(RADIATOR) Attribute number 39051
Hi. I am getting a lot of these at the moment: Tue Apr 4 12:32:20 2000: ERR: Attribute number 39051 (vendor 429) is not defined in your dictionary Can anyone tell me what the correct Attribute should be? Cheers John -- John Vorstermans ||In the confrontation between the stream and the Technical Manager ||rock, The stream always wins - not through Actrix Networks ||strength but through perseverance. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Expiration date passed!
Hi Hugh. Updating AuthRADIUS.pm made no diffderence. I ran the following select statement mSQL: select DateAdd(Day, ma.extension, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft, sa.LoginLimit ,sa.LoginLimit from masteraccounts ma, subaccounts sa where (sa.login = 'adsleyework' or sa.shell = 'adsleyework') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0 Here is the result: AccountID AccountType password login shell TimeLeftLoginLimit LoginLimit -- --- --- --- -- - --- -- -- 1999-12-31 00:00:00.000 2037-01-01 00:00:00.000 8903PPP adsleyework NULL1 1 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Expiration date passed!
Sorry for the repost. Not all the message went through the first time. Hi Hugh. Updating AuthRADIUS.pm made no diffderence. I ran the following select statement mSQL: select DateAdd(Day, ma.extension, maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.password, sa.login, sa.shell, sa.TimeLeft, sa.LoginLimit ,sa.LoginLimit from masteraccounts ma, subaccounts sa where (sa.login = 'adsleyework' or sa.shell = 'adsleyework') and ma.customerid = sa.customerid and sa.active 0 and ma.active 0 Here is the result: AccountID AccountType password login shell TimeLeftLoginLimit LoginLimit -- --- --- --- -- - --- -- -- 1999-12-31 00:00:00.000 2037-01-01 00:00:00.000 8903PPP adsleyework NULL1 1 === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AuthBy Emerald Platypus
Here is what we use: Realm DEFAULT # If Platypus rejects the login, forward it to the old Radius server AuthByPolicy ContinueUntilAccept ExcludeFromPasswordLog AuthBy EMERALD # You can use this to force Radiator to limit # maximum session times to how many minutes # are left in subaccounts.timeleft TimeBanking # Change DBSource, DBUsername, DBAuth for your database # See the reference manual DBSourcedbi:ODBC:LocalServer DBUsername xx DBAuth xx # You can add to or change these if you want. AccountingTable Calls AcctColumnDef UserName,User-Name AcctColumnDef CallDate,Timestamp,integer-date AcctColumnDef AcctStatusType,Acct-Status-Type,integer AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer AcctColumnDef AcctSessionId,Acct-Session-Id AcctColumnDef AcctSessionTime,Acct-Session-Time,integer AcctColumnDef AcctTerminateCause,Ascend-Disconnect-Cause,int eger # AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause,intege r # AcctColumnDef NASIdentifier,NAS-Identifier AcctColumnDef NASIdentifier,NAS-IP-Address AcctColumnDef NASPort,NAS-Port,integer AddATDefaults AuthSelect ,sa.LoginLimit AuthColumnDef 0,Simultaneous-Use,check /AuthBy AuthBy FILE Filename %D/users /AuthBy # Log all accounting into daily log files AcctLogFileName /local/etc/radius/log/%Y%m%d.act /Realm At 11:59 15-11-99 -0500, Todd Knaus wrote: Dear Radiator Platypus users, Could someone share their .cfg file with me ? In particular I am curious about the line that reads; AcctColumnDef AcctTerminateCause, ?, integer When using Platypus what should the read ? I have it set to the default setting which is Acct-Terminate-Cause. I am having problems with users not getting disconnected and I am wondering if this may be part of the problem. Thanks for any help of input. Todd === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- John Vorstermans||We are what we repeatedly do. Technical Manager || - Aristotle Actrix Networks === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) Re: Static IP's and Assigned Pools, and Platypus
