Re: (RADIATOR) CHAP-Password / User-Password
Thank you Hugh, I fixed that goddam problem (the funny thing is, I don't know how!)

Now I have a new problem: in the request (from client) I have to include, besides username/psw/service-type, also other 2 fields, the 2 names (row1 and row2, stored in the db) of the client which is authenticated, with this syntax: [EMAIL PROTECTED]@row2 (or [EMAIL PROTECTED]). Of course, the DB already 'knows' the client, because his IP/Hostname is stored in the client table, but I have to do this to ensure maximum security (and accessibility) to all the clients of my net.

The question is, how can I extract from the full string the fields row1 and row2?

(I do not include the trace 4 log, only the radius.cfg)

---
Matteo Jurman
SYAC SpA
Area Science Park Ed. E3
Tel.: +39 40 3755336
Fax: +39 40 9220044
---

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Matteo Jurman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 12:55 AM
Subject: Re: (RADIATOR) CHAP-Password / User-Password

If CHAP works and PAP doesn't, I would suspect the shared secret between the client device and Radiator.

radius.cfg
Description: Binary data
(RADIATOR) Accounting Local and forwarding using rewriteusername problems
Hi everybody,

I have problems using Local and forwarding accounting. First of all, here you have a piece of my cfg file for the 'test' realm:

<AuthBy SQL>
    Identifier authBySQL_InsertCallAcct
    DBSource dbi:ODBC:radius_databasex
    DBUsername testuser
    DBAuth testpass
    AccountingTable TestCalls
    AcctColumnDef NASIdentifier,NAS-IP-Address
    AcctColumnDef NasPort,NAS-Port,integer
    AcctColumnDef AcctSessionID,Acct-Session-Id
    AcctColumnDef AcctStatusType,Acct-Status-Type,integer
    AcctColumnDef UserName,User-Name
    AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
    AcctColumnDef NASPortDNIS,Called-Station-Id
    AcctColumnDef CallingStationId,Calling-Station-Id
</AuthBy>

<AuthBy RADIUS>
    Identifier authByRADIUS_Realm_Test
    #IgnoreAccountingResponse
    Host 111.111.111.111
    Secret testsecret
    AuthPort 1812
    AcctPort 1813
    Retries 3
    RetryTimeout 10
</AuthBy>

<Handler Request-Type=Access-Request,Service-Type=Framed-User,Realm=test>
    AcctLogFileName %L/radiusd_auth-%Y%m%d.log
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    AuthBy authByRADIUS_Realm_Test
</Handler>

<Handler Request-Type=Accounting-Request,Realm=test>
    AuthByPolicy ContinueAlways
    AuthBy authBySQL_InsertCallAcct
    AcctLogFileName %L/radiusd_acct-%Y%m%d.log
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    AuthBy authByRADIUS_Realm_Test
</Handler>

I have a DB where I want to store all accounting as my cisco gives me, but my client wants to receive Auth and Acct forwarding without realm in the usernames. When I use this configuration, the username field in my DB is stored without realm... I don't know why...

Please I need HELP

Thanks to all,
Sergio Gómez de Travesedo Rojas.
Baytechnologies

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
RE: (RADIATOR) NULL usernames in Radius Packets
Just a followup. We indeed were ignoring those types of packets since we don't have a handler where username is NULL (we check based on realms). So we added:

<Handler>
    RejectHasReason
    <AuthBy INTERNAL>
        DefaultResult REJECT
        AcctResult ACCEPT
    </AuthBy>
</Handler>

And this seems to have helped. From what I can tell, others have also had problems with TNT sending NULL usernames.

Thanks again,
mahesh

-Original Message-
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 10:27 PM
To: Mahesh Neelakanta
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) NULL usernames in Radius Packets

Hello Mahesh -

Yes it does look like the NAS has been trying to send this accounting for a long time. What does the trace 4 debug from Radiator show? Perhaps your configuration file is not processing the request and it is simply being ignored and retried forever.

regards

Hugh

On Thursday, Oct 2, 2003, at 02:20 Australia/Melbourne, Mahesh Neelakanta wrote:

Elias and Hugh,

Thanks for your responses. We had thought about this but what we are getting is a Start Accounting packet (captured from radstock):

NAS-IP-Address        Len 6   XX.XX.XX.XX
NAS-Port-Id           Len 6   111
NAS-Port-Type         Len 6   Async
Acct-Status-Type      Len 6   Start
Acct-Delay-Time       Len 6   75841
Acct-Session-Id       Len 12  432625102*
Acct-Authentic        Len 6   Local
Idle-Timeout          Len 6   0
Ascend-Modem-PortNo   Len 6   21
Ascend-Modem-SlotNo   Len 6   7
Ascend-Modem-ShelfNo  Len 6   1
Calling-Station-Id    Len 12  2122859024
Called-Station-Id     Len 6

What is strange is the Acct-Authentic (Local?) and the Acct-Delay-Time (over 21 hours). We believe this is definitely a local RAS issue but are not sure what it could be. It's almost as if the RAS has a HUGE backlog of old accounting which it is trying to re-send but only sends a portion of the full information. We did set acct-drop-stop-on-auth-fail = no to no avail.

mahesh

-Original Message-
From: Elias [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 30, 2003 11:10 PM
To: Mahesh Neelakanta
Cc: Hugh Irvine
Subject: Re: (RADIATOR) NULL usernames in Radius Packets

Hi Mahesh,

We've had the same thing happen to us before. It's actually a configuration on the tnt boxes. If I remember correctly it will send a Stop accounting packet with a blank username if the line gets dropped prematurely (before a proper connection gets established).

- Elias -

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Mahesh Neelakanta [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 6:41 AM
Subject: Re: (RADIATOR) NULL usernames in Radius Packets

Hello Mahesh -

Unless you are using a RewriteUsername, Radiator does not do anything with the username. I suspect that the NAS is sending an empty username, but without seeing a copy of your configuration file (no secrets) and a trace 4 debug from Radiator showing what is happening it is not possible to say any more.

regards

Hugh

On Wednesday, Oct 1, 2003, at 07:02 Australia/Melbourne, Mahesh Neelakanta wrote:

Hello,

We are seeing the following error in radiator.log:

Tue Sep 30 16:56:20 2003: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT,ACCTSESSIONID, TIMESTAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE,CALLERID,CLIENTPORTDNIS) values ('', 'XX.XX.XX.XX', 01071,'432626086', to_date('30 09 2003 16:56:20', 'DD MM HH24:MI:SS'), '','Async', '','2126823450','5000')': ORA-01400: cannot insert NULL into (RADIUS.RADONLINE.USERNAME) (DBD ERROR: OCIStmtExecute)

From what we can tell, the RAS XX.XX.XX.XX is sending us start or stop packets with no username. Is there something in the configuration (on the radiator side or the ras, which is a lucent tnt) which could cause this.

My guess is that it is a RAS issue but we are not sure what/why this is occurring.

mahesh

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) cisco-avpair accounting
Hello Jesus -

If you are receiving multiple attributes with the same name (ie: cisco-avpair = .) then yes you will need to use a Hook to parse them into separate differently named attributes. Then you can use the AcctColumnDef's in your AuthBy SQL clause.

regards

Hugh

On Friday, Oct 10, 2003, at 05:01 Australia/Melbourne, Jesus Rodriguez wrote:

Hello,

Is still needed to use a PreClientHook to make mysql accounting of multiple cisco-avpair attributes?

Thanks.

---
Jesus Rodriguez
Endercom Comunicaciones, S.L.
[EMAIL PROTECTED]
http://www.endercom.com
Tel. +34 934424293
---
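
Added example, not from the thread or from Radiator: the splitting step Hugh describes, as a stand-alone Perl routine that turns repeated cisco-avpair values into uniquely named attributes. The allowed keys, the cisco-<key> naming scheme and the sample values are assumptions; the hook wiring that reads the values from the request and writes the new attributes back is left out.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keys that may become separate attributes (hypothetical list: use the keys
# your NAS really sends and that your dictionary and AcctColumnDefs name).
my %ALLOWED = map { $_ => 1 } qw(connect-progress pre-bytes-in pre-bytes-out);

# Split repeated cisco-avpair strings of the form
#   [protocol:]key=value   or   [protocol:]key*value
# into uniquely named attributes. Returns a list of [name, value] pairs.
sub split_avpairs {
    my @values = @_;
    my (@out, %seen);
    for my $v (@values) {
        next unless defined $v;
        # '=' and '*' are both accepted as the key/value separator
        next unless $v =~ /^(?:[A-Za-z0-9-]+:)?([A-Za-z0-9_-]+)[=*](.*)$/s;
        my ($key, $val) = (lc $1, $2);
        # The key comes from the NAS, so only expected keys are turned
        # into attribute names; everything else is skipped.
        next unless $ALLOWED{$key};
        my $n = ++$seen{$key};
        # Hypothetical naming scheme: cisco-<key>, then cisco-<key>-2, ...
        my $name = $n == 1 ? "cisco-$key" : "cisco-$key-$n";
        push @out, [$name, $val];
    }
    return @out;
}

# Constructed sample: values as they might arrive in one Accounting-Request.
my @sample = (
    'connect-progress=LAN Ses Up',
    'pre-bytes-in=0',
    'pre-bytes-out=0',
    'pre-bytes-out=17',        # same key twice
    'unknown-key=ignored',     # not in the allow list
    'not a pair',              # malformed
);

printf "%s = %s\n", @$_ for split_avpairs(@sample);
```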
Re: (RADIATOR) Accounting Local and forwarding using rewriteusername problems
Hello Sergio -

You will need to use an AuthBy GROUP with the RewriteUsername inside:

<Handler Request-Type=Accounting-Request,Realm=test>
    AuthByPolicy ContinueAlways
    AuthBy authBySQL_InsertCallAcct
    AcctLogFileName %L/radiusd_acct-%Y%m%d.log
    <AuthBy GROUP>
        RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
        AuthBy authByRADIUS_Realm_Test
    </AuthBy>
</Handler>

regards

Hugh

On Friday, Oct 10, 2003, at 01:57 Australia/Melbourne, Sergio Gómez ((E-mail)) wrote:

Hi everybody,

I have problems using Local and forwarding accounting. First of all, here you have a piece of my cfg file for the 'test' realm:

<AuthBy SQL>
    Identifier authBySQL_InsertCallAcct
    DBSource dbi:ODBC:radius_databasex
    DBUsername testuser
    DBAuth testpass
    AccountingTable TestCalls
    AcctColumnDef NASIdentifier,NAS-IP-Address
    AcctColumnDef NasPort,NAS-Port,integer
    AcctColumnDef AcctSessionID,Acct-Session-Id
    AcctColumnDef AcctStatusType,Acct-Status-Type,integer
    AcctColumnDef UserName,User-Name
    AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
    AcctColumnDef NASPortDNIS,Called-Station-Id
    AcctColumnDef CallingStationId,Calling-Station-Id
</AuthBy>

<AuthBy RADIUS>
    Identifier authByRADIUS_Realm_Test
    #IgnoreAccountingResponse
    Host 111.111.111.111
    Secret testsecret
    AuthPort 1812
    AcctPort 1813
    Retries 3
    RetryTimeout 10
</AuthBy>

<Handler Request-Type=Access-Request,Service-Type=Framed-User,Realm=test>
    AcctLogFileName %L/radiusd_auth-%Y%m%d.log
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    AuthBy authByRADIUS_Realm_Test
</Handler>

<Handler Request-Type=Accounting-Request,Realm=test>
    AuthByPolicy ContinueAlways
    AuthBy authBySQL_InsertCallAcct
    AcctLogFileName %L/radiusd_acct-%Y%m%d.log
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    AuthBy authByRADIUS_Realm_Test
</Handler>

I have a DB where I want to store all accounting as my cisco gives me, but my client wants to receive Auth and Acct forwarding without realm in the usernames. When I use this configuration, the username field in my DB is stored without realm... I don't know why...

Please I need HELP

Thanks to all,
Sergio Gómez de Travesedo Rojas.
Baytechnologies
Re: (RADIATOR) CHAP-Password / User-Password
Ciao Matteo -

I don't quite understand what you mean below: "in the request (from client) I have to include"? Can you give me a bit more detail on what you want to do?

regards

Hugh

On Thursday, Oct 9, 2003, at 23:32 Australia/Melbourne, Matteo Jurman wrote:

Thank you Hugh, I fixed that goddam problem (the funny thing is, I don't know how!)

Now I have a new problem: in the request (from client) I have to include, besides username/psw/service-type, also other 2 fields, the 2 names (row1 and row2, stored in the db) of the client which is authenticated, with this syntax: [EMAIL PROTECTED]@row2 (or [EMAIL PROTECTED]). Of course, the DB already 'knows' the client, because his IP/Hostname is stored in the client table, but I have to do this to ensure maximum security (and accessibility) to all the clients of my net.

The question is, how can I extract from the full string the fields row1 and row2?

(I do not include the trace 4 log, only the radius.cfg)

---
Matteo Jurman
SYAC SpA
Area Science Park Ed. E3
Tel.: +39 40 3755336
Fax: +39 40 9220044
---

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Matteo Jurman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 12:55 AM
Subject: Re: (RADIATOR) CHAP-Password / User-Password

If CHAP works and PAP doesn't, I would suspect the shared secret between the client device and Radiator.

radius.cfg
(RADIATOR) AuthBy EXTERNAL Can't pass received attribute to external program via STDIN
Hi

Previously i did ask a question regarding test run AuthBy External by using sample configuration (external.cfg) and perl script (testcommand.pl) which can be found in the goodies directory. After read thru all the replied emails and relevant document, i tried to execute this sample configuration and perl script again. But i still fail to get the correct respond. Hope you can answer the following question.

1. Following are the console screen display of RADIUS server after receive Accept request from the client

---Console Screen---
Thu Oct 9 22:54:02 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Thu Oct 9 22:54:02 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Oct 9 22:54:02 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct 9 22:54:02 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
Thu Oct 9 22:54:04 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3330
Code: Access-Request
Identifier: 199
Authentic: 1234567890123456
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = 159249:201175\424618889160216}x153
Thu Oct 9 22:54:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Oct 9 22:54:04 2003: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Thu Oct 9 22:54:04 2003: DEBUG: Running command: c:/perl/bin/perl ./goodies/testcommand.pl
---

Above information has shown that radius server received all the attribute value from client, and it called the external program which has been define in AuthBy External. But somehow radius server didn't pass those attributes to external program via STDIN after executed the external program. My question do we need to configure radius configuration file in order to direct radius server pass those attributes to external program via STDIN ?

2. From the above console screen, i also discovered that radius server was halt after calling external program testcommand.pl. I found there is a endless while loop in the testcommand.pl which is shown as following

while (<>)
{
    chomp;
    if ($_ =~ /^\s*([^\s=]+)\s*=\s*"((\\"|[^"])*)"/)
    {
        # Quoted value
        $input{$1} = $2;
    }
    elsif ($_ =~ /^([^\s=]+)\s*=\s*(.*)/)
    {
        # Unquoted value
        $input{$1} = $2;
    }
}
:
:

My question is can it be the root to cause the radius server halt ?

thank you
MAN MENG FEI

while ($counter < 4)
{
    print "while\n";
    chomp;
    if ($_ =~ /^\s*([^\s=]+)\s*=\s*"((\\"|[^"])*)"/)
    {
        # Quoted value
        print "Quoted value\n";
        $input{$1} = $2;
    }
    elsif ($_ =~ /^([^\s=]+)\s*=\s*(.*)/)
    {
        # Unquoted value
        print "Unquoted value\n";
        $input{$1} = $2;
    }
    $counter++;
}
:
:
Re: (RADIATOR) AuthBy EXTERNAL Can't pass received attribute to external program via STDIN
Hello Man -

You are correct, Radiator will stop while the program specified by the AuthBy EXTERNAL command executes. If the program never exits, then Radiator will wait forever.

You should add some print ... statements to the code in the external program to see what it is doing.

BTW - you can also use hooks in your Radiator configuration file for running your own code. See the examples in goodies/hooks.txt. And of course you can also write your own AuthBy module as another alternative.

Could you please tell me what hardware/software platform you are running and what versions of Windows and Perl?

regards

Hugh

On Friday, Oct 10, 2003, at 10:38 Australia/Melbourne, Man Meng Fei wrote:

Hi

Previously i did ask a question regarding test run AuthBy External by using sample configuration (external.cfg) and perl script (testcommand.pl) which can be found in the goodies directory. After read thru all the replied emails and relevant document, i tried to execute this sample configuration and perl script again. But i still fail to get the correct respond. Hope you can answer the following question.

1. Following are the console screen display of RADIUS server after receive Accept request from the client

---Console Screen---
Thu Oct 9 22:54:02 2003: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Thu Oct 9 22:54:02 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Thu Oct 9 22:54:02 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Thu Oct 9 22:54:02 2003: NOTICE: Server started: Radiator 3.7 on man (EVALUATION)
Thu Oct 9 22:54:04 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 3330
Code: Access-Request
Identifier: 199
Authentic: 1234567890123456
Attributes:
    User-Name = mikem
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = 159249:201175\424618889160216}x153
Thu Oct 9 22:54:04 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Oct 9 22:54:04 2003: DEBUG: Deleting session for mikem, 203.63.154.1, 1234
Thu Oct 9 22:54:04 2003: DEBUG: Running command: c:/perl/bin/perl ./goodies/testcommand.pl
---

Above information has shown that radius server received all the attribute value from client, and it called the external program which has been define in AuthBy External. But somehow radius server didn't pass those attributes to external program via STDIN after executed the external program. My question do we need to configure radius configuration file in order to direct radius server pass those attributes to external program via STDIN ?

2. From the above console screen, i also discovered that radius server was halt after calling external program testcommand.pl. I found there is a endless while loop in the testcommand.pl which is shown as following

while (<>)
{
    chomp;
    if ($_ =~ /^\s*([^\s=]+)\s*=\s*"((\\"|[^"])*)"/)
    {
        # Quoted value
        $input{$1} = $2;
    }
    elsif ($_ =~ /^([^\s=]+)\s*=\s*(.*)/)
    {
        # Unquoted value
        $input{$1} = $2;
    }
}
:
:

My question is can it be the root to cause the radius server halt ?

thank you
MAN MENG FEI

while ($counter < 4)
{
    print "while\n";
    chomp;
    if ($_ =~ /^\s*([^\s=]+)\s*=\s*"((\\"|[^"])*)"/)
    {
        # Quoted value
        print "Quoted value\n";
        $input{$1} = $2;
    }
    elsif ($_ =~ /^([^\s=]+)\s*=\s*(.*)/)
    {
        # Unquoted value
        print "Unquoted value\n";
        $input{$1} = $2;
    }
    $counter++;
}
:
:
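
Added example, not part of the thread and not the goodies/testcommand.pl script: a stand-alone reader that uses the same two patterns, ends at end-of-file on STDIN, and gives up after a time limit instead of keeping the calling server waiting. The line and time limits, the behaviour of alarm() (it interrupts a blocked read on Unix-like systems) and the exit status used are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $MAX_LINES = 200;   # assumed upper bound on attribute lines per request
my $MAX_SECS  = 5;     # assumed time budget before giving up

# Read "Name = value" lines until end-of-file, with the two patterns used in
# testcommand.pl, but never consume more than $max lines.
sub read_attributes {
    my ($fh, $max) = @_;
    my (%input, $count);
    while (defined(my $line = <$fh>)) {
        last if ++$count > $max;
        chomp $line;
        if ($line =~ /^\s*([^\s=]+)\s*=\s*"((\\"|[^"])*)"/) {
            $input{$1} = $2;              # quoted value
        }
        elsif ($line =~ /^\s*([^\s=]+)\s*=\s*(.*)/) {
            $input{$1} = $2;              # unquoted value
        }
    }
    return \%input;
}

# Self-check on constructed input (not taken from a real request), read
# through an in-memory filehandle so no server is needed.
my $sample = <<'EOT';
User-Name = "mikem"
Service-Type = Framed-User
NAS-Port = 1234
EOT
open(my $mem, '<', \$sample) or die "in-memory open failed: $!";
my $got = read_attributes($mem, $MAX_LINES);
close $mem;
die "parser self-check failed\n"
    unless $got->{'User-Name'} eq 'mikem' && $got->{'NAS-Port'} eq '1234';

# Started by hand, STDIN is the keyboard: the loop then waits for typed
# lines and only ends at end-of-file (Ctrl-Z on Windows, Ctrl-D on Unix).
warn "STDIN is a terminal: type attributes, then send end-of-file\n"
    if -t STDIN;

# Give up rather than block the caller for ever.
$SIG{ALRM} = sub { warn "no end-of-file within ${MAX_SECS}s\n"; exit 2 };
alarm $MAX_SECS;
my $attrs = read_attributes(\*STDIN, $MAX_LINES);
alarm 0;

# Debug goes to STDERR so it is kept apart from the program's STDOUT.
warn "$_ = $attrs->{$_}\n" for sort keys %$attrs;

# Diagnostic only: exit non-zero so this script never approves a request
# (check the meaning of each status in the AuthBy EXTERNAL documentation).
exit 1;
```

To try it without a server, pipe a few `Name = value` lines into the script; it prints what it parsed on STDERR and exits as soon as the pipe is closed.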
(RADIATOR) AddToReply
in my SUBSCRIBERS table I have the following entry:

Username = ugo
Password =
Checkattr = (NULL)
ReplyAttr = 'Class = 3, Idle-Timeout = 600'
TimeLeft = (NULL)

WHERE am I supposed to see the replyattr? The access point is not doing what is specified there and radpwtst doesn't show any reply attribute as well. what's wrong?

I have to send "Class = 3, Idle-Timeout = 600" to almost anyone. How do I do that? The best solution would be a per-user granularity (so the SUBSCRIBERS table fits) but it doesn't seem to work. Any suggestion?

here's radpwtst output:

Reading dictionary file '/etc/radiator/dictionary'
sending Access-Request...
Packet dump:
*** Sending to 127.0.0.1 port 1645
Code: Access-Request
Identifier: 161
Authentic: 1234567890123456
Attributes:
    User-Name = "ugo"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    User-Password = "145g172177131203179k1781195]152257136"
Packet dump:
*** Received from 127.0.0.1 port 1645
Code: Access-Accept
Identifier: 161
Authentic: 132|244cP177160148172828kxD144
Attributes:
OK
sending Accounting-Request Start...
Packet dump:
*** Sending to 127.0.0.1 port 1646
Code: Accounting-Request
Identifier: 162
Authentic:
Attributes:
    User-Name = "ugo"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "1234"
    Acct-Status-Type = Start
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    Acct-Delay-Time = 0
Packet dump:
*** Received from 127.0.0.1 port 1646
Code: Accounting-Response
Identifier: 162
Authentic: -203Fc170z~f169192331392232318225
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 127.0.0.1 port 1646
Code: Accounting-Request
Identifier: 163
Authentic:
Attributes:
    User-Name = "ugo"
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = "1234"
    Acct-Status-Type = Stop
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 2
    Acct-Output-Octets = 3
Packet dump:
*** Received from 127.0.0.1 port 1646
Code: Accounting-Response
Identifier: 163
Authentic: 248a136X242233202174164v15219421822A8
Attributes:
OK
(RADIATOR) replyattr
sorry, i'm dumb. :-) i've read the manual and changed the authselect accordingly.