Re: [RADIATOR] AuthBy SQL and database connections

[Heikki Vatiainen]

On 01/15/2014 10:00 AM, Vangelis Kyriakakis wrote:

>  If we have an AuthBy SQL clause and a SessionDatabase SQL one, both
> connecting to the same database with the same DBUsername, will Radiator
> create two separate connections (one for each clause) or just one for
> both clauses?

Hello Vangelis,

if DBSource, DBUsername and DBAuth (after expanding any % specials)
are the same, then the connection should be the same. By 'should' I mean
that Radiator calls DBI's connect() which hides the actual workings of
the underlying layers.

If you do for example, 'sudo netstat -t -p -n' you can check the TCP
connections and the processes that use them.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

[Michael]

you could use GENERIC like how Heikki suggested but still have separate rows in 
your sql and use SQL to join all the results, and apply the attribute names.  
For MySQL, group_concat:



mysql> select * from temp;
+++-+
| id | Server | Password|
+++-+
|  5 | 172.16.1.1 | tunnelpass1 |
|  6 | 172.16.1.2 | tunnelpass2 |
|  7 | 172.16.1.3 | tunnelpass3 |
+++-+
3 rows in set (0.00 sec)

mysql> select GROUP_CONCAT( CONCAT('Tunnel-Server-Endpoint=',Server )) AS 
Servers, GROUP_CONCAT( CONCAT('Tunnel-Server-Endpoint=', Password)) AS 
Passwords from temp order by id;
+---+--+
| Servers   
| Passwords 
   |
+---+--+
| 
Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2,Tunnel-Server-Endpoint=172.16.1.3
 | 
Tunnel-Server-Endpoint=tunnelpass1,Tunnel-Server-Endpoint=tunnelpass2,Tunnel-Server-Endpoint=tunnelpass3
 |
+---+--+
1 row in set (0.00 sec)


Michael





On 12-06-26 07:33 AM, Heikki Vatiainen wrote:
> On 06/26/2012 12:28 PM, Jim Tyrrell wrote:
>> At the moment I just have a single very simple table that I am testing
>> with, 2 columns 'Endpoint'&  'Password' with 2 rows in the table for 2
>> different Tunnel endpoints.
>
> How about changing the config to use GENERIC:
>
> AuthColumnDef   0,GENERIC,reply
> AuthColumnDef   1,GENERIC,reply
>
> The DB would then have Endpoint and Password columns with values like these:
>
> Endpoint column for row n:
> Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2
> Password column for row n:
> Tunnel-Password="tunnelpass1",Tunnel-Password="tunnelpass2"
>
> With GENERIC you could actually put all reply attributes into the same
> column but that would likely make maintaining the values harder.
>
> With Hugh's solution you could get rid of repeating the attribute names
> and storing just the values.
>
> Heikki
>
>
>> I could have multiple columns for the multiple tunnels, but then if I
>> wanted to add or remove tunnels I would need to update the Radiator
>> query each time to add/remove the extra AuthAttrDefs, but I'd like the
>> flexibility to just add/remove entries to the SQL table without having
>> to change the Radiator config.
>>
>> ie - if I have one tunnel in the table then the handler needs to return:
>>
>> Code:   Access-Accept
>> Tunnel-Server-Endpoint = 172.16.1.1
>> Tunnel-Password = "tunnelpass"
>>
>> And if an extra entry is added to the table then return the following
>> format:
>>
>> Code:   Access-Accept
>> Tunnel-Server-Endpoint = 172.16.1.1
>> Tunnel-Password = "tunnelpass"
>> Tunnel-Server-Endpoint = 172.16.1.2
>> Tunnel-Password = "tunnelpass2"
>>
>>
>> If I was able to use LDAP I could just have an object such as:
>>
>> uid=TunnelEndPoints
>> tunnelip=172.16.0.1
>> tunnelip=172.16.0.2
>> tunnelpass=blah1
>> tunnelpass=blah2
>>
>> And then use an AuthBy LDAP including the following:
>>
>>   AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
>>   AuthAttrDef tunnelpass,Tunnel-Password,reply
>>
>>
>> Is there not an equivalent of this for MySQL authentication?  How do
>> people store multiple attributes such as Framed-Route in MySQL and then
>> return multiple instances of this when they exist? (The examples above
>> would actually be returned as tagged attributes but I can worry about
>> that later).
>>
>> Thanks.
>>
>> Jim.
>>
>>
>> On 25/06/2012 18:05, Michael wrote:
>>>
>>> I seem to remember reading somewhere in the Radiator manual that it
>>> will only process the first sql row received therefore I don't think
>>> it will process multiple row results.  I can't seem to find in the
>>> manual where i read that though. On the other hand, you could have all
>>> reply values on the same row in the table, or create an sql statement
>>> that returns them all on one row.
>>>
>>> What is your sql table structure?  multiple tables?
>>>
>>> mike
>>>
>>>
>>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
 Hi,

 Is it possible for AuthBy SQL to return multiple attributes if the query
 returns multiple rows?

Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

[Heikki Vatiainen]

On 06/26/2012 12:28 PM, Jim Tyrrell wrote:
> At the moment I just have a single very simple table that I am testing 
> with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
> different Tunnel endpoints.

How about changing the config to use GENERIC:

   AuthColumnDef   0,GENERIC,reply
   AuthColumnDef   1,GENERIC,reply

The DB would then have Endpoint and Password columns with values like these:

Endpoint column for row n:
Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2
Password column for row n:
Tunnel-Password="tunnelpass1",Tunnel-Password="tunnelpass2"

With GENERIC you could actually put all reply attributes into the same
column but that would likely make maintaining the values harder.

With Hugh's solution you could get rid of repeating the attribute names
and storing just the values.

Heikki


> I could have multiple columns for the multiple tunnels, but then if I 
> wanted to add or remove tunnels I would need to update the Radiator 
> query each time to add/remove the extra AuthAttrDefs, but I'd like the 
> flexibility to just add/remove entries to the SQL table without having 
> to change the Radiator config.
> 
> ie - if I have one tunnel in the table then the handler needs to return:
> 
> Code:   Access-Accept
>Tunnel-Server-Endpoint = 172.16.1.1
>Tunnel-Password = "tunnelpass"
> 
> And if an extra entry is added to the table then return the following 
> format:
> 
> Code:   Access-Accept
>Tunnel-Server-Endpoint = 172.16.1.1
>Tunnel-Password = "tunnelpass"
>Tunnel-Server-Endpoint = 172.16.1.2
>Tunnel-Password = "tunnelpass2"
> 
> 
> If I was able to use LDAP I could just have an object such as:
> 
> uid=TunnelEndPoints
> tunnelip=172.16.0.1
> tunnelip=172.16.0.2
> tunnelpass=blah1
> tunnelpass=blah2
> 
> And then use an AuthBy LDAP including the following:
> 
>  AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
>  AuthAttrDef tunnelpass,Tunnel-Password,reply
> 
> 
> Is there not an equivalent of this for MySQL authentication?  How do 
> people store multiple attributes such as Framed-Route in MySQL and then 
> return multiple instances of this when they exist? (The examples above 
> would actually be returned as tagged attributes but I can worry about 
> that later).
> 
> Thanks.
> 
> Jim.
> 
> 
> On 25/06/2012 18:05, Michael wrote:
>>
>> I seem to remember reading somewhere in the Radiator manual that it 
>> will only process the first sql row received therefore I don't think 
>> it will process multiple row results.  I can't seem to find in the 
>> manual where i read that though. On the other hand, you could have all 
>> reply values on the same row in the table, or create an sql statement 
>> that returns them all on one row.
>>
>> What is your sql table structure?  multiple tables?
>>
>> mike
>>
>>
>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>>> Hi,
>>>
>>> Is it possible for AuthBy SQL to return multiple attributes if the query
>>> returns multiple rows?
>>>
>>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>>> with the following simplified config:
>>>
>>> 
>>>   DBSourcedbi:mysql:databasename:192.168.10.3
>>>   DBUsername  DBuser
>>>   DBAuth  DBPass
>>>   AuthSelect SELECT Endpoint, Password FROM endpoints
>>>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>>   AuthColumnDef   1,Tunnel-Password,reply
>>> 
>>>
>>> This works fine at the moment as I only have 1 row in the table which
>>> represents 1 endpoint.  But I now want to return multiple endpoints so
>>> the Access-Accept would be something along the lines of:
>>>
>>> Code:   Access-Accept
>>> Attributes:
>>>   Tunnel-Server-Endpoint = 172.16.1.1
>>>   Tunnel-Password = "tunnelpass"
>>>   Tunnel-Server-Endpoint = 172.16.1.2
>>>   Tunnel-Password = "tunnelpass2"
>>>
>>> I had hoped to just add a 2nd row to the table, but the handler just
>>> returns the values from the 1st row of the result.  I'd like to be able
>>> to return additional attributes for each row returned so I can easily
>>> add/remove more endpoints to the table as and when I need to.
>>>
>>> Thanks.
>>>
>>> Jim.
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solari

Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

[Hugh Irvine]

Hello Jim -

I generally do this sort of thing in a hook, using a "dummy" AuthBy SQL clause 
to operate against.

Doing it this way allows to you use all of the normal Radiator code to do most 
of the heavy lifting.

There are a number of examples doing similar things in "goodies/hooks.txt" that 
should give you the general idea.

regards

Hugh


On 26 Jun 2012, at 19:28, Jim Tyrrell wrote:

> At the moment I just have a single very simple table that I am testing 
> with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
> different Tunnel endpoints.
> 
> I could have multiple columns for the multiple tunnels, but then if I 
> wanted to add or remove tunnels I would need to update the Radiator 
> query each time to add/remove the extra AuthAttrDefs, but I'd like the 
> flexibility to just add/remove entries to the SQL table without having 
> to change the Radiator config.
> 
> ie - if I have one tunnel in the table then the handler needs to return:
> 
> Code:   Access-Accept
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
> 
> And if an extra entry is added to the table then return the following 
> format:
> 
> Code:   Access-Accept
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
>   Tunnel-Server-Endpoint = 172.16.1.2
>   Tunnel-Password = "tunnelpass2"
> 
> 
> If I was able to use LDAP I could just have an object such as:
> 
> uid=TunnelEndPoints
> tunnelip=172.16.0.1
> tunnelip=172.16.0.2
> tunnelpass=blah1
> tunnelpass=blah2
> 
> And then use an AuthBy LDAP including the following:
> 
> AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
> AuthAttrDef tunnelpass,Tunnel-Password,reply
> 
> 
> Is there not an equivalent of this for MySQL authentication?  How do 
> people store multiple attributes such as Framed-Route in MySQL and then 
> return multiple instances of this when they exist? (The examples above 
> would actually be returned as tagged attributes but I can worry about 
> that later).
> 
> Thanks.
> 
> Jim.
> 
> 
> On 25/06/2012 18:05, Michael wrote:
>> 
>> I seem to remember reading somewhere in the Radiator manual that it 
>> will only process the first sql row received therefore I don't think 
>> it will process multiple row results.  I can't seem to find in the 
>> manual where i read that though. On the other hand, you could have all 
>> reply values on the same row in the table, or create an sql statement 
>> that returns them all on one row.
>> 
>> What is your sql table structure?  multiple tables?
>> 
>> mike
>> 
>> 
>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>>> Hi,
>>> 
>>> Is it possible for AuthBy SQL to return multiple attributes if the query
>>> returns multiple rows?
>>> 
>>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>>> with the following simplified config:
>>> 
>>> 
>>>  DBSourcedbi:mysql:databasename:192.168.10.3
>>>  DBUsername  DBuser
>>>  DBAuth  DBPass
>>>  AuthSelect SELECT Endpoint, Password FROM endpoints
>>>  AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>>  AuthColumnDef   1,Tunnel-Password,reply
>>> 
>>> 
>>> This works fine at the moment as I only have 1 row in the table which
>>> represents 1 endpoint.  But I now want to return multiple endpoints so
>>> the Access-Accept would be something along the lines of:
>>> 
>>> Code:   Access-Accept
>>> Attributes:
>>>  Tunnel-Server-Endpoint = 172.16.1.1
>>>  Tunnel-Password = "tunnelpass"
>>>  Tunnel-Server-Endpoint = 172.16.1.2
>>>  Tunnel-Password = "tunnelpass2"
>>> 
>>> I had hoped to just add a 2nd row to the table, but the handler just
>>> returns the values from the 1st row of the result.  I'd like to be able
>>> to return additional attributes for each row returned so I can easily
>>> add/remove more endpoints to the table as and when I need to.
>>> 
>>> Thanks.
>>> 
>>> Jim.
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

[Jim Tyrrell]

At the moment I just have a single very simple table that I am testing 
with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
different Tunnel endpoints.

I could have multiple columns for the multiple tunnels, but then if I 
wanted to add or remove tunnels I would need to update the Radiator 
query each time to add/remove the extra AuthAttrDefs, but I'd like the 
flexibility to just add/remove entries to the SQL table without having 
to change the Radiator config.

ie - if I have one tunnel in the table then the handler needs to return:

Code:   Access-Accept
   Tunnel-Server-Endpoint = 172.16.1.1
   Tunnel-Password = "tunnelpass"

And if an extra entry is added to the table then return the following 
format:

Code:   Access-Accept
   Tunnel-Server-Endpoint = 172.16.1.1
   Tunnel-Password = "tunnelpass"
   Tunnel-Server-Endpoint = 172.16.1.2
   Tunnel-Password = "tunnelpass2"


If I was able to use LDAP I could just have an object such as:

uid=TunnelEndPoints
tunnelip=172.16.0.1
tunnelip=172.16.0.2
tunnelpass=blah1
tunnelpass=blah2

And then use an AuthBy LDAP including the following:

 AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
 AuthAttrDef tunnelpass,Tunnel-Password,reply


Is there not an equivalent of this for MySQL authentication?  How do 
people store multiple attributes such as Framed-Route in MySQL and then 
return multiple instances of this when they exist? (The examples above 
would actually be returned as tagged attributes but I can worry about 
that later).

Thanks.

Jim.


On 25/06/2012 18:05, Michael wrote:
>
> I seem to remember reading somewhere in the Radiator manual that it 
> will only process the first sql row received therefore I don't think 
> it will process multiple row results.  I can't seem to find in the 
> manual where i read that though. On the other hand, you could have all 
> reply values on the same row in the table, or create an sql statement 
> that returns them all on one row.
>
> What is your sql table structure?  multiple tables?
>
> mike
>
>
> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>> Hi,
>>
>> Is it possible for AuthBy SQL to return multiple attributes if the query
>> returns multiple rows?
>>
>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>> with the following simplified config:
>>
>> 
>>   DBSourcedbi:mysql:databasename:192.168.10.3
>>   DBUsername  DBuser
>>   DBAuth  DBPass
>>   AuthSelect SELECT Endpoint, Password FROM endpoints
>>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>   AuthColumnDef   1,Tunnel-Password,reply
>> 
>>
>> This works fine at the moment as I only have 1 row in the table which
>> represents 1 endpoint.  But I now want to return multiple endpoints so
>> the Access-Accept would be something along the lines of:
>>
>> Code:   Access-Accept
>> Attributes:
>>   Tunnel-Server-Endpoint = 172.16.1.1
>>   Tunnel-Password = "tunnelpass"
>>   Tunnel-Server-Endpoint = 172.16.1.2
>>   Tunnel-Password = "tunnelpass2"
>>
>> I had hoped to just add a 2nd row to the table, but the handler just
>> returns the values from the 1st row of the result.  I'd like to be able
>> to return additional attributes for each row returned so I can easily
>> add/remove more endpoints to the table as and when I need to.
>>
>> Thanks.
>>
>> Jim.
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

[Michael]

I seem to remember reading somewhere in the Radiator manual that it will only 
process the first sql row received therefore I don't think it will process 
multiple row results.  I can't seem to find in the manual where i read that 
though. On the other hand, you could have all reply values on the same row in 
the table, or create an sql statement that returns them all on one row.

