(RADIATOR) Bug: still problems with AuthLDAP2 and TLS

2002-07-08 Thread Karl Gaissmaier

Hi Hugh or Mike,

short: The second time after starting a StartTLS connection against
an OpenLDAP Server the radiusd crashes, the first time after start
it works well.

The radiusd crashes with the following error message:

Can't call method get_context_handle without a package or object reference
at /radiator/perl/lib/site_perl/5.6.1/IO/Socket/SSL.pm line 602.



the config file looks as follows:

<Handler Client-Identifier=localhost, Called-Station-Id=DIALIN>
    <AuthBy LDAP2>
        Host            asdf.xy.uni-ulm.de
        Port
        Version         3
        UseTLS
        SSLVerify       none
        AuthDN          cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de
        AuthPassword    mysecret
        NoDefault
        BaseDN          ou=foo,dc=uni-ulm,dc=de
        Scope           one
        UsernameAttr    uid
        PasswordAttr    userpassword
    </AuthBy>
</Handler>

the debug output for the first and second test with radpwtest looks
like:

FIRST CALL, everything okay
*** Received from 134.60.246.8 port 33376 
Code:   Access-Request
Identifier: 175
Authentic:  1234567890123456
Attributes:
User-Name = foo
Service-Type = Annex-Framed-Tunnel
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
NAS-Port-Type = Async
Framed-IP-Address = 0.0.0.0
User-Password = 1572261931982t12918889160216}x153
Called-Station-Id = DIALIN

Mon Jul  8 08:41:26 2002: DEBUG: Handling request with Handler 'Client-Identifier=localhost, Called-Station-Id=DIALIN'
Mon Jul  8 08:41:26 2002: DEBUG:  Deleting session for dialin, 0.0.0.0, 0
Mon Jul  8 08:41:26 2002: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jul  8 08:41:26 2002: INFO: Connecting to asdf.xy.uni-ulm.de, port 
Mon Jul  8 08:41:26 2002: DEBUG: Starting TLS
Mon Jul  8 08:41:26 2002: INFO: StartTLS negotiated with cipher mode DES-CBC3-SHA
Mon Jul  8 08:41:26 2002: INFO: Attempting to bind with cn=foo,ou=bar,ou=baz,dc=uni-ulm,dc=de, mysecret (server asdf.xy.uni-ulm.de:)
Mon Jul  8 08:41:26 2002: DEBUG: LDAP got result for cn=foo,ou=bar,dc=uni-ulm,dc=de
Mon Jul  8 08:41:26 2002: DEBUG: LDAP got userPassword: {CRYPT}.
Mon Jul  8 08:41:26 2002: DEBUG: Radius::AuthLDAP2 looks for match with dialin
Mon Jul  8 08:41:26 2002: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jul  8 08:41:26 2002: DEBUG: Access accepted for dialin
Mon Jul  8 08:41:26 2002: DEBUG: Packet dump:
*** Sending to 134.60.246.8 port 33376 
Code:   Access-Accept
Identifier: 175
Authentic:  1234567890123456
Attributes:


SECOND CALL, SERVER CRASHES
*** Received from 134.60.246.8 port 33377 
Code:   Access-Request
Identifier: 180
Authentic:  1234567890123456
Attributes:
User-Name = foo
Service-Type = Annex-Framed-Tunnel
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
NAS-Port-Type = Async
Framed-IP-Address = 0.0.0.0
User-Password = 1572261931982t12918889160216}x153
Called-Station-Id = DIALIN

Mon Jul  8 08:41:31 2002: DEBUG: Handling request with Handler 'Client-Identifier=localhost, Called-Station-Id=DIALIN'
Mon Jul  8 08:41:31 2002: DEBUG:  Deleting session for foo, 0.0.0.0, 0
Mon Jul  8 08:41:31 2002: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jul  8 08:41:31 2002: INFO: Connecting to asdf.xy.uni-ulm.de, port 
Mon Jul  8 08:41:31 2002: DEBUG: Starting TLS
 here the server crashes 

Used versions:

Radiator 3.1 with current patches
Perl 5.6.1
IO::Socket::SSL 0.80
perl-ldap 0.251 
SunOS 5.9

Regards
Charly
-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration
Tel.: ++49 731 50-22499
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



(RADIATOR) problem with multiple realms in one username

2002-07-08 Thread sviatoslav . rimdenok


 Hi Guys,
 
 We've got Radiator running on our side. Recently I've found really strange
behaviour of Radiator - the problem comes when the username in the incoming
RADIUS packet looks like username@realmone@realmtwo (please see the live
example from the log file):

... skipped .

Mon Jul  8 04:20:39 2002: DEBUG: Packet dump:
*** Received from 10.10.10.10 port 51675 
Code:   Access-Request
Identifier: 185
Authentic:  136100so00513008400
Attributes:
User-Name = [EMAIL PROTECTED]@SLAVA
User-Password =
.177238e210203(23518920021226r52419
NAS-Identifier = i-Pass VNAS
NAS-IP-Address = 10.10.10.10
NAS-Port = 1
Service-Type = Framed-User
Framed-Protocol = PPP


Mon Jul  8 04:20:39 2002: DEBUG: Check if Handler Realm=slava.com should be
used to handle this request
Mon Jul  8 04:20:39 2002: DEBUG: Handling request with Handler
'Realm=slava.com'

... skipped .


In the configuration file we have a handler like <Handler Realm=slava.com>
... </Handler>, so we expect that it satisfies all usernames like
[EMAIL PROTECTED].. But, as the reality showed, it matches
[EMAIL PROTECTED]@SLAVA too..

Most probably that's expected behaviour of Radiator, but how should we
change our Handler <Handler Realm=..> to make it work properly according to our
needs?

Thank you so much for your help!

sincerely yours,

Slava Rimdenok


Sviatoslav Rimdenok
System Administrator
COLT Telecom AG
Badenerstrasse 820
CH-8048 Zürich

t:  +41 1 5 600 900
f:  +41 1 5 600 910
e:mailto:[EMAIL PROTECTED]
   www.colt.ch

we make business straight.forward





(RADIATOR) Regex Handlers or bits of the attribute in a RewriteUsername?

2002-07-08 Thread Jeremy Burton

Hi there,
   At present, I'm trying to do some work with some weird L2TP stuff. 
Basically, I'm using 2 different wholesalers for ADSL. I want to use 
different handlers for each. They both come in from the same client ip 
address, so I can't just use different client clauses.  I can use the 
Tunnel-Client-Endpoint to tell them apart, however for one of the 
providers there are an awful lot of these, and it would make it ugly. 
However I thought I could use a regex handler, excepting that it would 
appear that only Realms support regex (I couldn't find anything in the 
docs about handlers supporting regex).
I was then hoping that perhaps I could do
   RewriteUsername s/$/\@adsl-%{Tunnel-Client-Endpoint}//
then from that I could use a regex Realm, but obviously that doesn't 
work... Anyone got any suggestions about something I could try to get 
around my problem?

Thanks

Jeremy

---
Jeremy Burton
Developer/SysAdmin/DBA, Netspace Online Systems
[EMAIL PROTECTED]
+61-3-9811-




Re: (RADIATOR) problem with multiple realms in one username

2002-07-08 Thread Hugh Irvine


Hello Slava -

You don't actually say what your requirements are - could you give me some 
more details on what exactly you want to do?

BTW - if you want a handler to match slava.com as different to 
slava.com@SLAVA, you should do this:

<Handler User-Name = /slava.com$/>
    .
</Handler>

which will match slava.com only at the end of the User-Name string.

regards

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



RE: (RADIATOR) problem with multiple realms in one username

2002-07-08 Thread sviatoslav . rimdenok


Hi Hugh,

thank you for your quick response!

I'd like to have handler that matches only [EMAIL PROTECTED], and do not
match [EMAIL PROTECTED]@SLAVA, [EMAIL PROTECTED]@BLABLABLA nor
username@[EMAIL PROTECTED] and so on..

that means : to match the rule it must be only one realm name (for example
[EMAIL PROTECTED]@SLAVA has 2 realms inside) and that realm must be
slava.com

thanks again for your help!

see you,
Slava




(RADIATOR) which attribute?

2002-07-08 Thread Shon Stephens

 

i am working on a wifi project where several carriers proxy their
radius packets to me. i need to be able to process some of these
packets differently. unfortunately, every request, no matter what
carrier it originates from, will have the same realm. i was going to
(attempt) to write a preprocessing hook and assign a custom attribute
based on the ip address of the radius server that proxied the
requests to me, however i am not confident that i can do so. the
nas-ipaddress attribute in my situation, is the address of the wifi
access point, and the nas-identifier is a code associated with said
access point. what attribute would the ip address of the proxying
radius server be. i know that in my client statement i just put the
address in there, without an attribute name.

thanks,
shon




(RADIATOR) Selecting domain stripping in AuthBySQLRADIUS

2002-07-08 Thread James Wiegand

Hello,

I am trying to come up with a config where we can store the bulk of our
roaming configurations in an SQL table.  There is one question that does
not seem to be obvious from the configuration.  Is it possible to have to
strip the domain (or not) based on the (domain, host) key?

Here's the scenario:

[EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
  - [EMAIL PROTECTED] sent to host2

[EMAIL PROTECTED]   - user sent to host1
  - user sent to host2

[EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
  - user sent to host2

Any ideas?

Jim Wiegand, BSEE, MSE
Supervisor, Infrastructure Operations
Fiberlink Communications
215 793 6554





(RADIATOR) User auths if in the users file only?

2002-07-08 Thread chris

I am having the weirdest issue.  If I add a user into the users file with
the simple line
test123   Auth-Type = System

They can authenticate and go on their merry way

If the user is not in there and gets caught by the default

DEFAULT Auth-Type = System
Port-Limit = 2,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = None,
Idle-Timeout = 1800,
Framed-Compression = Van-Jacobson-TCP-IP,
Framed-MTU = 1500

They still auth ok (I see the user/pass combo pass the test), but it does
weird things that won't let the
user complete logon. What *seems* to be happening is that it is not throwing
back an IP for the end user. Anyone seen this happen before? I do not want
to have to add every user to the users file.

TIA
Chris






(RADIATOR) Radiator performance on various platforms.

2002-07-08 Thread Brian Morris

Hi All,

We are looking at upgrading our radiator / radius server and are considering
the various platform options available to us.

The radiator reference manual cites various performance measurements using
versions of hardware and operating systems which are now several generations
out of date.

Does anyone have any performance information on radiator running on the
likes of Solaris 8/9, Redhat 7 or NT 2000 with modern hardware?  If so would
they like to share their experiences?

Thanks in advance,

Brian.






Re: (RADIATOR) User auths if in the users file only?

2002-07-08 Thread Karl Gaissmaier

Hi Chris,

chris wrote:
>
> I am having the weirdest issue.  If I add a user into the users file with
> the simple line
> test123   Auth-Type = System
>
> They can authenticate and go on their merry way
>
> If the user is not in there and gets caught by the default
>
> DEFAULT Auth-Type = System
> Port-Limit = 2,
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Idle-Timeout = 1800,
> Framed-Compression = Van-Jacobson-TCP-IP,
> Framed-MTU = 1500
>
> They still auth ok (I see the user/pass combo pass the test), but it does
> weird things that won't let the
> user complete logon. What *seems* to be happening is that it is not throwing
> back an IP for the end user. Anyone seen this happen before? I do not want
> to have to add every user to the users file.

Really, you don't have to do this for every user. If it is not a typo
in your e-mail then it is in your users file. You MUST have whitespace
in front of your Reply Items.

Please always turn debug on and send it as part of the questions.
In the debug we could see what reply items are sent back to the NAS.

Regards
Charly

P.S. is this really a working example with this Framed-IP-Address?


-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration



Re: (RADIATOR) Radiator performance on various platforms.

2002-07-08 Thread Karl Gaissmaier

Hi Brian,

Brian Morris wrote:
>
> Hi All,
>
> We are looking at upgrading our radiator / radius server and are considering
> the various platform options available to us.
>
> The radiator reference manual cites various performance measurements using
> versions of hardware and operating systems which are now several generations
> out of date.
>
> Does anyone have any performance information on radiator running on the
> likes of Solaris 8/9, Redhat 7 or NT 2000 with modern hardware?  If so would
> they like to share their experiences?

you should tell us what Authentication schemes you will be using. I think
the performance is only comparable using the same auth schemes.
We have radiator running under Solaris 9.

Regards
Charly

-- 
Karl Gaissmaier  Computing Center,University of Ulm,Germany
Email:[EMAIL PROTECTED]  Network Administration



Re: (RADIATOR) User auths if in the users file only?

2002-07-08 Thread chris

There is whitespace in there, it's an email glitch




Re: (RADIATOR) Radiator performance on various platforms.

2002-07-08 Thread Brian Morris

From: Karl Gaissmaier [EMAIL PROTECTED]
> you should tell us what Authentication schemes you will be using. I think
> the performance is only comparable using the same auth schemes.
> We have radiator running under Solaris 9.

Charly,

I am hoping to use Solaris 9 / MySql to authenticate around 20,000 users on
a Sun Enterprise 250 (2x400Mhz UltraSparc CPU's with 2Gb RAM)

We currently run on 2000 Server with MSSQL7 and 512Mb RAM. The current
accounting database is around 2Gb in size.  Performance is currently fine,
but I have doubts about it handling anticipated growth over the next 12
months.

Regards,  Brian.




Re: (RADIATOR) User auths if in the users file only?

2002-07-08 Thread Hugh Irvine


Hello Chris -

It looks to me like your DEFAULT entry is not correct.

It should look like this (there *must* be white space at the beginning of the 
second and subsequent lines):

DEFAULT Auth-Type = System
    Port-Limit = 2,
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Idle-Timeout = 1800,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Framed-MTU = 1500

regards

Hugh
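
Added example (not from the thread, and not Radiator's parser): a simplified model of the flat users-file layout the replies describe, where only lines that begin with white space continue the previous entry. It assumes comma-separated reply items and shows how the unindented DEFAULT entry breaks up into separate entries, leaving DEFAULT with no reply items.

```python
# Simplified model of the users-file layout described in this thread.
# Assumptions: a line starting in column 0 opens a new entry
# ("name check-items"); lines starting with white space hold
# comma-separated reply items for the entry above them.

# The DEFAULT entry as it appears in the posted message (no indentation).
BROKEN = """\
DEFAULT Auth-Type = System
Port-Limit = 2,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = None,
Idle-Timeout = 1800,
Framed-Compression = Van-Jacobson-TCP-IP,
Framed-MTU = 1500
"""

# The same entry with the second and subsequent lines indented.
_first, *_rest = BROKEN.splitlines()
FIXED = "\n".join([_first] + ["    " + line for line in _rest]) + "\n"


def parse_users(text):
    """Split a users file into entries: name, check items, reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0] in " \t":
            # Continuation line: reply items for the most recent entry.
            if entries:
                items = [i.strip() for i in raw.split(",") if i.strip()]
                entries[-1]["reply"].extend(items)
            continue
        parts = raw.split(None, 1)
        entries.append({
            "line": lineno,
            "name": parts[0],
            "check": parts[1].strip() if len(parts) > 1 else "",
            "reply": [],
        })
    return entries


def lint(text):
    """Flag entries that look like reply items written in column 0."""
    findings = []
    for entry in parse_users(text):
        # "Port-Limit = 2," parses as user "Port-Limit" with check "= 2,".
        if entry["check"].startswith("="):
            findings.append(
                (entry["line"],
                 f"'{entry['name']}' looks like a reply item but starts "
                 "in column 0, so it is read as a new user entry")
            )
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN), ("indented", FIXED)):
        entries = parse_users(text)
        default = next(e for e in entries if e["name"] == "DEFAULT")
        print(f"{label}: {len(entries)} entries, "
              f"DEFAULT has {len(default['reply'])} reply items")
        for lineno, message in lint(text):
            print(f"  line {lineno}: {message}")
```

Under this model the unindented file still accepts users through DEFAULT but returns none of the reply items, which is consistent with the symptom reported at the start of the thread.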





Re: (RADIATOR) problem with multiple realms in one username

2002-07-08 Thread Hugh Irvine


Hello Slava -

# Handler for [EMAIL PROTECTED]

<Handler User-Name = /\@slava.com$/>
    .
</Handler>

# Handler for [EMAIL PROTECTED]@whatever

<Handler User-Name = /\@slava.com\@/>
    .
</Handler>


regards

Hugh
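
Added example (not part of the thread, and not Radiator code): the two end-anchored User-Name patterns from the replies in this thread, checked against constructed usernames, next to a stricter pattern that accepts exactly one realm. The strict pattern and every sample username are assumptions; Python's re module stands in for Perl here because these constructs behave the same in both.

```python
import re

# Perl patterns from the thread, transcribed for Python's re module.
# '\@' in Perl is a literal '@'; the unescaped '.' is kept as posted.
PATTERNS = {
    "reply1": re.compile(r"slava.com$"),    # /slava.com$/
    "reply2": re.compile(r"@slava.com$"),   # /\@slava.com$/
    # Assumption, not from the thread: one '@' only, literal dot, and
    # the absolute end of the string. Perl spelling of the same idea:
    #   /^[^@]+\@slava\.com\z/
    # (Python's \Z corresponds to Perl's \z, not Perl's \Z.)
    "strict": re.compile(r"\A[^@]+@slava\.com\Z"),
}

# Constructed usernames; the real addresses are redacted in the archive.
SAMPLES = [
    "alice@slava.com",            # the single-realm form that should match
    "alice@slava.com@SLAVA",      # two realms, wanted realm first
    "alice@other.net@slava.com",  # two realms, wanted realm last
    "alice@notslava.com",         # different realm with the same suffix
    "alice@slavaXcom",            # '.' in the pattern matches any character
    "alice@slava.com\n",          # '$' also matches before a final newline
]


def classify(username):
    """Return which of the patterns accept this User-Name."""
    return {name: bool(rx.search(username)) for name, rx in PATTERNS.items()}


def report(samples=SAMPLES):
    """Build (username, number of '@', matches) rows for each sample."""
    return [(u, u.count("@"), classify(u)) for u in samples]


if __name__ == "__main__":
    print(f"{'User-Name':32} {'@':>2}  reply1 reply2 strict")
    for user, ats, hits in report():
        flags = "  ".join(
            f"{'yes' if hits[k] else 'no':>5}" for k in PATTERNS
        )
        print(f"{user!r:32} {ats:>2}  {flags}")
```

Only the strict pattern meets the stated requirement of exactly one realm that must be slava.com; the end-anchored patterns also accept a second realm placed in front, and the unescaped dot accepts any character in that position.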


On Mon, 8 Jul 2002 20:17, [EMAIL PROTECTED] wrote:
 Hi Hugh,

 thank you for your quick response!

 I'd like to have handler that matches only [EMAIL PROTECTED], and do not
 match [EMAIL PROTECTED]@SLAVA, [EMAIL PROTECTED]@BLABLABLA nor
 username@[EMAIL PROTECTED] and so on..

 that means : to match the rule it must be only one realm name (for example
 [EMAIL PROTECTED]@SLAVA has 2 realms inside) and that realm must be
 slava.com

 thanks again for your help!

 see you,
 Slava

 -Original Message-
 From: Hugh Irvine [mailto:[EMAIL PROTECTED]]
 Sent: Montag, 8. Juli 2002 11:28
 To: Rimdenok, Sviatoslav; [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) problem with multiple realms in one username



 Hello Slava -

 You don't actually say what your requirements are - could you give me some
 more details on what exactly you want to do?

 BTW - if you want a handler to match slave.com as different to
 slava.com@SLAVA, you should do this:

 Handler User-Name = /slava.com$/
   .
 /Handler

 which will match slava.com only at the end of the User-Name string.

 regards

 Hugh

 On Mon, 8 Jul 2002 18:13, [EMAIL PROTECTED] wrote:
   Hi Guys,
 
   We've got Radiator running on our side. Recently I've found really

 strange

  behaviour of Radiator, - the problem comes then username in the
  incoming RADIUS packet looks like username@realmone@realmtwo (please
  see the live example from the log file):
 
  ... skipped .
 
  Mon Jul  8 04:20:39 2002: DEBUG: Packet dump:
  *** Received from 10.10.10.10 port 51675 
  Code:   Access-Request
  Identifier: 185
  Authentic:  136100so00513008400
  Attributes:
  User-Name = [EMAIL PROTECTED]@SLAVA
  User-Password =
  .177238e210203(23518920021226r52419
  NAS-Identifier = i-Pass VNAS
  NAS-IP-Address = 10.10.10.10
  NAS-Port = 1
  Service-Type = Framed-User
  Framed-Protocol = PPP
 
 
  Mon Jul  8 04:20:39 2002: DEBUG: Check if Handler Realm=slava.com should

 be

  used to handle this request
  Mon Jul  8 04:20:39 2002: DEBUG: Handling request with Handler
  'Realm=slava.com'
 
  ... skipped .
 
 
  In the configuration file we have a handler like Handler
  Realm=slava.com ... /Handler, so we expect that it satisfies all
  usernames like [EMAIL PROTECTED].. But, as the reality showed, it matches
  [EMAIL PROTECTED]@SLAVA too..
 
  Most probably that's expected behaviour of Radiator, but how we should
  change our Handler Handler Realm=.. to work it properly according to
  our needs?
 
  Thank you so much for your help!
 
  sincerely yours,
 
  Slava Rimdenok
 
 
  Sviatoslav Rimdenok
  System Administrator
  COLT Telecom AG
  Badenerstrasse 820
  CH-8048 Zürich
 
  t:  +41 1 5 600 900
  f:  +41 1 5 600 910
  e:mailto:[EMAIL PROTECTED]
 www.colt.ch
 
  we make business straight.forward
 
 
  ===
  Archive at http://www.open.com.au/archives/radiator/
  Announcements on [EMAIL PROTECTED]
  To unsubscribe, email '[EMAIL PROTECTED]' with
  'unsubscribe radiator' in the body of the message.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) which attribute?

2002-07-08 Thread Hugh Irvine


Hello Shon -

You would do something like this:

<Client ..>
    Identifier Carrier1
    .
</Client>

<Client ..>
    Identifier Carrier1
    .
</Client>

<Client ..>
    Identifier Carrier2
    .
</Client>

<Client ..>
    Identifier Carrier3
    .
</Client>

...

<Handler Client-Identifier = Carrier1>
    ..
</Handler>

<Handler Client-Identifier = Carrier2>
    ..
</Handler>

<Handler Client-Identifier = Carrier3>
    ..
</Handler>

If you have any other questions, please ask.

regards

Hugh





Re: (RADIATOR) Radiator performance on various platforms.

2002-07-08 Thread Hugh Irvine


Hello Brian -

The largest installation that we are aware of currently runs on multiple SUN 
servers (each with multi-processors and each running two instances of 
Radiator). These servers have a load-balancer in front of them and on the 
backend there is an enterprise class SUN server running Oracle.

This installation has tested throughput up to 1200 radius requests per second.

On any modern hardware you will see throughput in the several hundreds per 
second. However you need to be aware that the performance limitations are 
almost always due to external factors such as the database.

Most of the people on the mailing list seem to use Linux, followed by Solaris 
and *BSD. There are also many smaller installations running Windows and MacOS 
(BTW - MacOS X is *really* nice...).

regards

Hugh


On Tue, 9 Jul 2002 08:38, Brian Morris wrote:
 Hi All,

 We are looking at upgrading our radiator / radius server and are
 considering the various platform options available to us.

 The radiator reference manual cites various performance measurements using
 versions of hardware and operating systems which are now several
 generations out of date.

 Does anyone have any performance information on radiator running on the
 likes of Solaris 8/9, Redhat 7 or NT 2000 with modern hardware?  If so
 would they like to share their experiences?

 Thanks in advance,

 Brian.






Re: (RADIATOR) Selecting domain stripping in AuthBySQLRADIUS

2002-07-08 Thread Hugh Irvine


Hello James -

In Radiator 3.1, you can use the AuthBy SQLRADIUS clause with HostColumnDef's 
to supply a RewriteUsername (or not).

Note that you will need the patched version of AuthBy SQLRADIUS from the 
Radiator 3.1 patches area.

See section 6.45 in the Radiator 3.1 reference manual (doc/ref.html).

regards

Hugh

On Tue, 9 Jul 2002 06:31, James Wiegand wrote:
 Hello,

 I am trying to come up with a config where we can store the bulk of our
 roaming configurations in an SQL table.  There is one question that does
 not seem to be obvious from the configuration.  Is it possible to have to
 strip the domain (or not) based on the (domain, host) key?

 Here's the scenario:

 [EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
   - [EMAIL PROTECTED] sent to host2

 [EMAIL PROTECTED]   - user sent to host1
   - user sent to host2

 [EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
   - user sent to host2

 Any ideas?

 Jim Wiegand, BSEE, MSE
 Supervisor, Infrastructure Operations
 Fiberlink Communications
 215 793 6554


 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential and/or privileged
 material.  Any review, retransmission, dissemination or other use of, or
 taking of any action in reliance upon, this information by persons or
 entities other than the intended recipient is prohibited.   If you received
 this in error, please contact the sender and delete the material from any
 computer.


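The three cases in the question above (realm kept for both hosts, realm stripped for both, realm kept for one host and stripped for the other) can be modelled as a table keyed on (realm, host). This is an added example, not Radiator code or configuration; the realm names, host names, table layout and function names are constructed for illustration, and the boolean stands in for a per-row RewriteUsername.

```python
# Added illustration, not Radiator code: models a per-(realm, host) choice
# of whether the realm is stripped before a request is proxied.
# Realm names, host names and the table layout are constructed.

# (realm, target host) -> strip the realm before forwarding?
ROUTES = {
    ("keep.example", "host1"): False,
    ("keep.example", "host2"): False,
    ("strip.example", "host1"): True,
    ("strip.example", "host2"): True,
    ("mixed.example", "host1"): False,
    ("mixed.example", "host2"): True,
}


def split_realm(username):
    """Split on the last '@' so 'a@b@realm' keeps 'a@b' as the user part."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, None      # no realm present
    # Assumption: realms are matched case-insensitively.
    return user, realm.lower()


def forwarded_names(username):
    """Return {host: username to send} for every host serving the realm.

    Each host's name is derived from the original User-Name, so stripping
    for one host never leaks into the copy sent to another host.
    """
    user, realm = split_realm(username)
    if realm is None or not user:
        return {}                  # nothing to route on; handle locally or reject
    out = {}
    for (route_realm, host), strip in ROUTES.items():
        if route_realm == realm:
            out[host] = user if strip else username
    return out
```

An empty result means no row matched, so the caller decides whether an unknown or missing realm is rejected or handled locally rather than forwarded by default.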



Re: (RADIATOR) User auths if in the users file only?

2002-07-08 Thread chris


 P.S. is this really a working example with this Framed-IP-Address?

Yes, this is the DEFAULT selection, which, it is my understanding, follows
some RFC that states this address should be converted to one from a dynamic
pool.

This was where the problem was. Their setup did not follow this standard and
was trying to assign 255.255.255.254 as the IP *sigh*

Problem solved.


Thanks,
Chris

P.S. Sorry about the whitespace confusion.



 --
 Karl Gaissmaier  Computing Center,University of Ulm,Germany
 Email:[EMAIL PROTECTED]  Network Administration



Re: (RADIATOR) Selecting domain stripping in AuthBySQLRADIUS

2002-07-08 Thread James Wiegand


Just to clarify, because under section 6.30 RewriteUsername is not listed,
even though it is shown in section 6.45, is it legal to have a
RewriteUsername statement under a Hosts clause?  This would be useful.

Sorry to be pedantic, but the statement that anything which is legal in a
Hosts clause is not clear in the context of a RewriteUsername statement.
In 2.18 I seem to remember not being able to include a rewrite statement in
a Hosts clause.  Is this changed for 3.1?

Thanks for the help,

Jim Wiegand, BSEE, MSE
Supervisor, Infrastructure Operations
Fiberlink Communications
215 793 6554





   
  
From: Hugh Irvine [EMAIL PROTECTED]
To: James Wiegand [EMAIL PROTECTED], '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: 07/08/2002 07:11 PM
Subject: Re: (RADIATOR) Selecting domain stripping in AuthBySQLRADIUS
Please respond to hugh
  
   
  
   
  





Hello James -

In Radiator 3.1, you can use the AuthBy SQLRADIUS clause with
HostColumnDef's
to supply a RewriteUsername (or not).

Note that you will need the patched version of AuthBy SQLRADIUS from the
Radiator 3.1 patches area.

See section 6.45 in the Radiator 3.1 reference manual (doc/ref.html).

regards

Hugh

On Tue, 9 Jul 2002 06:31, James Wiegand wrote:
 Hello,

 I am trying to come up with a config where we can store the bulk of our
 roaming configurations in an SQL table.  There is one question that does
 not seem to be obvious from the configuration.  Is it possible to have to
 strip the domain (or not) based on the (domain, host) key?

 Here's the scenario:

 [EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
   - [EMAIL PROTECTED] sent to host2

 [EMAIL PROTECTED]   - user sent to host1
   - user sent to host2

 [EMAIL PROTECTED]   - [EMAIL PROTECTED] sent to host1
   - user sent to host2

 Any ideas?

 Jim Wiegand, BSEE, MSE
 Supervisor, Infrastructure Operations
 Fiberlink Communications
 215 793 6554





Re: (RADIATOR) Radiator performance on various platforms.

2002-07-08 Thread Bennie Warren

I have a question on Trace level. Should that be set to 0 in a configuration
file when all is working? Oh and yes OS X is really nice.

Bennie

On 7/8/02 4:03 PM, Hugh Irvine [EMAIL PROTECTED] wrote:

 
 Hello Brian -
 
 The largest installation that we are aware of currently runs on multiple SUN
 servers (each with multi-processors and each running two instances of
 Radiator). These servers have a load-balancer in front of them and on the
 backend there is an enterprise class SUN server running Oracle.
 
 This installation has tested throughput up to 1200 radius requests per second.
 
 On any modern hardware you will see throughput in the several hundreds per
 second. However you need to be aware that the performance limitations are
 almost always due to external factors such as the database.
 
 Most of the people on the mailing list seem to use Linux, followed by Solaris
 and *BSD. There are also many smaller installations running Windows and MacOS
 (BTW - MacOS X is *really* nice...).
 
 regards
 
 Hugh
 
 
 On Tue, 9 Jul 2002 08:38, Brian Morris wrote:
 Hi All,
 
 We are looking at upgrading our radiator / radius server and are
 considering the various platform options available to us.
 
 The radiator reference manual cites various performance measurements using
 versions of hardware and operating systems which are now several
 generations out of date.
 
 Does anyone have any performance information on radiator running on the
 likes of Solaris 8/9, Redhat 7 or NT 2000 with modern hardware?  If so
 would they like to share their experiences?
 
 Thanks in advance,
 
 Brian.
 
 
 


-- 
**
Bennie Warren 
LemooreNet 
320 West D Street  
Lemoore, CA  93245 
Phone:  559.924.5909
Fax  559.924.9578  
[EMAIL PROTECTED]
http://www.lemoorenet.com
**