Hi Kelly. You can configure static IPs or ranges within Platypus. Go to Maintenance, External Systems, Radius NT and User Attributes. Simply enter the Users "Account ID" and add whatever attributes you require. These will over-ride the defaults you set in "Acct Attributes" Tab. You can set here IP's, Netmasks or the Pool the account should use, plus of course any other attributes you might choose to defined. Cheers John At 10:17 12-11-99 -0500, Kelly Hamlin wrote: Im using the AuthBy Emerald and my config is attached below. Right now the only thing stopping me from making the final switch to radiator is the fact that i can not find a "clear" solution on how to assign static ips to users. Do i do this from inside Platypus somewhere? Also we have customers in which we assign a block of say 32 ips and some like my personal account at home where i get 6. Im a lil confused cause in Livingston radius i would add those to the users file and i had a default entry to authenticate from password file. Thanks in advance --Config-- Foreground LogStdout LogDir . DbDir . # You will probably want to change this to suit your site. Client DEFAULT Secret *** DupInterval 0 /Client Client 209.xx.xxx.138 Secret /Client Client 209.xx.xx.130 Secret /Client Realm DEFAULT AuthBy EMERALD DBSourcedbi:ODBC:Platypus DBUsername neoxx DBAuth * AccountingTable Calls AcctColumnDef UserName,User-Name AcctColumnDef CallDate,Timestamp,integer-date AcctColumnDef AcctStatusType,Acct-Status-Type,integer AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer AcctColumnDef AcctSessionId,Acct-Session-Id AcctColumnDef AcctSessionTime,Acct-Session-Time,integer AcctColumnDef AcctTerminateCause,Ascend-Disconnect-Cause ,integer AcctColumnDef NASIdentifier,NAS-Identifier AcctColumnDef NASIdentifier,NAS-IP-Address AcctColumnDef NASPort,NAS-Port,integer TimeBanking # AuthSelect ,sa.maxsessions # AuthColumnDef 0,Simultaneous-Use,check /AuthBy /Realm --/Config-- Kelly Hamlin [EMAIL PROTECTED] Network Administrator (941) 332.4900 http://www.neosmart.com -- John Vorstermans||We are what we repeatedly do. Technical Manager || - Aristotle Actrix Networks === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) TimeLeft
Hi Hugh. Yes, thanks for that, the TimeBanking option helps and I can confirm that the customer now does get cut off when their time goes into the negative. However they can then dial-in again and get connected without a problem and stay on-line for as long as they like. That is, if the Timeleft is a negative number. Is this the correct action for Radiator? That is, to accept authentication when Timeleft is a negative number or are you not concerned with this and only use this as a method of when to disconnect a user? It seems to me that it would be useful to not allow authentication when the number is a minus/negative and return an error message to that effect but perhaps I have missed a point? I'd be keen to here your point of view Hugh? Cheers and thanks for your help so far. John At 14:00 28/10/99 +1000, you wrote: Hi John - On Tue, 26 Oct 1999, John Vorstermans wrote: We have "Block User" set to Y in Platypus and the time gets subtracted just fine from the users total after a disconnect. However we are using AuthBy EMERALD rather then AuthBy Platypus which may be the problem? A - of course, that changes things. AuthBy Emerald is what Platypus recommend when running Radiator as this allows us to manage the User Attributed easily from within Platypus. Does this mean I should look at a change in Emerald.pm? I've checked the code, and as you say, AuthEMERALD decrements the time left correctly. The code also respects the "TimeBanking" parameter to restrict user time limits - have you tried that? Handler ... AuthBy EMERALD TimeBanking /AuthBy /Handler hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody -- John Vorstermans||We are what we repeatedly do. Technical Manager || - Aristotle Actrix Networks === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) TimeLeft
Hi Hugh.
Thanks for your response.
We have "Block User" set to Y in Platypus and the time gets subtracted just
fine from the users total after a disconnect. However we are using AuthBy
EMERALD rather then AuthBy Platypus which may be the problem?
AuthBy Emerald is what Platypus recommend when running Radiator as this
allows us to manage the User Attributed easily from within Platypus. Does
this mean I should look at a change in Emerald.pm?
Cheers
John
At 14:49 26/10/99 +1000, Hugh Irvine wrote:
Hi John -
On Tue, 26 Oct 1999, John Vorstermans wrote:
Hi.
I have been experimenting with the TimeLeft option. I seem to have it
working correctly where Rediator picks up the Time the User has left on
their account and I can see it coming through the logfile below as
sa.TimeLeft.