What is your sql table structure?  multiple tables?

mike


On 12-06-25 08:52 AM, Jim Tyrrell wrote:
> Hi,
>
> Is it possible for AuthBy SQL to return multiple attributes if the query
> returns multiple rows?
>
> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
> with the following simplified config:
>
> 
>   DBSourcedbi:mysql:databasename:192.168.10.3
>   DBUsername  DBuser
>   DBAuth  DBPass
>   AuthSelect SELECT Endpoint, Password FROM endpoints
>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>   AuthColumnDef   1,Tunnel-Password,reply
> 
>
> This works fine at the moment as I only have 1 row in the table which
> represents 1 endpoint.  But I now want to return multiple endpoints so
> the Access-Accept would be something along the lines of:
>
> Code:   Access-Accept
> Attributes:
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
>   Tunnel-Server-Endpoint = 172.16.1.2
>   Tunnel-Password = "tunnelpass2"
>
> I had hoped to just add a 2nd row to the table, but the handler just
> returns the values from the 1st row of the result.  I'd like to be able
> to return additional attributes for each row returned so I can easily
> add/remove more endpoints to the table as and when I need to.
>
> Thanks.
>
> Jim.
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

[Heikki Vatiainen]

On 02/09/2012 01:43 PM, Michael wrote:

> I use a reject column in my user database, and SELECT it like this:
> SELECT username, crypt, CONCAT('Reject:',reject), 
> 
> and:
> AuthColumnDef   2, Auth-Type, check

Yes, this is a very good method to do it.

> so, if the reject column is NULL, CONCAT returns NULL and it passed, but if 
> the reject column has text in it, CONCAT returns 'Reject:reject reason', and 
> the user is rejected.

Also, if SQL call returns 'Accept', the password check must still be
successful. So Auth-Type by itself does not accept the user if the
password is wrong.

A slight difference between this method and using hooks is the returned
Reply-Message with bad password. The above method returns Bad password
while with hooks it's possible to return message from SQL call.

Thanks!
Heikki

> 
> 
> On 12-02-08 12:40 PM, Lee Solway wrote:
>> Is there a way I can set an access Accept or Reject in the MySQL results
>> generated by AuthBy SQL?
>>
>> Currently I have a stored procedure that I call in the following.. I
>> would like the SP to be able to reject the Access-Request with an error
>> message also if possible..
>>
>>  AuthSelectCALL get_reply_attr('%U')
>>  AuthColumnDef 0, GENERIC, reply
>>  AuthColumnDef 1, User-Password, check
>>
>> Thanks,
>> Lee
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

[Michael]

I use a reject column in my user database, and SELECT it like this:
SELECT username, crypt, CONCAT('Reject:',reject), 

and:
AuthColumnDef   2, Auth-Type, check

so, if the reject column is NULL, CONCAT returns NULL and it passed, but if the 
reject column has text in it, CONCAT returns 'Reject:reject reason', and the 
user is rejected.




On 12-02-08 12:40 PM, Lee Solway wrote:
> Is there a way I can set an access Accept or Reject in the MySQL results
> generated by AuthBy SQL?
>
> Currently I have a stored procedure that I call in the following.. I
> would like the SP to be able to reject the Access-Request with an error
> message also if possible..
>
>  AuthSelectCALL get_reply_attr('%U')
>  AuthColumnDef 0, GENERIC, reply
>  AuthColumnDef 1, User-Password, check
>
> Thanks,
> Lee
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

[Heikki Vatiainen]

On 02/08/2012 07:40 PM, Lee Solway wrote:

Hello Lee,

> Is there a way I can set an access Accept or Reject in the MySQL results 
> generated by AuthBy SQL?

Please see below for one method.

> Currently I have a stored procedure that I call in the following.. I 
> would like the SP to be able to reject the Access-Request with an error 
> message also if possible..
> 
> AuthSelectCALL get_reply_attr('%U')
> AuthColumnDef 0, GENERIC, reply
> AuthColumnDef 1, User-Password, check

You could do both (control accept/reject and return reason) with
something like this. First change get_reply_attr to return 'true' or
'false' to control Accept or Reject. Also add another return value which
is the Reply-Message that is returned with Access-Reject.

 AuthColumnDef 2,X-Accepted-By-Sql,check
 AuthColumnDef 3,X-Reject-Msg,request

In the Handler or Realm clause prime X-Accepted-By-Sql like this:

AddToRequest X-Accepted-By-Sql=true

In the same Handler or Realm add RejectHasReason and a PostAuthHook to
replace reason with the value from SQL call.

RejectHasReason.
PostAuthHook sub { my $p = ${$_[0]}; my $rp = ${$_[1]}; \
   my $result = $_[2]; my $reason = $_[3]; \
return unless $$result == $main::REJECT; \
$$reason = $p->get_attr('X-Reject-Msg'); \
}

Putting this together, if the third value returned by SQL call is
something else than 'true' the request will be rejected. The hook will
then set the returned Reply-Message based on X-Reject-Msg which comes
from SQL call.

For more about the hook parameters, please see the reference manual.

Thanks!
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL results

[Heikki Vatiainen]

On 03/03/2011 04:49 PM, Vangelis Kyriakakis wrote:

>   I would like to know what happens when AuthSelect query in AuthBy 
> SQL returns two or more rows. Which one is used? The first or the last?
>   Example:
> 
> Username | Reply_item
> ---
> user  |  reply1
> user  |  reply2
> 
> AuthSelect select Reply_item from table where Username='user'
> AuthColumnDef   0,GENERIC,reply
> 
> Which reply_item is going to be used?

Hello Vangelis,

the answer is reply1. Even if the select returns multiple rows, only the
first row is used. The rest of the rows are not saved or used later.

Thanks!
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

[Hugh Irvine]

Hello Adam -

The -I parameter to perl indicates where to find the Radiator modules.

Here is the help for perl:


Radiator-4.6 hugh$ perl -h

Usage: perl [switches] [--] [programfile] [arguments]
  -0[octal] specify record separator (\0, if no argument)
  -aautosplit mode with -n or -p (splits $_ into @F)
  -C[number/list]   enables the listed Unicode features
  -ccheck syntax only (runs BEGIN and CHECK blocks)
  -d[:debugger] run program under debugger
  -D[number/list]   set debugging flags (argument is a bit mask or alphabets)
  -e programone line of program (several -e's allowed, omit programfile)
  -E programlike -e, but enables all optional features
  -fdon't do $sitelib/sitecustomize.pl at startup
  -F/pattern/   split() pattern for -a switch (//'s are optional)
  -i[extension] edit <> files in place (makes backup if extension supplied)
  -Idirectory   specify @INC/#include directory (several -I's allowed)
  -l[octal] enable line ending processing, specifies line terminator
  -[mM][-]moduleexecute "use/no module..." before executing program
  -nassume "while (<>) { ... }" loop around program
  -passume loop like -n but print line also, like sed
  -Prun program through C preprocessor before compilation
  -senable rudimentary parsing for switches after programfile
  -Slook for programfile using PATH environment variable
  -tenable tainting warnings
  -Tenable tainting checks
  -udump core after parsing program
  -Uallow unsafe operations
  -vprint version, subversion (includes VERY IMPORTANT perl 
info)
  -V[:variable] print configuration summary (or a single Config.pm variable)
  -wenable many useful warnings (RECOMMENDED)
  -Wenable all warnings
  -x[directory] strip off text before #!perl line and perhaps cd to 
directory
  -Xdisable all warnings


regards

Hugh


On 26 Jun 2010, at 00:16, Adam Gerson wrote:

> That worked. Thank you. What did -i do?
> 
> Adam
> 
> 
> -- 
> Adam Gerson
> Assistant Director of Technology
> Columbia Grammar and Prep School
> phone. 212-749-6200 ex. 321
> fax.  212-428-6806
> ager...@cgps.org
> http://www.cgps.org
> 
> On 6/24/10 5:10 AM, Hugh Irvine wrote:
>> 
>> Hello Adam -
>> 
>> Try this:
>> 
>> 
>>  /opt/local/bin/perl -I /usr/local/src/Radiator/Radiator-Locked-4.6 
>> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
>> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 24 Jun 2010, at 03:46, Adam Gerson wrote:
>> 
>>> I have figured out that MacPorts installs its own copy of perl into 
>>> /opt/local/bin
>>> 
>>> I need to use that perl, which includes the mysql packages. When I call 
>>> that perl explicitly I get this error:
>>> 
>>> sidekick:~ sadmin$ /opt/local/bin/perl 
>>> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
>>> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
>>> 
>>> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
>>> /opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
>>> /opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
>>> /opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
>>> /opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
>>> /opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) at 
>>> (eval 8) line 20,<_>  line 575.
>>> BEGIN failed--compilation aborted at (eval 8) line 20,<_>  line 575.
>>> ...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
>>> 2,<_>  line 575.
>>> 
>>> 
>>> 
>>> 
>>> --
>>> Adam Gerson
>>> Assistant Director of Technology
>>> Columbia Grammar and Prep School
>>> phone. 212-749-6200 ex. 321
>>> fax.  212-428-6806
>>> ager...@cgps.org
>>> http://www.cgps.org
>>> 
>>> On 6/22/10 3:21 PM, Hugh Irvine wrote:
 
 Hello Adam -
 
 The error message you show below indicates your database is not running 
 (or is unreachable for some reason).
 
 regards
 
 Hugh
 
 
 On 22 Jun 2010, at 15:03, Adam Gerson wrote:
 
> Well, nothing has changed in my config file and my database is still up
> and working. I have not used Radiator for a week or two. I started it
> today to test it and now it cannot contact the database. I got an email
> saying my trail had experienced, but at startup Radiator reports its
> good until 2011 or 1000 connections.
> 
> 
> 
> 
> 
> Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> This Radiator license will expire on 2011-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of R

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

[Adam Gerson]

That worked. Thank you. What did -i do?

Adam


-- 
Adam Gerson
Assistant Director of Technology
Columbia Grammar and Prep School
phone. 212-749-6200 ex. 321
fax.  212-428-6806
ager...@cgps.org
http://www.cgps.org

On 6/24/10 5:10 AM, Hugh Irvine wrote:
>
> Hello Adam -
>
> Try this:
>
>
>   /opt/local/bin/perl -I /usr/local/src/Radiator/Radiator-Locked-4.6 
> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
>
>
> regards
>
> Hugh
>
>
> On 24 Jun 2010, at 03:46, Adam Gerson wrote:
>
>> I have figured out that MacPorts installs its own copy of perl into 
>> /opt/local/bin
>>
>> I need to use that perl, which includes the mysql packages. When I call that 
>> perl explicitly I get this error:
>>
>> sidekick:~ sadmin$ /opt/local/bin/perl 
>> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
>> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
>>
>> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
>> /opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
>> /opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
>> /opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
>> /opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
>> /opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) at 
>> (eval 8) line 20,<_>  line 575.
>> BEGIN failed--compilation aborted at (eval 8) line 20,<_>  line 575.
>>  ...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
>> 2,<_>  line 575.
>>
>>
>>
>>
>> --
>> Adam Gerson
>> Assistant Director of Technology
>> Columbia Grammar and Prep School
>> phone. 212-749-6200 ex. 321
>> fax.  212-428-6806
>> ager...@cgps.org
>> http://www.cgps.org
>>
>> On 6/22/10 3:21 PM, Hugh Irvine wrote:
>>>
>>> Hello Adam -
>>>
>>> The error message you show below indicates your database is not running (or 
>>> is unreachable for some reason).
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 22 Jun 2010, at 15:03, Adam Gerson wrote:
>>>
 Well, nothing has changed in my config file and my database is still up
 and working. I have not used Radiator for a week or two. I started it
 today to test it and now it cannot contact the database. I got an email
 saying my trail had experienced, but at startup Radiator reports its
 good until 2011 or 1000 connections.





 Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file
 '/etc/radiator/radius.cfg'
 This Radiator license will expire on 2011-02-01
 This Radiator license will stop operating after 1000 requests
 To purchase an unlimited full source version of Radiator, see
 http://www.open.com.au/ordering.html
 To extend your license period, contact ad...@open.com.au

 Tue Jun 22 14:59:47 2010: DEBUG: Reading dictionary file
 '/etc/radiator/dictionary'
 Tue Jun 22 14:59:47 2010: DEBUG: Creating authentication port 0.0.0.0:1645
 Tue Jun 22 14:59:47 2010: DEBUG: Creating accounting port 0.0.0.0:1646
 Tue Jun 22 14:59:47 2010: NOTICE: Server started: Radiator 4.6 on
 sidekick.cgps.org (LOCKED)
 Tue Jun 22 14:59:54 2010: DEBUG: Packet dump:
 *** Received from 192.168.1.92 port 52380 
 Code:   Access-Request
 Identifier: 144
 Authentic:  -e<204><0><155>W<174><163>g<227><181><149><134>sP<148>
 Attributes:
User-Name = "adam"
User-Password =<175><244>t<214>bP0<25>+6c?<237><196><137>K
NAS-IP-Address = 192.168.1.92
Service-Type = Login-User
Framed-IP-Address = 10.93.3.23
Called-Station-Id = "00:19:92:02:B4:3A"
Calling-Station-Id = ""
NAS-Identifier = "Bluesocket"
Acct-Session-Id = "00:19:92:02:B4:3A:1277233194"
NAS-Port-Type = Wireless-IEEE-802-11

 Tue Jun 22 14:59:54 2010: DEBUG: Handling request with Handler
 'Realm=DEFAULT'
 Tue Jun 22 14:59:54 2010: DEBUG:  Deleting session for adam, 192.168.1.92,
 Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
 Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
 Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
 DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
 Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
 Request is ignored. Backing off for 600 seconds
 Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User
 database access error
 Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
 Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
 Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
 DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
 Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
 Request is ignored. Backing off for 600 seconds
 Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, 

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

[Hugh Irvine]

Hello Adam -

Try this:


/opt/local/bin/perl -I /usr/local/src/Radiator/Radiator-Locked-4.6 
/usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
/etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid


regards

Hugh


On 24 Jun 2010, at 03:46, Adam Gerson wrote:

