(RADIATOR) static ip customers
would tere be an easy way to setup some way to check for a user's ip and netmask from a db? %static = ( "godsey" => "192.168.1.128/25"; "jason" => "192.168.1.1/32"; "joe" => "192.168.1.2/32"; ); - Jason === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) static ip customers
Hi Jason, On Jun 6, 7:07pm, Jason Godsey wrote: > Subject: (RADIATOR) static ip customers > > would tere be an easy way to setup some way to check for a user's ip and > netmask from a db? > > %static = ( > "godsey" => "192.168.1.128/25"; > "jason" => "192.168.1.1/32"; > "joe" => "192.168.1.2/32"; > ); > Yes, its pretty easy, but the way to do it depends on what type of databse you have. Basically what you need to do is set up a reply item for the user with eg: Framed-IP-Address=192.168.1.1 Hope that helps. Cheers. > > - Jason > > > === > Archive at http://www.thesite.com.au/~radiator/ > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. >-- End of excerpt from Jason Godsey -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Accounting dictionary for netserver card
Hi Oliver, On Jun 4, 4:57pm, O Stockhammer wrote: > Subject: Re: (RADIATOR) Accounting dictionary for netserver card > > These are from the logfile: > > Fri Jun 4 16:44:12 1999: ERR: Attribute number 0 (vendor ) is not defined > in your dictionary That is quite bizarre, there is no such attribute > Fri Jun 4 16:45:18 1999: ERR: Attribute number 73 (vendor ) is not > defined in your dictionary So is that. > Fri Jun 4 16:45:18 1999: ERR: Attribute number 116 (vendor ) is not > defined in your dictionary That is supposedly Ascend-Appletalk-Route > Fri Jun 4 16:46:24 1999: ERR: Attribute number 240 (vendor ) is not > defined in your dictionary That is supposedly Ascend-Add-Seconds > Thu Jun 3 20:31:37 1999: ERR: Attribute number 144 (vendor ) is not > defined in your dictionary That is Ascend-Assign-IP-Client That all looks very strange, almost as if the incoming packet is corrupted in being incorrectly interpreted. Can you send a hex packet dump of one of these requests? You can get het packet dumps at trace level 5. > > These are the logs from the SQL log: > > 928528731 4 Rewrote user name to > kaligula > > 928528731 4 Handling with > Radius::AuthSQL > > 928528731 4Handling with > Radius::AuthUNIX > > 928528731 4Radius::AuthUNIX looks for match with > kaligula > > 928528731 4 Radius::AuthUNIX > ACCEPT: > > 928528731 4 Access accepted for > kaligula > > 928528736 1 Bad authenticator in request from 207.240.140.6 > (207.240.140.6) > > This is what I get at trace level 5. I am logging both to a logfile and > MySQL and accounting is going to both a detail file and MySQL. Accounting > works for my other chassies using Hyperarc cards. It seems lime auth is working, but accounting is complaining about "Bad authenticator". This is usually an indication that you need IgnoreAcctSignature set for that NAS. But in the light of the very strange results above, it may be something else. The packet dump will help. Im sorry you are having this trouble. I hope we get you on the air soon. Cheers. > > Thanks, > Oliver > > On Fri, 4 Jun 1999, Mike McCauley wrote: > > > Hi Oliver, > > > > can you send us a fragment of your radiator log file at trace level 4, showing > > what happens when you receive accounting packets from your Netserver. I would > > exepct to see Radiator complaining about missing dictionary entries. That will > > help us track down the missing attributes. > > > > Cheers. > > > > > > On Jun 3, 8:49pm, O Stockhammer wrote: > > > Subject: (RADIATOR) Accounting dictionary for netserver card > > > > > > Hello, > > > We are using both Netserver and Hyperarc TotalControl Cards. > > > Radiator is authenticating fine off of both but the Netserver Cards are > > > missing entries for the dictionary file and therefore no accounting > > > happens for them. > > > For some reason I am missing entries in the dictionary file for > > > the netserver card. I am using your dictionary.usr file that you > > > provided. What entries do I need for accounting to work? > > > > > > I think it has to do with the vendor specific entries like > > > > > > USR-Chassis-Call-Slot = 0 > > > rather than > > > Chassis-Call-Slot = 0 which is in the dictionary file > > > > > > Thank you, > > > Oliver Stockhammer > > > Systems > > > The Internet Channel > > > > > > > > > === > > > Archive at http://www.thesite.com.au/~radiator/ > > > To unsubscribe, email '[EMAIL PROTECTED]' with > > > 'unsubscribe radiator' in the body of the message. > > >-- End of excerpt from O Stockhammer > > > > > > > > -- > > Mike McCauley [EMAIL PROTECTED] > > Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW > > 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au > > Phone +61 3 9598-0985 Fax +61 3 9598-0955 > > > > Radiator: the most portable, flexible and configurable RADIUS server > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, > > Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, > > NT, Rhapsody > > > > > === > Archive at http://www.thesite.com.au/~radiator/ > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. >-- End of excerpt from O Stockhammer -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive
