(RADIATOR) Release 2.13 now available

1999-02-17 Thread Mike McCauley

We are pleased to announce that Radiator 2.13 is now available.

2.13 includes lots of new features and some bug fixes. Below is an extract from
the history file. (If you think you have seen this before, look again, because
there have been some additions since 2.13beta)

Existing customers and current testers can download the new version
from http://www.open.com.au/radiator/downloads/Radiator-2.13.tar.gz

From the history file:

Revision 2.13 (17/2/99) Lots of new features, some bug fixes.

Added SNMP Agent. Now supports SNMP V1 requests as per
draft-ietf-radius-servmib-04.txt. That means that you can get
various types of server statistics, and even reset the server using
SNMP. You might want to use MRTG or similar for monitoring your
server.

Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a
mature NT/MS-SQL based billing system with a Java/web GUI.

Added new configurable and subclassable logging modules: Log
FILE, Log SYSLOG and Log SQL. You can now log to any and all
places at the same time, plus easily add your own logging modules.

Simultaneous use check with finger for Portslave, Ascend, Shiva or
Computone now defaults to using an internal perl finger client. You
can still force it to use an external finger program by specifying
FingerProg in the config file. The internal client improves portability
to NT, and will improve performance, since it avoids the cost of
starting an external program.

Rationalised reporting and logging of rejections:
Auth*::handle_request now also returns a reason message, which
can optionally be replied to the user with the new Handler keyword
RejectHasReason.

All AuthBy modules now do their logging through a virtual log()
function in AuthGeneric, which allows you to override with your own
AuthBy specific error logging function. Suggested by Andrea Campi
([EMAIL PROTECTED]). Thanks Andrea.

Added AuthTACACSPLUS to authenticate from Tacacs Plus server.
Requires Authen::TacacsPlus module from CPAN. We used the
version in TacacsPlus-0.15.tar.gz. If it's not on CPAN, it's available
from the author here.

Status-Server message now returns all server and per-client
statistics.

AuthBy NT can now authenticate from an NT domain controller, even
when Radiator is running on Unix. Requires the Authen::Smb package
from CPAN.

Testing with Security Dynamics ACE/Server Radius (also known as
SecurID). Their radius server is very limited, but Radiator can proxy
to it fine, and handles the Access-Challenges that are used to set
and change PINs etc.

Testing with Freeside, a free Unix based ISP billing package.
Example freeside.cfg created.

Forgot to mention previously the addition of several hooks that allow
you to get control with your own perl code during authentication:
PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.

Changed the default Framed-IP-Address in radpwtst.

Fixed problem with cached attributes that meant that when a
username was rewritten, it was not actually changed in the packet,
which made the detail file log incorrectly.

Added "delete session" link to radwho.cgi so that bogus sessions
can be manually deleted.

Added AuthBy GROUP, which allows authentication clauses to be
bundled and grouped to any depth. It's intended for experimenters and
early adopters. It only understands AuthByPolicy, StripFromReply,
AddToReply, DefaultReply so far. Feedback is solicited.

Fixed some bugs in radpwtst -gui mode that caused locked
windows, false timeouts etc. Now works with Perl 5.005 and
Tk800.011 on Unix. Still doesn't work on Win95 (looks like Tk file
handlers are still not right on Win95).

Fixed problems with wtmp format on Linux that prevented who and
last from working.

Created mysqlCreate.sql which correctly builds indexes for mysql.

Added indexes to all SQL scripts in goodies

Can now define AuthBy clauses at the top level, and refer to them
and reuse them with the AuthBy parameter. Good for reusing
complicated SQL database definitions (and reducing the number of
SQL licenses required). From a suggestion by Stephen Roderick
([EMAIL PROTECTED]). Thanks Steve.

Added support for binary data type in dictionaries. Especially for use
in Proxy-State which can otherwise get trailing NULs stripped off.

radwho.cgi now shows the total number of users online, and
optionally presents a hotlink to force a user off a NAS, by calling an
external program you specify (not supplied).

Added NoForwardAuthentication and NoForwardAccounting to
AuthBy RADIUS. From patches supplied by Vincent Gillet
([EMAIL PROTECTED]). Thanks Vincent.

Makefile.PL can now do installation on Win95 hosts. No need to use
make any more on Win95 (many people don't have it).

Added LocalAddress to AuthRADIUS, which forces the proxy
forwarding port to bind to a particular address. Defaults to the same
as BindAddress. Useful for multi-homed hosts. Patch supplied by
Lars Marowsky-Brée ([EMAIL PROTECTED]). Thanks Lars.

Improved performance of all Hooks by precompiling the code. From a
suggestion by

(RADIATOR) PM3 Dictionary

1999-02-17 Thread admin

I'm getting this in my trace4 output from my PM3s.  The attribute is 
not defined in the dictionary.livingston that I can find.  What do I 
need to add to my dictionary to get it to be quiet?

Thanks,
John Kicklighter
Internet 2xtreme

ERR: Attribute number 2 (vendor 307) is not defined

Code:   Accounting-Request
Identifier: 36
Authentic:  
H{E+<202><156><173><138><10><213><173><150>ZD;<201>
Attributes:
Acct-Session-Id = "0362"
User-Name = "myuser
Client-Id = 555.555.555.555
NAS-Port = 8
NAS-Port-Type = Async
Acct-Status-Type = Stop
Acct-Session-Time = 1  
Acct-Authentic = RADIUS
Connect-Info = "49333 LAPM/V42BIS"
Acct-Input-Octets = 10
Acct-Output-Octets = 8
Acct-Terminate-Cause = ACCT_TERM_USER_REQUEST
User-Service = Framed-User
Framed-Protocol = PPP
Framed-Address = 666.666.666.666
Acct-Delay-Time = 0



===
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) PM3 Dictionary

1999-02-17 Thread Mike McCauley

Well, we have this in a newer dictionary:

# Vendor-specific attributes for Livingston
VENDORATTR  307 Livingston2   string

But just what it means I don't know. Anyone else?





-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody



Re: (RADIATOR) PM3 Dictionary

1999-02-17 Thread admin

I put that in and I get:

Livingston = "User Request - PPP Term Req"

Look familiar?

John Kicklighter
Internet 2xtreme

From:   "Mike McCauley" <[EMAIL PROTECTED]>
Date sent:  Wed, 17 Feb 1999 17:28:44 -0500
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:Re: (RADIATOR) PM3 Dictionary

> Well, we have this in a newer dictionary:
> 
> # Vendor-specific attributes for Livingston
> VENDORATTR  307 Livingston2   string
> 
> But just what it means I dont know. Anyone else?
> 
> 



(RADIATOR) Test

1999-02-17 Thread Kevin Wormington




Test, please disregard.
 
Kevin
Sofnet, Inc.


(RADIATOR) v2.13 report: Errors trying to use ascend dictionary

1999-02-17 Thread Ricardo Freire

Hi Mike and all,

I just installed version 2.13.
When I set "DictionaryFile" to the dictionary.ascend, I have this log:

Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
Framed_Protocol in file '/Radiator-2.13/dictionary.ascend' before line 450
Ignored
Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
Framed_Protocol in file '/Radiator-2.13/dictionary.ascend' before line 451
Ignored
Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
Ascend-Temporary-Rtes in file '/Radiator-2.13/dictionary.ascend' before line
895 Ignored
Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
Ascend-Temporary-Rtes in file '/Radiator-2.13/dictionary.ascend' before line
896 Ignored
Wed Feb 17 18:17:52 1999: INFO: Server started

Also, when I use radpwtst, I get this:

Wed Feb 17 18:21:30 1999: ERR: do failed for 'insert into Calls
  ()
  values
  ()': [Microsoft][ODBC SQL Server Driver][SQL Server]The column
NASIdentifier in table Calls may not be null. (SQL-23000)(DBD:
st_execute/SQLExecute err=-1)
(Why radpwtst doesn't supply NasIdentifier when I use ascend dictionary?)

If I comment the line regarding "DictionaryFile", everything works fine.

Best Regards,

Ricardo Freire





(RADIATOR) Radiator and MSSQL 7

1999-02-17 Thread Kevin Wormington




Just wondering if anyone has had success using 
Radiator under Linux going against MSSQL 7 server using DBD::Sybase?  I am 
currently running MSSQL 6.5 and am thinking of going to 7 if it's 
supported.
 
Kevin
Sofnet, Inc.


(RADIATOR) v2.13 report II: missing info in trace 3

1999-02-17 Thread Ricardo Freire

Hi Mike and all,

In version 2.13, logging is *very* improved!
It's GREAT to get this:

Wed Feb 17 18:37:44 1999: INFO: Access rejected for ricardo: Bad Password
Wed Feb 17 18:38:02 1999: INFO: Access rejected for mikem: No such user

But when I test simultaneous-use (against radonline table), I get just:

Wed Feb 17 18:39:01 1999: INFO: Access rejected: MaxSessions exceeded

It would be great to know WHO is trying this access...

Cheers,

Ricardo Freire





(RADIATOR) Hmmm

1999-02-17 Thread Stephen Roderick


I have


 continuewhileaccept
 
 
 
AuthSelect
# Just logging
 


The second AuthBy causes a reject.


Steve






Re: (RADIATOR) Hmmm

1999-02-17 Thread Mike McCauley

On Feb 17,  1:56pm, Stephen Roderick wrote:
> Subject: (RADIATOR) Hmmm
>
> I have
>
> 
>  continuewhileaccept
>  
>  
>  
> AuthSelect
> # Just logging
>  
> 
>
> The second AuthBy causes a reject.

Yes, that's the defined behaviour of AuthBy SQL when authentication is disabled.


I would do it round the other way:
 
  AuthByPolicy ContinueAlways
  
 AuthSelect
 # Just logging
  

  
  
 

That will make it always log to SQL, and then always proxy.

Hope that helps.

Cheers.


-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody



Re: (RADIATOR) v2.13 report II: missing info in trace 3

1999-02-17 Thread Mike McCauley

On Feb 17,  6:41pm, Ricardo Freire wrote:
> Subject: (RADIATOR) v2.13 report II: missing info in trace 3
> Hi Mike and all,
>
> In version 2.13, logging is *very* improved!
> It's GREAT to get this:
>
> Wed Feb 17 18:37:44 1999: INFO: Access rejected for ricardo: Bad Password
> Wed Feb 17 18:38:02 1999: INFO: Access rejected for mikem: No such user
>
> But when I test simultaneous-use (against radonline table), I get just:
>
> Wed Feb 17 18:39:01 1999: INFO: Access rejected: MaxSessions exceeded
>
> It would be great to know WHO is trying this access...

OK, I've added it for the next release.

In the meantime here is a patch:

*** Handler.pm.orig Thu Feb 18 09:02:33 1999
--- Handler.pm  Thu Feb 18 09:03:05 1999
***
*** 235,241 
  {
# Issue a denial and bomb out
my $reason = "MaxSessions exceeded";
!   &main::log($main::LOG_INFO, "Access rejected: $reason");
$rp->set_code('Access-Reject');
$rp->addAttrByNum($Radius::Radius::REPLY_MESSAGE,
  'Request Denied');
--- 235,241 
  {
# Issue a denial and bomb out
my $reason = "MaxSessions exceeded";
!   &main::log($main::LOG_INFO, "Access rejected for $name: $reason");
$rp->set_code('Access-Reject');
$rp->addAttrByNum($Radius::Radius::REPLY_MESSAGE,
  'Request Denied');
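
Review bot: The changed log call at line 238 interpolates $name, but nothing in the visible context declares or assigns it, so confirm it is in scope at this point in Handler.pm and already holds the user name being rejected; if it is unset the line logs "Access rejected for : MaxSessions exceeded", which is no better than before. If $name is taken from the request's User-Name, strip control characters before passing it to &main::log so that a crafted name cannot split or add log lines.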

-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody



Re: (RADIATOR) v2.13 report: Errors trying to use ascend dictionary

1999-02-17 Thread Mike McCauley

On Feb 17,  6:27pm, Ricardo Freire wrote:
> Subject: (RADIATOR) v2.13 report: Errors trying to use ascend dictionary
> Hi Mike and all,
>
> I just installed version 2.13.
> When I set "DictionaryFile" to the dictionary.ascend, I have this log:
>
> Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
> Framed_Protocol in file '/Radiator-2.13/dictionary.ascend' before line 450
> Ignored
> Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
> Framed_Protocol in file '/Radiator-2.13/dictionary.ascend' before line 451
> Ignored

Those 2 are typos in the file. Note underscore instead of dash in
Framed_Protocol. Fixed for next release.

> Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
> Ascend-Temporary-Rtes in file '/Radiator-2.13/dictionary.ascend' before line
> 895 Ignored
> Wed Feb 17 18:17:52 1999: WARNING: There is no attribute named
> Ascend-Temporary-Rtes in file '/Radiator-2.13/dictionary.ascend' before line
> 896 Ignored

These are VALUE definitions without a corresponding ATTRIBUTE.
Hmmm, don't know what the ATTRIBUTE def for Ascend-Temporary-Rtes should be.
Anyone?

> Wed Feb 17 18:17:52 1999: INFO: Server started
>
> Also, when I use radpwtst, I get this:
>
> Wed Feb 17 18:21:30 1999: ERR: do failed for 'insert into Calls
>   ()
>   values
>   ()': [Microsoft][ODBC SQL Server Driver][SQL Server]The column
> NASIdentifier in table Calls may not be null. (SQL-23000)(DBD:
> st_execute/SQLExecute err=-1)
> (Why radpwtst doesn't supply NasIdentifier when I use ascend dictionary?)
>
> If I comment the line regarding "DictionaryFile", everything works fine.

The problem is that dictionary.ascend defines NAS-Identifier differently to
everyone else. It defines it to be what everyone else calls NAS-IP-Address.





-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody
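
The two kinds of warning in this exchange, and the NAS-Identifier renumbering behind the NULL insert, can be caught before the server loads the file. This is an added example, not part of the thread and not Radiator's dictionary loader; it assumes the usual `ATTRIBUTE name number type` and `VALUE attribute name number` line layout, and the sample dictionary lines and value names are constructed.

```python
"""Added example: lint a RADIUS dictionary for the problems reported above."""

# Constructed fragment: an underscore typo in a VALUE line, VALUE lines with
# no ATTRIBUTE at all, and NAS-Identifier defined on attribute number 4.
SAMPLE_DICTIONARY = """\
# constructed sample, not the shipped dictionary.ascend
ATTRIBUTE   Framed-Protocol         7   integer
ATTRIBUTE   NAS-Identifier          4   ipaddr
VALUE       Framed-Protocol         PPP             1
VALUE       Framed_Protocol         MPP             256
VALUE       Ascend-Temporary-Rtes   Temp-Rtes-No    0
VALUE       Ascend-Temporary-Rtes   Temp-Rtes-Yes   1
"""

# Reference numbers from RFC 2865 for the attributes named in the thread.
RFC_NUMBERS = {"NAS-IP-Address": 4, "Framed-Protocol": 7, "NAS-Identifier": 32}


def _canon(name):
    """Fold the differences that usually turn out to be typos."""
    return name.replace("_", "-").lower()


def lint_dictionary(text):
    """Return (line_no, kind, detail) findings for a dictionary file.

    kind is 'renumbered' when a standard name sits on a non-standard number,
    'typo' when a VALUE names an attribute that differs from a defined one
    only by case or underscore/dash, and 'undefined' when a VALUE has no
    ATTRIBUTE defined on an earlier line.
    """
    attrs = {}      # attribute name -> number, in definition order
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, number = fields[1], int(fields[2])
            attrs[name] = number
            expected = RFC_NUMBERS.get(name)
            if expected is not None and expected != number:
                findings.append((line_no, "renumbered",
                                 f"{name} is {number} here, {expected} in RFC 2865"))
        elif keyword == "VALUE" and len(fields) >= 4:
            name = fields[1]
            if name in attrs:
                continue
            near = [a for a in attrs if _canon(a) == _canon(name)]
            if near:
                findings.append((line_no, "typo", f"{name} looks like {near[0]}"))
            else:
                findings.append((line_no, "undefined", f"no ATTRIBUTE for {name}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in lint_dictionary(SAMPLE_DICTIONARY):
        print(f"line {line_no}: {kind}: {detail}")
```

A 'renumbered' finding is the one to act on first: SQL columns and check items that refer to the standard name will silently receive a different attribute.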



(RADIATOR) Two questions...

1999-02-17 Thread Andrew

Radiator continues to perform very nicely, but I'm at a loss on two little
things.

First, we're seeing duplicate ID errors, but what's odd is that they come
in bursts.  Things will be just fine for a long time, then suddenly I'll
see a bevy of duplicate request errors from several different NASs within
about ten seconds of each other.  Any ideas?

The other thing is more easily explainable.  We're using our own SQL
stanzas for accounting (using AcctSQLStatement in the config file), but
I'm relatively frequently seeing errors like this one:

Wed Feb 17 16:09:23 1999: ERR: do failed for 'UPDATE CallsOnline SET
acctinputoctets = , acctoutputoctets = , acctsessiontime = ,
acctterminatecause = 0 WHERE acctsessionid = '284842146' AND nasidentifier
= '209.16.18.34'': ORA-00936: missing expression (DBD: error possibly near
<*> indicator at char 42 in 'UPDATE CallsOnline SET acctinputoctets = <*>,
acctoutputoctets = , acctsessiontime = , acctterminatecause = 0 WHERE
acctsessionid = '284842146' AND nasidentifier = '209.16.18.34'')

Now, it's obvious from looking at the SQL statement that it's lacking
several variables, but these variables are definitely in the stanza in the
config file.  It looks like this:

  AcctSQLStatement  UPDATE CallsOnline SET acctinputoctets = \
 %{Acct-Input-Octets}, acctoutputoctets = %{Acct-Output-Octets}, \
 acctsessiontime = %{Acct-Session-Time}, acctterminatecause = \
 0 WHERE acctsessionid = '%{Acct-Session-Id}' \
 AND nasidentifier = '%{NAS-Identifier}'

First of all, does anyone know why some accounting packets are lacking
these variables?  My rather uneducated guess is that it's someone who
logged on and right back off again, but I'm really just pulling that idea
out of thin air.

Failing an explanation for the missing variables, does anyone have any
suggestions on how to deal with these errors appropriately?  The result of
the error is that we end up with a start record in our CallsOnline table,
but no stop record, so for all intents and purposes, this user is
indefinitely logged on.

Any explanations and/or ideas are greatly appreciated!

-- 
Andrew O. Smith - <[EMAIL PROTECTED]>
Sysadmin, Insync Internet Services
Houston, Texas, USA





Re: (RADIATOR) Two questions...

1999-02-17 Thread Mike McCauley

Hi Andrew,

On Feb 17,  4:47pm, Andrew wrote:
> Subject: (RADIATOR) Two questions...
> Radiator continues to perform very nicely, but I'm at a loss on two little
> things.
>
> First, we're seeing duplicate ID errors, but what's odd is that they come
> in bursts.  Things will be just fine for a long time, then suddenly I'll
> see a bevy duplicate request errors from several different NASs within
> about ten seconds of each other.  Any ideas?

Was it auth or accounting requests, or both?

1. A short lived blockage in your network (router reboot?) that causes some of
the Radius replies to get lost, NAS then retransmits and radius server ignores
the duplicate. This could only affect auth requests.

2. If DupInterval is set too long, you might see the identifiers wrapping at
times of peak usage. Try setting DupInterval to say, 30 or less.




>
> The other thing is more easily explainable.  We're using our own SQL
> stanzas for accounting (using AcctSQLStatement in the config file), but
> I'm relatively frequently seeing errors like this one:
>
> Wed Feb 17 16:09:23 1999: ERR: do failed for 'UPDATE CallsOnline SET
> acctinputoctets = , acctoutputoctets = , acctsessiontime = ,
> acctterminatecause = 0 WHERE acctsessionid = '284842146' AND nasidentifier
> = '209.16.18.34'': ORA-00936: missing expression (DBD: error possibly near
> <*> indicator at char 42 in 'UPDATE CallsOnline SET acctinputoctets = <*>,
> acctoutputoctets = , acctsessiontime = , acctterminatecause = 0 WHERE
> acctsessionid = '284842146' AND nasidentifier = '209.16.18.34'')
>
> Now, it's obvious from looking at the SQL statement that it's lacking
> several variables, but these variables are definitely in the stanza in the
> config file.  It looks like this:
>
>   AcctSQLStatement  UPDATE CallsOnline SET acctinputoctets = \
>  %{Acct-Input-Octets}, acctoutputoctets = %{Acct-Output-Octets}, \
>  acctsessiontime = %{Acct-Session-Time}, acctterminatecause = \
>  0 WHERE acctsessionid = '%{Acct-Session-Id}' \
>  AND nasidentifier = '%{NAS-Identifier}'
>
> First of all, does anyone know why some accounting packets are lacking
> these variables?  My rather uneducated guess is that it's someone who
> logged on and right back off again, but I'm really just pulling that idea
> out of thin air.

You won't see those attributes in an accounting Start, or possibly with a shell
or exec session (depending on your NAS)

On the other hand, if it's just randomly omitting some of those variables, I
would look to the NAS software.

Perhaps if you run Radiator at trace level 4 for a while, you might be able to
get a packet dump of one of these offending packets, then we can see if there
are any clues in the other attributes?

>
> Failing an explanation for the missing variables, does anyone have any
> suggestions on how to deal with these errors appropriately?  The result of
> the error is that we end up with a start record in our CallsOnline table,
> but no stop record, so for all intents and purposes, this user is
> indefinitely logged on.

You don't say what database you are using, but mysql for example allows you to
have if() clauses in your select so that the select statement could detect the
empty string and replace it with NULL, or 0 or something.

Hope that helps.

Cheers.


-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody
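
Point 2 above follows from the RADIUS Identifier being a single octet, and the threshold can be worked out directly. This is an added example, not from the thread and not Radiator's code: keying the duplicate cache on (NAS address, source port, identifier) is an assumed design, and the NAS address, port and request rates are constructed.

```python
"""Added example: a long DupInterval turns identifier wrap into false duplicates."""
from dataclasses import dataclass, field

ID_SPACE = 256  # the RADIUS Identifier field is one octet


@dataclass
class DupCache:
    """Duplicate filter keyed on (NAS address, source port, identifier).

    Assumption: a common server-side design, not Radiator's implementation.
    """
    dup_interval: float
    seen: dict = field(default_factory=dict)

    def is_duplicate(self, nas, port, ident, now):
        key = (nas, port, ident)
        last = self.seen.get(key)
        self.seen[key] = now
        return last is not None and (now - last) <= self.dup_interval


def false_duplicates(rate_per_sec, dup_interval, duration_sec):
    """Count NEW requests that the filter wrongly reports as duplicates.

    One NAS sends distinct requests at a steady rate, incrementing the
    identifier modulo 256 and never retransmitting, so every hit is false.
    """
    cache = DupCache(dup_interval)
    hits = 0
    for n in range(int(rate_per_sec * duration_sec)):
        now = n / rate_per_sec
        # 192.0.2.10 and port 1645 are constructed sample values.
        if cache.is_duplicate("192.0.2.10", 1645, n % ID_SPACE, now):
            hits += 1
    return hits


def wrap_rate(dup_interval):
    """Request rate (per second, per NAS source port) at or above which an
    identifier comes round again while its previous use is still cached."""
    return ID_SPACE / dup_interval


if __name__ == "__main__":
    for interval in (60, 30):
        print(f"DupInterval {interval}s: wraps at {wrap_rate(interval):.2f} req/s, "
              f"false duplicates at 5 req/s over 2 min: "
              f"{false_duplicates(5, interval, 120)}")
```

Once the rate crosses the threshold every request after the first 256 is dropped, which matches the burst pattern at peak hours rather than a steady trickle.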



Re: (RADIATOR) Easy change

1999-02-17 Thread Mike McCauley

On Feb 17,  4:41pm, Stephen Roderick wrote:
> Subject: (RADIATOR) Easy change
>
> I propose the following change to radiusd for the next release:

It has been incorporated into the next release.

Thanks for your contribution.

Cheers.

-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody



(RADIATOR) SNMP fails to start..

1999-02-17 Thread Stephen Ollis

SNMP agent fails to start due to a missing module. Install guide makes no
mention of additional required libs, although CPAN does have SNMP_Util-1_x
available..

# ./radiusd
Can't locate SNMP_util.pm in @INC (@INC contains: .
/usr/local/lib/perl5/5.00502/sun4-solaris /usr/local/lib/perl5/5.00502
/usr/local/lib/perl5/site_perl/5.005/sun4-solaris
/usr/local/lib/perl5/site_perl/5.005 .) at
/usr/local/lib/perl5/site_perl/5.005/Radius/SNMPAgent.pm line 12, 
chunk 50.
BEGIN failed--compilation aborted at
/usr/local/lib/perl5/site_perl/5.005/Radius/SNMPAgent.pm line 12, 
chunk 50.

# pwd
/export/home/ollis/Radiator-2.13
#  find . -name 'SNMP*' -print
./Radius/SNMPAgent.pm
./blib/lib/Radius/SNMPAgent.pm

--
Stephen Ollis <[EMAIL PROTECTED]>   Ph: +61 2 9911 1606(BH)  
Team Leader, Server Systems - Network Engineering  +61 2 9911 1555(FAX)
AT&T EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066
Australia
'There is no traffic jam on the extra mile.' - Zig Ziegler 
 




(RADIATOR) Easy change

1999-02-17 Thread Stephen Roderick


I propose the following change to radiusd for the next release:

*** 87,92 
--- 87,93 

   't', sub { $time },
   'T', sub { $packet->code },
+  'U', sub { my @n = split(/@/,
$packet->getAttrByNum($Radius::Radius::USER_NAME)); $n[0] },
   'y', sub { $year%100 },
   'Y', sub { $year+1900 }, # Correct Y2K behaviour for perl
   );
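
Review bot: The new 'U' entry passes the result of getAttrByNum($Radius::Radius::USER_NAME) straight to split with no check that the attribute is present, so a request without User-Name makes %U expand to undef (and warns under -w). Fetch the value into a variable first and return an empty string when it is not defined. A short trailing comment saying that %U is the User-Name with the realm stripped would match the comment already on the 'Y' line.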
***
*** 498,504 
= localtime($time);
  local $packet = $current_packet;

! $s =~ s/%([%acCdDhHLmMNnRtTyY])/&{$main::conversions{$1}}()/egs;
  $s =~ s/%\{([^{]+)\}/{$packet->get_attr($1)}/egs;

  return $s;
--- 499,505 
= localtime($time);
  local $packet = $current_packet;

! $s =~ s/%([%acCdDhHLmMNnRtTUyY])/&{$main::conversions{$1}}()/egs;
  $s =~ s/%\{([^{]+)\}/{$packet->get_attr($1)}/egs;

  return $s;
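
Review bot: The character class in the changed substitution has to be edited by hand whenever a key is added to %main::conversions, which is why adding 'U' needed this second hunk; building the class from the hash keys would stop the two from drifting apart. Since %U carries text taken from the request and the message says the expanded string is used for SQL logging, the value also needs quoting or escaping where the statement is built, because this substitution inserts it verbatim.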


This is making my SQL life so much easier because I can now log the userid
and realm in separate fields.

I use the following:


   RewriteUsername   s/^([^@]+).*/$1\@proaxis.com/

so that I always have a realm and it is always what I expect. Then I log
all 3 %R, %U, %n and I can do report queries anyway I like. (call me
picky :-)

Steve

---
Steve Roderick  ProAxis Communications, Inc.
[EMAIL PROTECTED]   Internet Access Provider
(541) 757-0248





Re: (RADIATOR) Two questions...

1999-02-17 Thread tom minchin

On Wed, Feb 17, 1999 at 04:47:37PM -0600, Andrew wrote:
> Radiator continues to perform very nicely, but I'm at a loss on two little
> things.
> 
> First, we're seeing duplicate ID errors, but what's odd is that they come
> in bursts.  Things will be just fine for a long time, then suddenly I'll
> see a bevy duplicate request errors from several different NASs within
> about ten seconds of each other.  Any ideas?
> 

CPU load on the machine is another 'duplicate generator'. We have Ciscos
sending RADIUS packets with a 5 second retransmit, when the machine was
being backed up or processing accounts Radiator wasn't able to respond
in time and the Ciscos sent more packets. Increasing the retransmit to
20 seconds decreased duplicates from many thousand a month to a couple of
hundred (still not quite acceptable but not downright awful).

This is especially annoying given that Ciscos generate 'undetectable'
duplicate packets which Radiator cannot distinguish (Accounting Ids
increment with every packet including retransmits).

[EMAIL PROTECTED]




Re: (RADIATOR) SNMP fails to start..

1999-02-17 Thread Mike McCauley

On Feb 18, 11:09am, Stephen Ollis wrote:
> Subject: (RADIATOR) SNMP fails to start..
> SNMP agent fails to start due to a missing module. Install guide makes
> no
> mention of additional required libs, although CPAN does have
> SNMP_Util-1_x
> available..

Apologies.

It requires SNMP_Session-0.62.tar.gz from
ftp://ftp.switch.ch/software/sources/network/snmp/perl/


-- 
Mike McCauley[EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 AustraliaConsulting and development
Phone, Fax: +61 3 9598-0985  http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody



Re: (RADIATOR) Two questions...

1999-02-17 Thread Andrew

On Thu, 18 Feb 1999, Mike McCauley wrote:

> Was it auth or accounting requests, or both?

These are just auth requests.  Accounting requests go to a different
server, and we see virtually no duplicates there.

> 1. A short lived blockage in your network (router reboot?) that causes
> some of the Radius replies to get lost, NAS then retransmits and
> radius server ignores the duplicate. This could only affect auth
> requests.

Always a possibility, but I'd like to think our network is reasonably
healthy.  :)  I'll be sure to look at some throughput stats next time I
see a burst.

> 2. If DupInterval is set too long, you might see the identifiers
> wrapping at times of peak usage. Try setting DupInterval to say, 30 or
> less.

That may very well be the case.  I've noticed that the majority of the
duplicates come from our Portmaster 4, which has something like 24 PRIs
plugged into it.  It's definitely sending *lots* of RADIUS requests during
peak hours.

I'll decrease that interval and see what happens.

> You wont see those attributes in an accounting Start, or possibly with
> a shell or exec session (depending on your NAS)

These are only the stop packets generating the errors, and we've got only
about three accounts that are shell or exec sessions, and they're almost
never used.

> ON the other hand, if its jyst randomly omitting some of those
> variables, I would look to the NAS software.

That was my initial thought as well, but we're seeing these errors from
both our Ascend Maxen and our PM4.  Both platforms certainly have more
than their fair share of bugs, but I'd be kinda surprised to see the exact
same problem pop up from both of them.

> Perhaps if you run Radiator at trace level 4 for a while, you might be
> able to get a packet dump of one of these offending packets, then we
> can see if there are any clues in the other attributes?

I'll do that.

> You dont say what database you are using, but mysql for example allows
> you to have if() clauses in your select so that the select statment
> could detect the empty string and replace it with NULL, or 0 or
> something.

That's a good idea, at least as a band-aid of sorts.  The SQL DB is
Oracle 7, which I strongly suspect can do what you're describing (at the
price, it better!).  I don't claim to be an SQL guru, so I really don't
know, but I'll do some digging.

> Hope that helps.

Definitely got me on the right track.  :)

-Andrew
-- 
Andrew O. Smith - <[EMAIL PROTECTED]>
Sysadmin, Insync Internet Services
Houston, Texas, USA
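
The ORA-00936 failure in this thread and the "replace the empty value" workaround, as an added example that is not from the thread and is not how Radiator builds its statements. It goes one step further than the suggestion and passes the attributes as bind parameters, with an in-memory SQLite table standing in for Oracle; the Stop packet is constructed, while the statement, session id and NAS address are the ones quoted above.

```python
"""Added example: missing accounting attributes in an AcctSQLStatement-style template."""
import re
import sqlite3

# The statement from the thread, with the config line continuations joined.
TEMPLATE = (
    "UPDATE CallsOnline SET acctinputoctets = %{Acct-Input-Octets}, "
    "acctoutputoctets = %{Acct-Output-Octets}, "
    "acctsessiontime = %{Acct-Session-Time}, acctterminatecause = 0 "
    "WHERE acctsessionid = '%{Acct-Session-Id}' "
    "AND nasidentifier = '%{NAS-Identifier}'"
)

# Constructed Stop packet lacking the three counters, as in the logged error.
STOP_WITHOUT_COUNTERS = {
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "284842146",
    "NAS-Identifier": "209.16.18.34",
}

NUMERIC = {"Acct-Input-Octets", "Acct-Output-Octets", "Acct-Session-Time"}
PLACEHOLDER = re.compile(r"'?%\{([^{}]+)\}'?")  # %{Attr} plus any quotes around it


def expand_textually(template, packet):
    """Reproduce the failure: a missing attribute becomes an empty string."""
    return re.sub(r"%\{([^{}]+)\}",
                  lambda m: str(packet.get(m.group(1), "")), template)


def expand_to_bind(template, packet):
    """Replace each %{Attr} with a bind marker and collect the values.

    Missing numeric attributes become 0 so the Stop still closes the session;
    missing string attributes become NULL. A non-numeric counter raises
    ValueError instead of reaching the database. Values never enter the SQL text.
    """
    params = []

    def repl(match):
        name = match.group(1)
        value = packet.get(name)
        if name in NUMERIC:
            value = int(value) if value not in (None, "") else 0
        params.append(value)
        return "?"

    return PLACEHOLDER.sub(repl, template), params


def apply_stop(packet):
    """Apply the bound statement to a one-row table; return (rowcount, row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CallsOnline (acctsessionid TEXT, nasidentifier TEXT,"
               " acctinputoctets INTEGER, acctoutputoctets INTEGER,"
               " acctsessiontime INTEGER, acctterminatecause INTEGER)")
    db.execute("INSERT INTO CallsOnline (acctsessionid, nasidentifier) VALUES (?, ?)",
               ("284842146", "209.16.18.34"))
    sql, params = expand_to_bind(TEMPLATE, packet)
    cur = db.execute(sql, params)
    row = db.execute("SELECT acctinputoctets, acctoutputoctets, acctsessiontime,"
                     " acctterminatecause FROM CallsOnline").fetchone()
    return cur.rowcount, row


if __name__ == "__main__":
    print(expand_textually(TEMPLATE, STOP_WITHOUT_COUNTERS))
    print(expand_to_bind(TEMPLATE, STOP_WITHOUT_COUNTERS))
    print(apply_stop(STOP_WITHOUT_COUNTERS))
```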





(RADIATOR) Detail logging by Realm name

1999-02-17 Thread Stephen Ollis

I've got multiple realms configured that authenticate via a single
flatfile. The reason for the multiple realms is due to multiple 
customer types to allow them to dial in for different functions - 
i.e. DVS tunnelling on BAY 5399's, IPASS, etc. I have a single
flatfile with basic authentication details, and use 
RewriteUsername s/^([^@]+).*/$1/
in each  pair to strip out the realm.

I want to have separate detail files for each realm for accounting
purpose so I setup:-
# Where do we write the accounting file
AcctLogFileName %L/detail.%R-%Y%m%d
in each realm file.. but it is creating the detail file as
%L/detail.-19990218 instead of %L/detail.realmname-19990218

Putting the AcctLogFileName entry before or after the Rewrite 
has no effect.

--
Stephen Ollis <[EMAIL PROTECTED]>   Ph: +61 2 9911 1606(BH)  
Team Leader, Server Systems - Network Engineering  +61 2 9911 1555(FAX)
AT&T EasyLink Services, Lvl 8, 15 Orion Rd, Lane Cove, NSW 2066
Australia
'There is no traffic jam on the extra mile.' - Zig Ziegler 
 