> I have figured out that MacPorts installs its own copy of perl into 
> /opt/local/bin
> 
> I need to use that perl, which includes the mysql packages. When I call that 
> perl explicitly I get this error:
> 
> sidekick:~ sadmin$ /opt/local/bin/perl 
> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
> 
> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
> /opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
> /opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
> /opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
> /opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
> /opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) at 
> (eval 8) line 20, <_> line 575.
> BEGIN failed--compilation aborted at (eval 8) line 20, <_> line 575.
>   ...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
> 2, <_> line 575.
> 
> 
> 
> 
> -- 
> Adam Gerson
> Assistant Director of Technology
> Columbia Grammar and Prep School
> phone. 212-749-6200 ex. 321
> fax.  212-428-6806
> ager...@cgps.org
> http://www.cgps.org
> 
> On 6/22/10 3:21 PM, Hugh Irvine wrote:
>> 
>> Hello Adam -
>> 
>> The error message you show below indicates your database is not running (or 
>> is unreachable for some reason).
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 22 Jun 2010, at 15:03, Adam Gerson wrote:
>> 
>>> Well, nothing has changed in my config file and my database is still up
>>> and working. I have not used Radiator for a week or two. I started it
>>> today to test it and now it cannot contact the database. I got an email
>>> saying my trail had experienced, but at startup Radiator reports its
>>> good until 2011 or 1000 connections.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file
>>> '/etc/radiator/radius.cfg'
>>> This Radiator license will expire on 2011-02-01
>>> This Radiator license will stop operating after 1000 requests
>>> To purchase an unlimited full source version of Radiator, see
>>> http://www.open.com.au/ordering.html
>>> To extend your license period, contact ad...@open.com.au
>>> 
>>> Tue Jun 22 14:59:47 2010: DEBUG: Reading dictionary file
>>> '/etc/radiator/dictionary'
>>> Tue Jun 22 14:59:47 2010: DEBUG: Creating authentication port 0.0.0.0:1645
>>> Tue Jun 22 14:59:47 2010: DEBUG: Creating accounting port 0.0.0.0:1646
>>> Tue Jun 22 14:59:47 2010: NOTICE: Server started: Radiator 4.6 on
>>> sidekick.cgps.org (LOCKED)
>>> Tue Jun 22 14:59:54 2010: DEBUG: Packet dump:
>>> *** Received from 192.168.1.92 port 52380 
>>> Code:   Access-Request
>>> Identifier: 144
>>> Authentic:  -e<204><0><155>W<174><163>g<227><181><149><134>sP<148>
>>> Attributes:
>>> User-Name = "adam"
>>> User-Password =<175><244>t<214>bP0<25>+6c?<237><196><137>K
>>> NAS-IP-Address = 192.168.1.92
>>> Service-Type = Login-User
>>> Framed-IP-Address = 10.93.3.23
>>> Called-Station-Id = "00:19:92:02:B4:3A"
>>> Calling-Station-Id = ""
>>> NAS-Identifier = "Bluesocket"
>>> Acct-Session-Id = "00:19:92:02:B4:3A:1277233194"
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> 
>>> Tue Jun 22 14:59:54 2010: DEBUG: Handling request with Handler
>>> 'Realm=DEFAULT'
>>> Tue Jun 22 14:59:54 2010: DEBUG:  Deleting session for adam, 192.168.1.92,
>>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
>>> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
>>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
>>> Request is ignored. Backing off for 600 seconds
>>> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User
>>> database access error
>>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
>>> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
>>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
>>> Request is ignored. Backing off for 600 seconds
>>> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User
>>> database access error
>>> ^C
>>> 
>>> --
>>> Adam Gerson
>>> Assistant Director of Technology
>>> Columbia Grammar and Prep School
>>> phone. 212-749-6200 ex. 321
>>> fax.  212-428-6806
>>> ager...@cgps.org
>>> http://www.cgps.org
>>> 
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

[Adam Gerson]

I have figured out that MacPorts installs its own copy of perl into 
/opt/local/bin

I need to use that perl, which includes the mysql packages. When I call 
that perl explicitly I get this error:

sidekick:~ sadmin$ /opt/local/bin/perl 
/usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
/etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid

Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
/opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
/opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
/opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
/opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
/opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) 
at (eval 8) line 20, <_> line 575.
BEGIN failed--compilation aborted at (eval 8) line 20, <_> line 575.
...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
2, <_> line 575.




-- 
Adam Gerson
Assistant Director of Technology
Columbia Grammar and Prep School
phone. 212-749-6200 ex. 321
fax.  212-428-6806
ager...@cgps.org
http://www.cgps.org

On 6/22/10 3:21 PM, Hugh Irvine wrote:
>
> Hello Adam -
>
> The error message you show below indicates your database is not running (or 
> is unreachable for some reason).
>
> regards
>
> Hugh
>
>
> On 22 Jun 2010, at 15:03, Adam Gerson wrote:
>
>> Well, nothing has changed in my config file and my database is still up
>> and working. I have not used Radiator for a week or two. I started it
>> today to test it and now it cannot contact the database. I got an email
>> saying my trail had experienced, but at startup Radiator reports its
>> good until 2011 or 1000 connections.
>>
>>
>>
>>
>>
>> Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file
>> '/etc/radiator/radius.cfg'
>> This Radiator license will expire on 2011-02-01
>> This Radiator license will stop operating after 1000 requests
>> To purchase an unlimited full source version of Radiator, see
>> http://www.open.com.au/ordering.html
>> To extend your license period, contact ad...@open.com.au
>>
>> Tue Jun 22 14:59:47 2010: DEBUG: Reading dictionary file
>> '/etc/radiator/dictionary'
>> Tue Jun 22 14:59:47 2010: DEBUG: Creating authentication port 0.0.0.0:1645
>> Tue Jun 22 14:59:47 2010: DEBUG: Creating accounting port 0.0.0.0:1646
>> Tue Jun 22 14:59:47 2010: NOTICE: Server started: Radiator 4.6 on
>> sidekick.cgps.org (LOCKED)
>> Tue Jun 22 14:59:54 2010: DEBUG: Packet dump:
>> *** Received from 192.168.1.92 port 52380 
>> Code:   Access-Request
>> Identifier: 144
>> Authentic:  -e<204><0><155>W<174><163>g<227><181><149><134>sP<148>
>> Attributes:
>>  User-Name = "adam"
>>  User-Password =<175><244>t<214>bP0<25>+6c?<237><196><137>K
>>  NAS-IP-Address = 192.168.1.92
>>  Service-Type = Login-User
>>  Framed-IP-Address = 10.93.3.23
>>  Called-Station-Id = "00:19:92:02:B4:3A"
>>  Calling-Station-Id = ""
>>  NAS-Identifier = "Bluesocket"
>>  Acct-Session-Id = "00:19:92:02:B4:3A:1277233194"
>>  NAS-Port-Type = Wireless-IEEE-802-11
>>
>> Tue Jun 22 14:59:54 2010: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Tue Jun 22 14:59:54 2010: DEBUG:  Deleting session for adam, 192.168.1.92,
>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
>> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
>> Request is ignored. Backing off for 600 seconds
>> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User
>> database access error
>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with
>> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
>> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database.
>> Request is ignored. Backing off for 600 seconds
>> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User
>> database access error
>> ^C
>>
>> --
>> Adam Gerson
>> Assistant Director of Technology
>> Columbia Grammar and Prep School
>> phone. 212-749-6200 ex. 321
>> fax.  212-428-6806
>> ager...@cgps.org
>> http://www.cgps.org
>>
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

___
radiator m

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

[Hugh Irvine]

Hello Adam -

The error message you show below indicates your database is not running (or is 
unreachable for some reason).

regards

Hugh


On 22 Jun 2010, at 15:03, Adam Gerson wrote:

> Well, nothing has changed in my config file and my database is still up 
> and working. I have not used Radiator for a week or two. I started it 
> today to test it and now it cannot contact the database. I got an email 
> saying my trail had experienced, but at startup Radiator reports its 
> good until 2011 or 1000 connections.
> 
> 
> 
> 
> 
> Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file 
> '/etc/radiator/radius.cfg'
> This Radiator license will expire on 2011-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact ad...@open.com.au
> 
> Tue Jun 22 14:59:47 2010: DEBUG: Reading dictionary file 
> '/etc/radiator/dictionary'
> Tue Jun 22 14:59:47 2010: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 22 14:59:47 2010: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Jun 22 14:59:47 2010: NOTICE: Server started: Radiator 4.6 on 
> sidekick.cgps.org (LOCKED)
> Tue Jun 22 14:59:54 2010: DEBUG: Packet dump:
> *** Received from 192.168.1.92 port 52380 
> Code:   Access-Request
> Identifier: 144
> Authentic:  -e<204><0><155>W<174><163>g<227><181><149><134>sP<148>
> Attributes:
>   User-Name = "adam"
>   User-Password = <175><244>t<214>bP0<25>+6c?<237><196><137>K
>   NAS-IP-Address = 192.168.1.92
>   Service-Type = Login-User
>   Framed-IP-Address = 10.93.3.23
>   Called-Station-Id = "00:19:92:02:B4:3A"
>   Calling-Station-Id = ""
>   NAS-Identifier = "Bluesocket"
>   Acct-Session-Id = "00:19:92:02:B4:3A:1277233194"
>   NAS-Port-Type = Wireless-IEEE-802-11
> 
> Tue Jun 22 14:59:54 2010: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Tue Jun 22 14:59:54 2010: DEBUG:  Deleting session for adam, 192.168.1.92,
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with 
> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database. 
> Request is ignored. Backing off for 600 seconds
> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User 
> database access error
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with 
> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database. 
> Request is ignored. Backing off for 600 seconds
> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User 
> database access error
> ^C
> 
> -- 
> Adam Gerson
> Assistant Director of Technology
> Columbia Grammar and Prep School
> phone. 212-749-6200 ex. 321
> fax.  212-428-6806
> ager...@cgps.org
> http://www.cgps.org
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: (RADIATOR) AuthBy SQL problem

[Hugh Irvine]

Hello Adam -

All you really need to do is use a RewriteUsername and a 
CaseInsensitivePasswords with a single AuthBy SQL.

regards

Hugh

On Thursday, Oct 16, 2003, at 00:27 Australia/Melbourne, Adam 
Pogorzelski wrote:

Hello,
I have such a problem. I have users in mysql database, and few so 
called
multilogin users. These multilogins have simple passwords created by
username, for example ppp/ppp. Problem is, that i need to authenticate
these combination as the same user:
ppp/ppp, PPP/PPP, ppp/PPP, PPP/ppp.
For now i am including to one Handler two authby's config files,
one with normal AuthSelect, and second with Authselect 'select
ucase(PASSWORD)'.
Because i have many Handlers, and for each Handler is two configs, i 
want
to minimize all configuration.
So my question is: is it possible to put in AuthBy clause two 
AuthSelect's ?
Similiar to AuthByPolicy ?

Btw, for each failed Radius::AuthSQL i have one insert to database with
info about it, and if i have four login/pass combination, i can have 
three
inserts to database with fail info.

ps. I may be wrong, but does Radiator isn't sql injection aware ?
Sat Oct 11 06:51:57 2003: ERR: do failed for 'insert into radauthlog
values (1065847917,'~}#','[EMAIL PROTECTED]'} }4',1,'No such
user','DNIS','CLID')': You have an error in your SQL syntax near '}
}4',1,'No such user','DNIS','CLID')' at line 1
S
--
"For proper viewing, take red pill now"
   Futurama
AdamP.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL problem

[Robert Blayzor]

On 10/15/03 10:27 AM, "Adam Pogorzelski" <[EMAIL PROTECTED]> wrote:

> I have such a problem. I have users in mysql database, and few so called
> multilogin users. These multilogins have simple passwords created by
> username, for example ppp/ppp. Problem is, that i need to authenticate
> these combination as the same user:
> ppp/ppp, PPP/PPP, ppp/PPP, PPP/ppp.
> For now i am including to one Handler two authby's config files,
> one with normal AuthSelect, and second with Authselect 'select
> ucase(PASSWORD)'.

Seems like it's more work than it's worth.  You have some options...

Add the directive in Radiator to ignore the case of passwords.  So that
"PaSSwoRD" would match "PASSWORD".  You can also rewrite the username with a
regex to force the username to lowercase before handling it in an authby..

> Because i have many Handlers, and for each Handler is two configs, i want
> to minimize all configuration.
> So my question is: is it possible to put in AuthBy clause two AuthSelect's ?
> Similiar to AuthByPolicy ?

For what reason if you just "IgnoreCase" on the password... ?

> ps. I may be wrong, but does Radiator isn't sql injection aware ?
> Sat Oct 11 06:51:57 2003: ERR: do failed for 'insert into radauthlog
> values (1065847917,'~}#','[EMAIL PROTECTED]'} }4',1,'No such
> user','DNIS','CLID')': You have an error in your SQL syntax near '}
> }4',1,'No such user','DNIS','CLID')' at line 1
> S

Tell Radiator what characters are valid in Usernames and you won't see
this...

ie:  UsernameCharset [EMAIL PROTECTED]

Or you could do something like:

RewriteUsername s/[EMAIL PROTECTED]/\?/g

Which strips out any bogus characters we don't except and replaces they with
a "?" Which should be SQL friendly...

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Mac OS X. Because making Unix user-friendly is easier than debugging
Windows.


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

RE: (RADIATOR) AuthBy SQL help- Resolved

[Greg 'Rafiq' Clarkson]

Hi Hugh et al

Thank you for forcing me to run radiator in the foreground.

>From the errors generated I managed to fix both problems.

They were both problem with the attributes assigned to particular column's
in the database.

In my first configuration I couldn't insert 'start' records as the table
expected non-null values for fields such as 'Acct-Session-Time,
Acct-Input-Octets and Acct-Output-Octetes' which were always going to be
null for a 'start' record!

So, I had to change one column's modifier from 'not-null=true' to
'not-null=false' to fix it.

The other configuration had a similar problem which prevented the 'stop'
records being inserted.

I am only new to radiator and I am sure I will have some more questions

Regards,

Greg


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL help

[Hugh Irvine]

Hello Greg -

I will need to see a complete copy of your configuration file, together  
with a trace 4 debug from Radiator showing what is happening.

regards

Hugh


On Saturday, September 28, 2002, at 10:58 AM, Greg 'Rafiq' Clarkson  
wrote:

> Hi everybody,
>
> I need some clarification for setting up .  I am using
> Radiator-3.3.1. and any help will be greatly appreciated.
>
> I am experimenting with different accounting tables with different
> AcctColumnDef.
>
> The problem is that one configuration only writes records where
> "Acct-Status-Type = Start" and the other configuration only writes  
> records
> where "Acct-Status-Type = Stop"!
>
> All other records are written to the FailedLog.
>
> My question is:
> Do I need to define *all* fields sent from the NAS for both Start and  
> Stop
> records in the one table to successfully write the record to SQL?
>
> I thought if I didn't define the field it would drop that particular  
> field
> but insert all the other fields.
>
> For example one of my configurations uses the default setup as detailed
> below:
>
> 
> IdentifierLocalDbAuth
> IgnoreAuthentication
> DBSource  %{GlobalVar:dbSpec}
> DBUsername%{GlobalVar:dbUser}
> DBAuth%{GlobalVar:dbPass}
> #AccountingStartsOnly
> #AccountingStopsOnly
> HandleAcctStatusTypes Start,Stop
> DateFormat%Y-%m-%d %H:%M:%S
>
> AccountingTable   accounting
> AcctColumnDef username,User-Name
> AcctColumnDef time_stamp,Timestamp,integer
> AcctColumnDef acctstatustype,Acct-Status-Type
> AcctColumnDef acctdelaytime,Acct-Delay-Time,integer
> AcctColumnDef acctinputoctets,Acct-Input-Octets,integer
> AcctColumnDef acctoutputoctets,Acct-Output-Octets,integer
> AcctColumnDef acctsessionid,Acct-Session-Id
> AcctColumnDef acctsessiontime,Acct-Session-Time,integer
> AcctColumnDef acctterminatecause,Acct-Terminate-Cause
> AcctColumnDef nasidentifier,NAS-Identifier
> AcctColumnDef nasport,NAS-Port,integer
> AcctColumnDef framedipaddress,Framed-IP-Address
>
> AcctFailedLogFileName %L/detail.newdb
>
> 
> Only "Start" records are written. And this is the record written to the
> FailedLog:
>
>
> root@echelon:radius: # head -50 detail.newdb
> Fri Sep 27 12:33:21 2002
> Acct-Session-Id = "0002BA2F"
> Framed-Protocol = PPP
> Framed-IP-Address = 203.220.179.32
> Acct-Terminate-Cause = Lost-Carrier
> Ascend-Disconnect-Cause = 816
> Ascend-Connect-Progress = prLanSessionUp
> Ascend-PreSession-Time = 21
> Ascend-Xmit-Rate = 26400
> Ascend-Data-Rate = 26400
> Acct-Session-Time = 334
> Connect-Info = "26400 V34/V42bis/LAPM (28800)"
> Acct-Input-Octets = 75662
> Acct-Output-Octets = 305795
> Ascend-Pre-Input-Octets = 118
> Ascend-Pre-Output-Octets = 114
> Acct-Input-Packets = 465
> Acct-Output-Packets = 397
> Ascend-Pre-Input-Packets = 5
> Ascend-Pre-Output-Packets = 5
> Acct-Authentic = RADIUS
> Acct-Status-Type = Stop
> NAS-Port = 7315
> Called-Station-Id = "142320198333015"
> Calling-Station-Id = "357213687"
> NAS-Port-Type = Async
> Service-Type = Framed-User
> NAS-IP-Address = 203.220.246.113
> Event-Timestamp = 1033093991
> Acct-Delay-Time = 10
> User-Name = "kph"
> Proxy-State =
> BSP2ims01-syd/ 
> FEDEB6CC27A3A223FA1BF8E5C5231E60B56504FF7E0D088FB185BF15044FE4
> EA88F6C7EF7E0D08AC7A5949EC0221F87B432A74AF7E1F0BF280F6CBF26276B02ECFC7B 
> 4FB11
> 6B31BAE6C2D4ED6C
> Timestamp = 1033093991
>
>
>
> Whereas in a more complex setup:
>
> 
> IdentifierOldDbAuth
> IgnoreAuthentication
> DBSource  %{GlobalVar:dbSpec}
> DBUsername%{GlobalVar:dbUser}
> DBAuth%{GlobalVar:dbPass}
> #AccountingStartsOnly
> #AccountingStopsOnly
> HandleAcctStatusTypes Start,Stop
> DateFormat%Y-%m-%d %H:%M:%S
>
> AccountingTable   sessions
> AcctColumnDef username,User-Name
> AcctColumnDef time,Timestamp,integer-date
> AcctColumnDef calledstation,Called-Station-Id
> AcctColumnDef callingstation,Calling-Station-Id
> AcctColumnDef nas,NAS-IP-Address
> AcctColumnDef port,NAS-Port,integer
> AcctColumnDef sessionid,Acct-Session-Id
> AcctColumnDef ipaddress,Framed-IP-Address
> AcctColumnDef duration,Acct-Session-Time,integer
> AcctColumnDef upload,Acct-Input-Octets,integer
> AcctColumnDef download,Acct-Output-Octets,integer
> AcctColumnDef rx,Ascend-Xmit-Rate,integer
> AcctColumnDef tx,Ascend-Data-Rate,integer
> AcctColumnDef terminatecause,Ascend-Disconnect-Cause
> AcctColumnDef  

RE: (RADIATOR) AuthBy SQL and / or AuthLog SQL

[Frank Danielson]

AuthLog SQL records access-requests to a database.
AuthBy SQL w /an empty AuthSelect records accounting-requests to a database.

-Frank

-Original Message-
From: radiator [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 12:06 AM
To: '[EMAIL PROTECTED]'
Subject: (RADIATOR) AuthBy SQL and / or AuthLog SQL



What's the difference between AuthBy SQL w/ and empty AuthSelect and AuthLog
SQL??


Regards,

Virgil

-- 
WebCentral Pty Ltd   Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.   Network Operations - Systems Engineer
PO Box 930, Fortitude Valley.email: [EMAIL PROTECTED]
Queensland, Australia 4006.   phone: +61 7 3230 7176 
 
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Authby SQL checking multi-value attributes

[Hugh Irvine]

Hello Julio -

You should use regular expressions to check multiple values:

NASPORTYPE = "NAS-Port-type = '/Sync|Async/'"

regards

Hugh


On Thu, 7 Mar 2002 22:27, [EMAIL PROTECTED] wrote:
> hi all,
>
> I'm using Radiator 2.18.1 with AuthbySQL over MySQL.
>
> I've defined several fields in SUBSCRIBERS table to check them.
>
> I'm interested in checking NAS-Port-Type in a multi-value way, so for
> example,
>
>   user1@domain
>
> will be accepted if its NAS-Port-Type matches 'Sync' or 'Async' values, so
> in case this user sends 'ISDN-Sync' nasport-type, he will be rejected.
>
> As a workaround I try to define a column NASPORTTYPE char(200) in
> SUBSCRIBERS table in that way:
>
>   NASPORTYPE = "NAS-Port-type = 'Sync',NAS-Port-type = 'Async'"
>
> and in Authby SQL
>
>   AuthColumnDef N GENERIC, check
>
> but this idea does not work because it only checks first item.
>
> Any workaround about checking multivalue attributes with AuthSQL?
>
> thanks,
> jules
>
>
> Si quiere más información de BT puede solicitarla en nuestra revista online
> http://www.ignite.com/realise
>
> **
> Noticia legal
> Este mensaje electrónico contiene información de BT Ignite España S.A.U.
> que es privada y confidencial, siendo para el uso exclusivo de la persona
> (s) o entidades arriba mencionadas. Si usted no es el destinatario
> señalado, le informamos que cualquier divulgación, copia, distribución o
> uso de los contenidos está prohibida. Si usted ha recibido este mensaje por
> error, por favor borre su contenido lo antes posible.
> Gracias.
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL and PostgreSQL

[tdn]

Hello Hugh,

I had compiled the DBD and DBI from source, I have used the FreeBSD ports
collection and now it works fine.
Well, can't figure out why, but it works

Thanks
TDN
- Original Message -
From: Hugh Irvine <[EMAIL PROTECTED]>
To: tdn <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, February 06, 2002 2:31 AM
Subject: Re: (RADIATOR) AuthBy SQL and PostgreSQL


>
> Hello -
>
> Could you please send me a copy of your configuration file (no secrets)
> together with a trace 4 debug from Radiator showing what is happening.
>
> thanks
>
> Hugh
>
>
> On Tue, 5 Feb 2002 19:53, tdn wrote:
> > Hi Hugh
> >
> > > The correct syntax for the DBSource line is this:
> > >
> > > DBSourcedbi:Pg:dbname=radius
> >
> > I actually noticed that and rectified, however the problem still occurs
> > when auth by SQL.
> > Authenticating by flat file works OK.
> >
> > > And of course you must install the DBI and DBD modules first.
> >
> > I have pgsql_perl5-1.9.0 for the DBD and DBI-1.201 for the DBI
> >
> >
> >
> > Rgds
> > TDN
> >
> >
> > - Original Message -
> > From: Hugh Irvine <[EMAIL PROTECTED]>
> > To: tdn <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 05, 2002 1:38 AM
> > Subject: Re: (RADIATOR) AuthBy SQL and PostgreSQL
> >
> > > Hello TDN -
> > >
> > > > Hi,
> > > >
> > > > I'd like to have radiator authenticate users from a Postgres SQL
> >
> > database.
> >
> > > > I get the following error whenever I try to test it using radpwtst.
> > > >
> > > > Can't read $DBI::errstr, last handle unknown or destroyed at
> > > > /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 136
> > > >
> > > > Am running Radiator 2.19 and PostgreSQL 7.1
> > > >
> > > > see part of my radius.cfg
> > > >
> > > > 
> > > > #
> > > > #   # The filename defaults to %D/users
> > > > #   
> > > > # Log accounting to the detail file in LogDir
> > > > #   AcctLogFileName %L/detail/detail.%Y%m%d
> > > > 
> > > > DBSourcedbi:pg:dbname=radius
> > > > DBUsername  xxx
> > > > DBAuth  xxx
> > > > AuthSelect select CLEARTEXTPASSWORD from USERS where
> > > > USERID='%n';
> > > > 
> > > > 
> > >
> > > The correct syntax for the DBSource line is this:
> > >
> > > DBSourcedbi:Pg:dbname=radius
> > >
> > > And of course you must install the DBI and DBD modules first.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > --
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > > -
> > > Nets: internetwork inventory and management - graphical, extensible,
> > > flexible with hardware, software, platform and database independence.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL and PostgreSQL

[Mike McCauley]

--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from ["tdn" 
<[EMAIL PROTECTED]>]
Date: Thu, 7 Feb 2002 02:48:30 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

>From [EMAIL PROTECTED] Thu Feb  7 02:48:30 2002
Received: from mx1.uunet.co.ke (mx1.uunet.co.ke [195.202.64.8])
by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g178mP311640;
Thu, 7 Feb 2002 02:48:27 -0600
Received: from [195.202.85.31] (helo=spider)
by mx1.uunet.co.ke with smtp (Exim 3.21 #2)
id 16YmzV-0007ji-00; Thu, 07 Feb 2002 11:45:25 +
Message-ID: <00dc01c1afb3$ce093040$[EMAIL PROTECTED]>
From: "tdn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>
 <014801c1ae22$976feb60$[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]> Subject: Re: (RADIATOR)
 AuthBy SQL and PostgreSQL
Date: Thu, 7 Feb 2002 11:45:24 +0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Hello Hugh,

> Could you please send me a copy of your configuration file (no secrets)
> together with a trace 4 debug from Radiator showing what is happening.

below find my radius.cfg and trace 4 debug output..

also note that i connect to the SQL database manually OK.

radius=# select * from users;
 userid | cleartextpassword | encryptedpassword
+---+---
 dthaba | test  |
(1 row)



Radius.cfg
--
LogDir /usr/local/radiator
DbDir /usr/local/radiator/raddb
LogFile %L/logfile/logfile.%Y%m%d
Trace   4


Secret xxx
DupInterval 0




   DBSourcedbi:Pg:dbname=radius
   DBUsername  radius
   DBAuth  xxx
   AuthSelect select CLEARTEXTPASSWORD from USERS where
USERID='%n';
   


Trace 4 debug
---
*** Received from 127.0.0.1 port 1046 
Code:   Access-Request
Identifier: 67
Authentic:  1234567890123456
Attributes:
User-Name = "dthaba"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<141><238>,<217><150>e<4><246><188>8<9><160><216>}x<153>"

Thu Feb  7 11:18:53 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Feb  7 11:18:53 2002: DEBUG:  Deleting session for dthaba, 203.63.154.1,
1234
Thu Feb  7 11:18:53 2002: DEBUG: Handling with Radius::AuthSQL
Thu Feb  7 11:18:53 2002: DEBUG: Handling with Radius::AuthSQL:
Thu Feb  7 11:18:53 2002: ERR: Could not connect to SQL database with
DBI->connect dbi:Pg:dbname=radius, radius, rad99:
Thu Feb  7 11:18:53 2002: ERR: Could not connect to any SQL database.
Request is ignored. Backing off for 600 seconds
Thu Feb  7 11:18:58 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1046 
Code:   Accounting-Request
Identifier: 68
Authentic:  <235><6><132><205><27><219><224><1><3><1><149><134><215>#O<175>
Attributes:
User-Name = "dthaba"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "1234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"

Thu Feb  7 11:18:58 2002: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Thu Feb  7 11:18:58 2002: DEBUG:  Adding session for dthaba, 203.63.154.1,
1234
Thu Feb  7 11:18:58 2002: DEBUG: Handling with Radius::AuthSQL
Thu Feb  7 11:18:58 2002: DEBUG: Handling accounting with Radius::AuthSQL
Thu Feb  7 11:18:58 2002: DEBUG: Accounting accepted
Thu Feb  7 11:18:58 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1046 
Code:   Accounting-Response
Identifier: 68
Authentic:  <235><6><132><205><27><219><224><1><3><1><149><134><215>#O<175>
Attributes:

Thu Feb  7 11:18:58 2002: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1046 
Code:   Accounting-Request
Identifier: 69
Authentic:  <212><234><11><131><216><236><180>]<1><147><148>~<27>X<148><194>
Attributes:
User-Name = "dthaba"
Service-Type = Framed-User
NAS-IP-Address

Re: (RADIATOR) AuthBy SQL and PostgreSQL

[Hugh Irvine]

Hello -

Could you please send me a copy of your configuration file (no secrets) 
together with a trace 4 debug from Radiator showing what is happening.

thanks

Hugh


On Tue, 5 Feb 2002 19:53, tdn wrote:
> Hi Hugh
>
> > The correct syntax for the DBSource line is this:
> >
> > DBSourcedbi:Pg:dbname=radius
>
> I actually noticed that and rectified, however the problem still occurs
> when auth by SQL.
> Authenticating by flat file works OK.
>
> > And of course you must install the DBI and DBD modules first.
>
> I have pgsql_perl5-1.9.0 for the DBD and DBI-1.201 for the DBI
>
>
>
> Rgds
> TDN
>
>
> - Original Message -
> From: Hugh Irvine <[EMAIL PROTECTED]>
> To: tdn <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, February 05, 2002 1:38 AM
> Subject: Re: (RADIATOR) AuthBy SQL and PostgreSQL
>
> > Hello TDN -
> >
> > > Hi,
> > >
> > > I'd like to have radiator authenticate users from a Postgres SQL
>
> database.
>
> > > I get the following error whenever I try to test it using radpwtst.
> > >
> > > Can't read $DBI::errstr, last handle unknown or destroyed at
> > > /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 136
> > >
> > > Am running Radiator 2.19 and PostgreSQL 7.1
> > >
> > > see part of my radius.cfg
> > >
> > > 
> > > #
> > > #   # The filename defaults to %D/users
> > > #   
> > > # Log accounting to the detail file in LogDir
> > > #   AcctLogFileName %L/detail/detail.%Y%m%d
> > > 
> > > DBSourcedbi:pg:dbname=radius
> > > DBUsername  xxx
> > > DBAuth  xxx
> > > AuthSelect select CLEARTEXTPASSWORD from USERS where
> > > USERID='%n';
> > > 
> > > 
> >
> > The correct syntax for the DBSource line is this:
> >
> > DBSourcedbi:Pg:dbname=radius
> >
> > And of course you must install the DBI and DBD modules first.
> >
> > regards
> >
> > Hugh
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL and PostgreSQL

[Mike McCauley]

--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from ["tdn" 
<[EMAIL PROTECTED]>]
Date: Tue, 5 Feb 2002 01:21:16 -0600
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

>From [EMAIL PROTECTED] Tue Feb  5 01:21:15 2002
Received: from mx1.uunet.co.ke (mx1.uunet.co.ke [195.202.64.8])
by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g157Km302454;
Tue, 5 Feb 2002 01:21:02 -0600
Received: from [195.202.85.31] (helo=spider)
by mx1.uunet.co.ke with smtp (Exim 3.21 #2)
id 16Y4A6-0001HF-00; Tue, 05 Feb 2002 11:53:22 +
Message-ID: <014801c1ae22$976feb60$[EMAIL PROTECTED]>
From: "tdn" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]> Subject: Re: (RADIATOR)
 AuthBy SQL and PostgreSQL
Date: Tue, 5 Feb 2002 11:53:33 +0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Hi Hugh

> The correct syntax for the DBSource line is this:
>
> DBSourcedbi:Pg:dbname=radius

I actually noticed that and rectified, however the problem still occurs when
auth by SQL.
Authenticating by flat file works OK.

> And of course you must install the DBI and DBD modules first.