Re: (RADIATOR) general password questions
Hi Arnie, On Jun 4, 5:26pm, Arnie Roberts wrote: > Subject: (RADIATOR) general password questions > Hello All, > > I'm using Radiator on Windows 95 with only a handful of users - > more of a test system than fully blown production. We are happy > with things as they stand but superiors have asked me questions > I can't answer and so I wonder if anyone can help. > > Am I right in thinking that password expiry would work naturally > if I moved to NT or Unix and used the system password files rather > than the flat file I'm using now? NT Password expiry works as expected. UNIX password expiry has ne effect on Radiator. In flat files, you can use the Expiration check item to expire passwords. > > Can Radiator be configured to warn of imminent password expiry using the > Reply-Message attribute? Not out of the box. > > Is there any way in which users can change their passwords 'on the fly'? > My reading of rfc2138 tells me that the concept doesn't fit very well with > the Radius protocol unless Vendor-Specific attributes are used. > I would be very interested to hear from anyone doing this - before or after expiry. > I see that Microsoft appears to allow the Chap-Password to be changed after expiry - Some time back, Cris Bailiff submitted some patches to add password-changing to Radiator. These have not beed rolled into the base code. > > http://search.ietf.org/internet-drafts/draft-ietf-pppext-mschap-v2-03.txt Radiator does not support MSCHAP, and it wont until we can find a readily available MD4 module. > > http://www.rfc-editor.org/rfc/rfc2548.txt > > Does Radiator understand any Vendor-Specific codes or is it transparent > to them all? It does not refer in the code to any specific VSAs. It handles them all the same way. > > That's enough questions to be going on with :) Hope that helps. Cheers. > > Thanks in advance. > > Arnie > > > > === > Archive at http://www.thesite.com.au/~radiator/ > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. >-- End of excerpt from Arnie Roberts -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) CHAP HOWTO
Hi Richi, On Jun 6, 10:30pm, Richi Plana wrote: > Subject: Re: (RADIATOR) CHAP HOWTO > Hi, Mike, et al. > > On Sun, 6 Jun 1999, Mike McCauley wrote: > > |o| > Just wondering how to check the attributes CHAP-Password and > |o| > CHAP-Challenge. Are there methods in any of the Radiator objects that > |o| > would allow ones own written AuthBy method to check this attrib? > |o| > > |o| Radius::Radius::check_plaintext_password does most of the hard > |o| work of checking a password against whatever arrived in the radius > |o| request, be it CHAP, PAPA or whatever. > > It's a good function. Works like a charm. Is there some kind of > documentation on Radius::Radius or the whole Radius module (as implemented > in Radiator)? Seems there are a lot nifty functions just waiting to be > used. The only doc of the functions is in the file itself. > > BTW, although check_plaintext_password works as advertised, it won't work > for us because it just hit me: we've stored clients' password using DES > crypt(). If Radius::Radius::check_plaintext_password can work with that, > I'd like to know how! Then you lose. Its not possible to do CHAP authentication unless you have the plaintext password available. Cheers. -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) CHAP HOWTO
Hi, Mike, et al. On Sun, 6 Jun 1999, Mike McCauley wrote: |o| > Just wondering how to check the attributes CHAP-Password and |o| > CHAP-Challenge. Are there methods in any of the Radiator objects that |o| > would allow ones own written AuthBy method to check this attrib? |o| > |o| Radius::Radius::check_plaintext_password does most of the hard |o| work of checking a password against whatever arrived in the radius |o| request, be it CHAP, PAPA or whatever. It's a good function. Works like a charm. Is there some kind of documentation on Radius::Radius or the whole Radius module (as implemented in Radiator)? Seems there are a lot nifty functions just waiting to be used. BTW, although check_plaintext_password works as advertised, it won't work for us because it just hit me: we've stored clients' password using DES crypt(). If Radius::Radius::check_plaintext_password can work with that, I'd like to know how! L L Richi Plana 8^) ,-,-. ,-,-. ,-,-. ,-,-. ,- LL LL Systems Administrator / / \ \ / / \ \ / / \ \ / / \ \ / / L Mosaic Communications, Inc. \ \ / / \ \ / / \ \ / / \ \ / / L mailto:[EMAIL PROTECTED] `-'-' `-'-' `-'-' `-'-' === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) CHAP HOWTO
