RE: (RADIATOR) profiles

2001-09-05 Thread Ingvar Berg (ERA)

Hi Fred,

Have you considered using ServerChecksPassword? By using that, you can remove the 
admin password from the config file (and network traffic :).

/Ingvar

 -Original Message-
 From: Fred Albrecht [mailto:[EMAIL PROTECTED]]
 Sent: den 4 september 2001 16:24
 To: '[EMAIL PROTECTED]'
 Subject: RE: (RADIATOR) profiles
 
 
 Thanx Hugh and Rob
 
 I actually got the config working about an hour after I sent my email.  I
 just had to look very carefully at the profiles file in the goodies
 directory.  Here's my solution:
 
 <Handler Realm=the_realm>
     AcctLogFileName %L/the_realm/%d-%m-%Y.log
     RewriteUsername  s/^([^@]+).*/$1/
     RewriteUsername  s/^.*\/(.*)/$1/
     RewriteUsername  s/^.*\\(.*)/$1/
     AuthByPolicy ContinueWhileAccept
     <AuthBy LDAP2>
         Host host
         HoldServerConnection
         NoDefaultIfFound

         AuthDN uid=.
         AuthPassword .

         BaseDN ou=...

         UsernameAttr uid
         PasswordAttr userPassword

         AuthAttrDef accountname,Class,reply
         AuthAttrDef radiusauthentication,Profile,reply
     </AuthBy>
     <AuthBy FILE>
         Filename ./profiles
         StripFromReply Profile
     </AuthBy>
 </Handler>
 
 In LDAP the user's profile gets returned with the first authby clause.  The
 profile then gets used in the ./profiles file with the Reply: keyword as
 follows:
 
 DEFAULT Reply:Profile=ISDN
     Service-Type = Framed-User,
     Framed-Protocol = PPP,
     Port-Limit = 1

 DEFAULT NAS-Port-Type=Async, Reply:Profile=WEB

 DEFAULT NAS-Port-Type=Async, Reply:Profile=BEACH
     Filter-Id = filter.in

 DEFAULT NAS-Port-Type=Async, Reply:Profile=DEFAULT
 
 
 hehehehehehheheheheheee
 
 :)
 fred

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



RE: (RADIATOR) Calling-Station-Id

2001-09-05 Thread Ingvar Berg (ERA)

Hi Vadim,

It's either a Cisco or a telco issue, Radiator has no control over this.

Cheers,
Ingvar

 -Original Message-
 From: Vadim Isakov [mailto:[EMAIL PROTECTED]]
 Sent: den 5 september 2001 05:03
 To: [EMAIL PROTECTED]
 Subject: (RADIATOR) Calling-Station-Id
 
 
 Hi all,
 
 We are testing Radiator-Demo now and have problem to get Calling-Station-ID
 from our Cisco 5200. I set all necessary Attributes in AcctLogFileFormat.
 They all appear in details file except Calling-Station-Id. Cisco debug shows
 sent attributes, but there are no attribute 31. Is it Radiator or Cisco
 issue? Did anyone have such kind of problem ?
 
 Thank you in advance
 
 Vadim



Re: (RADIATOR) PostAuthHook Stopped Working

2001-09-05 Thread Hugh Irvine


Hello Jason -

I note that the accounting request that you show below is an 
Accounting-On, probably due to ewong running some command on the 
NAS. I don't know whether your hook deals with this? Note that the 
easiest way to test hook code is by putting print commands in the 
code and running Radiator from the command line with -foreground 
-log_stdout and -trace 4 so you can see immediately on the console 
output what is going on. You should also make sure that the hook code 
is being compiled properly at startup by looking at the startup 
messages in the same manner.

hth

Hugh



At 11:18 +1000 01/9/5, Separovic, Jason wrote:
Hi,

I had radiator working with my PostAuthHook just how I wanted.
Then I made some changes to the PostAuthHook. All I did (I think?) was
create a new user in my database and then I updated the new
username/password in the config files. Now My PostAuthHook does not work.
And I'm at a loss to realise why??

Here is an Accounting Request that should be inserted into my database
through the PostAuthHook.
But now the Hook is not even being called. I'm pretty confident in saying
that because I added a 'write to file' at the beginning of the hook to test
it. But to no success.

I noticed some talk about a patch for the PostAuthHook but I'm not sure if I
need it.
Weird.
It was working...
Now it's not.

Help!

I'm using Radiator 2.17.1

I have another problem too. My auth log is logging successes but not
failures.




Wed Sep  5 10:47:43 2001: DEBUG: Packet dump:
*** Received from 192.168.0.9 port 1445 
Code:   Accounting-Request
Identifier: 60
Authentic:  180189mBY157156X1521471801501@174
Attributes:
 Acct-Status-Type = Accounting-On
 Acct-Session-Id = 0
 Acct-Authentic = RADIUS
 Acct-Authentic = RADIUS
 User-Name = ewong
 Command-Code = Command-Code (level: 10): system show ac
 NAS-IP-Address = 192.168.0.9

Wed Sep  5 10:47:43 2001: DEBUG: Check if Handler Realm=SSR should be used to handle this request
Wed Sep  5 10:47:43 2001: DEBUG: Handling request with Handler 'Realm=SSR'
Wed Sep  5 10:47:43 2001: DEBUG:  Deleting all sessions for 192.168.0.9
Wed Sep  5 10:47:43 2001: DEBUG:  got On/Off from 192.168.0.9
Wed Sep  5 10:47:43 2001: DEBUG: Handling with Radius::AuthSQL
Wed Sep  5 10:47:43 2001: DEBUG: Handling accounting with Radius::AuthSQL
Wed Sep  5 10:47:43 2001: DEBUG: Accounting accepted
Wed Sep  5 10:47:43 2001: DEBUG: Packet dump:
*** Sending to 192.168.0.9 port 1445 
Code:   Accounting-Response
Identifier: 60
Authentic:  180189mBY157156X1521471801501@174
Attributes:




# radius configuration file

Foreground      yes
LogStdout       no
Trace           4
LogDir          /opt/radiator/log
DbDir           /usr/local/mysql/var/radiusdb
DictionaryFile  /opt/radiator/dictionary
AuthPort        1812
AcctPort        1813
BindAddress     192.168.0.10

<ClientListSQL>
    DBSource    dbi:mysql:radiusdb
    DBUsername  radiator
    DBAuth      password

    GetClientQuery select ip,secret,NULL,NULL,realm from device,model where modelID=model.ID;
</ClientListSQL>

<Handler Realm=SSR>
    PreAuthHook file:/opt/radiator/PreAuthHook
    PostAuthHook file:/opt/radiator/SSRAccounting
    <AuthLog SQL>
        DBSource    dbi:mysql:radiusdb
        DBUsername  radiator
        DBAuth      password

        Table authorisation
        LogSuccess 1
        LogFailure 1
        SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
        FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
    </AuthLog>
    <AuthBy SQL>
        DBSource    dbi:mysql:radiusdb
        DBUsername  radiator
        DBAuth      password

        RejectEmptyPassword

        AuthSelect select password from user where username='%U'
        AuthColumnDef 0, Password, check
    </AuthBy>
</Handler>

<Handler Realm=SS>
    PreAuthHook file:/opt/radiator/PreAuthHook
    <AuthLog SQL>
        DBSource    dbi:mysql:radiusdb
        DBUsername  radiator
        DBAuth      password

        Table authorisation
        LogSuccess 1
        LogFailure 1
        SuccessQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',1)
        FailureQuery insert into authorisation(date,username,deviceIP,status) values('%Y-%m-%d %H:%M:%S','%U','%N',0)
    </AuthLog>
    <AuthBy SQL>
        DBSource    dbi:mysql:radiusdb
        DBUsername  radiator
        DBAuth      password

        RejectEmptyPassword

        AuthSelect select password from user where username='%U'
        AuthColumnDef 0, Password, check
    </AuthBy>
</Handler>

Handler
 

Re: (RADIATOR) Calling-Station-Id

2001-09-05 Thread Hugh Irvine


Hello Vadim -

Have a look at a trace 4 debug from Radiator to see exactly what 
attributes are being sent in the radius requests sent by the Cisco. 
You can also look at a debug on the Cisco to see what is being sent.

hth

Hugh


At 12:33 +0930 01/9/5, Vadim Isakov wrote:
Hi all,

We are testing Radiator-Demo now and have problem to get Calling-Station-ID
from our Cisco 5200. I set all necessary Attributes in AcctLogFileFormat.
They all appear in details file except Calling-Station-Id. Cisco debug shows
sent attributes, but there are no attribute 31. Is it Radiator or Cisco
issue? Did anyone have such kind of problem ?

Thank you in advance

Vadim


-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



Re: (RADIATOR) PostAuthHook Stopped Working

2001-09-05 Thread Robert Thomson

Hi Jason.

I've noticed that PostAuthHooks can be fairly temperamental.

You should add to the top of your postauthhook file:
use strict;
use warnings;

Don't forget to do
perl -c file.pl
to syntax check it.

One of the reasons I've noticed for silent failures on PostAuthHooks are
undeclared variables.  If you've added a new variable somewhere, or used
a temporary variable without a my declaration, that could be it.

use strict & use warnings are always a good idea.

Hope this helps.

Cheers,
Robert Thomson.

begin  Separovic, Jason quotation:
 I had radiator working with my PostAuthHook just how I wanted.
 Then I made some changes to the PostAuthHook. All I did (I think?) was
 create a new user in my database and then I updated the new
 username/password in the config files. Now My PostAuthHook does not work.
 And I'm at a loss to realise why??
 
 Here is an Accounting Request that should be inserted into my database
 through the PostAuthHook.
 But now the Hook is not even being called. I'm pretty confident in saying
 that because I added a 'write to file' at the beginning of the hook to test
 it. But to no success.
 
 I noticed some talk about a patch for the PostAuthHook but I'm not sure if I
 need it.
 Weird.
 It was working...
 Now it's not.
 
 Help!
 
 I'm using Radiator 2.17.1

-- 
Vundan lokon protektis, alian difektis.
-- L.L. Zamenhof, Proverbaro Esperanta (1905)
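
An added example, not part of either reply and not Radiator code: it finds every `file:` hook named in a configuration and compiles each one with `perl -c` under strict and warnings, which is the check Hugh and Robert both describe. The sample configuration and its paths are constructed, and treating any parameter whose name ends in `Hook` as a hook is an assumption.

```python
import os
import re
import shutil
import subprocess

# Any parameter ending in "Hook" that loads its code with file:, as in
#   PostAuthHook file:/opt/radiator/SSRAccounting
# Commented-out lines start with '#' and therefore never match.
HOOK_RE = re.compile(r'^\s*(?P<name>\w*Hook)\s+file:"?(?P<path>[^"\s]+)"?\s*$')


def find_hook_files(config_text):
    """Return (line number, parameter, path) for every file: hook."""
    hooks = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = HOOK_RE.match(line)
        if m:
            hooks.append((lineno, m["name"], m["path"]))
    return hooks


def check_hook(path, perl="perl"):
    """Compile one hook file without running the hook body."""
    if not os.path.isfile(path):
        return ("missing", f"{path}: no such file")
    exe = shutil.which(perl)
    if exe is None:
        return ("skipped", "perl not found on PATH")
    # -Mstrict -Mwarnings applies both pragmas even when the file omits them,
    # so an undeclared variable becomes a compile error. perl -c still runs
    # BEGIN blocks and use statements, so only check files you trust.
    proc = subprocess.run([exe, "-Mstrict", "-Mwarnings", "-c", path],
                          capture_output=True, text=True, timeout=30)
    status = "ok" if proc.returncode == 0 else "compile-error"
    return (status, proc.stderr.strip())


def audit_config(config_text):
    """Check every hook file the configuration refers to."""
    return [(lineno, name, path) + check_hook(path)
            for lineno, name, path in find_hook_files(config_text)]


# Constructed sample, modelled on the Handler in Jason's configuration.
SAMPLE_CONFIG = """\
<Handler Realm=SSR>
    PreAuthHook file:/nonexistent/example/PreAuthHook
    # PostAuthHook file:/nonexistent/example/OldAccounting
    PostAuthHook file:"/nonexistent/example/SSRAccounting"
</Handler>
"""

if __name__ == "__main__":
    for lineno, name, path, status, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} {path}: {status} {detail}")
```

Running it before each restart catches both a hook path that no longer exists and a hook that no longer compiles.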



(RADIATOR) IP restriction

2001-09-05 Thread 'Tunde Ogedengbe

I have a set of Netservers.  How do I restrict the use of IP to a
particular Netserver within Radius?

'Tunde Ogedengbe
Linkserve Limited
22 Akin Adesola Street
Victoria Island
Lagos - Nigeria
Tel: +234 1 2623900
Fax: +234 1 2623906
URL: http://www.linkserve.net




Re: (RADIATOR) 2.18.3 still has bugs ???

2001-09-05 Thread Pavel A Crasotin

Hi,

I still cannot use Radiator 2.18.3 because it works incorrect with
SessionDatabase SQL I think.

Is anyone else who faced such problem?
How correct it?

Any comments or thoughts?

PAC Hi,

PAC I think Radiator 2.18.3 works incorrect with SessionDatabase SQL.
PAC It seems it does not delete sessions after disconnect from RADONLINE.
PAC As a result RADONLINE grows up and the logfile looks like below.
PAC Version 2.18.2 works fine.

PAC Was Mariano right? :)

PAC *** Received from x.x.x.10 port 1026 
PAC Code:   Accounting-Request
PAC Identifier: 37
PAC Authentic:  5184245Q148Qj1871522125131731962069
PAC Attributes:
PAC User-Name = user1
PAC NAS-IP-Address = x.x.x.10
PAC Ascend-Owner-IP-Addr = x.x.x.10
PAC NAS-Port = 34
PAC Ascend-NAS-Port-Format = 2_4_5_5
PAC NAS-Port-Type = Async
PAC Service-Type = Framed-User
PAC Acct-Status-Type = Start
PAC Acct-Delay-Time = 0
PAC Acct-Session-Id = 99833012
PAC Acct-Authentic = RADIUS
PAC Ascend-Attr-28 = 2040
PAC Ascend-Multilink-ID = 1091175862
PAC Ascend-Num-In-Multilink = 1
PAC Acct-Link-Count = 1
PAC Acct-Multi-Session-Id = 410a05b6
PAC Ascend-Modem-PortNo = 2
PAC Ascend-Modem-SlotNo = 7
PAC Called-Station-Id = 
PAC Framed-Protocol = MP
PAC Framed-IP-Address = y.y.y.162

PAC Fri Aug 31 13:02:27 2001: DEBUG: Check if Handler  should be used to handle this 
request
PAC Fri Aug 31 13:02:27 2001: DEBUG: Handling request with Handler ''
PAC Fri Aug 31 13:02:27 2001: DEBUG: SessDB Adding session for user1, x.x.x.10, 34
PAC Fri Aug 31 13:02:27 2001: DEBUG: do query is: delete from RADONLINE where 
NASIDENTIFIER='user1' and NASPORT=034

PAC Fri Aug 31 13:02:27 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, 
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, 
SERVICETYPE) values ('user1',
PAC 'x.x.x.10', 034, '99833012', 999248547, 'y.y.y.162', 'Async', 'Framed-User')

PAC Fri Aug 31 13:02:29 2001: ERR: do failed for 'insert into RADONLINE (USERNAME, 
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, 
SERVICETYPE) values ('user1',
PAC 'x.x.x.10', 034, '99833012', 999248547, 'y.y.y.162', 'Async', 'Framed-User')': 
ORA-1: unique constraint (RADIUS.RADONLINE_I) violated (DBD ERROR: OCIStmtExecute)
PAC Fri Aug 31 13:02:29 2001: DEBUG: Handling with Radius::AuthPLSQL
PAC Fri Aug 31 13:02:29 2001: DEBUG: Handling accounting with Radius::AuthPLSQL
PAC Fri Aug 31 13:02:29 2001: DEBUG: Entering checkDemo
PAC Fri Aug 31 13:02:29 2001: DEBUG: Exiting checkDemo
PAC Fri Aug 31 13:02:29 2001: DEBUG: Accounting accepted
PAC Fri Aug 31 13:02:29 2001: DEBUG: Packet dump:
PAC *** Sending to x.x.x.10 port 1026 
PAC Code:   Accounting-Response
PAC Identifier: 37
PAC Authentic:  5184245Q148Qj1871522125131731962069
PAC Attributes:

PAC ...
PAC [skip]
PAC ...

PAC *** Received from x.x.x.10 port 1026 
PAC Code:   Accounting-Request
PAC Identifier: 48
PAC Authentic:  201253243251K219922219M19128)157322
PAC Attributes:
PAC User-Name = user2
PAC NAS-IP-Address = x.x.x.10
PAC Ascend-Owner-IP-Addr = 0.0.0.0
PAC NAS-Port = 33
PAC Ascend-NAS-Port-Format = 2_4_5_5
PAC NAS-Port-Type = Async
PAC Service-Type = Framed-User
PAC Acct-Status-Type = Start
PAC Acct-Delay-Time = 0
PAC Acct-Session-Id = 99833018
PAC Acct-Authentic = RADIUS
PAC Ascend-Attr-28 = 130
PAC Ascend-Modem-PortNo = 14
PAC Ascend-Modem-SlotNo = 7
PAC Called-Station-Id = 
PAC Framed-Protocol = PPP
PAC Framed-IP-Address = y.y.y.161

PAC Fri Aug 31 13:08:06 2001: DEBUG: Check if Handler  should be used to handle this 
request
PAC Fri Aug 31 13:08:06 2001: DEBUG: Handling request with Handler ''
PAC Fri Aug 31 13:08:06 2001: DEBUG: SessDB Adding session for user2, x.x.x.10, 33
PAC Fri Aug 31 13:08:06 2001: DEBUG: do query is: delete from RADONLINE where 
NASIDENTIFIER='user2' and NASPORT=033

PAC Fri Aug 31 13:08:06 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, 
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, 
SERVICETYPE) values ('user2',
PAC 'x.x.x.10', 033, '99833018', 999248886, 'y.y.y.161', 'Async', 'Framed-User')

PAC Fri Aug 31 13:08:07 2001: ERR: do failed for 'insert into RADONLINE (USERNAME, 
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, 
SERVICETYPE) values ('user2',
PAC 'x.x.x.10', 033, '99833018', 999248886, 'y.y.y.161', 'Async', 'Framed-User')': 
ORA-1: unique constraint (RADIUS.RADONLINE_I) violated (DBD ERROR: OCIStmtExecute)
PAC Fri Aug 31 13:08:07 2001: DEBUG: Handling with Radius::AuthPLSQL
PAC Fri Aug 31 13:08:07 2001: DEBUG: Handling accounting with Radius::AuthPLSQL
PAC Fri Aug 31 13:08:07 2001: DEBUG: Entering checkDemo
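
In the trace above the delete is keyed on NASIDENTIFIER='user1' while the insert stores the NAS address in NASIDENTIFIER, so the old row is never removed and the insert hits the unique constraint. An added example, not part of the original post or of Radiator, that flags this pattern in a trace 4 log; the sample lines, shortened column list and 192.0.2.10 address are constructed, modelled on that trace.

```python
import re

# Start of a trace record, e.g. "Fri Aug 31 13:02:27 2001: DEBUG: ..."
RECORD_START = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}: ")
ADD = re.compile(
    r"SessDB Adding session for (?P<user>[^,]+), (?P<nas>[^,]+), (?P<port>\d+)")
DELETE = re.compile(
    r"do query is: delete from RADONLINE where "
    r"NASIDENTIFIER='(?P<nasid>[^']*)' and NASPORT=(?P<port>\d+)")
INSERT_FAILED = re.compile(
    r"ERR: do failed for 'insert into RADONLINE\b.*unique constraint")


def unwrap(lines):
    """Rejoin records that a mail client or terminal wrapped across lines."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def audit_sessdb(lines):
    """Return (kind, user, detail) findings for session-database records."""
    findings = []
    session = None
    for record in unwrap(lines):
        m = ADD.search(record)
        if m:
            session = {"user": m["user"], "nas": m["nas"],
                       "port": int(m["port"]), "bad_delete": False}
            continue
        if session is None:
            continue
        m = DELETE.search(record)
        if m:
            # The delete must name the same NAS and port as the session
            # being added, otherwise the previous row stays in the table.
            if m["nasid"] != session["nas"] or int(m["port"]) != session["port"]:
                session["bad_delete"] = True
                findings.append((
                    "delete-key-mismatch", session["user"],
                    f"delete used NASIDENTIFIER='{m['nasid']}', "
                    f"session NAS is {session['nas']}"))
            continue
        if INSERT_FAILED.search(record):
            cause = ("after mismatched delete" if session["bad_delete"]
                     else "cause not visible in trace")
            findings.append(("stale-session-row", session["user"], cause))
    return findings


# Constructed sample: one session showing the fault (with a wrapped record)
# and one healthy session whose delete is keyed on the NAS address.
SAMPLE_TRACE = """\
Fri Aug 31 13:02:27 2001: DEBUG: SessDB Adding session for user1, 192.0.2.10, 34
Fri Aug 31 13:02:27 2001: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='user1' and NASPORT=034
Fri Aug 31 13:02:27 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT) values ('user1', '192.0.2.10', 034)
Fri Aug 31 13:02:29 2001: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT) values ('user1', '192.0.2.10', 034)': ORA-1: unique constraint (RADIUS.RADONLINE_I) violated (DBD ERROR: OCIStmtExecute)
Fri Aug 31 13:09:00 2001: DEBUG: SessDB Adding session for user3, 192.0.2.10, 35
Fri Aug 31 13:09:00 2001: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER='192.0.2.10' and NASPORT=035
Fri Aug 31 13:09:00 2001: DEBUG: do query is: insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT) values ('user3', '192.0.2.10', 035)
""".splitlines()

if __name__ == "__main__":
    for kind, user, detail in audit_sessdb(SAMPLE_TRACE):
        print(f"{kind}: {user}: {detail}")
```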

(RADIATOR) remote radiator restart

2001-09-05 Thread Mariano Absatz

Hi,

I am running Radiator 2.18.2 on a couple of Sun Netras (Solaris 8) 
authenticating against an Oracle database (on yet another Netra).

We developed a web based front end for administration of the users in the 
Oracle database on a Sun Ultra 10 (also Solaris 8) with Apache and embedded 
Perl.

The point is that, for instance, when I try to invoke a restart script 
through ssh, I get the following error:

Doing it so through rsh, it works but it locks the connection (and anyway, 
I'd rather not have rshd running on the server).

On the other hand, the manual states that through the SNMP agent I can 
restart Radiator, but I don't know how. Am I missing something? (I think this 
would be the cleanest method to do it).


--
Mariano Absatz
El Baby
--
Stack Error: Lost on a cluttered desk... 




Re: (RADIATOR) 2.18.3 EAP

2001-09-05 Thread Anne Bennett


 If you set the EAPType parameter in the AuthBy clause to something like 
 'notpermitted', it will reject EAP authentication requests.
 
 <AuthBy FILE>
   Filename xxx
   # Prevent authentication of any EAP requests
   EAPType notpermitted
 </AuthBy>

I just obtained the demo 2.18.3, and have been reading the HTML docs
that came with it.   I can't find a mention of EAPType anywhere in my
documentation.

As per my description when I requested the evaluation copy, I am trying
to set up a wireless network with Cisco Aironet; we need a Unix-based
RADIUS server that can speak LEAP to the ACS box, which proxies the
requests from the access points.  I was told that this is supported,
but I can't find anything in the docs.

Help?


Anne.
-- 
Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
[EMAIL PROTECTED]+1 514 848-7606



Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread Hugh Irvine


Hello Ganbold -

Radiator can be used for any application that uses the radius protocol.

The question to ask is what protocol does the NAS use to authenticate 
Voice-Over-IP?

As you rightly point out, Radiator is not a billing system, so you will still 
have to address that aspect, either by developing it yourself or by 
purchasing something.

regards

Hugh


On Thursday 06 September 2001 04:02, ganbold wrote:
 Hi,

 We want to use Radiator for Internet phone. Is it possible to use
 Radiator in this purpose? If possible how will be difficult to write
 Internet phone billing software for Radiator?
 Also I would like to know about compatibility issue with Radiator if we
 buy some other Internet phone billing software.

 thanks in advance,

 Ganbold Ts.


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.



Re: (RADIATOR) 2.18.3 still has bugs ???

2001-09-05 Thread Hugh Irvine


Hello Pavel -

Radiator 2.18.3 was reissued several days ago - please download the new 
distribution and reinstall.

We apologise for the inconvenience.

regards

Hugh


On Wednesday 05 September 2001 23:54, Pavel A Crasotin wrote:
 Hi,

 I still cannot use Radiator 2.18.3 because it works incorrect with
 SessionDatabase SQL I think.

 Is anyone else who faced such problem?
 How correct it?

 Any comments or thoughts?

 PAC Hi,

 PAC I think Radiator 2.18.3 works incorrect with SessionDatabase SQL.
 PAC It seems it does not delete sessions after disconnect from RADONLINE.
 PAC As a result RADONLINE grows up and the logfile looks like below.
 PAC Version 2.18.2 works fine.

 PAC Was Mariano right? :)

 PAC *** Received from x.x.x.10 port 1026 
 PAC Code:   Accounting-Request
 PAC Identifier: 37
 PAC Authentic:  5184245Q148Qj1871522125131731962069
 PAC Attributes:
 PAC User-Name = user1
 PAC NAS-IP-Address = x.x.x.10
 PAC Ascend-Owner-IP-Addr = x.x.x.10
 PAC NAS-Port = 34
 PAC Ascend-NAS-Port-Format = 2_4_5_5
 PAC NAS-Port-Type = Async
 PAC Service-Type = Framed-User
 PAC Acct-Status-Type = Start
 PAC Acct-Delay-Time = 0
 PAC Acct-Session-Id = 99833012
 PAC Acct-Authentic = RADIUS
 PAC Ascend-Attr-28 = 2040
 PAC Ascend-Multilink-ID = 1091175862
 PAC Ascend-Num-In-Multilink = 1
 PAC Acct-Link-Count = 1
 PAC Acct-Multi-Session-Id = 410a05b6
 PAC Ascend-Modem-PortNo = 2
 PAC Ascend-Modem-SlotNo = 7
 PAC Called-Station-Id = 
 PAC Framed-Protocol = MP
 PAC Framed-IP-Address = y.y.y.162

 PAC Fri Aug 31 13:02:27 2001: DEBUG: Check if Handler  should be used to
 handle this request PAC Fri Aug 31 13:02:27 2001: DEBUG: Handling request
 with Handler '' PAC Fri Aug 31 13:02:27 2001: DEBUG: SessDB Adding session
 for user1, x.x.x.10, 34 PAC Fri Aug 31 13:02:27 2001: DEBUG: do query is:
 delete from RADONLINE where NASIDENTIFIER='user1' and NASPORT=034

 PAC Fri Aug 31 13:02:27 2001: DEBUG: do query is: insert into RADONLINE
 (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
 FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('user1', PAC
 'x.x.x.10', 034, '99833012', 999248547, 'y.y.y.162', 'Async',
 'Framed-User')

 PAC Fri Aug 31 13:02:29 2001: ERR: do failed for 'insert into RADONLINE
 (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
 FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('user1', PAC
 'x.x.x.10', 034, '99833012', 999248547, 'y.y.y.162', 'Async',
 'Framed-User')': ORA-1: unique constraint (RADIUS.RADONLINE_I) violated
 (DBD ERROR: OCIStmtExecute) PAC Fri Aug 31 13:02:29 2001: DEBUG: Handling
 with Radius::AuthPLSQL PAC Fri Aug 31 13:02:29 2001: DEBUG: Handling
 accounting with Radius::AuthPLSQL PAC Fri Aug 31 13:02:29 2001: DEBUG:
 Entering checkDemo
 PAC Fri Aug 31 13:02:29 2001: DEBUG: Exiting checkDemo
 PAC Fri Aug 31 13:02:29 2001: DEBUG: Accounting accepted
 PAC Fri Aug 31 13:02:29 2001: DEBUG: Packet dump:
 PAC *** Sending to x.x.x.10 port 1026 
 PAC Code:   Accounting-Response
 PAC Identifier: 37
 PAC Authentic:  5184245Q148Qj1871522125131731962069
 PAC Attributes:

 PAC ...
 PAC [skip]
 PAC ...

 PAC *** Received from x.x.x.10 port 1026 
 PAC Code:   Accounting-Request
 PAC Identifier: 48
 PAC Authentic: 
 201253243251K219922219M19128)157322 PAC
 Attributes:
 PAC User-Name = user2
 PAC NAS-IP-Address = x.x.x.10
 PAC Ascend-Owner-IP-Addr = 0.0.0.0
 PAC NAS-Port = 33
 PAC Ascend-NAS-Port-Format = 2_4_5_5
 PAC NAS-Port-Type = Async
 PAC Service-Type = Framed-User
 PAC Acct-Status-Type = Start
 PAC Acct-Delay-Time = 0
 PAC Acct-Session-Id = 99833018
 PAC Acct-Authentic = RADIUS
 PAC Ascend-Attr-28 = 130
 PAC Ascend-Modem-PortNo = 14
 PAC Ascend-Modem-SlotNo = 7
 PAC Called-Station-Id = 
 PAC Framed-Protocol = PPP
 PAC Framed-IP-Address = y.y.y.161

 PAC Fri Aug 31 13:08:06 2001: DEBUG: Check if Handler  should be used to
 handle this request PAC Fri Aug 31 13:08:06 2001: DEBUG: Handling request
 with Handler '' PAC Fri Aug 31 13:08:06 2001: DEBUG: SessDB Adding session
 for user2, x.x.x.10, 33 PAC Fri Aug 31 13:08:06 2001: DEBUG: do query is:
 delete from RADONLINE where NASIDENTIFIER='user2' and NASPORT=033

 PAC Fri Aug 31 13:08:06 2001: DEBUG: do query is: insert into RADONLINE
 (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
 FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('user2', PAC
 'x.x.x.10', 033, '99833018', 999248886, 'y.y.y.161', 'Async',
 'Framed-User')

 PAC Fri Aug 31 13:08:07 2001: ERR: do failed for 'insert into RADONLINE
 (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
 FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('user2', PAC
 'x.x.x.10', 033, '99833018', 999248886, 

Re: (RADIATOR) 2.18.3 EAP

2001-09-05 Thread Hugh Irvine


Hello Anne -

What you want to do is a simple AuthBy RADIUS proxy set up.

Have a look at section 6.27 in the Radiator 2.18.3 reference manual for a 
discussion of the AuthBy RADIUS clause. Any EAP or LEAP request will be 
automatically handled when the request is proxied.

Here is part of a configuration file for what you want to do:

# define AuthBy RADIUS clause

AuthBy RADIUS
Identifier ProxyToACS
Host the.acs.box
Secret ..
.
/AuthBy

# define Realm(s) or Handler(s)

Realm 
AuthBy ProxyToACS
.
/Realm

Note that EAP/LEAP support is being added to Radiator in stages, with 
EAP/LEAP proxy support being the first. Additional support will be introduced 
in future revisions.

Thanks for the note about the omission from the manual - it will be fixed in 
the next release.

regards

Hugh


On Thursday 06 September 2001 06:36, Anne Bennett wrote:
  If you set the EAPType parameter in the AuthBy clause to something like
  'notpermitted', it will reject EAP authentication requests.
 
  <AuthBy FILE>
  Filename xxx
  # Prevent authentication of any EAP requests
  EAPType notpermitted
  </AuthBy>

 I just obtained the demo 2.18.3, and have been reading the HTML docs
 that came with it.   I can't find a mention of EAPType anywhere in my
 documentation.

 As per my description when I requested the evaluation copy, I am trying
 to set up a wireless network with Cisco Aironet; we need a Unix-based
 RADIUS server that can speak LEAP to the ACS box, which proxies the
 requests from the access points.  I was told that this is supported,
 but I can't find anything in the docs.

 Help?


 Anne.




Re: (RADIATOR) LDAP-Radiator hangs

2001-09-05 Thread Hugh Irvine


Hello Rolando -

It sounds like your LDAP server is causing the problem.

What version of Radiator are you running? On what hardware/software platform? 
And what LDAP server are you using?

thanks

Hugh


On Thursday 06 September 2001 07:24, Rolando Riley wrote:
 I have set auth to LDAP on my config and most of the times all the
 authentications go just fine.
 Although sometimes Radiator hangs or gets stuck eating 95.0 % of
 the CPU. At that point
 no user can auth and I have to do a kill -9 on radiusd to get it working
 well again. This is the logfile
 I have from it. I have done some debugging switching the trace to
 different modes, but I am clueless of what is
 causing this error.

 --

 Wed Sep  5 11:52:34 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 157 from 216.219.28.131:1645
 Wed Sep  5 11:56:43 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 204 from 216.219.28.10:11813
 Wed Sep  5 12:21:21 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 197 from 216.219.28.131:1645
 Wed Sep  5 12:28:10 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 163 from 216.219.28.131:1645
 Wed Sep  5 12:33:46 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 73 from 216.219.28.131:1645
 Wed Sep  5 12:36:17 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 161 from 216.219.28.131:1645
 Wed Sep  5 12:36:22 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 165 from 216.219.28.131:1646
 Wed Sep  5 12:57:06 2001: ERR: ldap search failed with error
 LDAP_PARAM_ERROR. Disconnecting from LDAP server.
 Wed Sep  5 12:57:12 2001: ERR: ldap search failed with error
 LDAP_PARAM_ERROR. Disconnecting from LDAP server.
 Wed Sep  5 12:57:18 2001: ERR: ldap search failed with error
 LDAP_PARAM_ERROR. Disconnecting from LDAP server.
 Wed Sep  5 12:59:59 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 61 from 216.219.28.131:1645
 Wed Sep  5 13:03:44 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 163 from 216.219.28.131:1645
 Wed Sep  5 13:42:10 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 55 from 216.219.28.131:1645
 Wed Sep  5 13:42:11 2001: WARNING: Unknown reply received in AuthRADIUS for
 request 65 from 216.219.28.131:1645
 .

 This is the realm



 


 Realm
 MaxSessions 1
 AuthBy LDAP2
 # Tell Radiator how to talk to the LDAP server
 Host xxx.xxx.yy.yy

 AuthDN  cn=admin, dc=Michigan, dc=com
 AuthPassword secret

 BaseDN  ou=state, dc=Michigan, dc=com

 UsernameAttr uid

 PasswordAttr userPassword

 # You can use CheckAttr, ReplyAttr and AuthAttrDef
 # to specify check and reply attributes in the LDAP
 # database. See the reference manual for more
 # information

 # These are the classic things to add to each users
 # reply to allow a PPP dialup session. It may be
 # different for your NAS. This will add some
 # reply items to everyone's reply
 #AddToReply Framed-Protocol = PPP,\
 #Framed-IP-Netmask = 255.255.255.255,\
 #Framed-Routing = None,\
 #Framed-MTU = 1500,\
 #Framed-Compression = Van-Jacobson-TCP-IP

 # You can enable debugging of the Net::LDAP
 # module with this:
 Debug 255
 /AuthBy

 # Log accounting to the detail file in LogDir
 AcctLogFileName %L/detailu
 /Realm


 ---
 Ing. Rolando Riley
 Administrador de Sistemas Unix
 AYAYAI.COM S.A.
 Tel: (507) 265-2424 ext. 408
 ---





(RADIATOR) Re: IP restriction

2001-09-05 Thread Hugh Irvine


Hello 'Tunde -

On Wednesday 05 September 2001 21:18, 'Tunde Ogedengbe wrote:
 I have a set of Netservers.  How do I restrict the use of IP to a
 particular Netserver within Radius?


I don't understand the question, sorry.

Could you explain what you mean?

thanks

Hugh





(RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-05 Thread Jares, Howard M

I am having problems configuring Radiator v2.18.2 to authenticate to a Cisco
VPN 5001.

I have been testing using the following configuration files:

goodies\simple2.cfg:
# simple2.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory and log accounting to a file in the current
# directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what its doing in great detail.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $

Foreground
LogStdout
LogDir  .
DbDir   .
DictionaryFile ./dictionary
# User a lower trace level in production systems:
Trace   4
# Added by Howard Jares
AuthPort 1812
AcctPort 1813

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret  *
	DupInterval 0
</Client>

<Realm DEFAULT>
	<AuthBy FILE>
		Filename ./users2
	</AuthBy>
	# Log accounting to a detail file
	AcctLogFileName ./detail
</Realm>


Users2:
DEFAULT Service-Type = Administrative-User, Auth-Type = System
Idle-Timeout = 2000,

DEFAULT Service-Type = Login-User, Expiration = Feb 2 2010
Idle-Timeout = 2001,
Fall-Through = yes

# User-Password can be in a number of formats: plaintext, 
# UNIX encrypted,
# SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
# defaults to plaintext
pwtest1   User-Password = fred
pwtest2   User-Password = {SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=
pwtest3   User-Password = {crypt}1xMKc0GIVUNbE
pwtest4   User-Password = $1$cTpht$Obu9PLSMst1TDou.mN5bk0
# Encrypted-Password can by in a variety of encryption standards too
# but defaults to Unix crypt
pwtest5   Encrypted-Password = {SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=
pwtest6   Encrypted-Password = {crypt}1xMKc0GIVUNbE
pwtest7  Encrypted-Password = $1$cTpht$Obu9PLSMst1TDou.mN5bk0
pwtest8   Encrypted-Password = 1xMKc0GIVUNbE
pwtest9   Encrypted-Password = {MD5}VwqQv7+MfqtdxdTiaDLVsQ==
pwtest10   User-Password = {MD5}VwqQv7+MfqtdxdTiaDLVsQ==


[EMAIL PROTECTED] User-Password=fred
cisco-VPNGroupInfo=Test,
cisco-VPNPassword=fred
#   Connect-Info = Test

I modified the standard dictionary file to include:

#HJ
VENDORATTR  9 cisco-VPNPassword   66 string
VENDORATTR  9 cisco-VPNGroupInfo   67 string
#HJ

On the server running Radiator:
F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Received from 129.7.209.253 port 2050 
Code:   Access-Request
Identifier: 41
Authentic:  z190244T251441437L1A15143v273
Attributes:
NAS-IP-Address = 129.7.209.253
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
NAS-Port = 268435459
User-Name = [EMAIL PROTECTED]
CHAP-Password = ^Y18228239246230G^46h1136(243

Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for [EMAIL PROTECTED],
129.7.209.253, 268435459
Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
[EMAIL PROTECTED]
Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
*** Sending to 129.7.209.253 port 2050 
Code:   Access-Accept
Identifier: 41
Authentic:  z190244T251441437L1A15143v273
Attributes:
cisco-VPNGroupInfo = Test
cisco-VPNPassword = fred
Connect-Info = Test

On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
connect using [EMAIL PROTECTED], the system sits there and then eventually times
out.

On the Cisco VPN 5001, I do a 
  show sys log buffer
and I get:

Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:[EMAIL PROTECTED]
Debug    9/5/01 16:35:24 Received RADIUS challenge resp. from [EMAIL PROTECTED] at
129.7.225.8, contacting server
Debug    9/5/01 16:35:24 No Connect-Info for [EMAIL PROTECTED]
Debug    9/5/01 16:35:24 Bad config from RADIUS server for [EMAIL PROTECTED]
Error    9/5/01 16:35:24 No Policy, , for user, [EMAIL PROTECTED]
Notice   9/5/01 16:35:24 No ifp ([EMAIL PROTECTED]) reset due to 

Re: (RADIATOR) 2.18.3 EAP

2001-09-05 Thread Anne Bennett


Hi, Hugh.

 As per my description when I requested the evaluation copy, I am trying
 to set up a wireless network with Cisco Aironet; we need a Unix-based
 RADIUS server that can speak LEAP to the ACS box, which proxies the
 requests from the access points.  I was told that this is supported,
 but I can't find anything in the docs.

 What you want to do is a simple AuthBy RADIUS proxy set up.

I'm not quite sure we are understanding each other; perhaps my description
was unclear.  I'll try again.  The Access Points are pointing at the
ACS box.  The ACS box is set up to pass the queries to my Unix box,
where my account database resides.  I want my Unix box to perform the
authentication.

I believe you are suggesting to me the opposite case, where the actual
authentication is performed by the ACS box.  However, I am specifically
trying to *avoid* having user account information on the ACS box.

 Note that EAP/LEAP support is being added to Radiator in stages, with 
 EAP/LEAP proxy support being the first. Additional support will be
 introduced in future revisions.

It sounds like what I am hoping to do is not supported for now.  :-(


Anne.
-- 
Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
[EMAIL PROTECTED]    +1 514 848-7606



Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread ganbold

Hi Hugh,


Yes, NAS will use Voice over IP.
How would it be in this case?


Ganbold



Hugh Irvine wrote:
 Hello Ganbold -
 
 Radiator can be used for any application that uses the radius protocol.
 
 The question to ask is what protocol does the NAS use to authenticate 
 Voice-Over-IP?
 
 As you rightly point out, Radiator is not a billing system, so you will still 
 have to address that aspect, either by developing it yourself or by 
 purchasing something.
 
 regards
 
 Hugh
 
 
 On Thursday 06 September 2001 04:02, ganbold wrote:
 
Hi,

We want to use Radiator for Internet phone. Is it possible to use
Radiator for this purpose? If possible, how difficult will it be to write
Internet phone billing software for Radiator?
Also I would like to know about compatibility issues with Radiator if we
buy some other Internet phone billing software.

thanks in advance,

Ganbold Ts.




Re: (RADIATOR) Question regarding Internet phone

2001-09-05 Thread ganbold

Hi,

Also, there are some billing systems we are interested in.

MIND CTI, Portal etc.

Does anybody know about these systems on Radiator?
Please let me know.


thanks in advance,

Ganbold


Hugh Irvine wrote:
 Hello Ganbold -
 
 Radiator can be used for any application that uses the radius protocol.
 
 The question to ask is what protocol does the NAS use to authenticate 
 Voice-Over-IP?
 
 As you rightly point out, Radiator is not a billing system, so you will still 
 have to address that aspect, either by developing it yourself or by 
 purchasing something.
 
 regards
 
 Hugh
 
 
 On Thursday 06 September 2001 04:02, ganbold wrote:
 
Hi,

We want to use Radiator for Internet phone. Is it possible to use
Radiator for this purpose? If possible, how difficult will it be to write
Internet phone billing software for Radiator?
Also I would like to know about compatibility issues with Radiator if we
buy some other Internet phone billing software.

thanks in advance,

Ganbold Ts.




Re: (RADIATOR) Calling-Station-Id

2001-09-05 Thread Vadim Isakov

Hi Hugh,

Thank you for your reply. As I see from debugs Cisco sends exactly what
Radiator requests.
The question is simpler now. How can I get Radius request Calling-Station-Id
attribute from Cisco router?

Thank you

Vadim




Radius:

Attributes:
NAS-IP-Address = 203.24.77.215
NAS-Port = 2
NAS-Port-Type = Async
User-Name = vi
Called-Station-Id = 82289800
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = 034B
Framed-Protocol = PPP
Framed-IP-Address = 210.11.41.130
Acct-Terminate-Cause = Lost-Carrier
Acct-Input-Octets = 254
Acct-Output-Octets = 240
Acct-Input-Packets = 7
Acct-Output-Packets = 7
Acct-Session-Time = 47
Acct-Delay-Time = 0


Cisco:

Sep  6 10:30:14.613 cst: RADIUS: Initial Transmit id 177 203.24.77.207:1646, Accounting-Request, len 134
Sep  6 10:30:14.617 cst: Attribute 4 6 CB184DD7
Sep  6 10:30:14.617 cst: Attribute 5 6 0002
Sep  6 10:30:14.621 cst: Attribute 61 6 
Sep  6 10:30:14.621 cst: Attribute 1 4 76691E0A
Sep  6 10:30:14.625 cst: Attribute 30 10 38323238
Sep  6 10:30:14.625 cst: Attribute 40 6 0002
Sep  6 10:30:14.629 cst: Attribute 45 6 0001
Sep  6 10:30:14.629 cst: Attribute 6 6 0002
Sep  6 10:30:14.629 cst: Attribute 44 10 30303030
Sep  6 10:30:14.633 cst: Attribute 7 6 0001
Sep  6 10:30:14.633 cst: Attribute 8 6 D20B2982
Sep  6 10:30:14.637 cst: Attribute 49 6 0002
Sep  6 10:30:14.637 cst: Attribute 42 6 00FE
Sep  6 10:30:14.641 cst: Attribute 43 6 00F0
Sep  6 10:30:14.641 cst: Attribute 47 6 0007
Sep  6 10:30:14.645 cst: Attribute 48 6 0007
Sep  6 10:30:14.645 cst: Attribute 46 6 002F
Sep  6 10:30:14.645 cst: Attribute 41 6 
Sep  6 10:30:14.753 cst: RADIUS: Received from id 177 203.24.77.207:1646, Accounting-response, len 20




 Hello Vadim -

 Have a look at a trace 4 debug from Radiator to see exactly what
 attributes are being sent in the radius requests sent by the Cisco.
 You can also look at a debug on the Cisco to see what is being sent.

 hth

 Hugh


 At 12:33 +0930 01/9/5, Vadim Isakov wrote:
 Hi all,
 
 We are testing Radiator-Demo now and have problem to get Calling-Station-ID
 from our Cisco 5200. I set all necessary Attributes in AcctLogFileFormat.
 They all appear in details file except Calling-Station-Id. Cisco debug shows
 sent attributes, but there are no attribute 31. Is it Radiator or Cisco
 issue? Did anyone have such kind of problem ?
 
 Thank you in advance
 
 Vadim
 

 --

 NB: I am travelling this week, so there may be delays in our
correspondence.

 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
 Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.


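To check from the router side which attributes were actually transmitted, the Cisco debug lines in the post above can be decoded and compared with the Radiator dump. The following is an added example, not part of the post: it assumes each debug line gives the attribute number, the attribute length and at most the first four value bytes in hex (which is how the quoted output reads), and that hex words appearing shortened in this copy have lost leading zeros.

```python
import re

# Attribute numbers from RFC 2865/2866 and how to render each value.
ATTRIBUTES = {
    1: ("User-Name", "text"), 4: ("NAS-IP-Address", "ip"), 5: ("NAS-Port", "int"),
    6: ("Service-Type", "int"), 7: ("Framed-Protocol", "int"),
    8: ("Framed-IP-Address", "ip"), 30: ("Called-Station-Id", "text"),
    31: ("Calling-Station-Id", "text"), 40: ("Acct-Status-Type", "int"),
    41: ("Acct-Delay-Time", "int"), 42: ("Acct-Input-Octets", "int"),
    43: ("Acct-Output-Octets", "int"), 44: ("Acct-Session-Id", "text"),
    45: ("Acct-Authentic", "int"), 46: ("Acct-Session-Time", "int"),
    47: ("Acct-Input-Packets", "int"), 48: ("Acct-Output-Packets", "int"),
    49: ("Acct-Terminate-Cause", "int"), 61: ("NAS-Port-Type", "int"),
}

# "... cst: Attribute 4 6 CB184DD7" -> number, total length, leading value bytes.
DEBUG_LINE = re.compile(r"Attribute (\d+) (\d+)(?: ([0-9A-Fa-f]+))?\s*$")

# The attribute lines of the Cisco debug quoted in the post.
CISCO_DEBUG = """\
Sep  6 10:30:14.617 cst: Attribute 4 6 CB184DD7
Sep  6 10:30:14.617 cst: Attribute 5 6 0002
Sep  6 10:30:14.621 cst: Attribute 61 6
Sep  6 10:30:14.621 cst: Attribute 1 4 76691E0A
Sep  6 10:30:14.625 cst: Attribute 30 10 38323238
Sep  6 10:30:14.625 cst: Attribute 40 6 0002
Sep  6 10:30:14.629 cst: Attribute 45 6 0001
Sep  6 10:30:14.629 cst: Attribute 6 6 0002
Sep  6 10:30:14.629 cst: Attribute 44 10 30303030
Sep  6 10:30:14.633 cst: Attribute 7 6 0001
Sep  6 10:30:14.633 cst: Attribute 8 6 D20B2982
Sep  6 10:30:14.637 cst: Attribute 49 6 0002
Sep  6 10:30:14.637 cst: Attribute 42 6 00FE
Sep  6 10:30:14.641 cst: Attribute 43 6 00F0
Sep  6 10:30:14.641 cst: Attribute 47 6 0007
Sep  6 10:30:14.645 cst: Attribute 48 6 0007
Sep  6 10:30:14.645 cst: Attribute 46 6 002F
Sep  6 10:30:14.645 cst: Attribute 41 6
"""


def decode_line(line):
    """Decode one debug line, or return None if it is not an attribute line."""
    match = DEBUG_LINE.search(line)
    if not match:
        return None
    number, length = int(match.group(1)), int(match.group(2))
    name, kind = ATTRIBUTES.get(number, (f"Attribute-{number}", "hex"))
    # Assumption: shortened hex words lost leading zeros, so pad to four bytes.
    word = bytes.fromhex((match.group(3) or "").rjust(8, "0")[:8])
    value_len = max(0, length - 2)          # length counts the type and length octets
    raw = word[:min(value_len, 4)]          # bytes past the value are not data
    if kind == "ip":
        value = ".".join(str(octet) for octet in raw)
    elif kind == "int":
        value = int.from_bytes(raw, "big")
    elif kind == "text":
        value = raw.decode("ascii", "replace")
    else:
        value = raw.hex()
    return {"number": number, "name": name, "value": value,
            "truncated": value_len > 4}


def decode_debug(text):
    """Map attribute number -> decoded attribute for every attribute line."""
    decoded = {}
    for line in text.splitlines():
        item = decode_line(line)
        if item:
            decoded[item["number"]] = item
    return decoded


def missing_attributes(decoded, wanted=(31,)):
    """Names of wanted attributes that the router never put on the wire."""
    return [ATTRIBUTES[number][0] for number in wanted if number not in decoded]


if __name__ == "__main__":
    sent = decode_debug(CISCO_DEBUG)
    for item in sent.values():
        suffix = "..." if item["truncated"] else ""
        print(f"{item['number']:>3} {item['name']} = {item['value']}{suffix}")
    print("not sent:", missing_attributes(sent))
```

The decoded values line up with the Radiator attribute list in the same post, and attribute 31 is absent from the router's own output.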



(RADIATOR) Attributes 52 and 53

2001-09-05 Thread Brian Morris

Hi All,

I am getting error messages Attribute 52 (vendor) not defined in
dictionary  (and 53)

Can anyone tell me where to find them so I can add them to our dictionary
file.

Thanks and regards,

Brian Morris





(RADIATOR) Lucent APX and auth-config requests

2001-09-05 Thread Viraj Alankar

Hello,

I recently lost some sleep over a problem with an Ascend/Lucent APX. Maybe 
someone else here can advise (or take heed).

One night the APX suddenly started sending authentication requests for 
frdlink-*, ipxroute-*, appleroute, and other nonsense. Well in our case
authentication for this RAS just happened to be promiscuous (that is, free
authentication).  This seemed to cause some sort of problem for the RAS,
because it kept sending these requests over and over at about 40 auth
packets/second with these bogus requests.

Now I assumed that the following setting would fix this:

http://www.open.com.au/radiator/faq.html#71

But it didn't. The requests kept coming even after a RAS reboot. What I then 
did was deny these bogus requests:

<Handler User-Name = /^((ipx|apple)route|permconn|frdlink)-/>
</Handler>

which stopped them altogether. Then everything was back to normal.

Just wondering if anyone else has come across this problem of the RAS ignoring 
the auth-config setting. We are running TAOS 9.0.1 on the RAS.

Thanks,

Viraj.




Re: (RADIATOR) Calling-Station-Id

2001-09-05 Thread Miguel A.L. Paraz

On Thu, Sep 06, 2001 at 10:44:23AM +0930, Vadim Isakov wrote:
 Thank you for your reply. As I see from debugs Cisco sends exactly what
 Radiator requests.
 The question is simpler now. How can I get Radius request Calling-Station-Id
 attribute from Cisco router?


It's in the circuit config - in my case:
  ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled ani

Better to ask at the [EMAIL PROTECTED] mailing list.



Re: Fwd: (RADIATOR) remote radiator restart

2001-09-05 Thread Mike McCauley

Hi Mariano,


On Thu, 6 Sep 2001 07:46, Hugh Irvine wrote:

 --  Forwarded Message  --
 Subject: (RADIATOR) remote radiator restart
 Date: Wed, 5 Sep 2001 14:22:45 -0300
 From: Mariano Absatz [EMAIL PROTECTED]
 To: Radiator List [EMAIL PROTECTED]


 Hi,

 I am running Radiator 2.18.2 on a couple of Sun Netras (Solaris 8)
 authenticating against an Oracle database (on yet another Netra).

 We developed a web based front end for administration of the users in the
 Oracle database on a Sun Ultra 10 (also Solaris 8) with Apache and embedded
 Perl.

 The point is that, for instance, when I try to invoke a restart script
 through ssh, I get the following error:

 Doing so through rsh, it works but it locks the connection (and anyway,
 I'd rather not have rshd running on the server).

 On the other hand, the manual states that through the SNMP agent I can
 restart Radiator, but I don't know how. Am I missing something? (I think
 this would be the cleanest method to do it).

you need to set the SNMP variable 
1.3.6.1.3.79.1.1.1.4

to the value 2, with something like:

snmpset your.radius.server.address your_community 1.3.6.1.3.79.1.1.1.4 i 2

Note that this does not actually stop the server, it just rereads the config, 
like with HUP.

Cheers.




(RADIATOR) PreHandlerHook (question)

2001-09-05 Thread Mike McCauley



--  Forwarded Message  --

Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from [Paul 
Thorton [EMAIL PROTECTED]]
Date: Wed, 5 Sep 2001 21:14:06 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


Hi,

I want to be able to use the PreHandlerHook to be able to compare a
radius attribute Class
and then change it to something else if matched. Can this be done?

IE. If the incoming packet contains the attribute (Class - perm) then I
want to be able
to change this to Class - pstn

This is required in order to stop permanent customers from dialing into
our pstn AS pool.

We have something similar for the other way around, but this just
converts all Class's to perm
and this method will not work the other way as not all Class's will be
pstn only.
I.E.
PreHandlerHook sub { ${$_[0]}->add_attr('Class', 'perm'); }

Thanks,

Paul




Re: (RADIATOR) Lucent APX and auth-config requests

2001-09-05 Thread Hugh Irvine


Hello Viraj -

On Thursday 06 September 2001 12:56, Viraj Alankar wrote:

  Hello,

 I recently lost some sleep over a problem with an Ascend/Lucent APX. Maybe
 someone else here can advise (or take heed).

 One night the APX suddenly started sending authentication requests for
 frdlink-*, ipxroute-*, appleroute, and other nonsense. Well in our case
 authentication for this RAS just happened to be promiscuous (that is, free
 authentication).  This seemed to cause some sort of problem for the RAS,
 because it kept sending these requests over and over at about 40 auth
 packets/second with these bogus requests.

 Now I assumed that the following setting would fix this:

 http://www.open.com.au/radiator/faq.html#71

 But it didn't. The requests kept coming even after a RAS reboot. What I
 then did was deny these bogus requests:

 <Handler User-Name = /^((ipx|apple)route|permconn|frdlink)-/>
 </Handler>

 which stopped them altogether. Then everything was back to normal.


Note that the above does not stop the NAS sending the requests, it just stops 
Radiator from replying.

Also note that something must have changed on the NAS (perhaps a software 
upgrade?) to cause it to change behaviour.

 Just wondering if anyone else has come across this problem of the RAS
 ignoring the auth-config setting. We are running TAOS 9.0.1 on the RAS.


Please let us know the answer so we can update the FAQ.

regards

Hugh


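Because the Handler only stops Radiator from replying and the NAS keeps sending, the flood itself is worth measuring from the Trace 4 log. The following is an added example (not from the posts and not part of Radiator): it parses packet dumps in the layout shown elsewhere on this page and reports each NAS whose pseudo-user Access-Requests reach a per-second threshold. The sample log, the addresses and the threshold are constructed.

```python
import re
from collections import Counter

# Pattern from the Handler in the post: the pseudo-user names the APX asked for.
# It requires the trailing "-", so a bare "appleroute" would not match.
PSEUDO_USER = re.compile(r"^((ipx|apple)route|permconn|frdlink)-")

# "Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:" style log prefix.
LOG_LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): \w+: ")
RECEIVED = re.compile(r"^\*\*\* Received from (\S+) port \d+")
ATTRIBUTE = re.compile(r"^\s*([\w-]+) = (.*)$")


def parse_received(log_text):
    """Return one dict per received packet found in a Trace 4 log."""
    packets, current, second = [], None, None
    for line in log_text.splitlines():
        stamped = LOG_LINE.match(line)
        if stamped:
            # Every timestamped line ends the previous dump; the timestamp has
            # one-second resolution, so it doubles as the rate bucket.
            second, current = stamped.group(1), None
            continue
        received = RECEIVED.match(line)
        if received:
            current = {"second": second, "nas": received.group(1),
                       "code": "", "attrs": {}}
            packets.append(current)
            continue
        if current is None:
            continue  # inside a "Sending to" dump or unrelated output
        if line.startswith("Code:"):
            current["code"] = line.split(":", 1)[1].strip()
            continue
        attribute = ATTRIBUTE.match(line)
        if attribute:
            current["attrs"][attribute.group(1)] = attribute.group(2).strip()
    return packets


def pseudo_user_peaks(packets, threshold):
    """Map NAS address -> peak pseudo-user Access-Requests in any one second."""
    per_second = Counter()
    for packet in packets:
        user = packet["attrs"].get("User-Name", "")
        if packet["code"] == "Access-Request" and PSEUDO_USER.match(user):
            per_second[(packet["nas"], packet["second"])] += 1
    peaks = {}
    for (nas, _second), count in per_second.items():
        peaks[nas] = max(peaks.get(nas, 0), count)
    return {nas: peak for nas, peak in peaks.items() if peak >= threshold}


def _dump(second, nas, user):
    """One constructed Access-Request dump in the layout Radiator logs."""
    return [f"{second}: DEBUG: Packet dump:",
            f"*** Received from {nas} port 1645 ....",
            "Code:       Access-Request",
            "Identifier: 1",
            "Attributes:",
            f"\tNAS-IP-Address = {nas}",
            f"\tUser-Name = {user}",
            ""]


def constructed_log():
    """Constructed sample: 40 pseudo-user requests in one second, 3 in the
    next, one ordinary login from another NAS, and one outgoing reply."""
    names = ["frdlink-a", "ipxroute-a", "appleroute-a", "permconn-a"]
    lines = []
    for i in range(43):
        second = "Thu Sep  6 03:10:01 2001" if i < 40 else "Thu Sep  6 03:10:02 2001"
        lines += _dump(second, "192.0.2.10", names[i % 4])
    lines += _dump("Thu Sep  6 03:10:02 2001", "192.0.2.20", "alice")
    lines += ["Thu Sep  6 03:10:02 2001: DEBUG: Packet dump:",
              "*** Sending to 192.0.2.20 port 1645 ....",
              "Code:       Access-Accept",
              "Attributes:",
              ""]
    return "\n".join(lines)


if __name__ == "__main__":
    peaks = pseudo_user_peaks(parse_received(constructed_log()), threshold=20)
    for nas, peak in peaks.items():
        print(f"{nas}: {peak} pseudo-user Access-Requests in one second")
```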



Re: (RADIATOR) Problem using Radiator to authenticate VPN access via a Cisco VPN 5001

2001-09-05 Thread Hugh Irvine


Hello Howard -

On Thursday 06 September 2001 08:26, Jares, Howard M wrote:
 I am having problems configuring Radiator v2.18.2 to authenticate to a
 Cisco VPN 5001.

 I have been testing using the following configuration files:

 goodies\simple2.cfg:
 # simple2.cfg
 #
 # Example Radiator configuration file.
 # This very simple file will allow you to get started with
 # a simple system. You can then add and change features.
 # We suggest you start simple, prove to yourself that it
 # works and then develop a more complicated configuration.
 #
 # This example will authenticate from a standard users file in
 # the current directory and log accounting to a file in the current
 # directory.
 # It will accept requests from any client and try to handle request
 # for any realm.
 # And it will print out what its doing in great detail.
 #
 # See radius.cfg for more complete examples of features and
 # syntax, and refer to the reference manual for a complete description
 # of all the features and syntax.
 #
 # You should consider this file to be a starting point only
 # $Id: simple.cfg,v 1.4 2001/04/25 23:47:13 mikem Exp $

 Foreground
 LogStdout
 LogDir  .
 DbDir   .
 DictionaryFile ./dictionary
 # User a lower trace level in production systems:
 Trace 4
 # Added by Howard Jares
 AuthPort 1812
 AcctPort 1813

 # You will probably want to add other Clients to suit your site,
 # one for each NAS you want to work with
 <Client DEFAULT>
   Secret  *
   DupInterval 0
 </Client>

 <Realm DEFAULT>
   <AuthBy FILE>
   Filename ./users2
   </AuthBy>
   # Log accounting to a detail file
   AcctLogFileName ./detail
 </Realm>


 Users2:
 DEFAULT   Service-Type = Administrative-User, Auth-Type = System
   Idle-Timeout = 2000,

 DEFAULT   Service-Type = Login-User, Expiration = Feb 2 2010
   Idle-Timeout = 2001,
   Fall-Through = yes

 # User-Password can be in a number of formats: plaintext,
 # UNIX encrypted,
 # SHA encrypted (as used in Netscape LDAP), or Linux MD5 password
 # defaults to plaintext
 pwtest1   User-Password = fred
 pwtest2   User-Password = {SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=
 pwtest3   User-Password = {crypt}1xMKc0GIVUNbE
 pwtest4   User-Password = $1$cTpht$Obu9PLSMst1TDou.mN5bk0
 # Encrypted-Password can by in a variety of encryption standards too
 # but defaults to Unix crypt
 pwtest5   Encrypted-Password = {SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=
 pwtest6   Encrypted-Password = {crypt}1xMKc0GIVUNbE
 pwtest7  Encrypted-Password = $1$cTpht$Obu9PLSMst1TDou.mN5bk0
 pwtest8   Encrypted-Password = 1xMKc0GIVUNbE
 pwtest9   Encrypted-Password = {MD5}VwqQv7+MfqtdxdTiaDLVsQ==
 pwtest10   User-Password = {MD5}VwqQv7+MfqtdxdTiaDLVsQ==


 [EMAIL PROTECTED]   User-Password=fred
   cisco-VPNGroupInfo=Test,
   cisco-VPNPassword=fred
 # Connect-Info = Test

 I modified the standard dictionary file to include:

 #HJ
 VENDORATTR  9 cisco-VPNPassword   66 string
 VENDORATTR  9 cisco-VPNGroupInfo   67 string
 #HJ

 On the server running Radiator:
 F:\Radiator-2.18.2>perl radiusd -config=goodies\simple2.cfg
 Wed Sep  5 16:35:13 2001: DEBUG: Reading users file ./users2
 Wed Sep  5 16:35:13 2001: INFO: Server started: Radiator 2.18.2 on ks1
 Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
 *** Received from 129.7.209.253 port 2050 
 Code:   Access-Request
 Identifier: 41
 Authentic:  z190244T251441437L1A15143v273
 Attributes:
 NAS-IP-Address = 129.7.209.253
 NAS-Port-Type = Virtual
 Service-Type = Authenticate-Only
 NAS-Port = 268435459
 User-Name = [EMAIL PROTECTED]
 CHAP-Password = ^Y18228239246230G^46h1136(243

 Wed Sep  5 16:35:24 2001: DEBUG: Handling request with Handler
 'Realm=DEFAULT'
 Wed Sep  5 16:35:24 2001: DEBUG:  Deleting session for [EMAIL PROTECTED],
 129.7.209.253, 268435459
 Wed Sep  5 16:35:24 2001: DEBUG: Handling with Radius::AuthFILE
 Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE looks for match with
 [EMAIL PROTECTED]
 Wed Sep  5 16:35:24 2001: DEBUG: Radius::AuthFILE ACCEPT:
 Wed Sep  5 16:35:24 2001: DEBUG: Access accepted for [EMAIL PROTECTED]
 Wed Sep  5 16:35:24 2001: DEBUG: Packet dump:
 *** Sending to 129.7.209.253 port 2050 
 Code:   Access-Accept
 Identifier: 41
 Authentic:  z190244T251441437L1A15143v273
 Attributes:
 cisco-VPNGroupInfo = Test
 cisco-VPNPassword = fred
 Connect-Info = Test

 On 129.7.225.8 I am using the Cisco VPN client version 5.1.1. When I try to
 connect using [EMAIL PROTECTED], the system sits there and then eventually times
 out.

 On the Cisco VPN 5001, I do a
   show sys log buffer
 and I get:

 Notice   9/5/01 16:35:21 New IKE connection: [129.7.225.8]:1284:[EMAIL PROTECTED]
 Debug    9/5/01 16:35:24 Received RADIUS challenge resp. from [EMAIL PROTECTED]
 at 129.7.225.8, contacting server
 Debug    9/5/01 16:35:24 No Connect-Info for [EMAIL PROTECTED]
 Debug    9/5/01 16:35:24 

Re: (RADIATOR) 2.18.3 EAP

2001-09-05 Thread Hugh Irvine


Hello Anne -

My apologies, but I am still unclear as to what you are trying to do.

From what you describe below, I understand you to mean that you want the 
wireless base station to point to the ACS, which then points to Radiator, 
which then authenticates from a UNIX box. 

Is this correct?

thanks

Hugh


On Thursday 06 September 2001 08:29, Anne Bennett wrote:
 Hi, Hugh.

  As per my description when I requested the evaluation copy, I am trying
  to set up a wireless network with Cisco Aironet; we need a Unix-based
  RADIUS server that can speak LEAP to the ACS box, which proxies the
  requests from the access points.  I was told that this is supported,
  but I can't find anything in the docs.
 
  What you want to do is a simple AuthBy RADIUS proxy set up.

 I'm not quite sure we are understanding each other; perhaps my description
 was unclear.  I'll try again.  The Access Points are pointing at the
 ACS box.  The ACS box is set up to pass the queries to my Unix box,
 where my account database resides.  I want my Unix box to perform the
 authentication.

 I believe you are suggesting to me the opposite case, where the actual
 authentication is performed by the ACS box.  However, I am specifically
 trying to *avoid* having user account information on the ACS box.

  Note that EAP/LEAP support is being added to Radiator in stages, with
  EAP/LEAP proxy support being the first. Additional support will be
  introduced in future revisions.

 It sounds like what I am hoping to do is not supported for now.  :-(


 Anne.




Re: (RADIATOR) PreHandlerHook (question)

2001-09-05 Thread Hugh Irvine


Hello Paul -


 I want to be able to use the PreHandlerHook to be able to compare a
 radius attribute Class
 and then change it to something else if matched. Can this be done?

 IE. If the incoming packet contains the attribute (Class - perm) then I
 want to be able
 to change this to Class - pstn

 This is required in order to stop permanent customers from dialing into
 our pstn AS pool.

 We have something similar for the other way around, but this just
 converts all Class's to perm
 and this method will not work the other way as not all Class's will be
 pstn only.
 I.E.
 PreHandlerHook sub { ${$_[0]}->add_attr('Class', 'perm'); }


This is very simple to do. 

Have a look at the example hooks in the file goodies/hooks.txt to see how 
it is done.

regards

Hugh





Re: (RADIATOR) Attributes 52 and 53

2001-09-05 Thread Hugh Irvine


Hello Brian -

These definitions are in the Radiator 2.18.3 dictionary:

ATTRIBUTE   Acct-Input-Gigawords    52  integer
ATTRIBUTE   Acct-Output-Gigawords   53  integer

regards

Hugh


On Thursday 06 September 2001 12:33, Brian Morris wrote:
 Hi All,

 I am getting error messages Attribute 52 (vendor) not defined in
 dictionary  (and 53)

 Can anyone tell me where to find them so I can add them to our dictionary
 file.

 Thanks and regards,

 Brian Morris






(RADIATOR) I'm back from far north tropical Queensland (it was lovely...)

2001-09-05 Thread Hugh Irvine


Hello Everyone -

My apologies if I have missed any mail this last week.

If anyone has any outstanding problems, please resend them.

thanks and regards

Hugh