I have pgsql_perl5-1.9.0 for the DBD and DBI-1.201 for the DBI



Rgds
TDN


- Original Message -
From: Hugh Irvine <[EMAIL PROTECTED]>
To: tdn <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, February 05, 2002 1:38 AM
Subject: Re: (RADIATOR) AuthBy SQL and PostgreSQL

> Hello TDN -
>
> > Hi,
> >
> > I'd like to have radiator authenticate users from a Postgres SQL

database.

> > I get the following error whenever I try to test it using radpwtst.
> >
> > Can't read $DBI::errstr, last handle unknown or destroyed at
> > /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 136
> >
> > Am running Radiator 2.19 and PostgreSQL 7.1
> >
> > see part of my radius.cfg
> >
> > 
> > #
> > #   # The filename defaults to %D/users
> > #   
> > # Log accounting to the detail file in LogDir
> > #   AcctLogFileName %L/detail/detail.%Y%m%d
> > 
> > DBSourcedbi:pg:dbname=radius
> > DBUsername  xxx
> > DBAuth  xxx
> > AuthSelect select CLEARTEXTPASSWORD from USERS where
> > USERID='%n';
> > 
> > 
>
> The correct syntax for the DBSource line is this:
>
> DBSourcedbi:Pg:dbname=radius
>
> And of course you must install the DBI and DBD modules first.
>
> regards
>
> Hugh
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.

---

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL and PostgreSQL

[Hugh Irvine]

Hello TDN -

>
> Hi,
>
> I'd like to have radiator authenticate users from a Postgres SQL database.
> I get the following error whenever I try to test it using radpwtst.
>
> Can't read $DBI::errstr, last handle unknown or destroyed at
> /usr/local/lib/perl5/site_perl/5.005/Radius/SqlDb.pm line 136
>
> Am running Radiator 2.19 and PostgreSQL 7.1
>
> see part of my radius.cfg
>
> 
> #
> #   # The filename defaults to %D/users
> #   
> # Log accounting to the detail file in LogDir
> #   AcctLogFileName %L/detail/detail.%Y%m%d
> 
> DBSourcedbi:pg:dbname=radius
> DBUsername  xxx
> DBAuth  xxx
> AuthSelect select CLEARTEXTPASSWORD from USERS where
> USERID='%n';
> 
> 
>

The correct syntax for the DBSource line is this:

DBSourcedbi:Pg:dbname=radius

And of course you must install the DBI and DBD modules first.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Authby SQL

[Hugh Irvine]

Hello Aaron -

On Thu, 24 Jan 2002 06:41, Aaron Collins wrote:
> I'm using Authby SQL and to keep my user list current I recreat it every
> 15 minutes through a script.  This is to insure that I always have a
> acurate list of active and unavtive users  But It appears that when ever
> I do this radiator hangs for about 5 minutes or so.  My question is does
> radiator cache part of the database, or is this just a wierd MySQL
> problem?

If you are using an SQL database, you should simply modify the user 
definitions directly in the database, not reload the entire database every 15 
minutes.

I suspect what is happening is that the database is unreachable during the 
time you reload it and Radiator marks the connection as down.

Have a look at a trace 4 debug from Radiator to see what is going on.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL problem

[Hugh Irvine]

Hello Sam -

Just specify a suitable AuthSelect:

AuthSelect select PASSWORD where USERNAME = '%n' and STATUS = 'T'
AuthColumnDef 0, User-Password, check

regards

Hugh


On Tue, 8 Jan 2002 12:09, Sam Cheung wrote:
> Hi genius,
>
> I am using  to authenticate users. However, I would like to
> verifiy the user's username, password and status=T. So, How, can I
> rewrite the statement in sq.cfg to make it works.
> Thanks so much for paying attention.
>
> ---
> Regards,
>
> Sam Cheung
> E-mail: [EMAIL PROTECTED]
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL and Passwords ..

[Zebaulon Kansal]

Robert,

Most likely. :)  *Hits self upside head with large UNIX manual.*

Sadly enough, I *did* search/look through the documentation in
search of such, wondering WHY ON EARTH there was one for User-Name but
not Password.  Guess it was a bit too late in the evening to be trying
to figure that out.  But yep, that's what I needed.  Thanks :)

Unless the network is lying to me again, Robert Blayzor said:
> > So I got the bright idea to add a "AND PASS='%{Password}'" to
> > the AuthSelect line.  But the query ends up AND PASS='' 
> > (nothing is put
> > in there.)  So, obviously RADIUS either 1) can't pass it like 
> > that or 2)
> > can but I'm doing it wrong.
> 
> 
> Perhaps you want "AND PASS='%P'"   ???
> 
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> 
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

RE: (RADIATOR) AuthBy SQL and Passwords ..

[Robert Blayzor]

>   So I got the bright idea to add a "AND PASS='%{Password}'" to
> the AuthSelect line.  But the query ends up AND PASS='' 
> (nothing is put
> in there.)  So, obviously RADIUS either 1) can't pass it like 
> that or 2)
> can but I'm doing it wrong.


Perhaps you want "AND PASS='%P'"   ???

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) authby sql

[Hugh Irvine]

Hello Rick -

Your configuration file has a Realm clause for "xx.com" and another Realm 
clause for any other realm, however you don't have a clause to match just a 
username by itself.

# define a Realm for username only


.



regards

Hugh


>
> could someon tell me what I am missing here or doing wrong  thanks
>
>
> Sun Dec 23 19:20:28 2001: DEBUG: Rewrote user name to test
> Sun Dec 23 19:20:28 2001: DEBUG: Check if Handler Realm=mynet.com should be
> used to handle this request
> Sun Dec 23 19:20:28 2001: WARNING: Could not find a handler for qwtest:
> request is ignored
> Sun Dec 23 19:20:30 2001: DEBUG: Packet dump:
> *** Received from 0.0.0.0 port 58682 
> Code:   Access-Request
> Identifier: 52
> Authentic:  ka<197><219><24>@\Os<23>'<184>bs<253>z
> Attributes:
>  User-Name = "test"
>  CHAP-Password = <1><130><199><195>P<13>(<209><130><223>zJ<242>zc<15><191>
>  NAS-IP-Address = 0.0.0.0
>  NAS-Port = 7190
>  Service-Type = Framed-User
>  Framed-Protocol = PPP
>  Cisco-NAS-Port = "Async4/43*Serial7/0:1:22"
>  Acct-Session-Id = "0A"
>  NAS-Port-Type = Async
>
> Sun Dec 23 19:20:30 2001: DEBUG: Rewrote user name to test
> Sun Dec 23 19:20:30 2001: DEBUG: Check if Handler Realm=mynet.com should be
> used to handle this request
> Sun Dec 23 19:20:30 2001: WARNING: Could not find a handler for test:
> request is ignored
> Sun Dec 23 19:21:13 2001: DEBUG: Packet dump:
> *** Received from 0.0.0.0 port 58684 
> Code:   Access-Request
> Identifier: 53
> Authentic:  <194>7<127>dZ>its<23>'<184><137>[r<254>
> Attributes:
>  User-Name = "test"
>  CHAP-Password = <1><141>{<247><199><186>Q<130>#h#<31>a<228><150>IN
>  NAS-IP-Address = 0.0.0.0
>  NAS-Port = 7190
>  Service-Type = Framed-User
>  Framed-Protocol = PPP
>  Cisco-NAS-Port = "Async4/44*Serial7/0:1:22"
>  Acct-Session-Id = "0B"
>  NAS-Port-Type = Async
>
> Sun Dec 23 19:21:13 2001: DEBUG: Rewrote user name to test
> Sun Dec 23 19:21:13 2001: DEBUG: Check if Handler Realm=mynet.com should be
> used to handle this request
> Sun Dec 23 19:21:13 2001: WARNING: Could not find a handler for test:
> request is ignored
> Sun Dec 23 19:21:15 2001: DEBUG: Packet dump:
> *** Received from 0.0.0.0 port 58684 
> Code:   Access-Request
> Identifier: 53
> Authentic:  <194>7<127>dZ>its<23>'<184><137>[r<254>
> Attributes:
>  User-Name = "test"
>  CHAP-Password = <1><141>{<247><199><186>Q<130>#h#<31>a<228><150>IN
>  NAS-IP-Address = 0.0.0.0
>  NAS-Port = 7190
>  Service-Type = Framed-User
>  Framed-Protocol = PPP
>  Cisco-NAS-Port = "Async4/44*Serial7/0:1:22"
>  Acct-Session-Id = "2B"
>  NAS-Port-Type = Async
>
> Sun Dec 23 19:21:15 2001: DEBUG: Rewrote user name to test
> Sun Dec 23 19:21:15 2001: DEBUG: Check if Handler Realm=mynet.com should be
> used to handle this request
> Sun Dec 23 19:21:15 2001: WARNING: Could not find a handler for test:
> request is ignored
>
> # Radiator configuration file.
> # Produced by /cgi-bin/radconfig.cgi Sun Dec 23 16:57:37 2001
> #REMOTE_USER: , REMOTE_ADDR:
> AcctPort 1646
> AuthPort 1645
> DbDir /usr/local/etc/raddb
> DictionaryFile /usr/local/etc/raddb/dictionary
> Foreground
> LogDir /var/log/radius
> LogFile %L/logfile
> LogStdout
> PidFile /var/run/radiusd.pid
> Trace 4
>
> 
>   AccountingStartsOnly
>   AccountingStopsOnly
>   AccountingTable radius.ACCOUNTING
>   AcctColumnDef USERNAME, '%{User-Name}'
>   AcctColumnDef TIME_STAMP, %{Timestamp}, integer
>   AcctColumnDef ACCTSTATUSTYPE, '%{Acct-Status-Type}'
>   AcctColumnDef ACCTDELAYTIME, %{Acct-Delay-Time}
>   AcctColumnDef ACCTINPUTOCTETS, %{Acct-Input-Octets}, integer
>   AcctColumnDef ACCTOUTPUTOCTETS, %{Acct-Output-Octets}, integer
>   AcctColumnDef ACCTSESSIONID, '%{Acct-Session-Id}'
>   AcctColumnDef ACCTSESSIONTIME, %{Acct-Session-Time}, integer
>   AcctColumnDef ACCTTERMINATECAUSE, %{Acct-Terminate-Cause}
>   AcctColumnDef NASIDENTIFIER, '%{NAS-Identifier}'
>   AcctColumnDef NASPORT, %{NAS-Port}, integer
>   AcctColumnDef FRAMEDIPADDRESS, '%{Framed-IP-Address}'
>   AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME='%n'
>   DBAuth xx
>   DBSource dbi:mysql:radius
>   DBUsername 
>   DefaultSimultaneousUse 1
>   Description global access
>   Identifier auth_0
> 
>
> 
>   Description testing
>   DupInterval 2
>   IdenticalClients 
>   IgnoreAcctSignature
>   NasType Livingston
>   Secret 
> 
>
> 
>   AccountingHandled
>   AcctLogFileName /var/log/radius/accounting
>   AuthBy auth_0
>   AuthByPolicy ContinueUntilAccept
>   Description Global Dial
>   RejectHasReason
>   RewriteUsername s/^([^@]+).*/$1/
>   RewriteUsername tr/[A-Z]/[a-z]/
>   SessionDatabase intdb
> 
>
>
> 
>   AccountingHandled
>   AcctLogFileName /var/log/radius/accounting
>   AuthBy auth_0
>   AuthByPolicy ContinueUntilAccept
>   RejectHasReason
>   RewriteUsername s/^([^@]+).*/$1/
>   SessionDatabase intdb
> 
>
> 
>   Description dont know
>   Identifier intdb
> 
>
> 

Re: (RADIATOR) AuthBy SQL

[Hugh Irvine]

Hello Quintin -

My first question is what is Radiator meant to do with authentication 
requests? The answer will determine what the best approach will be in the 
configuration file. Please give me a clear explanation of what you are trying 
to achieve and I will suggest a suitable means to configure it.

regards

Hugh


On Monday 24 September 2001 21:25, Quintin wrote:

> > Hi,
>
> I have a problem on AuthBy SQL, I don't want to be authenticated using SQL
> Database but I just want to insert a value into another self-defined
> database when the Radiator receives the accouting start.
>
> Trace result
> ---
> Mon Sep 24 19:07:54 2001: DEBUG: Handling with Radius::AuthSQL
> Mon Sep 24 19:07:54 2001: INFO: Access rejected for wtlam: Authentication
> disabled Mon Sep 24 19:07:54 2001: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 37203 
> Code:   Access-Reject
> Identifier: 9
> Authentic:  1234567890123456
> Attributes:
>
> Configuration
> 
> 
> Identifier MarkAlert
> DBSource DBI:mysql:radius
> DBUsername xx
> DBAuth  xx
> FailureBackoffTime  60
> AuthSelect
> AcctSQLStatement insert into RADALERT (USERNAME) values ('%u')
> 
>
>
> In the configuration above, I have put the empty string at AuthSelect cause
> but I don't know why the Radiator rejected my request.
>
> Please help.
>
> Thanks!
>
> Quintin


Content-Type: text/html; charset="big5"; name="Attachment: 1"
Content-Transfer-Encoding: quoted-printable
Content-Description: 


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Authby Sql

[Ujwol]

Hi again,
  We worked it out. Thanks for the 
support. But that thing works fine with both 
AuthColumnDef 0, 
Encrypted-Password, check&
AuthColumnDef 0, 
User-Password, check
 
Thanks
Ujwol 
ManandharMercantile CommunicationsP.O.Box 876DurbarMarg Kathmandu, 
NepalTel : +977-1-240920Fax :+977-1-225407

  - Original Message - 
  From: 
  Hugh Irvine 

  To: Ujwol ; [EMAIL PROTECTED] 
  Cc: [EMAIL PROTECTED] 
  Sent: Friday, March 16, 2001 5:06 
AM
  Subject: Re: (RADIATOR) Authby Sql
  Hello Ujwol -Please say hello to everyone at MOS 
  for me, and please tell Sanjib that I am planning on coming to visit Nepal 
  in October this year.On Thursday 15 March 2001 23:21, Ujwol 
  wrote:> > Hi,> We're trying to 
  use Authby Sql, after converting linux 6.2 shadow> password file into 
  MSSQL table by buildsql. But the problem is, we couldn't> get the users 
  authenticated with this Linux MD5 password encryption. We get> bad 
  encrypted password result. But it works fine with Standard Unix crypt> 
  format. Here is the authby clause.>> > 
  Identifier  
  SQL> 
  DBSource    
  dbi:Sybase:RADIATOR> 
  DBUsername 
  abc> 
  DBAuth  
  pwd> 
  AuthSelect select PASSWORD from SUBSCRIBERS where 
  USERNAME=%0> 
  AuthColumnDef 0, Encrypted-Password, 
  check> 
  FailureBackoffTime  10> 
  The above will not work because you are not using a 
  Unix crypt password with the "Encrypted-Password" directive.As 
  long as the Linux MD5 password has the standard prefix ("$1$"), you should 
  just use the 
  following: 
  AuthColumnDef 0, User-Password, checkRadiator understands all the 
  standard prefixes for passwords.Have a look at section 13.1.1 in the 
  Radiator 2.18 reference manual.regardsHugh-- 
  Radiator: the most portable, flexible and configurable RADIUS server 
  anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS 
  X.-Nets: internetwork inventory and management - graphical, 
  extensible,flexible with hardware, software, platform and database 
  independence.===Archive at http://www.starport.net/~radiator/Announcements 
  on [EMAIL PROTECTED]To 
  unsubscribe, email '[EMAIL PROTECTED]' 
  with'unsubscribe radiator' in the body of the 
message.

