Re: (RADIATOR) User are not able to disconnect
Hello -

At least some of your problems are due to your database column definitions. See below - there is a database error when trying to insert the Stop record.

Fri Jan 9 11:08:17 2004: DEBUG: Packet dump:
*** Received from 192.168192.2 port 21708
Code: Accounting-Request
Identifier: 91
Authentic: Q<170><247><2>p<16><8><193><227><16><174><130><162>b!J
Attributes:
    Acct-Session-Id = "3238"
    Acct-Terminate-Cause = User-Request
    cisco-avpair = "disc-cause-ext=TS User Exit"
    cisco-avpair = "connect-progress=Call Up"
    Acct-Session-Time = 0
    Acct-Status-Type = Stop
    Cisco-NAS-Port = "tty125"
    NAS-Port = 125
    NAS-Port-Type = Virtual
    Calling-Station-Id = "192.168192.10"
    Service-Type = NAS-Prompt-User
    NAS-IP-Address = 192.168192.2
    Acct-Delay-Time = 0

Fri Jan 9 11:08:17 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Jan 9 11:08:17 2004: DEBUG: Deleting session for , 192.168192.2, 125
Fri Jan 9 11:08:17 2004: DEBUG: do query is: delete from TblActiveSessions where PortNo='125' and LoginName = ''
Fri Jan 9 11:08:17 2004: DEBUG: Handling with Radius::AuthSQL
Fri Jan 9 11:08:17 2004: DEBUG: Handling accounting with Radius::AuthSQL
Fri Jan 9 11:08:17 2004: DEBUG: do query is: insert into TblTransaction (TimeClose, RecordType, SessionId, Duration, TerminationCause, NASIPAddress, PortNo, CLI) values (to_date(' 9 01 2004 11:08:17', 'DD MM HH24:MI:SS'), 'Stop', '3238', 0, 'User-Request', '192.168192.2', 125, '192.168192.10')
Fri Jan 9 11:08:17 2004: ERR: do failed for 'insert into TblTransaction (TimeClose, RecordType, SessionId, Duration, TerminationCause, NASIPAddress, PortNo, CLI) values (to_date(' 9 01 2004 11:08:17', 'DD MM HH24:MI:SS'), 'Stop', '3238', 0, 'User-Request', '192.168192.2', 125, '192.168192.10')': ORA-01401: inserted value too large for column (DBD ERROR: OCIStmtExecute)
Fri Jan 9 11:08:17 2004: ERR: do failed for 'insert into TblTransaction (TimeClose, RecordType, SessionId, Duration, TerminationCause, NASIPAddress, PortNo, CLI) values (to_date(' 9 01 2004 11:08:17', 'DD MM HH24:MI:SS'), 'Stop', '3238', 0, 'User-Request', '192.168192.2', 125, '192.168192.10')': ORA-01401: inserted value too large for column (DBD ERROR: OCIStmtExecute)

There are some additional problems due to the lack of the Framed-IP-Address attribute in the accounting records, therefore the AuthBy DYNADDRESS will not work properly.

And from what I can see in the debug, Radiator is indeed returning the Session-Timeout attribute, so if the NAS is not dealing with it properly it is a NAS configuration issue (assuming that the NAS knows what to do with it). You will need to check with your NAS vendor to find out how to correctly configure it.

regards

Hugh

On 09/01/2004, at 9:33 PM, Muhammad Talha wrote:

Thanks for your reply. I am attaching my cfg file as well as trace 4 log file. Waiting for your reply.

Regards
./UW

- Original Message -
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: "unixware" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 09, 2004 2:35 PM
Subject: Re: (RADIATOR) User are not able to disconnect

Hello -

The only way we have of helping you is to look at your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

From what you are describing it sounds like the NAS is not configured correctly.

regards

Hugh

On 09/01/2004, at 6:40 PM, unixware wrote:

Dear all,

I have some problem regarding communication with Radius server and NAS (Radiator 2.18 on Sun Solaris) using Oracle 9.2.0, Cisco AS5300 NAS. I can see correct SessionTimeout is calculated in radius log, but still users are not disconnected and their balance is going into the negative. No stop record received by Radius. RAS configuration seems to be ok. Any help will be greatly appreciated.

Regards
./UW

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
- CATool: Private Certificate Authority for Unix and Unix-like systems.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.

<2004010911.log>
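Added example (not part of the thread and not Radiator code): a Python helper that pulls the failed INSERT out of a trace 4 log like the one in the message above and pairs each value with its column, so literal lengths can be compared with the table definition when ORA-01401 appears. The function names are hypothetical and the widths in ASSUMED_WIDTHS are invented; the real ones are the DATA_LENGTH values in Oracle's USER_TAB_COLUMNS for the table.

```python
import re

# One line copied from the trace 4 log quoted in the message above.
SAMPLE_LOG = "Fri Jan 9 11:08:17 2004: ERR: do failed for 'insert into TblTransaction (TimeClose, RecordType, SessionId, Duration, TerminationCause, NASIPAddress, PortNo, CLI) values (to_date(' 9 01 2004 11:08:17', 'DD MM HH24:MI:SS'), 'Stop', '3238', 0, 'User-Request', '192.168192.2', 125, '192.168192.10')': ORA-01401: inserted value too large for column (DBD ERROR: OCIStmtExecute)\n"

# ASSUMPTION: invented column widths, for illustration only. The real ones are
# DATA_LENGTH in Oracle's USER_TAB_COLUMNS for the table.
ASSUMED_WIDTHS = {"RecordType": 8, "SessionId": 16, "TerminationCause": 16,
                  "NASIPAddress": 15, "CLI": 12}

FAILED = re.compile(r"ERR: do failed for 'insert into (\w+) \((.*?)\) "
                    r"values \((.*)\)': (ORA-\d+)")

def split_top_level(text):
    """Split on commas that sit outside quotes and parentheses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def failed_inserts(log_text):
    """Return [(table, ora_code, [(column, sql_value), ...])] per failed INSERT."""
    found = []
    for m in FAILED.finditer(log_text):
        table, cols, vals, code = m.groups()
        columns = [c.strip() for c in cols.split(",")]
        values = split_top_level(vals)
        if len(columns) == len(values):
            found.append((table, code, list(zip(columns, values))))
    return found

def literal_length(sql_value):
    """Length of a quoted string literal; None for numbers and expressions."""
    if len(sql_value) >= 2 and sql_value[0] == sql_value[-1] == "'":
        return len(sql_value[1:-1].replace("''", "'"))
    return None

def oversized(pairs, widths):
    """Return (column, length, width) for literals longer than their column."""
    return [(c, literal_length(v), widths[c]) for c, v in pairs
            if c in widths and (literal_length(v) or 0) > widths[c]]

if __name__ == "__main__":
    for table, code, pairs in failed_inserts(SAMPLE_LOG):
        print(table, code, oversized(pairs, ASSUMED_WIDTHS))
```
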
Re: (RADIATOR) Ascend-coldstart
Hello Jerome -

I will forward your mail to Mike for further analysis.

regards

Hugh

On 10/01/2004, at 2:42 AM, Jerome Fleury wrote:

Hi there,

it seems like Radiator handles really badly the Ascend event 'Coldstart'. Let me explain this:

The Ascend NAS is supposed to send this Event-Request at every reboot, so that the server can clean up the session table.

The debug says:

*** Received from 212.129.4.13 port 6974
Code: Ascend-Access-Event-Request
Identifier: 190
Authentic: <179><249><24><8><159><177><220>nF-<10><186><0><228>H<2>
Attributes:
    NAS-IP-Address = 212.129.4.13
    Ascend-Event-Type = Ascend-ColdStart

*** Sending to 212.129.4.13 port 6974
Code: Ascend-Access-Event-Response
Identifier: 190
Authentic: <179><249><24><8><159><177><220>nF-<10><186><0><228>H<2>
Attributes:

This could look OK, but the Ascend documentation says:

Ascend-Event-Type (150)

Description: Indicates one of the following:
- A cold-start notification, informing the accounting server that the MAX TNT has started up
- A session event, informing the authentication server that a session has begun

Usage: For a cold-start notification, Ascend-Event-Type=Ascend-Coldstart (1). For a session event, Ascend-Event-Type=Ascend-Session-Event (2).

Dependencies: In a cold-start notification, the MAX TNT sends values for NAS-Identifier, Ascend-Event-Type, and Ascend-Number-Sessions in an Ascend-Access-Event-Request packet (code 33). The RADIUS accounting server must send back an Ascend-Access-Event-Response packet (code 34) with the correct identifier to the MAX TNT.

That means the radius server has to send a NAS-Identifier (or something like, this is quite not clear) for the NAS to accept the response.

On our config it looks like the NAS doesn't accept the response from Radiator and keeps retransmitting the Event-Request.

I think I'll have to code a patch (better than a hook indeed) so that Radiator handles this correctly.

What do you think about it? Has someone here already faced this problem?

Tchuss.

--
Jerome Fleury
Re: (RADIATOR) Authlog
Hello Craig -

Yes you can define your own SuccessQuery and/or FailureQuery using special characters. See section 6.54 in the Radiator 3.8 reference manual.

regards

Hugh

On 10/01/2004, at 8:09 AM, Craig Gittens wrote:

Hey guys,

Can we use Radiator variables for table names in the Authlog SQL statement?

I want to do this:

insert into RadLog-%Y-%m \
    (Priority, Message, User_Name, FailedPass) \
    values \
    (%0, %1, %2, %3)

Or something like.

Craig.
(RADIATOR) Authlog
Hey guys,

Can we use Radiator variables for table names in the Authlog SQL statement?

I want to do this:

insert into RadLog-%Y-%m \
    (Priority, Message, User_Name, FailedPass) \
    values \
    (%0, %1, %2, %3)

Or something like.

Craig.
(RADIATOR) Ascend-coldstart
Hi there,

it seems like Radiator handles really badly the Ascend event 'Coldstart'. Let me explain this:

The Ascend NAS is supposed to send this Event-Request at every reboot, so that the server can clean up the session table.

The debug says:

*** Received from 212.129.4.13 port 6974
Code: Ascend-Access-Event-Request
Identifier: 190
Authentic: <179><249><24><8><159><177><220>nF-<10><186><0><228>H<2>
Attributes:
    NAS-IP-Address = 212.129.4.13
    Ascend-Event-Type = Ascend-ColdStart

*** Sending to 212.129.4.13 port 6974
Code: Ascend-Access-Event-Response
Identifier: 190
Authentic: <179><249><24><8><159><177><220>nF-<10><186><0><228>H<2>
Attributes:

This could look OK, but the Ascend documentation says:

Ascend-Event-Type (150)

Description: Indicates one of the following:
- A cold-start notification, informing the accounting server that the MAX TNT has started up
- A session event, informing the authentication server that a session has begun

Usage: For a cold-start notification, Ascend-Event-Type=Ascend-Coldstart (1). For a session event, Ascend-Event-Type=Ascend-Session-Event (2).

Dependencies: In a cold-start notification, the MAX TNT sends values for NAS-Identifier, Ascend-Event-Type, and Ascend-Number-Sessions in an Ascend-Access-Event-Request packet (code 33). The RADIUS accounting server must send back an Ascend-Access-Event-Response packet (code 34) with the correct identifier to the MAX TNT.

That means the radius server has to send a NAS-Identifier (or something like, this is quite not clear) for the NAS to accept the response.

On our config it looks like the NAS doesn't accept the response from Radiator and keeps retransmitting the Event-Request.

I think I'll have to code a patch (better than a hook indeed) so that Radiator handles this correctly.

What do you think about it? Has someone here already faced this problem?

Tchuss.

--
Jerome Fleury
(RADIATOR) Xsupplicant Radiator EAP_TLS problems
Dear all,

I am trying to make EAP-TLS work between Xsupplicant and Radiator. But I am having some problems. I generated the certificates using Openssl and authentication works perfectly when authenticating against Radiator from a windows supplicant. The problem only appears when using Xsupplicant (under GNU/Debian).

In my notebook I installed:

Xsupplicant 0.8b
Openssl 0.9.7b
Libpcap 0.7.2
Lindnet 1.7

Below there is the 1.conf I used for Xsupplicant and the output generated by Radiator during the authentication process.

I would appreciate any idea.

Thanks in advance

Alex

/etc/1x/1x.conf

default : id = [EMAIL PROTECTED]
default : cert = /etc/1x/certs/certs_amuse/[EMAIL PROTECTED]
default : key = /etc/1x/certs/certs_amuse/[EMAIL PROTECTED]
default : root = /etc/1x/certs/certs_amuse/root.pem
default :auth = EAP
default : pref = tls
default : random_file = /dev/random
default : after_auth = "/bin/echo I authenticated"

RADIATOR OUTPUT:

Fri Jan 9 14:12:25 2004: DEBUG: Reading users file /etc/radiator/users_tls
Fri Jan 9 14:12:25 2004: DEBUG: Reading users file /etc/radiator/users
Fri Jan 9 14:12:25 2004: DEBUG: Reading users file /etc/radiator/users
Fri Jan 9 14:12:25 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
This Radiator license will expire on 2004-02-01
This Radiator license will stop operating after 1000 requests
To purchase an unlimited full source version of Radiator, see http://www.open.com.au/ordering.html
To extend your evaluation period, contact [EMAIL PROTECTED]
Fri Jan 9 14:12:25 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Fri Jan 9 14:12:26 2004: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Jan 9 14:12:26 2004: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Jan 9 14:12:26 2004: NOTICE: Server started: Radiator 3.7.1 on phoenix (EVALUATION)
Fri Jan 9 14:13:54 2004: DEBUG: Packet dump:
*** Received from 131.155.193.92 port 1035
Code: Access-Request
Identifier: 5
Authentic: <233>,<246><157>.<209><178><150><24>8<255><25><185><151><30><161>
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 131.155.193.92
    Called-Station-Id = "004096310d73"
    Calling-Station-Id = "00022d0292be"
    NAS-Identifier = "ap340-2"
    NAS-Port = 29
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    EAP-Message = <2><0><0><25><1>[EMAIL PROTECTED]
    Message-Authenticator = <200><181><130><228>DP<195><234><152><140>T<229><24><24><201>`

Fri Jan 9 14:13:54 2004: DEBUG: Handling request with Handler 'Realm=amuse_tls.nl'
Fri Jan 9 14:13:54 2004: DEBUG: Deleting session for [EMAIL PROTECTED], 131.155.193.92, 29
Fri Jan 9 14:13:54 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 9 14:13:54 2004: DEBUG: Handling with EAP: code 2, 0, 25
Fri Jan 9 14:13:54 2004: DEBUG: Response type 1
Fri Jan 9 14:13:55 2004: DEBUG: EAP result: 3, EAP TLS Challenge
Fri Jan 9 14:13:55 2004: DEBUG: Access challenged for [EMAIL PROTECTED]: EAP TLS Challenge
Fri Jan 9 14:13:55 2004: DEBUG: Packet dump:
*** Sending to 131.155.193.92 port 1035
Code: Access-Challenge
Identifier: 5
Authentic: <233>,<246><157>.<209><178><150><24>8<255><25><185><151><30><161>
Attributes:
    EAP-Message = <1><1><0><6><13>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Fri Jan 9 14:13:55 2004: DEBUG: Packet dump:
*** Received from 131.155.193.92 port 1036
Code: Access-Request
Identifier: 6
Authentic: <247><214><254><245><146>p<189><133><221><24><183><178><177>:<11><192>
Attributes:
    User-Name = "[EMAIL PROTECTED]"
    NAS-IP-Address = 131.155.193.92
    Called-Station-Id = "004096310d73"
    Calling-Station-Id = "00022d0292be"
    NAS-Identifier = "ap340-2"
    NAS-Port = 29
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    EAP-Message = <2><1><0>n<13><128><0><0><0>d<22><3><1><0>_<1><0><0>[<3><1>?<254><169><2 37>k<233><229>|<206>I<248><166> U<25><208><130>M<237><229><188><218><152><210><187>Y<9><219><172><139><2 28><141><22><0><0>4<0>9<0>8<0>5<0><22><0><19><0><10>< 0>3<0>2<0>/<0>f<0><5><0><4><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`< 0><20><0><17><0><8><0><6><0><3><1><0>
    Message-Authenticator = <15><180><202><136><208>;<153>Q<224><29>}Z<243>K<7><21>

Fri Jan 9 14:13:55 2004: DEBUG: Handling request with Handler 'Realm=amuse_tls.nl'
Fri Jan 9 14:13:55 2004: DEBUG: Deleting session for [EMAIL PROTECTED], 131.155.193.92, 29
Fri Jan 9 14:13:55 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Jan 9 14:13:55 2004: DEBUG: Handling with EAP: code 2, 1, 110
Fri Jan 9 14:13:55 2004: DEBUG: Response type 13
Fri Jan 9 14:13:55 2004: DEBUG: EAP result: 3, EAP TLS Challenge
Fri Jan 9 14:13:55 2004: DEBUG: Access challenged for [EMAIL PROTECTED]: EAP TLS Challenge
Fri Jan 9 14:13:55 2004: D
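Added example (not part of the post and not Radiator or Xsupplicant code): a Python decoder for the EAP-Message values in the trace above, useful for checking what each side actually sent in an EAP-TLS exchange. It converts the dump notation back to bytes and reads the EAP header, the EAP-TLS flags and the first TLS record header; the function names are hypothetical, and the sixth byte of START is an inference explained in the comment.

```python
import re
import struct

# Bytes copied from the trace above in its dump notation: <n> is one byte in
# decimal, any other character is the byte itself.
# START is the EAP-Message of the Access-Challenge. Its length field says 6 but
# only five bytes are visible, so the sixth is taken to be 0x20, which prints
# as a space (an inference, not something the flattened trace shows).
START = "<1><1><0><6><13> "
# First 21 bytes of the EAP-Message in the Access-Request that follows it.
HELLO = "<2><1><0>n<13><128><0><0><0>d<22><3><1><0>_<1><0><0>[<3><1>"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def undump(text):
    """Turn dump notation back into bytes (a literal '<' stays ambiguous)."""
    return bytes(int(n) if n else ord(c)
                 for n, c in re.findall(r"<(\d{1,3})>|(.)", text, re.S))


def parse_eap_tls(data):
    """Decode the EAP header and, for type 13, the EAP-TLS framing."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 6:
        return info
    info["type"] = data[4]
    if data[4] != 13:                      # 13 = EAP-TLS
        return info
    flags = data[5]
    info["length_included"] = bool(flags & 0x80)
    info["more_fragments"] = bool(flags & 0x40)
    info["start"] = bool(flags & 0x20)
    off = 6
    if flags & 0x80 and len(data) >= 10:   # 4-byte total TLS message length
        info["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        off = 10
    if len(data) >= off + 6:               # TLS record header + first body byte
        rtype, major, minor, rlen = struct.unpack("!BBBH", data[off:off + 5])
        info["record"] = {"type": rtype, "version": (major, minor), "length": rlen}
        if rtype == 22:                    # 22 = handshake
            info["handshake_type"] = data[off + 5]   # 1 = ClientHello
    return info


if __name__ == "__main__":
    for name, dump in (("START", START), ("HELLO", HELLO)):
        print(name, parse_eap_tls(undump(dump)))
```

The decoded values agree with the log lines "Handling with EAP: code 2, 1, 110" and "Response type 13": the supplicant's second message is an EAP-TLS response carrying a TLS 1.0 handshake record that begins with a ClientHello.
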
Re: (RADIATOR) User are not able to disconnect
Hello -

The only way we have of helping you is to look at your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

From what you are describing it sounds like the NAS is not configured correctly.

regards

Hugh

On 09/01/2004, at 6:40 PM, unixware wrote:

Dear all,

I have some problem regarding communication with Radius server and NAS (Radiator 2.18 on Sun Solaris) using Oracle 9.2.0, Cisco AS5300 NAS. I can see correct SessionTimeout is calculated in radius log, but still users are not disconnected and their balance is going into the negative. No stop record received by Radius. RAS configuration seems to be ok. Any help will be greatly appreciated.

Regards
./UW
(RADIATOR) User are not able to disconnect
Dear all,

I have some problem regarding communication with Radius server and NAS (Radiator 2.18 on Sun Solaris) using Oracle 9.2.0, Cisco AS5300 NAS. I can see correct SessionTimeout is calculated in radius log, but still users are not disconnected and their balance is going into the negative. No stop record received by Radius. RAS configuration seems to be ok. Any help will be greatly appreciated.

Regards
./UW