Hello Brandon -


You have set the AuthByPolicy ContinueWhileAccept, but your first AuthBy clause has "AuthSelect" to disable authentication.

Why do you have different AuthBy clauses for authentication and accounting?

If you want to keep this structure, you will need to use an AuthBy GROUP and alter the AuthByPolicy inside it:

<Realm DEFAULT>

.....

        # AuthByPolicy to do both accounting and authentication
        AuthByPolicy ContinueAlways

        <AuthBy SQL>
                .....
                # disable authentication
                AuthSelect

                # do accounting
                .....
        </AuthBy>

        # define AuthBy GROUP
        # use different AuthByPolicy

        <AuthBy GROUP>

                AuthByPolicy ContinueWhileAccept
                <AuthBy SQL>
                        # do authentication
                        .....
                </AuthBy>

                <AuthBy SQL>
                        # check time
                        .....
                </AuthBy>

        </AuthBy>

</Realm>

                
regards

Hugh
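
A static check for the layout problem described in the reply above, as an added example that is not part of the original message and is not Radiator code: it walks the nested clauses and reports any AuthBy with an empty AuthSelect sitting directly under an explicit "AuthByPolicy ContinueWhileAccept". Both sample configurations are constructed from the thread with values elided, and the function name lint is an assumption.

```python
import re

# Constructed sample: flat layout from the thread after the policy change (values elided).
FLAT = """
<Realm DEFAULT>
    AuthByPolicy ContinueWhileAccept
    <AuthBy SQL>
        Identifier ACCT1
        AuthSelect
    </AuthBy>
    <AuthBy SQL>
        Identifier AUTH1
        AuthSelect select ClearTextPassword from Customers where CustomerID=%0
    </AuthBy>
</Realm>
"""
# Constructed sample: the AuthBy GROUP layout suggested in the reply.
GROUPED = """
<Realm DEFAULT>
    AuthByPolicy ContinueAlways
    <AuthBy SQL>
        Identifier ACCT1
        AuthSelect
    </AuthBy>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy SQL>
            Identifier AUTH1
            AuthSelect select ClearTextPassword from Customers where CustomerID=%0
        </AuthBy>
    </AuthBy>
</Realm>
"""

def lint(config):
    """Return (container, identifier) for each empty-AuthSelect AuthBy under ContinueWhileAccept."""
    config = re.sub(r"\\[ \t]*\n", " ", config)   # join backslash continuations
    stack, findings = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)\s*(.*?)>", line)
        if tag and not tag.group(1):              # opening <Realm ...> or <AuthBy ...>
            stack.append({"name": " ".join(tag.group(2, 3)).strip(), "kw": {}, "kids": []})
        elif tag:                                 # closing tag: judge this container's children
            node = stack.pop()
            if node["kw"].get("AuthByPolicy") == "ContinueWhileAccept":
                findings += [(node["name"], k["kw"].get("Identifier"))
                             for k in node["kids"] if k["kw"].get("AuthSelect") == ""]
            if stack:
                stack[-1]["kids"].append(node)
        elif stack:                               # keyword line inside the current clause
            key, val = (line.split(None, 1) + [""])[:2]
            stack[-1]["kw"][key] = val.strip()
    return findings
```

lint(FLAT) reports the ACCT1 clause under "Realm DEFAULT", while lint(GROUPED) reports nothing because the accounting-only clause now sits under ContinueAlways.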


On 13/11/2003, at 5:03 PM, Brandon Lehmann wrote:


Hugh,

I just took a look around. Changed it to Time, set it correctly in the SQL
database, made it a check item. Set to ContinueWhileAccept. Trace -4 reveals
that "Authentication is Disabled".
I'm confused...


Brandon
----- Original Message -----
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Brandon Lehmann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems



Hello Brandon -


Thanks for your mail.

Unfortunately I meant "a trace 4 debug from Radiator" (not a trace 4
debug from radpwtst).

In any event, I suspect that at the very least the "TimeOfDay" radius
attribute is not defined in your Radiator dictionary.

regards

Hugh


On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:


Hugh,

    Note: I don't care that I left my ip address in there or the "encrypted"
password. This is a test server with test data.

Brandon

----- Original Message -----
From: "Brandon Lehmann" <[EMAIL PROTECTED]>
To: "Hugh Irvine" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 5:43 PM
Subject: Re: (RADIATOR) Profiles problems


Hugh,

Trace 4 with the config in my original message shows:

--- START----
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code:       Access-Request
Identifier: 120
Authentic:  1234567890123456
Attributes:
        User-Name = "brandon"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"

No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 121
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
        User-Name = "brandon"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 121
Authentic:  f>e#O#<156><150>S<239>N<240><234><182><23><229>
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 122
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
        User-Name = "brandon"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 122
Authentic:  5Y<2>V<137><180>L<2>R<138>vzai<248><184>
Attributes:

OK
-----END----


Changing AuthByPolicy to ContinueWhileAccept returns this:


-----START-----
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code:       Access-Request
Identifier: 81
Authentic:  1234567890123456
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 NAS-Port-Type = Async
 User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"

Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code:       Access-Reject
Identifier: 81
Authentic:  <201>KV<189>Ao<213><235><254>3<22>z>h<239><4>
Attributes:
 Reply-Message = "Request Denied"

Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 82
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Start
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code: Accounting-Response
Identifier: 82
Authentic: <237><157><221><24><8><3><11><235><207><167>t<226>SVQ<227>
Attributes:


OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 83
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Stop
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0
 Acct-Session-Time = 1000
 Acct-Input-Octets = 20000
 Acct-Output-Octets = 30000

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 83
Authentic:  <4>\<212>g'`<252><214><23><246>>A]<136><172><174>
Attributes:

OK

----END-----

Removing the AuthBy clause for the profile & timeofday returns this (with
ContinueWhileAccept):

----START------
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code:       Access-Request
Identifier: 251
Authentic:  1234567890123456
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 NAS-Port-Type = Async
 User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"

Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code:       Access-Reject
Identifier: 251
Authentic:  <2>I<24> <180>7<222><164><151>k<213><22>O<15><255>N
Attributes:
 Reply-Message = "Request Denied"

Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 252
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Start
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 252
Authentic:  <203>r<199><16>8<247>G<146><29>fe<135>`<20><133>Q
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 253
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Stop
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0
 Acct-Session-Time = 1000
 Acct-Input-Octets = 20000
 Acct-Output-Octets = 30000

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 253
Authentic:  TZ<243><171><164><236><146>h<14>+<186>)<190><14><<197>
Attributes:

OK
----------END---------

And with the AuthBy clause for timeofday removed and the policy set to
ContinueAlways:

--------START---------
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 ....
Code:       Access-Request
Identifier: 62
Authentic:  1234567890123456
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 NAS-Port-Type = Async
 User-Password = ".<255>x]<205>2><212><197><219>Sj<143><221><224><129>"

Packet dump:
*** Received from 63.148.117.3 port 1645 ....
Code:       Access-Accept
Identifier: 62
Authentic:  9<165>Y<201><211><140><2>u<210><251><161><200>3<149><179><1>
Attributes:
 Service-Type = Framed-User
 Session-Timeout = 18000
 Idle-Timeout = 1740
 Framed-IP-Netmask = 255.255.255.255
 Port-Limit = 3

OK
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 63
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Start
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 63
Authentic:  <1>.<245><190>|!.1g<201>0<201><148><229><234>%
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 ....
Code:       Accounting-Request
Identifier: 64
Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
 User-Name = "brandon"
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = "00001234"
 Acct-Status-Type = Stop
 Called-Station-Id = "123456789"
 Calling-Station-Id = "987654321"
 Acct-Delay-Time = 0
 Acct-Session-Time = 1000
 Acct-Input-Octets = 20000
 Acct-Output-Octets = 30000

Packet dump:
*** Received from 63.148.117.3 port 1646 ....
Code:       Accounting-Response
Identifier: 64
Authentic:  <237><203>Z_<169><202>Um#&<241><136><29>8<145><23>
Attributes:

OK
--------END----------

As for a crash course in TimeOfDay, it's a radius attribute that is used to
define when a user can login. Say 7:30am to 3:30pm etc -> "07:30-15:30" or
cannot login "!00:00-02:00" -> midnight to 2am. It is pretty similar to the
Radiator Time attribute. However I have tried changing the columndef to
"AuthColumnDef 0,Time,reply" and adding "Al" to the front of the field to
apply for all days as the Radiator manual shows. What I need to do is limit
a few users to only login during certain hours (at their bosses' request).
For now I have just added a stored procedure to my SQL server and a job to
turn the account on and off at the specified time; however, that will not
work forever.

Thanks for the help,

Brandon

Note: This is running Radiator 3.7.1 on Windows 2000 SP4, w/ ActiveState
Perl 5.6.1 using a 3Com Total Control.

----- Original Message -----
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "Brandon Lehmann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 12, 2003 5:03 PM
Subject: Re: (RADIATOR) Profiles problems



Hello Brandon -


Could you please send me a trace 4 debug showing what is happening, and
a bit more detail on what exactly you are wanting to have happen? I am
not clear on what the TimeOfDay reply item is meant to do.

regards

Hugh


On 13/11/2003, at 7:10 AM, Brandon Lehmann wrote:


Hi List,

I cannot get the radius server to return the profile while using
the following configuration:

------START-----
LogStdout   c:/radiator/stdout.txt
LogDir c:/radiator
DbDir c:/radiator.

<Client DEFAULT>
     Secret !removed for my protection!
     DupInterval 0
</Client>

<Realm DEFAULT>

     AuthByPolicy ContinueAlways

     <AuthBy SQL>
          Identifier ACCT1
          DBSource dbi:ODBC:!removed for my protection!
          DBUsername !removed for my protection!
          DBAuth !removed for my protection!

          AuthSelect

          AccountingTable radacct1
          AcctColumnDef UserName,User-Name
          AcctColumnDef LogDateTime,Timestamp,integer-date
          AcctColumnDef AcctStatusType,Acct-Status-Type
          AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
          AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
          AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
          AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
          AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
          AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
          AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
          AcctColumnDef NasIPAddress,NAS-IP-Address
          AcctColumnDef NasIdentifier,NAS-Identifier
          AcctColumnDef NasPortId,NAS-Port,integer
          AcctColumnDef NasPortType,NAS-Port-Type,integer
          AcctColumnDef ConnectInfo,Connect-Info
          AcctColumnDef ServiceType,Service-Type
          AcctColumnDef FramedProtocol,Framed-Protocol
          AcctColumnDef FramedAddress,Framed-IP-Address
          AcctColumnDef CallingStationId,Calling-Station-Id
     </AuthBy>

     <AuthBy SQL>
          Identifier AUTH1
          DBSource dbi:ODBC:!removed for my protection!
          DBUsername !removed for my protection!
          DBAuth  !removed for my protection!

          AuthSelect select ClearTextPassword,ServiceType,SessionLimit, \
               IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
               PortLimit,ProfileID from Customers where CustomerID=%0 \
               and Disable is null
          AuthColumnDef 0,Password,check
          AuthColumnDef 1,Service-Type,reply
          AuthColumnDef 2,Session-Timeout,reply
          AuthColumnDef 3,Idle-Timeout,reply
          AuthColumnDef 4,Framed-IP-Address,reply
          AuthColumnDef 5,Framed-IP-Netmask,reply
          AuthColumnDef 6,Framed-Route,reply
          AuthColumnDef 7,Port-Limit,reply
          AuthColumnDef 8,Simultaneous-Use,check
          AuthColumnDef 9,Profile,reply
     </AuthBy>

     <AuthBy SQL>
          DBSource dbi:ODBC:!removed for my protection!
          DBUsername !removed for my protection!
          DBAuth !removed for my protection!

          AuthSelect      SELECT timeofday FROM profiles WHERE \
               [profile]='%{Reply:Profile}'
          AuthColumnDef 0,TimeOfDay,reply

          StripFromReply Profile
     </AuthBy>

SessionDatabase SDB1

</Realm>

<SessionDatabase SQL>
     Identifier SDB1
     DBSource dbi:ODBC:!removed for my protection!
     DBUsername !removed for my protection!
     DBAuth  !removed for my protection!
</SessionDatabase>
-------END----

If I change "AuthByPolicy ContinueAlways" to "AuthByPolicy
ContinueWhileAccept" then the server always returns "Request Denied".
Any input would be greatly appreciated. Note: I have already searched the
list archives, nothing seems to work.

Thank you,

Brandon Lehmann
Network Administrator
Great Lakes Internet Service, LLC.
The Computer Loft, Inc.
218 Justice St
Fremont, Ohio 43420
419.332.3553
[EMAIL PROTECTED]

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.