Re: (RADIATOR) Authby Sql

[Ujwol]

Hi Hugh, 
    Nice to 
hear from you. Please let us know the exact date, when you'll be visiting Nepal. 
We're gald to welcome you in Nepal.
    

    About 
the Authby Sql thing, we still couldn't work it out.
Authby Clause
    
Identifier  
SQL    
DBSource    
dbi:Sybase:RADIATOR    
DBUsernameaaa 
DBAuth   
pwd
    
AuthSelect  select PASSWORD from SUBSCRIBERS where 
USERNAME="%n"    AuthColumnDef 0, 
User-Password, check    
FailureBackoffTime  
10
 
The username and password 
in sql table is in this format

 
ujwol    
$1$isuP4v7R$dAFqUFLqhdg0iQ7OQa
 
And the trace4 debug
 
Fri Mar 16 09:47:28 2001: INFO: Server started: Radiator 2.18 
onchautari.mos.com.npFri Mar 16 09:47:36 2001: DEBUG: Packet 
dump:*** Received from 127.0.0.1 port 1037 
Code:   Access-RequestIdentifier: 
212Authentic:  1234567890123456Attributes:User-Name = 
"ujwol"Service-Type = Framed-UserNAS-IP-Address = 
203.63.154.1NAS-Port = 1234Called-Station-Id = 
"123456789"Calling-Station-Id = "987654321"NAS-Port-Type = 
AsyncUser-Password 
="<140><225>(<194><195>\<4><246><188>8<9><160><216>}x<153>"Fri 
Mar 16 09:47:36 2001: DEBUG: Handling request with Handler 'Realm='Fri Mar 
16 09:47:36 2001: DEBUG:  Deleting session for ujwol,203.63.154.1, 
1234Fri Mar 16 09:47:36 2001: DEBUG: Handling with Radius::AuthSQLFri 
Mar 16 09:47:36 2001: DEBUG: Handling with Radius::AuthSQLFri Mar 16 
09:47:36 2001: DEBUG: Query is: select PASSWORD fromSUBSCRIBERS where 
USERNAME="ujwol"Fri Mar 16 09:47:36 2001: DEBUG: Radius::AuthSQL looks 
for match withujwolFri Mar 16 09:47:37 2001: DEBUG: Radius::AuthSQL 
REJECT: Bad PasswordFri Mar 16 09:47:37 2001: DEBUG: Query is: select 
PASSWORD fromSUBSCRIBERS where USERNAME="DEFAULT"Fri Mar 16 09:47:37 
2001: INFO: Access rejected for ujwol: Bad PasswordFri Mar 16 09:47:37 2001: 
DEBUG: Packet dump:*** Sending to 127.0.0.1 port 1037 
Code:   Access-RejectIdentifier: 
212Authentic:  1234567890123456Attributes:Reply-Message = 
"Request Denied"Regards
Ujwol ManandharMercantile CommunicationsP.O.Box 876DurbarMarg 
Kathmandu, NepalTel : +977-1-240920Fax :+977-1-225407

  - Original Message - 
  From: 
  Hugh Irvine 

  To: Ujwol ; [EMAIL PROTECTED] 
  Cc: [EMAIL PROTECTED] 
  Sent: Friday, March 16, 2001 5:06 
AM
  Subject: Re: (RADIATOR) Authby Sql
  Hello Ujwol -Please say hello to everyone at MOS 
  for me, and please tell Sanjib that I am planning on coming to visit Nepal 
  in October this year.On Thursday 15 March 2001 23:21, Ujwol 
  wrote:> > Hi,> We're trying to 
  use Authby Sql, after converting linux 6.2 shadow> password file into 
  MSSQL table by buildsql. But the problem is, we couldn't> get the users 
  authenticated with this Linux MD5 password encryption. We get> bad 
  encrypted password result. But it works fine with Standard Unix crypt> 
  format. Here is the authby clause.>> > 
  Identifier  
  SQL> 
  DBSource    
  dbi:Sybase:RADIATOR> 
  DBUsername 
  abc> 
  DBAuth  
  pwd> 
  AuthSelect select PASSWORD from SUBSCRIBERS where 
  USERNAME=%0> 
  AuthColumnDef 0, Encrypted-Password, 
  check> 
  FailureBackoffTime  10> 
  The above will not work because you are not using a 
  Unix crypt password with the "Encrypted-Password" directive.As 
  long as the Linux MD5 password has the standard prefix ("$1$"), you should 
  just use the 
  following: 
  AuthColumnDef 0, User-Password, checkRadiator understands all the 
  standard prefixes for passwords.Have a look at section 13.1.1 in the 
  Radiator 2.18 reference manual.regardsHugh-- 
  Radiator: the most portable, flexible and configurable RADIUS server 
  anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS 
  X.-Nets: internetwork inventory and management - graphical, 
  extensible,flexible with hardware, software, platform and database 
  independence.===Archive at http://www.starport.net/~radiator/Announcements 
  on [EMAIL PROTECTED]To 
  unsubscribe, email '[EMAIL PROTECTED]' 
  with'unsubscribe radiator' in the body of the 
message.

Re: (RADIATOR) Authby Sql

[Hugh Irvine]

Hello Ujwol -

Please say hello to everyone at MOS for me, and please tell Sanjib that I am 
planning on coming to visit Nepal in October this year.

On Thursday 15 March 2001 23:21, Ujwol wrote:

> > Hi,
> We're trying to use Authby Sql, after converting linux 6.2 shadow
> password file into MSSQL table by buildsql. But the problem is, we couldn't
> get the users authenticated with this Linux MD5 password encryption. We get
> bad encrypted password result. But it works fine with Standard Unix crypt
> format. Here is the authby clause.
>
> 
> Identifier  SQL
> DBSourcedbi:Sybase:RADIATOR
> DBUsername abc
> DBAuth  pwd
> AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
> AuthColumnDef 0, Encrypted-Password, check
> FailureBackoffTime  10
> 

The above will not work because you are not using a Unix crypt password with 
the "Encrypted-Password" directive.

As long as the Linux MD5 password has the standard prefix ("$1$"), you should 
just use the following:

 AuthColumnDef 0, User-Password, check

Radiator understands all the standard prefixes for passwords.

Have a look at section 13.1.1 in the Radiator 2.18 reference manual.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) authby sql and changing passwords

[Hugh Irvine]

Hello Elliot -

On Monday 08 January 2001 10:34, Elliot Finley wrote:
> On Sun, 7 Jan 2001 12:05:24 +1100, Hugh Irvine wrote:
> >On Sunday 07 January 2001 06:09, Elliot Finley wrote:
> >> Hello fellow radiator users,
> >>  I'm in the process of consolidating 4 ISPs into one.  I'm setting
> >> up AuthBy SQL to handle this.  We don't have the passwords to all of
> >> the users, so I'm trying to set up the following.  If the user has a
> >> NULL password in the database, then they can get in using _any_
> >> password.  This should work according to TFM.  The thing that I want
> >> to do that I'm not sure how to do is; if they have a NULL password in
> >> the database, it'll let them in, then it will update the database with
> >> the password that they used.
> >
> >You will need to write a PreAuthHook to do this. There are some example
> > hooks in the Radiator 2.17.1 distribution in the file
> > "goodies/hooks.txt".
> >
> >>  If anyone knows how to do this using AuthBy SQL, I would
> >> appreciate a hint.  If this is not possible, I guess I'll be writing a
> >> new AuthBy module.
> >
> >No need for a complete AuthBy module - just a hook will do fine.
>
> I don't see a way inside of a PreAuthHook to use the existing database
> handle.  Do I need to re-connect to the database each time?

As mentioned previously, there is some example code in the file 
"goodies/hooks.txt", however here it is again:

.

# Get the Identifier for this Realm/Handler
my $identifier = Radius::Util::format_special('%{Handler:Identifier}', 
$p, $rp);
&main::log($main::LOG_DEBUG, "Using Identifier $identifier");
 
# Now find the AuthBy clause with the same Identifier
# and call its handle_request function.
# Set the correct reply code in the reply packet
# or if the AuthBy is not found set to Access-Reject.
my $authby;
if ($authby = Radius::AuthGeneric::find($identifier))
{
&main::log($main::LOG_DEBUG, "Found AuthBy with Identifier 
$identifier");  

$authby->.

.
   

This code is based on having the same Identifier in both the AuthBy clause 
and in the Realm or Handler (which allows you to use the same hook in 
multiple places in the configuration file).

It is used like this:

# configure AuthBy clause with Identifier


Identifier CheckSQL
.


# configure Realm(s) or Handler(s)


Identifier CheckSQL
PreAuthHook file:"%D/YourHook"
.



As shown in the hook code above, once you have the reference to the AuthBy 
($authby), you can use it to call any of the functions in AuthSQL.pm or any 
of the routines that it inherits.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) authby sql and changing passwords

[Hugh Irvine]

Hello Elliot -

Just for my records, who is the registered Radiator user that you are 
representing?

On Sunday 07 January 2001 06:09, Elliot Finley wrote:
> Hello fellow radiator users,
>  I'm in the process of consolidating 4 ISPs into one.  I'm setting
> up AuthBy SQL to handle this.  We don't have the passwords to all of
> the users, so I'm trying to set up the following.  If the user has a
> NULL password in the database, then they can get in using _any_
> password.  This should work according to TFM.  The thing that I want
> to do that I'm not sure how to do is; if they have a NULL password in
> the database, it'll let them in, then it will update the database with
> the password that they used.
>

You will need to write a PreAuthHook to do this. There are some example hooks 
in the Radiator 2.17.1 distribution in the file "goodies/hooks.txt".

>  If anyone knows how to do this using AuthBy SQL, I would
> appreciate a hint.  If this is not possible, I guess I'll be writing a
> new AuthBy module.
>

No need for a complete AuthBy module - just a hook will do fine.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL

[pavel]

Hi  Lachlan,

you can use PostAuthHook which allows you to do anything you wish with
reply, strip Framed-Ip-Address attribute for example.
hooks.txt file contains full information how to do it.

MM> --- Forwarded mail from [EMAIL PROTECTED]

MM> Date: Thu, 28 Dec 2000 17:40:13 +1100 (EST)
MM> From: [EMAIL PROTECTED]
MM> To: [EMAIL PROTECTED]
MM> Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from ["Lachlan
MM> Fletcher" <[EMAIL PROTECTED]>]

>>From mikem  Thu Dec 28 17:40:09 2000
MM> Received: by oscar.open.com.au (8.9.0/8.9.0) id RAA10847
MM> for [EMAIL PROTECTED]; Thu, 28 Dec 2000 17:40:09 +1100 (EST)
>>Received: from mail.ausisp.com (mail.ausisp.com [203.2.239.72]) by
MM> perki.connect.com.au with ESMTP id RAA07567
MM>   (8.8.8/IDA-1.7 for <[EMAIL PROTECTED]>); Thu, 28 Dec 2000 17:19:33 +1100
MM> (EST)
MM> Received: from mail.ausisp.com (mail.ausisp.com [203.2.239.72]) by
MM> perki.connect.com.au with ESMTP id RAA07567
MM>   (8.8.8/IDA-1.7 for <[EMAIL PROTECTED]>); Thu, 28 Dec 2000 17:19:33 +1100
MM> (EST)
MM> Received: from lfletcher (nm1.geko.net.au [203.2.239.20])
MM> by mail.ausisp.com (8.9.3/8.9.3) with SMTP id RAA25385
MM> for <[EMAIL PROTECTED]>; Thu, 28 Dec 2000 17:19:32 +1100 (EST)
MM> envelope-from <[EMAIL PROTECTED]>
MM> From: "Lachlan Fletcher" <[EMAIL PROTECTED]>
MM> To: <[EMAIL PROTECTED]>
MM> Subject: AuthBy SQL
MM> Date: Thu, 28 Dec 2000 17:21:30 +1100
MM> Message-ID: <[EMAIL PROTECTED]>
MM> MIME-Version: 1.0
MM> Content-Transfer-Encoding: 7bit
MM> X-Priority: 3 (Normal)
MM> X-MSMail-Priority: Normal
MM> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MM> In-Reply-To: 
MM> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
MM> Importance: Normal
MM> Content-Type: text/plain;
MM> charset="iso-8859-1"


MM> Hi,

MM> I was wondering if anyone may be able to help here.

MM> I want to use "AuthColumnDef" option with "AuthSelect" in "AuthBy SQL".

MM> My problem is with reply items. Some users need more reply items than
MM> others.

MM> For example, our permanent modem customers get given a single fixed IP
MM> address of their own, where our standard dial-up customers do not, and the
MM> NAS server assigns them one from it's own IP range.

MM> So, we have a field in our database call "IPADDRESS" and every customer has
MM> this field. Normally, the customer does not have an IP, and their field is
MM> NULL, however those with fixed IP's will have a value in this field.

MM> How can we tell radiator to send the reply item ONLY if the field is not
MM> null, and ignore it otherwise? Sending the reply item with no value just
MM> causes a dialup error.

MM> We have several other options like this that we have to use.

MM> Does anyone have any suggestions?



MM> Kind Regards,

MM> Lachlan.

>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
>> Behalf Of Hugh Irvine
>> Sent: Thursday, 28 December 2000 10:36
>> To: Bryn Wm. Moslow; [EMAIL PROTECTED]
>> Subject: Re: (RADIATOR) UNIX groups and NAS restrictions
>>
>>
>>
>> Hello Bryn -
>>
>> At 15:55 -0800 00/12/21, Bryn Wm. Moslow wrote:
>> >I could swear up and down that I once saw an example of this
>> either in the
>> >Radiator reference or the FAQ but I can no longer dig it up:
>> >
>> >I need to refuse logins on certain NAS's for explicit UNIX
>> groups. For the
>> >sake of precision I'll also describe it this way: I need to
>> allow users in
>> >certain UNIX groups to ONLY log in to certain NAS's. Either way works for
>> >me.
>> >
>> >I got the impression that this may be possible using
>> NAS-Address-Port-List
>> >in a creative way but I remember seeing a really simple, direct way of
>> >doing it. Suggestions or directional assistance?
>> >
>>
>> Probably the simplest way to do this is with an AuthBy FILE:
>>
>> # configuration to check NAS and UNIX groups
>>
>> 
>>   Identifier 
>>   .
>> 
>>
>> 
>>   Identifier CheckUnix
>>   .
>> 
>>
>> 
>>   Identifier CheckUsers
>>   Filename %D/users
>>   
>> 
>>
>> 
>>   
>>   AuthBy CheckUsers
>>   
>> 
>>
>>
>> And in the users file:
>>
>> # %D/users
>>
>> someuser  NAS-Identifier = , Auth-Type = CheckUnix, Group = .
>>
>> ..
>>
>>
>> If you have any questions please ask.
>>
>> hth
>>
>> Hugh
>>
>>
>>
>>
>>
>> --
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
>> Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
>>
>> ===
>> Archive at http://www.starport.net/~radiator/
>> Announcements on [EMAIL PROTECTED]
>> To unsubscribe, email '[EMAIL PROTECTED]' with
>> 'unsubscribe radiator' in the body of the message.
>>




MM> --

Re: (RADIATOR) AuthBy SQL

[Hugh Irvine]

Hello Lachlan -
>
> I was wondering if anyone may be able to help here.
>
> I want to use "AuthColumnDef" option with "AuthSelect" in "AuthBy SQL".
>
> My problem is with reply items. Some users need more reply items than
> others.
>
> For example, our permanent modem customers get given a single fixed IP
> address of their own, where our standard dial-up customers do not, and the
> NAS server assigns them one from it's own IP range.
>
> So, we have a field in our database call "IPADDRESS" and every customer has
> this field. Normally, the customer does not have an IP, and their field is
> NULL, however those with fixed IP's will have a value in this field.
>
> How can we tell radiator to send the reply item ONLY if the field is not
> null, and ignore it otherwise? Sending the reply item with no value just
> causes a dialup error.
>
> We have several other options like this that we have to use.
>
> Does anyone have any suggestions?
>

I would suggest you use an SQL field like "REPLYATTR" in which you put all 
for the reply items for each user in the form:

"Framed-IP-Address=x.x.x.x, Framed-IP-Netmask=y.y.y.y, ."

and use the following AuthAttrDef:

AuthColumnDef n, GENERIC, reply

Where "n" is the position descriptor for the AuthSelect.

