(RADIATOR) Storing entire radius packet in SQL

2000-02-09 Thread Félix Izquierdo


Hi!

Is it possible to store the entire radius accounting packet in a single sql blob
field, like a comma- or newline-separated list?

thanks.

Félix


__
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30   Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]   http://www.datagrama.net
__

Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Cisco NAS, IP address Pool

2000-01-31 Thread Félix Izquierdo

Khurram Shahzad wrote:
 
> I have used "cisco-avpair="ip:addr_pool=my-own-pool", but after enabling
> authorization at Cisco NAS, as
> aaa authorization network radius
> it gives me Authorization Error Message.
>
> Also I have used non-standard option with radius host command on Cisco
> NAS to enable , options
 

I think that you need virtual profiles in order to support pool attributes.

Félix



Re: (RADIATOR) Accounting requests and online sessions.

2000-01-13 Thread Félix Izquierdo

Hola Antonio,

Antonio Coloma wrote:
 
> Hi everybody,
>
> We have detected that a session is added to the
> DatabaseSession only when Radiator gets a Start accounting-request, not
> when it receives an Access Request and this request is accepted. Why?
> Shouldn't it be added to the session database when the user is accepted?

Accepting an Access Request is not a guarantee of a started session, and this is
because in Radius there isn't a clear difference between the authentication and
authorization phases. The information that the NAS will use for some authorization
check is received in the Radius Access Request ACK, and with this information
the NAS can deny the access because of an authorization fault.

A very common example: the NAS sends an access-request after LCP authentication (pap,
chap or ms-chap), but before IPCP negotiation. The Radius server acks this
user-password and includes peer IP address information in the packet. This isn't
authentication information, it's authorization info. At this moment the NAS starts
IPCP negotiation, but if there is no agreement about the peer IP address negotiated,
it's considered an authorization error and the user is refused, and the session has
never started. The only thing that the NAS can do in this situation is to send a
Stop-without-previous-Start accounting record for the Radius server's information.
This stop-without-start accounting record is VERY important for the Radius server if
the server is managing IP address pools, or it can't free the assigned IP address
for the failed session.

> What happens if the start accounting-request arrives later
> than the stop accounting request?
 

I suppose this is an intrinsic danger of Radius stateless orientation. :(

Félix



Re: (RADIATOR) PostAuthHook assigning IP Address.. Please Help!!

1999-12-30 Thread Félix Izquierdo


Hola Antonio,

Antonio Navarro Navarro wrote:
 
> The problem is that if I assign an IP address to the user in the PreAuthHook
> (using a control file with the status of the IP addresses of the pool) and the
> user is not accepted by the Auth procedure of radiator, the user will be
> rejected but the IP address will remain in the control file.
 

Not if the NAS sends "STOP-without-previous-START" records for
authentication/authorization errors. Your code can free the IP address when this
"STOP-without-previous-START" record arrives. There are many NASes with this
behaviour.

For Cisco users: it was introduced as default in 12.0(  6 )T. In 12.0( = 6 )T
the default is to not send the stop record, but it's possible to configure it
with "aaa accounting stop-record authentication failure".

I seem to remember that the 3com NAS that you are using has this behaviour.

Félix

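The cleanup described in this reply and in the accounting/online-sessions reply above, as an added example that is not part of the original posts and is not Radiator code: an address is reserved at Access-Accept, the session counts as online only after a Start, and a Stop frees the address even when no Start was seen or when the Start arrives late. The class, its method names and the session key shared between the Access-Request and the accounting records are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PoolTracker:
    """Toy address pool (hypothetical names, not Radiator's API).

    Assumes the NAS sends the same session key in the Access-Request
    and in the accounting records that follow it.
    """
    free: list
    leases: dict = field(default_factory=dict)  # key -> [ip, state]
    closed: set = field(default_factory=set)    # keys whose Stop was seen

    def on_access_accept(self, key):
        """Reserve an address; the session is not online yet."""
        if key in self.leases:                  # retransmission: same answer
            return self.leases[key][0]
        if not self.free:
            return None                         # pool exhausted
        self.leases[key] = [self.free.pop(0), "reserved"]
        return self.leases[key][0]

    def on_accounting(self, key, status):
        """Apply an Acct-Status-Type of Start or Stop and report the action."""
        if status == "Start":
            if key in self.closed:
                return "ignored-late-start"     # Stop overtook the Start
            if key not in self.leases:
                return "unknown-session"
            self.leases[key][1] = "online"
            return "online"
        if status == "Stop":
            self.closed.add(key)                # real code would expire these
            lease = self.leases.pop(key, None)
            if lease is None:
                return "nothing-to-free"
            self.free.append(lease[0])          # address returns to the pool
            return "freed" if lease[1] == "online" else "freed-without-start"
        return "ignored"

    def online(self):
        """Sessions confirmed by a Start record."""
        return sorted(k for k, (_, s) in self.leases.items() if s == "online")

if __name__ == "__main__":
    pool = PoolTracker(free=["192.0.2.10", "192.0.2.11"])  # constructed sample pool
    print(pool.on_access_accept("nas1/0001"), pool.online())
    print(pool.on_accounting("nas1/0001", "Stop"), pool.free)
    print(pool.on_accounting("nas1/0001", "Start"))
```

Without the Stop-without-Start record, the reserved address in this model would stay out of the free list until some timeout reclaimed it.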



Re: (RADIATOR) Help needed with hooking up to MySQL database!

1999-12-22 Thread Félix Izquierdo

Danny Whitesel wrote:
 
> If I understand the issue correctly, the next step for me to do is remove
> the RPM install of Perl from that machine and compile/install Perl from a
> tarball, making sure the Makefile specifies GCC as the compiler?
>
> Has anyone else run into this before? Does anyone have any other suggestions
> or input? I am really not looking forward to re-compiling Perl.
 

It's an old problem and I don't know of any other solution. You must compile
all the perl and mysql stuff on the same system and with the same
compiler. If not, you can have problems not only with mysql, but also
with any other perl modules.

Félix





(RADIATOR) Multiple SessionDatabase question

1999-11-22 Thread Félix Izquierdo


Hello!

If I have defined multiple SessionDatabase DBM, how can I know what
database is Radiator using as default for Realms/Handlers where it's not
specified?

Thanks.

Félix




Re: (RADIATOR) Password Expiration

1999-01-16 Thread Félix Izquierdo


About this issue... it would be very interesting to support in future
releases system native password expirations in AuthBy SYSTEM.

The getspnam() function in Shadowf can get this information from the /etc/shadow
file or any other method in nsswitch.

Cheers.

Félix

 Ferhat DILMAN wrote:
 
> Hi,
>
> Is there a workaround/solution for password expiration in radiator?
>
> What we basically would like to do is to enable password changing in
> the black terminal script screen or another way just after user gets
> the authentication.
>
> Thanks,
>
> Ferhat
