(RADIATOR) dictionary question
Hi guys,

I was just wondering, whether someone knows, whether you can have some kinds of "aliases", in your dictionary?

For example, if you'd want to support:

    ATTRIBUTE attname1 999 ipaddr

BUT you'd also want another attribute, to point to the same one:

    ATTRIBUTE attname2 999 ipaddr

In the end, you'd turn up like:

    ATTRIBUTE attname1 999 ipaddr
    ATTRIBUTE attname2 999 ipaddr

in your dictionary. Would the dictionary still be valid, and will Radiator support this?

Cheers,

-Andy

--
"For nothing can seem foul to those that win." - Henry IV, Pt1, Act 5, Sc 1

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

(RADIATOR) DEFAULT User or Profiles with AuthBY LDAP2
I am trying to configure a DEFAULT user with AuthBy LDAP2. I want to authenticate the Access-Request via LDAP2, then retrieve a DEFAULT user with LDAP2 which contains the necessary reply items. This is on my way to using account profiles matched by LDAP request items.

The only problem is that AuthBy LDAP2 always expects to authenticate the user with a password. The documentation (6.33.9) states that PasswordAttr or EncryptedPasswordAttr are required in the LDAP configuration. I did try it without PasswordAttr, but I get an LDAP_PARAM_ERROR. Obviously this won't let me look up a DEFAULT user record.

I think I remember some talk of how to do this with other AuthBy methods? My question is: How can I use LDAP2 to append profiled (or DEFAULT) reply items to an Access-Accept?

Here is what my config looks like right now:

    <AuthBy LDAP2>
        # Authenticate the Access-Request from LDAP
        # (This all works fine)
        Identifier LDAP-login
        ...
    </AuthBy>

    <AuthBy LDAP2>
        # Fetch the DEFAULT user's reply items
        Identifier LDAP-DEFAULT
        ...
        SearchFilter (&(objectclass=radiusAccount)([EMAIL PROTECTED]))
        UsernameAttr mailLocalAddress
        AuthAttrDef radiusReplyItem,GENERIC,reply
    </AuthBy>

    <AuthBy GROUP>
        Identifier genericLDAP
        AuthByPolicy ContinueWhileAccept
        AuthBy LDAP-login
        AuthBy LDAP-DEFAULT
    </AuthBy>

Thanks,

Carl Litt
Network Administrator
Execulink Internet

(RADIATOR) Latest Dictionary file
Hey,

Could someone send me the latest dictionary file for Radiator or tell me where I can DL it from. The one that I have is from 2000/11/21.

--Keith

IMPORTANT - Re: (RADIATOR) dictionary question
Hi Andy -

At 10:31 +0200 01/3/27, Andy De Petter wrote:
> Hi guys,
>
> I was just wondering, whether someone knows, whether you can have some kinds of "aliases", in your dictionary?
>
> For example, if you'd want to support:
>
>     ATTRIBUTE attname1 999 ipaddr
>
> BUT you'd also want another attribute, to point to the same one:
>
>     ATTRIBUTE attname2 999 ipaddr
>
> In the end, you'd turn up like:
>
>     ATTRIBUTE attname1 999 ipaddr
>     ATTRIBUTE attname2 999 ipaddr
>
> in your dictionary. Would the dictionary still be valid, and will Radiator support this?

Yes you can do this, however you need to keep in mind how the dictionary is used. Basically there are two tables built in memory inside Radiator, one is for translating attribute names to the numeric equivalent and the other is to translate from the numeric representation to the attribute name. The dictionary file is parsed sequentially from start to finish, with any later definition replacing the previous definition for any identical attribute name or value.

This being the case, you can use one or the other or both attribute names in your configuration file and user definitions, however only the last definition will be used for the decoding of the numeric attribute representations in the inbound packets.

hth

Hugh

--
NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

Re: (RADIATOR) Latest Dictionary file
Hello Keith -

At 9:50 -0600 01/3/27, Keith Olmstead wrote:
> Hey,
>
> Could someone send me the latest dictionary file for Radiator or tell me where I can DL it from. The one that I have is from 2000/11/21.

You can download the latest version of Radiator (which includes the dictionary) from the web site:

    www.open.com.au/radiator/downloads

hth

Hugh

(RADIATOR) RewriteUsername in AuthBy ?
Subject says it all.

The docs say you can specify RewriteUsername Globally, in Client clauses, and in Realms. (It might be worth mentioning that it appears to work in non-realm Handlers, too.) But anyway... I'm wondering if it can work in AuthBy clauses?

The reason we'd like that is as follows. We do a RewriteUsername to strip out garbled characters before passing requests onto LDAP, since it will hang LDAP (and sometimes Radiator :-( ). We don't know which Clients will end up using the AuthBy LDAP, and the requests may arrive via other Handlers, too. So the logical place to put it is in the AuthBy. Otherwise, we'll have to make sure to specify it in each Handler, which is less than elegant.

Does this make sense?

Thanks!

Dave
NetCarrier

Re: (RADIATOR) RewriteUsername in AuthBy ?
Hello Dave -

The way to do this is with AuthBy GROUP(s):

    # configure AuthBy clause
    <AuthBy LDAP>
        Identifier CheckLDAP
        .
    </AuthBy>

    # configure AuthBy GROUP
    <AuthBy GROUP>
        Identifier CheckUsers
        RewriteUsername
        AuthBy CheckLDAP
    </AuthBy>

    # configure Realms or Handlers
    <Realm>
        AuthBy CheckUsers
    </Realm>

See section 6.21 in the Radiator 2.18 reference manual.

cheers

Hugh

At 16:56 -0500 01/3/27, Kitabjian, Dave wrote:
> Subject says it all.
>
> The docs say you can specify RewriteUsername Globally, in Client clauses, and in Realms. (It might be worth mentioning that it appears to work in non-realm Handlers, too.) But anyway... I'm wondering if it can work in AuthBy clauses?
>
> The reason we'd like that is as follows. We do a RewriteUsername to strip out garbled characters before passing requests onto LDAP, since it will hang LDAP (and sometimes Radiator :-( ). We don't know which Clients will end up using the AuthBy LDAP, and the requests may arrive via other Handlers, too. So the logical place to put it is in the AuthBy. Otherwise, we'll have to make sure to specify it in each Handler, which is less than elegant.
>
> Does this make sense?
>
> Thanks!
>
> Dave
> NetCarrier

(RADIATOR) 3 Simple questions...
Hello,

I'm new here, I'm interested in radiator as our core-radius server (I work in an ISP). I have some questions, if any know the answers (yes/no) please let me know.

1) Can I authenticate an access-request with the built in LDAP support of radiator and then pass the radius packet (an access-accept/reject) to an external script to add some attributes (like session timeout), and/or change the "code" to a reject (if was accepted) ?

2) Can I pass the radius packet to an external binary (not a perl script or module, for example a C compiled program) to do the same as point one ?

3) The external program that can be executed with account/authentication requests, has total control of the radius packet ? It can see all the attributes and the header in the radius packet ?

Regards,

Ricardo D. Albano
[EMAIL PROTECTED]

(RADIATOR) Logging multiple access?
Hi All,

I have enabled MaxSessions 1, how do I see who is trying to log in twice?

All the best,

Brett Murphy
Director, Alphalink (Australia) PTY LTD
ph: +61 3 9495-9000
fax: +61 3 9486-6822
email: [EMAIL PROTECTED]

The contents of this message may not be quoted, copied, reproduced or published in part or in whole, without the written authorization of Brett Murphy, Director, Alphalink (Australia) Pty Ltd.

Re: (RADIATOR) Logging multiple access?
Hello Brett -

The log file will show this and you can also set up additional AuthLog ... clauses. See section 6.43 in the Radiator 2.18 reference manual.

BTW - I encourage you to read the manual thoroughly at least once.

regards

Hugh

At 11:19 +1000 01/3/28, Brett Murphy wrote:
> Hi All,
>
> I have enabled MaxSessions 1, how do I see who is trying to log in twice?

(RADIATOR) Checking the NAS for a user logged in
Hi All,

I remember reading somewhere that Radiator can check the NAS if it thinks a user is online, before denying access. Is this still a feature and if so, please tell me it doesn't involve "checkrad.pl" out of the goodies dir!

Also, I am receiving 2 copies of every email to this list! any ideas?

All the best,

Brett Murphy

Re: (RADIATOR) 3 Simple questions...
Hello Ricardo -

At 21:44 -0300 01/3/27, Ricardo D. Albano wrote:
> Hello,
>
> I'm new here, I'm interested in radiator as our core-radius server (I work in an ISP). I have some questions, if any know the answers (yes/no) please let me know.

OK.

> 1) Can I authenticate an access-request with the built in LDAP support of radiator and then pass the radius packet (an access-accept/reject) to an external script to add some attributes (like session timeout), and/or change the "code" to a reject (if was accepted) ?

Yes. You can also do the same thing in a Radiator hook.

> 2) Can I pass the radius packet to an external binary (not a perl script or module, for example a C compiled program) to do the same as point one ?

Yes.

> 3) The external program that can be executed with account/authentication requests, has total control of the radius packet ? It can see all the attributes and the header in the radius packet ?

Yes.

regards

Hugh

Re: (RADIATOR) Checking the NAS for a user logged in
Hello Brett -

At 12:03 +1000 01/3/28, Brett Murphy wrote:
> Hi All,
>
> I remember reading somewhere that Radiator can check the NAS if it thinks a user is online, before denying access. Is this still a feature and if so, please tell me it doesn't involve "checkrad.pl" out of the goodies dir!

You would use the NasType parameter in your Client clause(s). Section 6.5.5 in the manual.

regards

Hugh

(RADIATOR) (Fwd) Fwd: radiator and compatible systems cs5001
Forwarded to the list on behalf of Jc Reynoso:

We are having problems with authentication between the now cisco cs5001 vpn concentrator and the radiator service on nt.

I see the packets returning from the radiator box with connect-accept and the 2 attributes populated:

    attrib 69 vpn pw
    attrib 77 vpngroupinfo

also radiator sends back:

    framed protocol
    filter id

Do you know of any issues with cs5001 and radiator?

Our livingston server properly authenticates and sends on src port 1645 to dst port 1645 and attribute data is in the clear.

The radiator and cs5001 nail up src 2050 to dst 1645. radiator sends back attrib info encrypted.

Your assistance is greatly appreciated!

Thank you!

JC Reynoso
TRW Security Architecture
[EMAIL PROTECTED]
310-813-5294 voice
310-389-5779 pager

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd    Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia    http://www.open.com.au
Phone +61 3 9598-0985    Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X

Re: (RADIATOR) (Fwd) Fwd: radiator and compatible systems cs5001
Hello Jc -

Could you please send me a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator. It would also be helpful to see a packet dump of both the Livingston reply and the Radiator reply.

thanks

Hugh

> We are having problems with authentication between the now cisco cs5001 vpn concentrator and the radiator service on nt.
>
> I see the packets returning from the radiator box with connect-accept and the 2 attributes populated:
>
>     attrib 69 vpn pw
>     attrib 77 vpngroupinfo
>
> also radiator sends back:
>
>     framed protocol
>     filter id
>
> Do you know of any issues with cs5001 and radiator?
>
> Our livingston server properly authenticates and sends on src port 1645 to dst port 1645 and attribute data is in the clear.
>
> The radiator and cs5001 nail up src 2050 to dst 1645. radiator sends back attrib info encrypted.
>
> Your assistance is greatly appreciated!
>
> Thank you!
>
> JC Reynoso
> TRW Security Architecture
> [EMAIL PROTECTED]
> 310-813-5294 voice
> 310-389-5779 pager

RE: IMPORTANT - Re: (RADIATOR) dictionary question
Hello Andy -

I think you may have misunderstood my previous message.

It is entirely possible to map multiple names to the same numeric attribute number (indeed the latest Radiator dictionary does this). However, the last such definition will be the only one that is used for the mapping from numbers to strings in the inbound requests.

hth

Hugh

At 7:05 +0200 01/3/28, Andy De Petter wrote:
> Hmm.. okay, so it comes down to the fact it's not possible to map more than 1 attribute name, to an attribute id # ..
>
> The reason I asked, in the first place, was for compatibility reasons.. I have a few attributes, that have other names, on different access servers, and I wanted to satisfy all of them..
>
> Thanks anyway for the information Hugh,
>
> -a
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hugh Irvine
> Sent: vrijdag 1 januari 1904 10:02
> To: Andy De Petter; Radiator Mailing
> Subject: IMPORTANT - Re: (RADIATOR) dictionary question
>
> Hi Andy -
>
> At 10:31 +0200 01/3/27, Andy De Petter wrote:
> > Hi guys,
> >
> > I was just wondering, whether someone knows, whether you can have some kinds of "aliases", in your dictionary?
> >
> > For example, if you'd want to support:
> >
> >     ATTRIBUTE attname1 999 ipaddr
> >
> > BUT you'd also want another attribute, to point to the same one:
> >
> >     ATTRIBUTE attname2 999 ipaddr
> >
> > In the end, you'd turn up like:
> >
> >     ATTRIBUTE attname1 999 ipaddr
> >     ATTRIBUTE attname2 999 ipaddr
> >
> > in your dictionary. Would the dictionary still be valid, and will Radiator support this?
>
> Yes you can do this, however you need to keep in mind how the dictionary is used. Basically there are two tables built in memory inside Radiator, one is for translating attribute names to the numeric equivalent and the other is to translate from the numeric representation to the attribute name. The dictionary file is parsed sequentially from start to finish, with any later definition replacing the previous definition for any identical attribute name or value.
>
> This being the case, you can use one or the other or both attribute names in your configuration file and user definitions, however only the last definition will be used for the decoding of the numeric attribute representations in the inbound packets.
>
> hth
>
> Hugh
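
Added example (not part of the thread and not Radiator's own code): a small Python model of the two lookup tables Hugh describes in both of his replies on the dictionary question, showing that aliased names all encode to the same number while only the last-defined name comes back on decode. The sample dictionary, the function names and the "Attr-N" fallback for unknown numbers are constructed for illustration.

```python
# Model of a sequentially parsed RADIUS dictionary with "last definition wins".
# SAMPLE_DICTIONARY is constructed for this example; it is not a shipped file.
SAMPLE_DICTIONARY = """\
# name-to-number and number-to-name tables are built from these lines
ATTRIBUTE   User-Name   1     string
ATTRIBUTE   attname1    999   ipaddr
ATTRIBUTE   attname2    999   ipaddr   # alias for the same number
VALUE       Service-Type  Login-User  1
"""


def parse_dictionary(text):
    """Return (name_to_number, number_to_name), filled in file order."""
    name_to_number = {}
    number_to_name = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 4 or fields[0] != "ATTRIBUTE":
            continue                             # VALUE etc. are out of scope
        name, number = fields[1], fields[2]
        if not number.isdigit():
            continue                             # malformed line: ignore it
        number = int(number)
        name_to_number[name] = number            # every alias stays usable by name
        number_to_name[number] = name            # a later line replaces the earlier one
    return name_to_number, number_to_name


def shadowed_names(text):
    """Report aliases that will never appear when inbound packets are decoded.

    Returns {number: (name_used_on_decode, [names_only_usable_for_encoding])}.
    """
    name_to_number, number_to_name = parse_dictionary(text)
    report = {}
    for name, number in name_to_number.items():
        winner = number_to_name[number]
        if name != winner:
            report.setdefault(number, (winner, []))[1].append(name)
    return report


def decode(pairs, number_to_name):
    """Turn (number, value) pairs from a packet into {name: value}.

    Unknown numbers get a hypothetical "Attr-N" placeholder name.
    """
    return {number_to_name.get(n, f"Attr-{n}"): v for n, v in pairs}


if __name__ == "__main__":
    names, numbers = parse_dictionary(SAMPLE_DICTIONARY)
    print("encode attname1 ->", names["attname1"])
    print("encode attname2 ->", names["attname2"])
    print("decode 999      ->", numbers[999])
    print("shadowed        ->", shadowed_names(SAMPLE_DICTIONARY))
    print("inbound packet  ->", decode([(1, "andy"), (999, "192.0.2.1")], numbers))
```

Running a check like shadowed_names over a dictionary before deploying it shows which alias will appear when inbound attributes are decoded, which is the name to expect wherever decoded requests are displayed.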