Have a look at section 6.26.7 in the Radiator 2.17.1 reference manual.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL doesn't work ?

[Hugh Irvine]

Salut Gildas -

On Sat, 09 Sep 2000, Gildas PERROT wrote:
> Hi,
> 
> I have a problem with that authentification.
> 
> Here is my configuration :
> 
> Foreground
> Trace 4
> AuthPort1645
> AcctPort1646
> LogDir  /var/log/radiator
> DbDir   /usr/local/etc/radiator
> LogFile %L//%Y%m/radiator-%Y%m%d
> DictionaryFile  %D/dictionary
> PidFile /tmp/radiator.pid
> 
> 
> Secret  fxwap
> FramedGroupBaseAddress 10.69.1.30
> 
> 
> 
> AcctLogFileName %L/%Y%m/6642account-%Y%m%d
> 
> DBSource dbi:mysql:radius
> DBUsername *
> DBAuth **
> 
> 
> 
> and the log file says :
> 
> Fri Sep  8 16:05:17 2000: DEBUG: Packet dump:
> *** Received from 10.69.1.1 port 1645 
> 
> Code:   Access-Request
> Identifier: 164
> Authentic:  <155>1<29><187>I<135><252><7><192>F<129><134>]<159><16>I
> Attributes:
> NAS-IP-Address = 10.69.1.1
> NAS-Port = 43
> NAS-Port-Type = Async
> User-Name = "fluxus"
> Called-Station-Id = "6642"
> Calling-Station-Id = "672085196"
> CHAP-Password =
> "<3><189><1><235>Vm#<238>J<204><242><180>@<0><=<203>"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> 
> Fri Sep  8 16:05:17 2000: DEBUG: Check if Handler Called-Station-Id = 6642
> should be used to handle this request
> Fri Sep  8 16:05:17 2000: DEBUG: Handling request with Handler
> 'Called-Station-Id = 6642'
> Fri Sep  8 16:05:17 2000: DEBUG: Deleting session for fluxus, 10.69.1.1, 43
> Fri Sep  8 16:05:17 2000: DEBUG: Handling with Radius::AuthSQL
> Fri Sep  8 16:05:17 2000: DEBUG: Handling with Radius::AuthSQL
> Fri Sep  8 16:05:17 2000: DEBUG: Query is: select PASSWORD from SUBSCRIBERS
> where USERNAME='fluxus'
> 
> Fri Sep  8 16:05:17 2000: DEBUG: Radius::AuthSQL looks for match with fluxus
> Fri Sep  8 16:05:17 2000: DEBUG: Radius::AuthSQL ACCEPT:
> Fri Sep  8 16:05:17 2000: DEBUG: Access accepted for fluxus
> Fri Sep  8 16:05:17 2000: DEBUG: Packet dump:
> *** Sending to 10.69.1.1 port 1645 
> Code:   Access-Accept
> Identifier: 164
> Authentic:  <155>1<29><187>I<135><252><7><192>F<129><134>]<159><16>I
> Attributes:
> 
> In the mySQL SUBSCRIBERS, I have :
> 
> mysql> select * from SUBSCRIBERS
> -> ;
> +--+--+---++
> 
> --+
> | USERNAME | PASSWORD | ENCRYPTEDPASSWORD | CHECKATTR  |
> REPLYATTR
> |
> +--+--+---++
> 
> --+
> | mikem| fred | 1xMKc0GIVUNbE | Service-Type = Framed-User |
> Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair =
> "testing testing" |
> | fluxus   | fred | 1xMKc0GIVUNbE | Service-Type = Framed-User |
> Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.0,Framed-Group=0
> |
> +--+--+---++
> 
> --+
> 
> The Reply attibutes should be OK since that worked if defined in a flat
> file.
> 
> Any idea about that problem ?
> 

Please have a look at section 6.26 in the reference manual to find out about
all the options available with AuthBy SQL.

In this case, you are seeing the default behaviour, and if you want to include
check item and reply item handling you will have to change the AuthSelect and
AuthColumnDef parameters to suit. You can find the details in Example 2 in
section 6.26.7 of the Radiator 2.16.3 manual.

Note that you will also have to make some changes for SQL accounting.

> Other questions :
> 
> - is the accounting table RADUSAGE%Y%m%d created automatically ? I want to
> use daily accounting table since I need to do daily statistics. Is it a good
> idea in terms of SQL database behaviour to have one table per day ?

The SQL tables are not created automatically. And keeping the table sizes
relatively small is a good idea - you could also consider weekly or monthly.

> - how could i get the number of max simultaneous PPP sessions per user and
> for all users with SQL accounting ?

You will need to create SQL queries to post-process your accounting logs.

> - how could i get the number of sessions per user in radacct.cgi ?

You will see the session details, but radaact.cgi is not a reporting tool.

> - how could I export the table of radacct.cgi to CVS table to be emailed ?

You will need to create an external SQL report (or use something like Crystal
Reports).

> - I would like to find a simple Web interface to the administration of
> SUBSCRIBERS table (Freeside administration is too complicate). Does anyone
> know one ?
> 

You could have a look at our RAdmin product for use

Re: (RADIATOR) AuthBy SQL question

[Hugh Irvine]

Hello Froilan -

On Sat, 10 Jun 2000, Froilan Mendoza wrote:
> Hello Hugh,
> 
> Thanks for responding ...
> 
> On Sat, 10 Jun 2000, Hugh Irvine wrote:
> 
> > I notice that your Postgress table definitions are in lower case, and your
> > AuthSelect is in upper case. Is this correct? 
> 
> Postgres is not case-sensitive.  
> 
> radiator=> select PASSWORD from SUBSCRIBERS where USERNAME = 'mikem';
> password
> 
> fred
> (1 row)
> 
> 
> > Also, if you want to use the
> > "checkattr" and "replyattr" fields, you will need to modify your AuthSelect
> > statement together with the corresponding AuthColumnDef's.
> 
> Of course.  Only I would like to do the most simple auth method first
> before complicating things for me :)
> 
> 
> > And does the inbound test packet in fact contain a password of "fred"?
> 
> Of course.  I even tried NULLING the password in the postgres database (as
> it said in the docs that if the password is NULL, it would accept ANY
> password), to no avail.
>  
> > You might try something like this:
> > 
> >  
> > RewriteUsername s/^([^@]+).*/$1/
> > 
> > DBSourcedbi:Pg:dbname=radiator
> > DBUsername  postgres  
> > DBAuth  MYPOSTGRESPASSWORD
> > 
> > AuthSelect  select password from subscribers where \
> > username='%n'
> > AuthColumnDef   0, User-Password, check
> > 
> > AccountingTable accounting
> > AcctColumnDef   USERNAME,User-Name
> > AcctColumnDef   TIME_STAMP,Timestamp,integer
> > AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
> > AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> > AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> > AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
> > AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
> > AcctColumnDef   NASIDENTIFIER,NAS-Identifier
> > AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
> > AcctColumnDef   NASPORT,NAS-Port,integer
> > AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> > 
> > 
> > 
> > 
> > 
> > If the field names are indeed case-sensitive, you will have to change the
> > AcctColumnDef's as well.
> 
> 
> I did, however, still tried your config above, changing the case of the
> letters.  I still get this:
> 
> Sat Jun 10 10:44:37 2000: DEBUG: Handling request with Handler
> 'Realm=testroy'
> Sat Jun 10 10:44:37 2000: DEBUG: Rewrote user name to mikem
> Sat Jun 10 10:44:37 2000: DEBUG: Deleting session for mikem@testroy,
> 208.155.152.42, 1025
> Sat Jun 10 10:44:37 2000: DEBUG: Handling with Radius::AuthSQL
> Sat Jun 10 10:44:37 2000: DEBUG: Handling with Radius::AuthSQL
> Sat Jun 10 10:44:37 2000: DEBUG: Query is: select password from
> subscribers where username='mikem'
> 
> Sat Jun 10 10:44:37 2000: DEBUG: Radius::AuthSQL looks for match with
> mikem
> Sat Jun 10 10:44:37 2000: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Sat Jun 10 10:44:37 2000: DEBUG: Query is: select password from
> subscribers where username='DEFAULT'
> 
> Sat Jun 10 10:44:37 2000: INFO: Access rejected for mikem: Bad Password
> Sat Jun 10 10:44:37 2000: DEBUG: Packet dump:
> *** Sending to 208.155.152.42 port 1645 
> 
> 
> Additional question -- Why do I get Query is: select password from
> subscribers where username='DEFAULT'.  This might be the cause ...
> 

Well, the only other thing I can think of is that you are getting the encrypted
password instead of the plaintext password for some reason. You could try:

> > AuthSelect  select password from subscribers where \
> > username='%n'
> > AuthColumnDef   0, Encrypted-Password, check

Just to see what happens.

Radiator will always look for a DEFAULT user unless you disable that feature.

regards

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL question

[Froilan Mendoza]

Hello Hugh,

Thanks for responding ...

On Sat, 10 Jun 2000, Hugh Irvine wrote:

> I notice that your Postgress table definitions are in lower case, and your
> AuthSelect is in upper case. Is this correct? 

Postgres is not case-sensitive.  

radiator=> select PASSWORD from SUBSCRIBERS where USERNAME = 'mikem';
password

fred
(1 row)


> Also, if you want to use the
> "checkattr" and "replyattr" fields, you will need to modify your AuthSelect
> statement together with the corresponding AuthColumnDef's.

Of course.  Only I would like to do the most simple auth method first
before complicating things for me :)


> And does the inbound test packet in fact contain a password of "fred"?

Of course.  I even tried NULLING the password in the postgres database (as
it said in the docs that if the password is NULL, it would accept ANY
password), to no avail.
 
> You might try something like this:
> 
>  
>   RewriteUsername s/^([^@]+).*/$1/
>   
>   DBSourcedbi:Pg:dbname=radiator
>   DBUsername  postgres  
>   DBAuth  MYPOSTGRESPASSWORD
> 
>   AuthSelect  select password from subscribers where \
>   username='%n'
>   AuthColumnDef   0, User-Password, check
> 
>   AccountingTable accounting
>   AcctColumnDef   USERNAME,User-Name
>   AcctColumnDef   TIME_STAMP,Timestamp,integer
>   AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>   AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>   AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>   AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>   AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>   AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>   AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>   AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>   AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>   AcctColumnDef   NASPORT,NAS-Port,integer
>   AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> 
>   
> 
> 
> 
> If the field names are indeed case-sensitive, you will have to change the
> AcctColumnDef's as well.


I did, however, still tried your config above, changing the case of the
letters.  I still get this:

Sat Jun 10 10:44:37 2000: DEBUG: Handling request with Handler
'Realm=testroy'
Sat Jun 10 10:44:37 2000: DEBUG: Rewrote user name to mikem
Sat Jun 10 10:44:37 2000: DEBUG: Deleting session for mikem@testroy,
208.155.152.42, 1025
Sat Jun 10 10:44:37 2000: DEBUG: Handling with Radius::AuthSQL
Sat Jun 10 10:44:37 2000: DEBUG: Handling with Radius::AuthSQL
Sat Jun 10 10:44:37 2000: DEBUG: Query is: select password from
subscribers where username='mikem'

Sat Jun 10 10:44:37 2000: DEBUG: Radius::AuthSQL looks for match with
mikem
Sat Jun 10 10:44:37 2000: DEBUG: Radius::AuthSQL REJECT: Bad Password
Sat Jun 10 10:44:37 2000: DEBUG: Query is: select password from
subscribers where username='DEFAULT'

Sat Jun 10 10:44:37 2000: INFO: Access rejected for mikem: Bad Password
Sat Jun 10 10:44:37 2000: DEBUG: Packet dump:
*** Sending to 208.155.152.42 port 1645 


Additional question -- Why do I get Query is: select password from
subscribers where username='DEFAULT'.  This might be the cause ...

Hoping for your continued support ... Thanks.


Sincerely, 

Froilan C. Mendoza  
Manager - Systems Management
Tridel Technologies, Inc.
http://www.tridel.net



===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL question

[Hugh Irvine]

Hello Froilan -

On Fri, 09 Jun 2000, Froilan Mendoza wrote:
> Hello.
> 
> I am curious with AuthBy SQL and decided to try it out.  After a few
> tries, however, I can't get logged in, using the most basic AuthSelect and
> the tables/data contained in goodies/postgresCreate.sql.  I get this
> error complaining about incorrect password:
> 
> 
> Fri Jun  9 20:42:02 2000: DEBUG: Handling request with Handler
> 'Realm=testroy'
> Fri Jun  9 20:42:02 2000: DEBUG: Rewrote user name to mikem
> Fri Jun  9 20:42:02 2000: DEBUG: Deleting session for mikem@testroy,
> 208.155.152.42, 1025
> Fri Jun  9 20:42:02 2000: DEBUG: Handling with Radius::AuthSQL
> Fri Jun  9 20:42:02 2000: DEBUG: Handling with Radius::AuthSQL
> Fri Jun  9 20:42:02 2000: DEBUG: Query is: select PASSWORD from
> SUBSCRIBERS where USERNAME='mikem'
> 
> Fri Jun  9 20:42:02 2000: DEBUG: Radius::AuthSQL looks for match with
> mikem
> Fri Jun  9 20:42:02 2000: DEBUG: Radius::AuthSQL REJECT: Bad Password
> Fri Jun  9 20:42:02 2000: DEBUG: Query is: select PASSWORD from
> SUBSCRIBERS where USERNAME='DEFAULT'
> 
> 
> Here's my AuthBy SQL config:
> 
> 
> RewriteUsername s/^([^@]+).*/$1/
> 
> DBSourcedbi:Pg:dbname=radiator
> DBUsername  postgres  
> DBAuth  MYPOSTGRESPASSWORD
> AccountingTable accounting
> AuthSelect  select PASSWORD from SUBSCRIBERS where
> USERNAME='%n'
> AuthColumnDef   0, User-Password, check
>AcctColumnDef   USERNAME,User-Name
>AcctColumnDef   TIME_STAMP,Timestamp,integer
>AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>AcctColumnDef   NASPORT,NAS-Port,integer
>AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> 
> 
> 
> 
> 
> My subscribers table (from the goodies directory):
> 
> radiator=> select * from subscribers;
> username|password|encryptedpassword|checkattr |replyattr 
>  
> 
>++-+--+
> mikem   |fred|1xMKc0GIVUNbE|Service-Type = Framed-User|Framed-Protocol = 
>PPP,Framed-IP-Netmask = 255.255.255.0,cisco-avpair = "testing testing" (1 row)
> 
> 
> What am I missing?
> 

I notice that your Postgress table definitions are in lower case, and your
AuthSelect is in upper case. Is this correct? Also, if you want to use the
"checkattr" and "replyattr" fields, you will need to modify your AuthSelect
statement together with the corresponding AuthColumnDef's.