I set this to -5 which I would thought would have been no time left but
the
user is still able to login. That is Radiator authorises the
connection. I
would have thought it would NOT authorise the connection if this was a
negative number? Am I seeing this from a different perspective than I
should?
There is an additional flag that must be set in Platypus for this to work:
"Block User"
which is retrieved from the database by the following query in
AuthPLATYPUS.pm:
#
# Find a the named user by looking in the database, and constructing
# User object if we found the named user
# This is tailored exactly to Platypus's user database
sub findUser
{
my ($self, $name, $p) = @_;
# (Re)-connect to the database if necessary,
return (undef, 1) unless $self-reconnect;
my $q = "select password, active, timeleft, blockuser, guarantor
$self-{AuthSelect} from customer where username='$name'";
my $sth = $self-prepareAndExecute($q);
return undef unless $sth;
my $user;
my ($password, $active, $timeleft, $blockuser,
$guarantor, @extras);
if (($password, $active, $timeleft, $blockuser,
$guarantor, @extras)
= $sth-fetchrow())
{
$sth-finish;
if ($active ne 'Y')
{
$self-log($main::LOG_DEBUG,
"User $name is deactivated");
return undef;
}
if ($blockuser eq 'G')
{
# They gave a guarantor, so get the guarantor's
# time left and blockuser
$q = "select timeleft, blockuser
from customer where id=$guarantor";
$sth = $self-prepareAndExecute($q);
($timeleft, $blockuser) = $sth-fetchrow();
}
if ($blockuser eq 'Y' $timeleft = 0)
{
# Apply blockuser time
$self-log($main::LOG_DEBUG,
"User $name has no time left");
return undef;
}
As you can see, Block User must be set to either "G" or "Y".
Also, if the user runs out of time while on-line how can we ensure that
the
connection is dropped? Do I need to install the snmp module for this?
Radiator will return a Session-Timeout attribute which is set to the amount of
time left, which will cause the session to end when it runs out of time. Of
course this is entirely NAS dependent, so YMMV.
if ($timeleft 0 $blockuser EQ 'Y')
{
$user-get_reply-add_attr('Session-Timeout', $timeleft * 60);
}
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
--
John Vorstermans||We are what we repeatedly do.
Technical Manager || - Aristotle
Actrix Networks
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) TimeLeft
query is: insert into Calls
(UserName, CallDate, AcctStatusType, AcctDelayTime, AcctSessionId,
NASIdentifier, NASPort)
values
('jjcv2', 'Oct 26, 1999 15:22', 1, 0, '298109374', '203.96.58.17',
2195)
Tue Oct 26 16:43:58 1999: DEBUG: Accounting accepted
Tue Oct 26 16:43:58 1999: DEBUG: Packet dump:
*** Sending to 203.96.58.146 port 32918
Code: Accounting-Response
Identifier: 39
Authentic: 140192e21\159B170192214p164SkU8
Attributes:
--
John Vorstermans||We are what we repeatedly do.
Technical Manager || - Aristotle
Actrix Networks
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) IP Address Assignments
Hi. We are trying to work through a potential security issue at the moment. We have several types of services, some we assign IP addresses to via Radiator and some do dynamic IP (depending on the NAS). So we have configured radiator with some customers that have IP addresses and some that do not and this seems to work fine. When the customer calls in they either get assigned: a: The IPaddress which has been allocated to them via radiator. b An IP address from a pool we have set. However the problem appears to be that a customer who has no IP assigned can call the server which requires a fixed IP. He will normally then get the IP of 10.10.10.1. However if they give themselves an IP and then dialin the NAS will accept whatever IP that they supply, and as long as it will route them then they are away. Is there any way we can stop this and force the user to use the IP that we assign them via radius or a pool or is this something we need to configure on the NAS? We use Ascend TNT, Max and Cisco 2100s. Any advice appreciated. Cheers John -- John Vorstermans || As the mind, so the man; Actrix Networks Limited || bondage or liberation are in Level 1, 282 Wakefield St, Wellington NZ || your own mind. Phone (021) 432-987 || Sanskrit saying. === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
