTLS.  I noticed that unless a user sets their username under 
the TTLS settings tab, "anonymous" is recorded in the logs.  Is anyone 
else using this client and, have you come up with a workaround for this 
behavior?

Thanks,
--
Steve Caporossi
Network Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina
843.876.5083


Re: (RADIATOR) Question on Make Test error [Radiator 3.5 on Solaris 2.8]

2003-02-24 Thread Hugh Irvine

Hello Kiaran -

Could you please send me the name of the registered company that has purchased this copy of Radiator?

Please reply to me directly and include the username that you use to access the web site.

thanks and regards

Hugh


On Tuesday, Feb 25, 2003, at 14:05 Australia/Melbourne, [EMAIL PROTECTED] wrote:

Hello,

I ran into several "not ok" when doing the "Make Test" for Radiator 3.5 on Solaris 2.8:
not ok 5a
not ok 5d
not ok 5f

Can you tell me what could be the cause? am I missing a particular file?

Thanks in advance,
Kiaran


# /usr/local/ActivePerl-5.6/bin/perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for Radius
#
# /usr/local/ActivePerl-5.6/bin/perl test.pl
Starting tests...
Starting 2 test servers. Please wait...
This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

ok 1a
ok 1b
ok 1c
ok 1d
ok 1e
ok 2a
ok 2b
ok 2c
ok 2d
ok 2e
ok 2f
ok 2g
ok 2h
ok 2i
ok 2j
ok 2k
ok 2l
ok 2m
ok 2n
ok 2o
ok 2p
ok 2q
ok 2r
ok 2s
ok 2t
ok 2u
ok 2v
ok 2x
ok 2y
ok 2z
ok 3a
ok 3b
ok 3c
ok 3d
ok 3e
ok 3f
ok 3g
ok 3h
ok 4a
ok 4b
ok 4c
not ok 5a
ok 5b
ok 5c
not ok 5d
ok 5e
not ok 5f
ok 5g
ok 6a
ok 6b
ok 6c
ok 6d
ok 6e
ok 6f
ok 6g
ok 6h
ok 7a
ok 7b
ok 7c
ok 8a
ok 8b
Tests completed
sh: kill: no such process
#






(RADIATOR) Question on Make Test error [Radiator 3.5 on Solaris 2.8]

2003-02-24 Thread KiaranZobel
Hello,

I ran into several "not ok" when doing the "Make Test" for Radiator 3.5 on Solaris 2.8:
not ok 5a
not ok 5d
not ok 5f

Can you tell me what could be the cause? am I missing a particular file?

Thanks in advance,
Kiaran


# /usr/local/ActivePerl-5.6/bin/perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for Radius
# 
# /usr/local/ActivePerl-5.6/bin/perl test.pl
Starting tests...
Starting 2 test servers. Please wait...
This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see 
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

This Radiator license will expire on 2003-06-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see 
http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]

ok 1a
ok 1b
ok 1c
ok 1d
ok 1e
ok 2a
ok 2b
ok 2c
ok 2d
ok 2e
ok 2f
ok 2g
ok 2h
ok 2i
ok 2j
ok 2k
ok 2l
ok 2m
ok 2n
ok 2o
ok 2p
ok 2q
ok 2r
ok 2s
ok 2t
ok 2u
ok 2v
ok 2x
ok 2y
ok 2z
ok 3a
ok 3b
ok 3c
ok 3d
ok 3e
ok 3f
ok 3g
ok 3h
ok 4a
ok 4b
ok 4c
not ok 5a
ok 5b
ok 5c
not ok 5d
ok 5e
not ok 5f
ok 5g
ok 6a
ok 6b
ok 6c
ok 6d
ok 6e
ok 6f
ok 6g
ok 6h
ok 7a
ok 7b
ok 7c
ok 8a
ok 8b
Tests completed
sh: kill: no such process
# 


Re: (RADIATOR) question on AuthSQLStatement

2002-12-30 Thread Hugh Irvine

Hello Seung Park -

There is no mechanism currently to access the results of an 
AuthSQLStatement later during packet processing.

This is why I suggested a PostAuthHook to post-process the results of 
the AuthSelect/AuthColumnDef in my other mail.

Of course, you can also run SQL statements directly in a hook as well.

regards

Hugh


On Monday, Dec 30, 2002, at 22:50 Australia/Melbourne, Seung Park wrote:

I understand that the AuthSQLStatement allows arbitrary sql statements 
to be run at sundry points in the request process. Is there any way to 
access the results of those AuthSQLStatements?

For example, if my AuthSQLStatement  executes: select data1, data2, 
data3 from table_XX where data1 = "ABC", how do I get at the returned 
value of the select?


Thank you,
S.Park





(RADIATOR) question on AuthSQLStatement

2002-12-30 Thread Seung Park
I understand that the AuthSQLStatement allows arbitrary sql statements 
to be run at sundry points in the request process. Is there any way to 
access the results of those AuthSQLStatements?

For example, if my AuthSQLStatement  executes: select data1, data2, 
data3 from table_XX where data1 = "ABC", how do I get at the returned 
value of the select?


Thank you,
S.Park




Re: (RADIATOR) Question

2002-11-12 Thread Hugh Irvine

Hello Chris -

Keep in mind that there are two different things going on in this 
scenario. The first is authentication which checks the username and 
password (and does whatever checks are required), and the second is 
accounting which is used to manage the session database.

You should get the information from the database and return it to the 
NAS in the accept in a "Class" attribute. Then you can use the contents 
of the Class attribute which is included in the accounting requests in 
your own session database queries.

Have a look at sections 6.7 and 6.28 in the Radiator 3.3.1 reference 
manual ("doc/ref.html").

regards

Hugh


On Tuesday, Nov 12, 2002, at 18:14 Canada/Eastern, Chris Kay wrote:


Questions is...

I wish to pull some information from a db while auth and then set that
information in the session db.

Would I set this then pull it and enter it, or can I make it global or
something?

Any help is grateful


-
Chris Kay (Systems Development)
Techex Communications
Website: www.techex.com.au Email: [EMAIL PROTECTED]
Telephone: 1300 88 111 2 - Fax: (02) 9970 5788
-





NB: I am travelling this week, so there may be delays in our 
correspondence.

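Two points from this thread and from the Orinoco AP-2500 thread above, as an added Python example that is not code from this list or from Radiator: decoding a captured RADIUS reply into its attribute list so one server's reply can be compared with another's, and the Class round trip Hugh describes (server issues an opaque token in the Access-Accept, the NAS echoes it unmodified in its accounting requests, the accounting side reads it back). Packet bytes, authenticators and the Class token are constructed, and the NAS is modelled by a function rather than a real device.

```python
"""RADIUS attribute decoding and the Class round trip.

Added example, not code from this thread or from Radiator.  Attribute type
codes and enumerated values are from RFC 2865 / RFC 2866; the Class
behaviour modelled here is RFC 2865 section 5.25: the NAS sends the Class
it received in the Access-Accept unmodified in its accounting requests.
Packet bytes, authenticators and the token are constructed placeholders.
"""
import struct

USER_NAME, SERVICE_TYPE, FRAMED_PROTOCOL, CLASS, ACCT_STATUS_TYPE = 1, 6, 7, 25, 40
SERVICE_TYPE_FRAMED_USER, FRAMED_PROTOCOL_PPP, ACCT_STATUS_START = 2, 1, 1
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 7: "Framed-Protocol",
              25: "Class", 40: "Acct-Status-Type"}
INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL, ACCT_STATUS_TYPE}
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator


def u32(n):
    return struct.pack("!I", n)


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs; length counts all octets."""
    out = b""
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLVs into [(type, value_bytes), ...], rejecting lengths that lie."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length %d out of range" % length)
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(raw):
    """Return (code, identifier, attrs); the Length field, not the datagram size, bounds parsing."""
    if len(raw) < HEADER.size:
        raise ValueError("short packet")
    code, identifier, length, _auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("bad Length field")
    return code, identifier, decode_attrs(raw[HEADER.size:length])


def describe(raw):
    """Attribute list as names and values: the view to compare between two servers' replies."""
    _code, _ident, attrs = parse_packet(raw)
    lines = []
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type in INTEGER_ATTRS and len(value) == 4:
            lines.append("%s=%d" % (name, struct.unpack("!I", value)[0]))
        else:
            lines.append("%s=%r" % (name, value))
    return lines


def access_accept(identifier, authenticator, class_token):
    """Access-Accept carrying the AddToReply items from the AP-2500 thread plus a Class token."""
    return build_packet(ACCESS_ACCEPT, identifier, authenticator, [
        (SERVICE_TYPE, u32(SERVICE_TYPE_FRAMED_USER)),
        (FRAMED_PROTOCOL, u32(FRAMED_PROTOCOL_PPP)),
        (CLASS, class_token),
    ])


def nas_accounting_request(accept_raw, username, status_type, identifier, authenticator):
    """Model of the NAS: every Class from the Accept is echoed unmodified into accounting."""
    _code, _ident, attrs = parse_packet(accept_raw)
    echoed = [(t, v) for t, v in attrs if t == CLASS]
    return build_packet(ACCOUNTING_REQUEST, identifier, authenticator,
                        [(USER_NAME, username.encode()),
                         (ACCT_STATUS_TYPE, u32(status_type))] + echoed)


def class_from_accounting(acct_raw):
    """What the session-database query sees: the token issued at authentication, or None."""
    code, _ident, attrs = parse_packet(acct_raw)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    return next((v for t, v in attrs if t == CLASS), None)
```

The token is opaque to the NAS and comes back byte for byte, so whatever the session-database query needs (a customer or plan identifier here) can be put there at authentication time and read from every Start and Stop.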


(RADIATOR) Question

2002-11-12 Thread Chris Kay

Questions is...

I wish to pull some information from a db while auth and then set that
information in the session db.

Would I set this then pull it and enter it, or can I make it global or
something?

Any help is grateful


- 
Chris Kay (Systems Development) 
Techex Communications 
Website: www.techex.com.au Email: [EMAIL PROTECTED] 
Telephone: 1300 88 111 2 - Fax: (02) 9970 5788 
-  




Re: Fwd: (RADIATOR) Question on FailurePolicy within SQLRADIUS

2002-11-06 Thread Mike McCauley
Hi Martin,

On Wed, 6 Nov 2002 18:58, Hugh Irvine wrote:
> Mikey -
>
> Could you answer Martin please?
>
> ta
>
> Hugh
>
> Begin forwarded message:
> > From: "Martin Edge" <[EMAIL PROTECTED]>
> > Date: Wed Nov 6, 2002  9:17:50 AM Australia/Melbourne
> > To: "Radiator" <[EMAIL PROTECTED]>
> > Subject: (RADIATOR) Question on FailurePolicy within SQLRADIUS
> >
> > Hey Guys,
> >
> > Quick question (well, it might not be ;)), I have a feeling I might
> > have
> > asked something along the same lines before..
> >
> > But I'm trying to test the FailurePolicy settings within SQLRADIUS.
> > Having a
> > look..
> >
> > Now, within the code, it's saying if HostColumnDef exists, then use
> > getHostColumns in order to set the current configuration for the next
> > host
> > to proxy to. When the failurepolicy is set from retrieving the server,
> > I'm
> > trying to confirm whether it would be assigning the FailurePolicy to
> > that
> > one server, just for that request, or to a group of packets to the same
> > destination server port pair.

The failure policy from the database is used to set a flag in the request 
packet. So the policy you get applies to just that request sent to just that 
server. Obviously, the failurePolicy will usually be exactly the same for 
every request sent to a particular server, but it doesn't have to be so.


> >
> > $fp is used within the code here, but I'm not sure what that is referencing
> > .. Appears to be the current packet instance ?

$fp refers to the packet currently being forwarded.


> >
> > Technically, if there is no host to proxy to (which I'm guessing is quite
> > possible as there is no single identifier for a destination proxy; this is
> > that NumHosts debacle again), then it will fall back to the superclass to
> > fall back to any hardwired hosts. At which point does it honor the
> > failurepolicy?

If no host comes from the database, then there is no host to proxy to and 
therefore the failure policy has no meaning (recall the policy defines what 
to do if there is no reply to a proxied packet)

If no host comes from the database, it falls back to any hardwired hosts in 
AuthBy SQLRADIUS.

> >
> > Is the expectation that a FailurePolicy will only be used when the hosts
> > that "are" available are being ignored?
...are not replying. Yes.

> > Not when HostSelect returns no
> > results on the second attempt for those downstreams with an additional
> > RADIUS server (as defined by the limitations of NumHosts) that don't
> > exist?
Correct.

> >
> > I guess the global issue appears to be that a downstream proxy customer
> > isn't "identified" as anyone in particular within the RADIUS code.
> >
> > Are there any plans for development within the SQLRADIUS module to
> > create a pseudo-identifier, to give the ability to configure information
> > about the downstream and set statistics etc. for each Downstream
> > Identifier within the SQLRADIUS results? Or is this too specific and
> > would be best hiding in its own AuthBy Module?

No current plans for SQLRADIUS, but obvious and generally felt deficiencies 
will (as always) be addressed. Discussion is welcome.

> >
> > Hope I'm not being too confusing :-)
> >
> > Regards,
> > Martin Edge
> > Software/Network Engineer
> > KBS Internet
> >
> > Phone: 1300 727 205
> > Web: http://www.kbs.net.au/
> > Extranet: http://xray.kbs.net.au/
> > eMail: [EMAIL PROTECTED]
> > -=-=-=-
> >
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS etc on Unix, Windows, MacOS etc.




Re: (RADIATOR) Question about "Calls" table

2002-11-06 Thread Hugh Irvine

Hello Lin -

This is because the default format for integer-date is being used.

If you want to change it you should specify your own DateFormat.

See sections 6.28.14 and 6.3 in the Radiator 3.3.1 reference manual.

regards

Hugh


On Wednesday, November 6, 2002, at 07:55 AM, Huaikun Lin wrote:


Hi Hugh

Here is my radius configuration:
Foreground
LogStdout
LogDir  /var/log/radius
DbDir   /local/etc/radius
PidFile /var/run/radiusd.pid
SnmpgetProg /local/bin/snmpget
AuthPort1645
AcctPort1646
Trace 3


...



RewriteUsername s/^([^@]+).*/$1/

# You can use this to force Radiator to limit
# maximum session times to how many minutes
# are left in subaccounts.timeleft
DefaultSimultaneousUse 1
TimeBanking
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual
DBSourcedbi:Sybase:server=xxx;database=xxx
DBUsername  
DBAuth  

# You can add to or change these if you want.
AccountingTable Calls
AcctColumnDef   UserName,User-Name
AcctColumnDef   CallDate,Timestamp,integer-date
AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
AcctColumnDef   AcctSessionId,Acct-Session-Id
AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
AcctColumnDef   AcctTerminateCause,Ascend-Disconnect-Cause,integer
#   AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
#   AcctColumnDef   NASIdentifier,NAS-Identifier
AcctColumnDef   NASIdentifier,NAS-IP-Address
AcctColumnDef   NASPort,NAS-Port,integer

AddATDefaults
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check

# Log all accounting into daily log files
AcctLogFileName /var/log/radius/log/%Y%m%d.act



RewriteUsername s/^([^@]+).*/$1/
# If Platypus rejects the login, forward it to the old Radius server
#AuthByPolicy ContinueUntilAccept
PasswordLogFileName %L/password.log



# You can use this to force Radiator to limit
# maximum session times to how many minutes
# are left in subaccounts.timeleft
DefaultSimultaneousUse 1
TimeBanking
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual
DBSourcedbi:Sybase:server=;database=xxx
DBUsername  xx
DBAuth  xx
AddATDefaults
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check



Filename %D/users


Filename %D/users





The following is one example of trace 4 debug:

Thu Sep  5 23:00:03 2002: DEBUG: Packet dump:
*** Received from 203.96.xx.xx port 39577 
Code:   Access-Request
Identifier: 167
Authentic:  <0><0>X<242><0><0><0>,4<0><0>B<173>
Attributes:
Proxy-Action = "AUTHENTICATE"
User-Name = "andy.hema"
User-Password = "<184>/<213><9>gG<19><237>4<177><232><252><250><2><23> "
NAS-IP-Address = 192.168.8.253
NAS-Port = 278
Acct-Session-Id = "18159809"
USR-Interface-Index = 1534
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 2
Chassis-Call-Span = 1
Chassis-Call-Channel = 22
Calling-Station-Id = ""
Called-Station-Id = "1900"
Connect-Speed = NONE
NAS-Port-Type = Async
User-Id = "andy.hema"
NAS-Identifier = "ipw1-n1-15.ipnet.telecom.co.nz"
User-Realm = "actrix"
Proxy-State = 0

Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler  should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Handling request with Handler ''
Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG:  Deleting session for andy.hema, 192.168.8.253, 278
Thu Sep  5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253' and NASPORT=0278

Thu Sep  5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep  5 23:00:03 
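Hugh's point above is that the default integer-date rendering carries no seconds, so the database fills them with zero, and a DateFormat that includes seconds fixes it. The following is an added example, not Radiator's code: it renders the same timestamp in a default-style format and in a format with seconds, stores each through a parameterized insert into an in-memory SQLite table, and parses each stored value back the way a database would. The default format string is inferred from the insert statement quoted in this thread and is an assumption, as is the strftime-style token set it handles.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed renderings (example code, not Radiator's): DEFAULT_FORMAT is
# inferred from the 'Nov  5, 2002 12:10' seen in the thread's insert
# statement; FULL_FORMAT keeps the seconds the default drops.
DEFAULT_FORMAT = "%b %e, %Y %H:%M"
FULL_FORMAT = "%Y-%m-%d %H:%M:%S"


def format_calldate(timestamp, fmt):
    """Render a Unix timestamp (taken as UTC) with a strftime-style format."""
    dt = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    # %e (space-padded day) is not portable in Python's strftime; fill it by hand.
    fmt = fmt.replace("%e", f"{dt.day:>2}")
    return dt.strftime(fmt)


def seconds_retained(rendered, fmt):
    """Parse a stored CallDate back (as the database would) and return its seconds."""
    return datetime.strptime(rendered, fmt.replace("%e", "%d")).second


def store_call(conn, username, timestamp, session_time, fmt):
    """Insert one accounting row; values are bound, not concatenated into the SQL."""
    conn.execute(
        "insert into Calls (UserName, CallDate, AcctSessionTime) values (?, ?, ?)",
        (username, format_calldate(timestamp, fmt), session_time),
    )


def stored_calldates(conn):
    return [row[0] for row in conn.execute("select CallDate from Calls order by rowid")]


def demo(timestamp):
    """Store the same event with both formats and return what the table holds."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Calls (UserName text, CallDate text, AcctSessionTime integer)")
    store_call(conn, "test", timestamp, 14466, DEFAULT_FORMAT)
    store_call(conn, "test", timestamp, 14466, FULL_FORMAT)
    rows = stored_calldates(conn)
    conn.close()
    return rows


if __name__ == "__main__":
    # Constructed timestamp for the demonstration: 2002-11-05 12:05:23 UTC.
    for row in demo(1036497923):
        print(row, "-> seconds kept:",
              seconds_retained(row, FULL_FORMAT if row[4] == "-" else DEFAULT_FORMAT))
```

The insert statement quoted in the thread builds its SQL by concatenating values into the string; binding parameters as `store_call` does keeps a value such as a User-Name containing a quote from altering the statement, and it is independent of which DateFormat is chosen.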

(RADIATOR) Question on FailurePolicy within SQLRADIUS

2002-11-05 Thread Martin Edge
Hey Guys,

Quick question (well, it might not be ;)), I have a feeling I might have
asked something along the same lines before..

But I'm trying to test the FailurePolicy settings within SQLRADIUS. Having a
look..

Now, within the code, it's saying if HostColumnDef exists, then use
getHostColumns in order to set the current configuration for the next host
to proxy to. When the failurepolicy is set from retrieving the server, I'm
trying to confirm whether it would be assigning the FailurePolicy to that
one server, just for that request, or to a group of packets to the same
destination server port pair.

$fp is used within the code here, but I'm not sure what that is referencing
.. Appears to be the current packet instance ?

Technically, if there is no host to proxy to (which I'm guessing is quite
possible as there is no single identifier for a destination proxy; this is
that NumHosts debacle again), then it will fall back to the superclass to
fall back to any hardwired hosts. At which point does it honor the
failurepolicy?

Is the expectation that a FailurePolicy will only be used when the hosts
that "are" available are being ignored? Not when HostSelect returns no
results on the second attempt for those downstreams with an additional
RADIUS server (as defined by the limitations of NumHosts) that don't exist?

I guess the global issue appears to be that a downstream proxy customer
isn't "identified" as anyone in particular within the RADIUS code.

Are there any plans for development within the SQLRADIUS module to create a
pseudo-identifier, to give the ability to configure information about the
downstream and set statistics etc. for each Downstream Identifier within
the SQLRADIUS results? Or is this too specific and would be best hiding
in its own AuthBy Module?

Hope I'm not being too confusing :-)

Regards,
Martin Edge
Software/Network Engineer
KBS Internet

Phone: 1300 727 205
Web: http://www.kbs.net.au/
Extranet: http://xray.kbs.net.au/
eMail: [EMAIL PROTECTED]
-=-=-=-




Re: (RADIATOR) Question about "Calls" table

2002-11-05 Thread Huaikun Lin
Hi Hugh

Here is my radius configuration:
Foreground
LogStdout
LogDir  /var/log/radius
DbDir   /local/etc/radius
PidFile /var/run/radiusd.pid
SnmpgetProg /local/bin/snmpget
AuthPort1645
AcctPort1646
Trace 3


...



RewriteUsername s/^([^@]+).*/$1/

# You can use this to force Radiator to limit
# maximum session times to how many minutes
# are left in subaccounts.timeleft
DefaultSimultaneousUse 1
TimeBanking
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual
DBSourcedbi:Sybase:server=xxx;database=xxx
DBUsername  
DBAuth  

# You can add to or change these if you want.
AccountingTable Calls
AcctColumnDef   UserName,User-Name
AcctColumnDef   CallDate,Timestamp,integer-date
AcctColumnDef   AcctStatusType,Acct-Status-Type,integer
AcctColumnDef   AcctDelayTime,Acct-Delay-Time,integer
AcctColumnDef   AcctOutputOctets,Acct-Output-Octets,integer
AcctColumnDef   AcctSessionId,Acct-Session-Id
AcctColumnDef   AcctSessionTime,Acct-Session-Time,integer
AcctColumnDef   AcctTerminateCause,Ascend-Disconnect-Cause,integer
#   AcctColumnDef   AcctTerminateCause,Acct-Terminate-Cause,integer
#   AcctColumnDef   NASIdentifier,NAS-Identifier
AcctColumnDef   NASIdentifier,NAS-IP-Address
AcctColumnDef   NASPort,NAS-Port,integer

AddATDefaults
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check

# Log all accounting into daily log files
AcctLogFileName /var/log/radius/log/%Y%m%d.act



RewriteUsername s/^([^@]+).*/$1/
# If Platypus rejects the login, forward it to the old Radius server
#AuthByPolicy ContinueUntilAccept
PasswordLogFileName %L/password.log



# You can use this to force Radiator to limit
# maximum session times to how many minutes
# are left in subaccounts.timeleft
DefaultSimultaneousUse 1
TimeBanking
# Change DBSource, DBUsername, DBAuth for your database
# See the reference manual
DBSourcedbi:Sybase:server=;database=xxx
DBUsername  xx
DBAuth  xx
AddATDefaults
AuthSelect ,sa.LoginLimit
AuthColumnDef 0,Simultaneous-Use,check



Filename %D/users


Filename %D/users





The following is one example of trace 4 debug:

Thu Sep  5 23:00:03 2002: DEBUG: Packet dump:
*** Received from 203.96.xx.xx port 39577 
Code:   Access-Request
Identifier: 167
Authentic:  <0><0>X<242><0><0><0>,4<0><0>B<173>
Attributes:
Proxy-Action = "AUTHENTICATE"
User-Name = "andy.hema"
User-Password = "<184>/<213><9>gG<19><237>4<177><232><252><250><2><23> "
NAS-IP-Address = 192.168.8.253
NAS-Port = 278
Acct-Session-Id = "18159809"
USR-Interface-Index = 1534
Service-Type = Framed-User
Framed-Protocol = PPP
Chassis-Call-Slot = 2
Chassis-Call-Span = 1
Chassis-Call-Channel = 22
Calling-Station-Id = ""
Called-Station-Id = "1900"
Connect-Speed = NONE
NAS-Port-Type = Async
User-Id = "andy.hema"
NAS-Identifier = "ipw1-n1-15.ipnet.telecom.co.nz"
User-Realm = "actrix"
Proxy-State = 0

Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Realm=twor.ac.nz should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler Request-Type = Accounting-Request should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Check if Handler  should be used to handle this request
Thu Sep  5 23:00:03 2002: DEBUG: Handling request with Handler ''
Thu Sep  5 23:00:03 2002: DEBUG: Rewrote user name to andy.hema
Thu Sep  5 23:00:03 2002: DEBUG:  Deleting session for andy.hema, 192.168.8.253, 278
Thu Sep  5 23:00:03 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.168.8.253' and NASPORT=0278

Thu Sep  5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep  5 23:00:03 2002: DEBUG: Handling with Radius::AuthEMERALD
Thu Sep  5 23:00:03 2002: DEBUG: Query is: select DateAdd(Day, ma.extension+ma.overdue, maExpireDate),
DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType,
sa.password, sa.login, sa.shell, sa.TimeLeft ,sa.LoginLimit
from masteraccounts ma, subacco

Re: (RADIATOR) Question about "Calls" table

2002-11-04 Thread Hugh Irvine

Hello Lin -

I will need to see a copy of your Radiator configuration file (no  
secrets) together with a trace 4 debug showing what is happening.

regards

Hugh


On Tuesday, November 5, 2002, at 10:21 AM, Huaikun Lin wrote:

Hi

I am using SQL server and radiator 3.1 radius.

In SQL server,we have a table "calls" which records the accounting  
data.

Recently, I found the data in one of the fields, "CallDate" (data
type: datetime), is not exactly accurate. This data type should record
data like "2002-11-05 12:05:23". But the actual data is something like
"2002-11-05 12:05:00", where the "second" field is always 0.
(The year, month, day, hour, min are right.)

When I check the radius debug, I can see the "Insert" statement doesn't include
the "second" field, which makes the data not 100% accurate:

insert into Calls
(UserName,AcctStatusType,NASPort,CallDate,AcctSessionId,AcctInputOctets,AcctSessionTime,AcctOutputOctets)
values ('test',2,541262250,'Nov  5, 2002 12:10','204301AA-3DC6C5C6',25 45013,14466,66242572)

I think the insert statement in the radius script causes the inaccuracy.

If there is no "second" field in there, the SQL database makes it "00".

Is there any way to fix that?

How do I fix it?

Lin



NB: I am travelling this week, so there may be delays in our  
correspondence.



(RADIATOR) Question about "Calls" table

2002-11-04 Thread Huaikun Lin
Hi

I am using SQL server and radiator 3.1 radius.

In SQL server,we have a table "calls" which records the accounting data.

Recently, I found the data in one of the fields, "CallDate" (data
type: datetime), is not exactly accurate. This data type should record
data like "2002-11-05 12:05:23". But the actual data is something like
"2002-11-05 12:05:00", where the "second" field is always 0.
(The year, month, day, hour, min are right.)

When I check the radius debug, I can see the "Insert" statement doesn't include
the "second" field, which makes the data not 100% accurate:

insert into Calls
(UserName,AcctStatusType,NASPort,CallDate,AcctSessionId,AcctInputOctets,AcctSessionTime,AcctOutputOctets)
values ('test',2,541262250,'Nov  5, 2002 12:10','204301AA-3DC6C5C6',25 45013,14466,66242572)

I think the insert statement in the radius script causes the inaccuracy.

If there is no "second" field in there, the SQL database makes it "00".

Is there any way to fix that?

How do I fix it?

Lin




Re: (RADIATOR) Question about AcctSQLStatement.

2002-10-23 Thread Hugh Irvine

Hello Sergio -

From section 6.2 in the Radiator 3.3.1 reference manual:

	%%  The percent character

regards

Hugh


On Thursday, October 24, 2002, at 02:44 AM, Sergio Gonzalez wrote:


Hello.

I'm having problems with the next SQL statement for accounting

AcctSQLStatement update TABLENAME set VALUE=0%{Acct-Session-Time} 
where ROW='%n' and
DATE_FORMAT(FROM_UNIXTIME(0%{Timestamp}),'%d-%m-%y') = 'mm-dd-yy'

where mm-dd-yy is a date value in that format. Well, if I do this in mysql 
(obviously replacing 0%{Timestamp} with a valid value):

SELECT DATE_FORMAT(FROM_UNIXTIME('01035767266'),'%d-%m-%y') = 
'mm-dd-yy';

it works well. The format of the 
FROM_UNIXTIME(0%{Timestamp}-0%{Acct-Session-Time}) is rewritten as 
mm-dd-yy and then I can compare them, but the problem is when I try to 
do the same SQL statement with radius; the %d, %m and the %y don't 
mean the same. Those "wildcards" are being interpreted as the actual 
day, month and year of the box running radius.

How do I escape or make radius send to mysql the string "%d-%m-%y" 
without interpreting them?


Sergio Alejandro Gonzalez
Director Operativo
Network and Services Field Manager
SkyNet de Colombia.
Calle 100 No. 8A-55 Of. 711
Bogota, Cundinamarca
Colombia, South America.
Tel: 57 (+1) 6 422 020
Cel: 57 (+3)/(03315) 3551034
Pager: 540, 346 Cod 2010




NB: I am travelling this week, so there may be delays in our 
correspondence.

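Hugh's answer is that `%%` is how a literal percent sign gets past Radiator's own substitution and reaches MySQL. As an added example, not Radiator's code, the following implements a small expander for the subset of `%` specials that appear in this thread (`%n`, `%{Attribute}`, `%d`/`%m`/`%y` for the server's current day/month/year, and `%%`) and runs Sergio's statement through it twice: once as posted, once with the MySQL format string escaped. The real server supports far more specials; this subset, the request attributes and the clock value are assumptions made for illustration.

```python
from datetime import date


def expand_specials(template, request, today):
    """Expand the assumed subset of Radiator-style % specials (example code)."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if nxt == "%":                      # %% -> a literal % that MySQL will see
            out.append("%")
            i += 2
        elif nxt == "{":                    # %{Attr} -> attribute value ('' if absent)
            end = template.index("}", i)
            out.append(str(request.get(template[i + 2:end], "")))
            i = end + 1
        elif nxt == "n":                    # %n -> User-Name
            out.append(str(request.get("User-Name", "")))
            i += 2
        elif nxt == "d":                    # %d/%m/%y -> the server's current date
            out.append(f"{today.day:02d}")
            i += 2
        elif nxt == "m":
            out.append(f"{today.month:02d}")
            i += 2
        elif nxt == "y":
            out.append(f"{today.year % 100:02d}")
            i += 2
        else:                               # unknown special: pass through unchanged
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed request and clock for the demonstration (not from the post).
REQUEST = {"User-Name": "someuser", "Timestamp": 1035767266, "Acct-Session-Time": 120}
TODAY = date(2002, 10, 23)

# The statement as posted (the leading 0 in 0%{...} keeps the expression
# numeric when the attribute is absent), and the same statement with the
# MySQL format string escaped so Radiator hands '%d-%m-%y' through untouched.
NAIVE = ("update TABLENAME set VALUE=0%{Acct-Session-Time} where ROW='%n' and "
         "DATE_FORMAT(FROM_UNIXTIME(0%{Timestamp}),'%d-%m-%y') = 'mm-dd-yy'")
ESCAPED = NAIVE.replace("'%d-%m-%y'", "'%%d-%%m-%%y'")


def render(template):
    """What the database receives after Radiator's substitution (in this model)."""
    return expand_specials(template, REQUEST, TODAY)


if __name__ == "__main__":
    print(render(NAIVE))     # the date format has become the server's own date
    print(render(ESCAPED))   # '%d-%m-%y' survives for MySQL to interpret
```

Note that `%n` drops the raw User-Name inside the quotes of the statement; the expander above does no SQL quoting, so a username containing a quote character would change the statement's shape. The example is only about the `%%` escape, and any attribute value interpolated into AcctSQLStatement still needs to be quoted for the database.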


(RADIATOR) Question about AcctSQLStatement.

2002-10-23 Thread Sergio Gonzalez
Hello.

I'm having problems with the next SQL statement for accounting

AcctSQLStatement update TABLENAME set VALUE=0%{Acct-Session-Time} where 
ROW='%n' and
DATE_FORMAT(FROM_UNIXTIME(0%{Timestamp}),'%d-%m-%y') = 'mm-dd-yy'

where mm-dd-yy is a date value in that format. Well, if I do this in mysql 
(obviously replacing 0%{Timestamp} with a valid value):

SELECT DATE_FORMAT(FROM_UNIXTIME('01035767266'),'%d-%m-%y') = 'mm-dd-yy';

it works well. The format of the 
FROM_UNIXTIME(0%{Timestamp}-0%{Acct-Session-Time}) is rewritten as 
mm-dd-yy and then I can compare them, but the problem is when I try to do 
the same SQL statement with radius; the %d, %m and the %y don't mean the 
same. Those "wildcards" are being interpreted as the actual day, month and 
year of the box running radius.

How do I escape or make radius send to mysql the string "%d-%m-%y" without 
interpreting them?


Sergio Alejandro Gonzalez
Director Operativo
Network and Services Field Manager
SkyNet de Colombia.
Calle 100 No. 8A-55 Of. 711
Bogota, Cundinamarca
Colombia, South America.
Tel: 57 (+1) 6 422 020
Cel: 57 (+3)/(03315) 3551034
Pager: 540, 346 Cod 2010



(RADIATOR) Question about Radmin 1.6 feature

2002-09-22 Thread Chairath K



Hi All,

About the Email to users feature in Radmin 1.6, can we configure it to
automatically send email to notify our customers that their user
account will finish (e.g. timeleft has less than 1 hr,
or account will expire in 5 days)?

Regards,
Chairath

P.S. Can we run Radmin 1.6 with Radiator 2.18.2?


Re: (RADIATOR) Question...

2002-05-26 Thread Hugh Irvine


Hello Stephen -

Have a look at "buildsql" in the Radiator distribution.

Section 10 in the Radiator 3.1 reference manual.
("doc/ref.html")

regards

Hugh


On Mon, 27 May 2002 10:21, Stephen Malenshek wrote:
> I was wondering if anyone has a script to import password and shadow files
> into a sql database authentication format.  I do not know a whole lot about
> writing perl scripts so I am not able to accomplish this on my own.  Thanks
> in advance.




(RADIATOR) Question...

2002-05-26 Thread Stephen Malenshek

I was wondering if anyone has a script to import password and shadow files 
into a sql database authentication format.  I do not know a whole lot about 
writing perl scripts so I am not able to accomplish this on my own.  Thanks 
in advance.

-- 

Stephen Malenshek
President/CEO
Valuelinx Corporation
[EMAIL PROTECTED]

_
Post Office Box 1966Phone:  (479) 996-9064
#11 North Main Street   Fax:(479) 996-9444
Greenwood, Arkansas  72936  Alt. Fax:   (479) 546-0007
Toll-Free: (877) 996-9064
_



Re: (RADIATOR) question

2002-04-21 Thread Hugh Irvine


Hello Arnulfo -

How are you programming the amount of time that a user is allowed to use? 
Most Radiator users employ an SQL database for user definitions and 
accounting and it is relatively easy to provide pre-paid services such as you 
describe in this way.

This topic has been discussed many times on the mailing list, so have a look 
at the archive site and do a search.

http://www.open.com.au/archives/radiator

regards

Hugh


On Mon, 22 Apr 2002 16:10, Arnulfo Rojas Yanquen wrote:
> Hugh
> our company offers Internet access services; the users hire this service for
> a determined time, and when this time has finished Radiator must prevent the
> user from connecting again. Radiator is not doing this, and I cannot find
> the possible cause.
>
> Radiator is set up over RedHat 7, uses passwd-shadow for authentication, and
> the version is Radiator 2.18.1
> THANKS
>
> Arnulfo
>
>




(RADIATOR) question

2002-04-21 Thread Arnulfo Rojas Yanquen


Hugh
our company offers Internet access services; the users hire this service for a 
determined time, and when this time has finished Radiator must prevent the 
user from connecting again. Radiator is not doing this, and I cannot find 
the possible cause.

Radiator is set up over RedHat 7, uses passwd-shadow for authentication, and 
the version is Radiator 2.18.1
THANKS

Arnulfo







Re: (RADIATOR) Question Time

2002-04-21 Thread Hugh Irvine


Hello Mick -

You would use an AuthLog SQL for authentication logging.
See section 6.50 in the Radiator 3.0 reference manual.

For your proxy question I will need to see a copy of your configuration file 
(no secrets) together with a trace 4 debug from Radiator showing what is 
happening.

regards

Hugh


On Mon, 22 Apr 2002 15:02, Michael Saunders wrote:
> I would like to log when users type in the wrong password,
> so I can explain to them how to type their own name correctly.
> I have found in the documentation how to do this with a log file.
> Is there any way to do this into the database instead? We have too
> many operators for a log file.
>
> Also, when you proxy requests across to another radius server, does
> radiator strip any reply attributes you may send? Because I am sending a
> request off to a third party using radiator but my reply attributes never
> make it to the other end. But they have nothing in their config that would
> make me think it is being stripped.
>



(RADIATOR) Question Time

2002-04-21 Thread Michael Saunders

I would like to log when users type in the wrong password,
so I can explain to them how to type their own name correctly.
I have found in the documentation how to do this with a log file.
Is there any way to do this into the database instead? We have too
many operators for a log file.

Also, when you proxy requests across to another radius server, does
radiator strip any reply attributes you may send? Because I am sending a
request off to a third party using radiator but my reply attributes never
make it to the other end. But they have nothing in their config that would
make me think it is being stripped.




Re: (RADIATOR) question

2002-04-21 Thread Hugh Irvine


Hello Arnulfo -

I am not exactly sure what you mean, as Radiator does not normally expire 
user accounts. Can you give me a bit more information about what you want to 
have happen?

regards

Hugh


On Sat, 20 Apr 2002 13:52, Arnulfo Rojas Yanquen wrote:
> Hello,
>
> I work an ISP and  I have a problem with Radiator.
>
> The problem is that Radiator is not expiring the accounts of the users.
>
> Radiator is set up over RedHat 7, uses passwd-shadow for authentication,
> and the version is Radiator 2.18.1
>
> THANKS
>
>
> Sincerely,
>
> =
> Arnulfo Rojas Yanquen.
> Technical Assistant
> ExpressNet S.A.
> [EMAIL PROTECTED]
> Tel: (571) 5 404090
> Fax: (571) 2 491432
> Santafé de Bogotá D.C. - Colombia




(RADIATOR) question

2002-04-21 Thread Arnulfo Rojas Yanquen



 

Hello,

I work at an ISP and I have a problem with Radiator.

The problem is that Radiator is not expiring the accounts of the users.

Radiator is set up over RedHat 7, uses passwd-shadow for authentication,
and the version is Radiator 2.18.1

THANKS


Sincerely,

=
Arnulfo Rojas Yanquen.
Technical Assistant
ExpressNet S.A.
[EMAIL PROTECTED]
Tel: (571) 5 404090
Fax: (571) 2 491432
Santafé de Bogotá D.C. - Colombia


Re: (RADIATOR) Question

2002-03-26 Thread Hugh Irvine


Hello Stephen -

To assign static addresses, you would normally specify the address in the 
reply attributes for the user in whatever user database you have.

In a flat file it would look like this:

# define users
# check attributes on the first line (no trailing comma)
# reply attributes on second and subsequent lines

someuser Password = ., .
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 1.2.3.4,
Framed-IP-Netmask = .,
..

anotheruser Password = .., .
...

If you have any other questions, please contact me.

regards

Hugh

ps - the contents of the goodies directory, such as the wimscomplex example, are 
contributed by Radiator users and are not supported directly by us


On Wed, 27 Mar 2002 08:44, Stephen Malenshek wrote:
> I am trying to implement a new installation of Radiator 3.0 on Red Hat
> 7.2 with a Postgres backend on a separate machine.  I have searched
> through the archives and have a list in regards to static ip address
> assignment from radius and I have yet to find anything regarding this.
> Also, I have taken the wimscomplex example in the goodies and tried to
> adapt it to our environment.  My biggest problem is that I do not
> understand the mappings for the tables in the radius.cfg file for the
> database.  I will admit this, I do not have an extreme amount of
> knowledge of databases and all my experience with radius is with the
> Cistron version, which we have been running for three years.  Everything
> else we are doing is pretty normal and all pools are assigned by the
> nas, but I would be interested in looking at some type of configuration
> to where it issues the assignments.
>
> As a future development plan, I have expectations of converting
> everything for authentication to radius (Exim, ProFTP & Apache) to where
> we have a database of the information instead of local flat files and
> logs of everything.  This to me is our ultimate goal to achieve, and I
> am mentioning this to assess opinions from everyone on what the best way
> to plan for this implementation without slowing the initial down.
> Please let me know.  I would be more than happy to send any information
> necessary on if anyone is interested in helping me with this endeavor.
> Thanks in advance.
>
>
> Stephen Malenshek
> President/CEO
> Valuelinx Corporation
> [EMAIL PROTECTED]
>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.




(RADIATOR) Question

2002-03-26 Thread Stephen Malenshek

I am trying to implement a new installation of Radiator 3.0 on Red Hat
7.2 with a Postgres backend on a separate machine.  I have searched
through the archives and have a list in regards to static IP address
assignment from radius and I have yet to find anything regarding this.
Also, I have taken the wimscomplex example in the goodies and tried to
adapt it to our environment.  My biggest problem is that I do not
understand the mappings for the tables in the radius.cfg file for the
database.  I will admit this, I do not have an extreme amount of
knowledge of databases and all my experience with radius is with the
Cistron version, which we have been running for three years.  Everything
else we are doing is pretty normal and all pools are assigned by the
NAS, but I would be interested in looking at some type of configuration
to where it issues the assignments.

As a future development plan, I have expectations of converting
everything for authentication to radius (Exim, ProFTP & Apache) to where
we have a database of the information instead of local flat files and
logs of everything.  This to me is our ultimate goal to achieve, and I
am mentioning this to assess opinions from everyone on what the best way
to plan for this implementation without slowing the initial down.
Please let me know.  I would be more than happy to send any information
necessary on if anyone is interested in helping me with this endeavor.
Thanks in advance.


Stephen Malenshek
President/CEO
Valuelinx Corporation
[EMAIL PROTECTED]







Re: (RADIATOR) Question

2002-02-01 Thread Hugh Irvine


Hello Steve -

We offer on-site training and consulting services on a contract basis. I have 
copied Joanne on this mail and she will send you the details.

You can set up a users file with a DEFAULT entry like this:

# define DEFAULT to accept everything

DEFAULT Auth-Type = Accept


regards

Hugh


On Sat, 2 Feb 2002 03:44, Steve Rainbow wrote:
> 1. Are there any training courses for Radiator in the UK?
>
> 2. All calls that come into my NAS are automatically forwarded to the
> radius for authentication. Normally, I set up the username/password in a
> User file but also now need to authenticate without a username/password. If
> I set up a User file with DEFAULT will that allow calls through?
>
> Thanks,
>
> Steve
>

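An added example (not Radiator's own code) covering both the users-file layout Hugh describes in his reply to Stephen on static addresses (check attributes on the first line, reply attributes such as Framed-IP-Address on the lines that follow) and the DEFAULT entry above: it parses such a file and applies the check items, falling back to DEFAULT. The entries, passwords and the fail-closed rule that an entry must carry either a matching Password or Auth-Type = Accept are this example's own assumptions.

```python
import re

# Constructed users file in the flat-file layout described above: the first line
# of an entry is the username plus its check attributes, the indented lines that
# follow are its reply attributes (trailing comma on all but the last line).
USERS_FILE = """\
# define users
someuser Password = "s3cret"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 1.2.3.4,
    Framed-IP-Netmask = 255.255.255.255

# a second check item on the first line: only valid from one NAS
nasuser Password = "pw2", NAS-IP-Address = 10.0.0.1
    Service-Type = Framed-User,
    Framed-IP-Address = 1.2.3.5

# catch-all: accept without a password, leave the address to the NAS pool
DEFAULT Auth-Type = Accept
    Service-Type = Framed-User
"""

# one 'Attribute = value' item, value optionally double-quoted, comma separated
ITEM_RE = re.compile(r'\s*([\w\-]+)\s*=\s*("[^"]*"|[^,]+?)\s*(?:,|$)')

def parse_items(text):
    """Turn 'A = x, B = "y"' into an ordered list of (attribute, value) pairs."""
    return [(attr, val.strip('"')) for attr, val in ITEM_RE.findall(text)]

def parse_users_file(text):
    """Return {username: (check_items, reply_items)}; entries are blank-line separated."""
    users = {}
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln for ln in block.splitlines()
                 if ln.strip() and not ln.lstrip().startswith('#')]
        if not lines:
            continue
        name, _, checks = lines[0].strip().partition(' ')
        users[name] = (parse_items(checks),
                       parse_items(' '.join(ln.strip() for ln in lines[1:])))
    return users

def authenticate(users, username, password, request=None):
    """Reply attributes on accept, None on reject; falls back to DEFAULT.
    Assumed fail-closed policy: a matching Password or Auth-Type = Accept is
    required, and every other check item must equal the request attribute."""
    request = request or {}
    entry = users.get(username) or users.get('DEFAULT')
    if entry is None:
        return None
    checks = dict(entry[0])
    auth_type = checks.pop('Auth-Type', None)
    expected = checks.pop('Password', None)
    if auth_type == 'Reject':
        return None
    if auth_type != 'Accept' and (expected is None or expected != password):
        return None
    if any(request.get(attr) != val for attr, val in checks.items()):
        return None
    return dict(entry[1])
```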



RE: (RADIATOR) Question

2002-02-01 Thread Paul

Hi Steve,

A handler like the one below will not perform any authentication:



AuthByPolicy ContinueWhileAccept
AuthBy AllocateIPAddressForGPRS

AcctLogFileName %L/%N-gprs-%{GlobalVar:HostId}-detail%Y%m%d.log
PostAuthHook file:"filename"



However remember that you may still need to send back some appropriate reply
attributes which you could do with an 'AddToReply' as per below:


   Identifier AllocateIPAddressForGPRS
   Allocator ORACLEallocatorGPRS
   PoolHint pool-%{Called-Station-Id}-%N
   MapAttribute yiaddr, Framed-IP-Address
   StripFromReply PoolHint
   AddToReply  Service-Type = "Framed-User", Framed-Protocol = "PPP",
Framed-Compression = "Van-Jacobson-TCP-IP", Framed-MTU = "1500",
Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None


These are just examples, you'll need to tailor them to your specific
needs.

Hope this helps.



Paul

___

Paul O'Shea
Level9 Networks
___







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Steve Rainbow
Sent: Friday, February 01, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Question


1. Are there any training courses for Radiator in the UK?

2. All calls that come into my NAS are automatically forwarded to the radius
for authentication. Normally, I set up the username/password in a User file
but also now need to authenticate without a username/password. If I set up a
User file with DEFAULT will that allow calls through?

Thanks,

Steve




(RADIATOR) Question

2002-02-01 Thread Steve Rainbow

1. Are there any training courses for Radiator in the UK?

2. All calls that come into my NAS are automatically forwarded to the radius
for authentication. Normally, I set up the username/password in a User file
but also now need to authenticate without a username/password. If I set up a
User file with DEFAULT will that allow calls through?

Thanks,

Steve




Re: (RADIATOR) Question about Radius and SQL

2002-01-25 Thread Hugh Irvine


Hello Martin -

> Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database.
> Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for
> 'Sp_fetchUserPassword 'clouston'': SQL Timeout
> Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for

The problem shown above is that you can't connect to the database at all.

Also, in the timestamps shown above the number following the year is the 
number of microseconds. It is a six digit number, so the first digit is 
tenths of a second.

I.e.: Fri Jan 25 17:42:28 2002 911157: 

the number 911157 is the number of microseconds.

regards

Hugh


On Fri, 25 Jan 2002 18:33, Martin Edge wrote:
> Hey Guys,
>
> Having a few issues, as we are unable to easily find out the cause of
> the slowdowns we get when an "avalanche" scenario occurs.
>
> (where the amount of requests coming in is faster than the processing
> power to complete them..)
>
> Is this necessarily an SQL timeout, or could there be other contributing
> factors to these errors:
>
> If so, how would we go about finding these out..
>
> I tried LogMicroseconds in a  routine, and this is the output
> below.. (although I don't see any milliseconds results..)
>
> Thanks for your help,
> Martin
>
>
>  snip 
> Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database.
> Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for
> 'Sp_fetchUserPassword 'clouston'': SQL Timeout
> Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for
> 'Sp_fetchUserPassword 'clouston'': SQL Timeout
> Fri Jan 25 17:42:36 2002 960943: ERR: Could not connect to SQL database
> with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901,
> netbeans, beans2000: timeout at
> /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
>
> Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL
> database. Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:42:50 2002 371277: ERR: Execute failed for
> 'Sp_fetchUserPassword 'office'': SQL Timeout
> Fri Jan 25 17:42:52 2002 391393: ERR: Could not connect to SQL database
> with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901,
> netbeans, beans2000: timeout at
> /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
>
> Fri Jan 25 17:42:52 2002 421577: ERR: Could not connect to any SQL
> database. Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:43:07 2002 361641: ERR: Could not connect to SQL database
> with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901,
> netbeans, beans2000: timeout at
> /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
>
> Fri Jan 25 17:43:07 2002 411189: ERR: Could not connect to any SQL
> database. Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:43:21 2002 671671: ERR: Execute failed for
> 'Sp_fetchUserPassword 'simona'': SQL Timeout
> Fri Jan 25 17:43:23 2002 691896: ERR: Could not connect to SQL database
> with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901,
> netbeans, beans2000: timeout at
> /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
>
> Fri Jan 25 17:43:23 2002 716376: ERR: Could not connect to any SQL
> database. Request is ignored. Backing off for 10 seconds
> Fri Jan 25 17:43:39 2002 561994: ERR: Execute failed for
> 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
> Fri Jan 25 17:43:42 2002 501985: ERR: Execute failed for
> 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
> Fri Jan 25 17:43:45 2002 382053: ERR: Execute failed for
> 'Sp_fetchUserPassword 'clouston'': SQL Timeout
> Fri Jan 25 17:43:47 2002 972065: ERR: Execute failed for
> 'Sp_fetchUserPassword 'clouston'': SQL Timeout
> Fri Jan 25 17:43:50 2002 742074: ERR: Execute failed for
> 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
> Fri Jan 25 17:43:53 2002 321952: ERR: Execute failed for
> 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
> Fri Jan 25 17:43:55 2002 722314: ERR: Execute failed for
> 'Sp_fetchUserPassword 'shields'': SQL Timeout
> Fri Jan 25 17:43:58 2002 32217: ERR: Execute failed for
> 'Sp_fetchUserPassword 'shields'': SQL Timeout
> Fri Jan 25 17:44:00 2002 532429: ERR: Execute failed for
> 'Sp_fetchUserPassword 'blp04395'': SQL Timeout
> Fri Jan 25 17:44:02 2002 832373: ERR: Execute failed for 'Sp_fetchUserPassw
> -
> Martin Edge
> Technical Services Co-ordinator
> Phoneware Online
> eMail:   [EMAIL PROTECTED]
> Phone: +613 9640 4140 ext. 193
>
> "In the end, it's speed, price and customer service."
> -

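An added example (not Radiator's code) that reads lines in this log format the way Hugh describes, taking the field after the year as microseconds, and separates failures to reach the database from queries that timed out; the sample lines are constructed after the excerpt in this thread (the lines carrying the DBI connect string are left out), and the class names and the diagnosis strings are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the excerpt quoted in this thread.
LOG = """\
Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
"""

# 'Fri Jan 25 17:42:13 2002 32431: ERR: message': the field after the year is
# the LogMicroseconds value, a six-digit number of microseconds with leading
# zeros dropped, so 32431 means 0.032431 s, not 32 seconds.
LINE_RE = re.compile(
    r'^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (\d{1,6}): (\w+): (.*)$')

def parse_line(line):
    """Return (timestamp with microseconds, level, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), '%a %b %d %H:%M:%S %Y')
    return stamp + timedelta(microseconds=int(m.group(2))), m.group(3), m.group(4)

def classify(message):
    """Separate failures to reach the database from queries that timed out."""
    if message.startswith('Could not connect'):
        return 'connect-failure'
    if message.endswith('SQL Timeout'):
        return 'query-timeout'
    return 'other'

def summarise(log_text):
    """Count errors per class and list the gaps, in seconds, between consecutive errors."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = {}
    for _, _, msg in events:
        counts[classify(msg)] = counts.get(classify(msg), 0) + 1
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return counts, gaps

def diagnose(counts):
    """Hugh's reading of the excerpt: connect failures mean the database cannot be
    reached at all, which is the problem to fix before looking at query load."""
    if counts.get('connect-failure'):
        return 'database unreachable'
    if counts.get('query-timeout'):
        return 'database reachable but queries time out'
    return 'no SQL errors'
```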

(RADIATOR) Question about Radius and SQL

2002-01-24 Thread Martin Edge



Hey Guys,

Having a few issues, as we are unable to easily find out the cause of the
slowdowns we get when an "avalanche" scenario occurs.

(where the amount of requests coming in is faster than the processing power
to complete them..)

Is this necessarily an SQL timeout, or could there be other contributing
factors to these errors:

If so, how would we go about finding these out..

I tried LogMicroseconds in a  routine, and this is the output below..
(although I don't see any milliseconds results..)

Thanks for your help,
Martin

 snip 

Fri Jan 25 17:42:13 2002 32431: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:28 2002 911157: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:32 2002 481065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:42:36 2002 960943: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:42:36 2002 982364: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:42:50 2002 371277: ERR: Execute failed for 'Sp_fetchUserPassword 'office'': SQL Timeout
Fri Jan 25 17:42:52 2002 391393: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:42:52 2002 421577: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:07 2002 361641: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:43:07 2002 411189: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:21 2002 671671: ERR: Execute failed for 'Sp_fetchUserPassword 'simona'': SQL Timeout
Fri Jan 25 17:43:23 2002 691896: ERR: Could not connect to SQL database with DBI->connect dbi:Sybase:server=notus.izone.net.au;database=nb9901, netbeans, beans2000: timeout at /usr/local/lib/perl5/site_perl/5.6.1/Radius/Util.pm line 507.
Fri Jan 25 17:43:23 2002 716376: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 10 seconds
Fri Jan 25 17:43:39 2002 561994: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:42 2002 501985: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:45 2002 382053: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:43:47 2002 972065: ERR: Execute failed for 'Sp_fetchUserPassword 'clouston'': SQL Timeout
Fri Jan 25 17:43:50 2002 742074: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:53 2002 321952: ERR: Execute failed for 'Sp_fetchUserPassword 'themoodies'': SQL Timeout
Fri Jan 25 17:43:55 2002 722314: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
Fri Jan 25 17:43:58 2002 32217: ERR: Execute failed for 'Sp_fetchUserPassword 'shields'': SQL Timeout
Fri Jan 25 17:44:00 2002 532429: ERR: Execute failed for 'Sp_fetchUserPassword 'blp04395'': SQL Timeout
Fri Jan 25 17:44:02 2002 832373: ERR: Execute failed for 'Sp_fetchUserPassw

-Martin Edge
Technical Services Co-ordinator
Phoneware Online
eMail: [EMAIL PROTECTED]
Phone: +613 9640 4140 ext. 193
 
"In the end, it's speed, price and customer 
service."
-
 


Re: (RADIATOR) Question about DBM Auth...

2002-01-17 Thread Hugh Irvine


Hello Fernando -

There are no limits on the number of AuthBy clauses you can use (unless there 
is some underlying operating system limit on the number of files a single 
process can have open).

Perhaps you can send me a copy of the complete configuration file (no 
secrets) together with a trace 4 debug from Radiator showing what is 
happening.

regards

Hugh


On Fri, 18 Jan 2002 02:53, Fernando Caranton Cruz wrote:
> Hi,
>
> I use the DBM Auth, but I want to know if this type of authentication has
> any type of limit. I explain this:
>
> This is the actual Realm in the radius.cfg
>
>
> 
> MaxSessions 1
> AcctLogFileName /usr/local/etc/radacct/%N/detail
> RejectHasReason
> 
> AuthByPolicy ContinueWhileReject
> 
> AuthByPolicy ContinueWhileReject
> 
> Filename /etc/raddb/radiator/plus/users
> 
> 
> Filename
> /etc/raddb/radiator/rdsigeneral/users 
> 
> 
> Filename /etc/raddb/radiator/prepago/users
> 
> 
> Host
> Secret
> RetryTimeout 10
> AuthPort 1645
> AcctPort 1646
> 
> 
> 
>
> but if I make some changes, the DB options do not work
>
> E.g.:
>
> 
> MaxSessions 1
> AcctLogFileName /usr/local/etc/radacct/%N/detail
> RejectHasReason
> 
> AuthByPolicy ContinueWhileReject
> 
> AuthByPolicy ContinueWhileReject
> 
> Filename /etc/raddb/radiator/plus/users
> 
> 
> Filename
> /etc/raddb/radiator/rdsigeneral/users 
> 
> Filename /etc/raddb/radiator/otherdir/users
> 
> 
> Filename /etc/raddb/radiator/otherdir/users
> 
> 
> Filename /etc/raddb/radiator/otherdir/users
> 
> 
> 
> Filename /etc/raddb/radiator/prepago/users
> 
> 
> Host
> Secret
> RetryTimeout 10
> AuthPort 1645
> AcctPort 1646
> 
> 
> 
>
> Does some kind of limit exist in the AuthBy option? How many can I use? Can I
> use another type of config, e.g. using AuthBy GROUP or others?
>
> tnx
>
> FCC




(RADIATOR) Question about DBM Auth...

2002-01-17 Thread Fernando Caranton Cruz



Hi,

I use the DBM Auth, but I want to know if this type of authentication has
any type of limit. I explain this:

This is the current Realm in the radius.cfg

MaxSessions 1
AcctLogFileName /usr/local/etc/radacct/%N/detail
RejectHasReason
AuthByPolicy ContinueWhileReject
AuthByPolicy ContinueWhileReject
Filename /etc/raddb/radiator/plus/users
Filename /etc/raddb/radiator/rdsigeneral/users
Filename /etc/raddb/radiator/prepago/users
Host
Secret
RetryTimeout 10
AuthPort 1645
AcctPort 1646
 
but if I make some changes, the DB options do not work

E.g.:

MaxSessions 1
AcctLogFileName /usr/local/etc/radacct/%N/detail
RejectHasReason
AuthByPolicy ContinueWhileReject
AuthByPolicy ContinueWhileReject
Filename /etc/raddb/radiator/plus/users
Filename /etc/raddb/radiator/rdsigeneral/users
Filename /etc/raddb/radiator/otherdir/users
Filename /etc/raddb/radiator/otherdir/users
Filename /etc/raddb/radiator/otherdir/users
Filename /etc/raddb/radiator/prepago/users
Host
Secret
RetryTimeout 10
AuthPort 1645
AcctPort 1646

Does some kind of limit exist in the AuthBy option? How many can I use? Can I
use another type of config, e.g. using AuthBy GROUP or others?

tnx

FCC