And does the inbound test packet in fact contain a password of "fred"?

You might try something like this:

 
RewriteUsername s/^([^@]+).*/$1/

DBSourcedbi:Pg:dbname=radiator
DBUsername  postgres  
DBAuth  MYPOSTGRESPASSWORD

AuthSelect  select password from subscribers where \
username='%n'
AuthColumnDef   0, User-Password, check

AccountingTable accounting
AcctColumnDef   USERNAME,User-Name
AcctColumnDef   TIME_STAMP,Timestamp,integer
AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef   NASIDENTIFIER,NAS-Identifier
AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
AcctColumnDef   NASPORT,NAS-Port,integer
AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address





If the field names are indeed case-sensitive, you will have to change the
AcctColumnDef's as well.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, 

Re: (RADIATOR) AuthBY SQL, performance tuning, and system load.

[Mike McCauley]

On Sep 23, 11:34am, tom minchin wrote:
> Subject: Re: (RADIATOR) AuthBY SQL, performance tuning, and system load.
> On Wed, Sep 22, 1999 at 04:42:33PM -0600, Bill wrote:
> >
> > I'm running 2.14 on a Sun Sparc20 that normally has a load between 2 and 3,
> > AuthBy SQL'ing from a seperate machine who's load is usually less
> > than 0.5.  I've been doing some primative stress testing with
> > radpwtest and requests start timing out at about 6-9 requests per
> > second (2-3 sets of auth/start/stop).
> >
> > Fwiw, merit radius kept up with ~20+ request per second.
> >
>
> Was Merit using SQL as well?
>
> One option is to run multiple Radiators on different ports (or same ports
> and multiple interfaces).
>
> However, perl will not be as fast as C - you have to pay for flexibility at
> some stage.

Fair comment, but I would seriously expect to get much better performance than
6-9 per sec on a Sun 20.

Bill, check out the performance tips in the reference manual. Make sure you are
not actually measuring the performance of radpwtst, rather than Radiator (ie
run radpwtst on another, faster host).

I suspect that the most common cause poor performance when authenticating from
SQL is due to incorrect table design, especially with respect to indexes. A
large subscribers table without an index, or a large accounting table with a
too-restrictive index will slow the SQL queries down by orders of magnitude.

I would have a close look at that and see if its not your SQL query performance
thats the rate-determining step.

A look at a radiator log file at trace level 4 while you are hammering it will
help to spot where the holdup is.

Cheers.




-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, 
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBY SQL, performance tuning, and system load.

[John Coy]

I've got Radiator running on two Sun Netra T1125s (ultra 300Mhz processors)
using AuthBy File and a Unix-style password file.
Radiator takes a *minimal* system load and handled hundreds
of requests per second (I've got over 60 terminal servers distributed
across two Radiator servers on two different machines).  

You're probably being bogged down by the SQL overhead -- the Perl
DBD/DBI interface isn't the fastest piece of code.  Is it possible for you
to convert to a Unix style file?  The reason I mention it is that 
Radiator caches the UNIX file in memory, meaning it can quickly 
retrieve information and reply to queries.

I know it's a stretch to move from SQL to a flat file... but if
performance is what you're after, that's the way to go.

John

At 11:34 AM 9/23/99 +1000, tom minchin wrote:
>On Wed, Sep 22, 1999 at 04:42:33PM -0600, Bill wrote:
>> 
>> I'm running 2.14 on a Sun Sparc20 that normally has a load between 2 and 3,
>> AuthBy SQL'ing from a seperate machine who's load is usually less
>> than 0.5.  I've been doing some primative stress testing with 
>> radpwtest and requests start timing out at about 6-9 requests per
>> second (2-3 sets of auth/start/stop).
>> 
>> Fwiw, merit radius kept up with ~20+ request per second.
>> 
>
>Was Merit using SQL as well?
>
>One option is to run multiple Radiators on different ports (or same ports
>and multiple interfaces).
>
>However, perl will not be as fast as C - you have to pay for flexibility at
>some stage.
>
>[EMAIL PROTECTED]
>
>===
>Archive at http://www.thesite.com.au/~radiator/
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBY SQL, performance tuning, and system load.

[tom minchin]

On Wed, Sep 22, 1999 at 04:42:33PM -0600, Bill wrote:
> 
> I'm running 2.14 on a Sun Sparc20 that normally has a load between 2 and 3,
> AuthBy SQL'ing from a seperate machine who's load is usually less
> than 0.5.  I've been doing some primative stress testing with 
> radpwtest and requests start timing out at about 6-9 requests per
> second (2-3 sets of auth/start/stop).
> 
> Fwiw, merit radius kept up with ~20+ request per second.
> 

Was Merit using SQL as well?

One option is to run multiple Radiators on different ports (or same ports
and multiple interfaces).

However, perl will not be as fast as C - you have to pay for flexibility at
some stage.

[EMAIL PROTECTED]

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL Accting Tables. (fwd)

[O Stockhammer]

Hugh, here are the ACCOUNTING logs for two identical logins and the
corresponding (by timestamp) RADLOG entries.  One successfully updated and
one did not.  There were no error logs corresponding in the text logfile.
My only guess is that perhaps mysql failed to input the entry, although
there is not any sign of that either.

The PreAuthHook directive worked quite well, and is serving us quite well.
We will be using that solution.  Thanks for your help.

Cheers-
Oliver

On Fri, 13 Aug 1999, Hugh Irvine wrote:

> 
> Hi Oliver -
> 
> On Fri, 13 Aug 1999, O Stockhammer wrote:
> > Hugh,
> > Is there anyway to actually have Radiator append info to the
> > incoming data, so that it only uses on query per request?  
> > I have created an AcctSQLStatement, but it seems because it is an
> > additional query that it doesn't update the row of data in mysql every 
> > time (It misses a few Acct submissions here and there).  Here is what I am
> > using:
> > 
> > AcctSQLStatementUpdate ACCOUNTING set ORIGIN ='Auth-2:
> > local' where TIME_STAMP = %{Timestamp} and NAS_IDENTIFIER = '%N' and
> > NAS_PORT= '%{NAS-Port}'
> > 
> > The purpose of the query is to ID the realm and radiator server
> > which is doing the Authentication(The value of ORIGIN changes for each
> > Realm) . It there anyway to have radiator include this data in the
> > original ACCTING queries, so that it is all in one, so to speak?  Perhaps
> > there is an easy way to modify AcctColumnDef to have a fourth field which
> > is the actual value for the column.
> > 
> 
> Hmmm. I am perplexed to imagine how your configuration could miss any updates,
> given that the insert and the update are executed sequentially with the same
> packet. It would be most enlightening to see a debug at trace level 4 to see
> what is going on.
> 
> But to answer your question, yes you can set up a PreAuthHook to insert a
> pseudo-attribute into the packet and you can even use the special formatting
> character "%h" to set it to the Radiator hostname. Then you can use the
> standard AcctColumnDef to insert the value directly into the original
> accounting record. This is probably a better solution in any case.
> 
> There is an example PreAuthHook in Section 6.13.10 of the Radiator 2.14.1
> reference manual.
> 
> hth
> 
> Hugh
> 
>  --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody
> 


  kaligula  934495962  Aug 12, 1999 18:12  Start  1.2.34.5  1234   Auth-2: 
@inch.com  
  kaligula  934495962  Aug 12, 1999 18:12   Stop  1.2.34.5  1234
  kaligula  934495972  Aug 12, 1999 18:12  Start  1.2.34.5  1234
  kaligula  934495973  Aug 12, 1999 18:12   Stop  1.2.34.5  1234


934495962  4  Handling request with Handler 'Realm=inch.com'  
934495962  4   Rewrote user name to kaligula  
934495962  4   Handling with Radius::AuthSQL  
934495962  4  Handling with Radius::AuthFILE  
934495962  4  Radius::AuthFILE looks for match with kaligula  
934495962  4  Handling with Radius::AuthUNIX  
934495962  4  Radius::AuthUNIX looks for match with kaligula  
934495962  4Radius::AuthUNIX ACCEPT:  
934495962  4Radius::AuthFILE ACCEPT:  
934495962  4Access accepted for kaligula  
934495962  4  Handling request with Handler 'Realm=inch.com'  
934495962  4   Rewrote user name to kaligula  
934495962  4   Handling with Radius::AuthSQL  
934495962  4Handling accounting with Radius::AuthSQL  
934495962  4  do query is: Update ACCOUNTING set ORIGIN = 'Auth-2: @inch.com' where 
TIME_STAMP = 934495962 and NAS_IDENTIFIER = '1.2.34.5' and NAS_PORT= '1234'
  
934495962  4  do query is: insert into ACCOUNTING
(USERNAME, NAS_PORT_TYPE, SERVICE_TYPE, ACCTSTATUSTYPE, 
NAS_IDENTIFIER, NAS_PORT, ACTUAL_TIME, CLIENT_ID, ACCTSESSIONID, TIME_STAMP) 
values 
('kaligula', 'As  
934495962  4 Adding session for kaligula, 1.2.34.5, 1234  
934495962  4  do query is: delete from RADONLINE where USERNAME='kaligula' and 
NAS_IDENTIFIER='1.2.34.5' and NAS_PORT=1234
  
934495962  4  do query is: insert into RADONLINE (USERNAME, NAS_IDENTIFIER, NAS_PORT, 
ACCTSESSIONID, TIME_STAMP, FRAMED_IP_ADDRESS, NAS_PORT_TYPE, 
SERVICE_TYPE,USR_MODULATION_TYPE ,USR_CONNECT_SPEED) values ('kalig  
934495962  4 Accounting accepted  
934495962  4  Handling request with Handler 'Realm=inch.com'  
934495962  4   Rewrote user name to kaligula  



934495973  4 
Handling request with Handler 'Realm='  
934495973  4 

Re: (RADIATOR) AuthBy SQL Accting Tables.

[Hugh Irvine]

Hi Oliver -

On Fri, 13 Aug 1999, O Stockhammer wrote:
> Hugh,
>   Is there anyway to actually have Radiator append info to the
> incoming data, so that it only uses on query per request?  
>   I have created an AcctSQLStatement, but it seems because it is an
> additional query that it doesn't update the row of data in mysql every 
> time (It misses a few Acct submissions here and there).  Here is what I am
> using:
> 
> AcctSQLStatementUpdate ACCOUNTING set ORIGIN ='Auth-2:
> local' where TIME_STAMP = %{Timestamp} and NAS_IDENTIFIER = '%N' and
> NAS_PORT= '%{NAS-Port}'
> 
>   The purpose of the query is to ID the realm and radiator server
> which is doing the Authentication(The value of ORIGIN changes for each
> Realm) . It there anyway to have radiator include this data in the
> original ACCTING queries, so that it is all in one, so to speak?  Perhaps
> there is an easy way to modify AcctColumnDef to have a fourth field which
> is the actual value for the column.
> 

Hmmm. I am perplexed to imagine how your configuration could miss any updates,
given that the insert and the update are executed sequentially with the same
packet. It would be most enlightening to see a debug at trace level 4 to see
what is going on.

But to answer your question, yes you can set up a PreAuthHook to insert a
pseudo-attribute into the packet and you can even use the special formatting
character "%h" to set it to the Radiator hostname. Then you can use the
standard AcctColumnDef to insert the value directly into the original
accounting record. This is probably a better solution in any case.

There is an example PreAuthHook in Section 6.13.10 of the Radiator 2.14.1
reference manual.

hth

Hugh

 --
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL Accting Tables.

[O Stockhammer]

Hugh,
Is there anyway to actually have Radiator append info to the
incoming data, so that it only uses on query per request?  
I have created an AcctSQLStatement, but it seems because it is an
additional query that it doesn't update the row of data in mysql every 
time (It misses a few Acct submissions here and there).  Here is what I am
using:

AcctSQLStatementUpdate ACCOUNTING set ORIGIN ='Auth-2:
local' where TIME_STAMP = %{Timestamp} and NAS_IDENTIFIER = '%N' and
NAS_PORT= '%{NAS-Port}'

The purpose of the query is to ID the realm and radiator server
which is doing the Authentication(The value of ORIGIN changes for each
Realm) . It there anyway to have radiator include this data in the
original ACCTING queries, so that it is all in one, so to speak?  Perhaps
there is an easy way to modify AcctColumnDef to have a fourth field which
is the actual value for the column.

Thanks,
Oliver Stockhammer
Sys Admin
Internet Channel

On Thu, 12 Aug 1999, Hugh Irvine wrote:

> 
> Hello Oliver -
> 
> On Thu, 12 Aug 1999, O Stockhammer wrote:
> > Hi,
> > We were wondering if the AuthBy SQL accting tables and
> > "AcctColumnDef" specifically can be configured to send a line of text
> > specified in the radius.cfg file.
> > Because we have a backup server and a main auth server, we want to
> > set up radiator to send an additional accting line which specifies which
> > radius the request came through.  We will be using a centralized db for
> > all the accting info and so it is important that we can tell which
> > radiator the requests are coming from.  Is there any directive that will
> > do this?
> 
> Yes there is. 
> 
> Have a look at AcctSQLStatement (Section 6.24.11 in the Radiator
> 2.14.1 reference manual). AcctSQLStatement allows you to define one or more
> SQL statements to be executed for every accounting request, so you should be
> able to do what you require.
> 
> > Also, we will need to get a second license from you folks for the
> > backup radiator server.  
> > 
> 
> I've asked Joanne to take care of this.
> 
> cheers
> 
> Hugh
> 
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
> NT, Rhapsody
> 


===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) AuthBy SQL Accting Tables.

[Hugh Irvine]

Hello Oliver -

On Thu, 12 Aug 1999, O Stockhammer wrote:
> Hi,
>   We were wondering if the AuthBy SQL accting tables and
> "AcctColumnDef" specifically can be configured to send a line of text
> specified in the radius.cfg file.
>   Because we have a backup server and a main auth server, we want to
> set up radiator to send an additional accting line which specifies which
> radius the request came through.  We will be using a centralized db for
> all the accting info and so it is important that we can tell which
> radiator the requests are coming from.  Is there any directive that will
> do this?

Yes there is. 

Have a look at AcctSQLStatement (Section 6.24.11 in the Radiator
2.14.1 reference manual). AcctSQLStatement allows you to define one or more
SQL statements to be executed for every accounting request, so you should be
able to do what you require.

>   Also, we will need to get a second license from you folks for the
> backup radiator server.  
> 

I've asked Joanne to take care of this.

cheers

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Re: (RADIATOR) Authby SQL

[Hugh Irvine]

On Sat, 31 Jul 1999, Josh Bressers wrote:
> I remeber posting a while back about sending only logging to another
> radius server.  Right now the problem I have is I need to have an sql
> database only log.  The problem I'm running into then is that the sql
> database entry will deny every time since I don't have any passwords in
> it.  The reason this is so screwy is that I have two files that are
> searched for various bits of information, so I need it to
> ContinueUntilReject, which fails miserably when it hits mysql.  Anyone
> have any ideas?
> 

>From the FAQ at http://www.open.com.au/radiator/faq.html#42.

Use something like this: 

   
   AuthByPolicy ContinueAlways
   
   DBSourcedbi:???
   DBUsername  userfordb1
   DBAuth  authfordb1
   # an empty AuthSelect turns off auth
   AuthSelect

   AccountingTable whatever
   etc, etc, etc.
   
   
   DBSourcedbi:???
   DBUsername  userfordb2
   DBAuth  authfordb2
   # an empty AccountingTable turns off accounting
   
   


hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.