Hi Richi, On Jun 5, 3:35pm, Richi Plana wrote: > Subject: (RADIATOR) CHAP HOWTO > Hi, > > Just wondering how to check the attributes CHAP-Password and > CHAP-Challenge. Are there methods in any of the Radiator objects that > would allow ones own written AuthBy method to check this attrib? > Radius::Radius::check_plaintext_password does most of the hard work of checking a password against whatever arrived in the radius request, be it CHAP, PAPA or whatever. Thats the only function that has specific knowledge of the CHAP attributes. Cheers. -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) AuthBy RADIUS and PostAuthHook
Hi Sander,
On Jun 6, 12:59pm, Sander Asberg wrote:
> Subject: (RADIATOR) AuthBy RADIUS and PostAuthHook
>
> We have the following Situation, in which we use Radiator as
> a radius proxy (AuthBy RADIUS) between the dial-in hardware and
> our customer radius servers:
>
> Client <-(radius)-> Radiator <-(radius)-> customer radius server
>
> If we want some of our customers to specify Framed-IP-addresses for
> their dial-in users, we need to have a mechanism to ensure that
> these addresses are within their IP range.
>
> My thought was, that I could establish this through a PostAuthHook,
> in which I would check the Framed-IP-Address, and accept it if it was
> a valid IP address, and reject it otherwise.
>
> However, in PostAuthHook, $_[1], does not seem to contain the reply
> attributes gotten from the customer radius server. ( $_[1]->count is
> 0. I am able to add attributes with $_[1]->add_attr though!)
Contrary to the documentation that you have, you should be accesing those
functions like this:
${$_[1]}->count
${$_[1]}->add_attr()
etc.
>
> Is this the way to check the Framed-IP-Address? If yes, what is
> wrong with my approach? If not, what other mechanisms can I use
> to ensure correct issueing of IP addresses by customers?
Use PostAuthHook is a good way to do that sort of thing. There are no ways to
do exactly what you want built in to Radiator.
Hope that helps.
Cheers.
>
> regards,
> Sander Asberg
>
>
>
>
> ===
> Archive at http://www.thesite.com.au/~radiator/
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
>-- End of excerpt from Sander Asberg
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
(RADIATOR) Re: Creative Handler Statements
Hi John. > I have a situation where a phone company is providing the ports for us, > but they have a lot of NASs. I'm trying to make a catch all handler that > will match them since they are all in the same class B. Their NASs > require me to put a few extra "AddToReply" statements in to make them > work better. What is the proper way to match them? Below is my first > try: > > > > At first, I thought that their proxy radius servers were going to send the > IP address of the radius server as the client ID, but I'm actually getting > the NAS IP in the client-id field. Is there a way to write a handler that > works on the "Receieved from" instead of just the RADIUS attributes? If > so, they only have 4 radius servers and that would be pretty easy to trap > with only 4 handler statements. So, they have lots of NASs, but all request are proxied through only 4 of their radius servers? Perhaps you could put a RewriteUsername in the Client clause(s) for them, and add some distinctive tag to the end of the user name, which you could then recognise with a Realm or Handler clause? Hope that helps. Cheers. -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) general password questions
On Jun 4, 8:16pm, Felix Izquierdo wrote: > Subject: Re: (RADIATOR) general password questions > Arnie Roberts wrote: > > > > Am I right in thinking that password expiry would work naturally > > if I moved to NT or Unix and used the system password files rather > > than the flat file I'm using now? > > > > The actual AuthSYSTEM.pm version doesn't work with the /etc/shadow file > in Unix, and the passwords and expiry information are in this file in > many Unix. You can get it with a very little patch using the > Shadowf/Shadows Perl module. I use the Solaris native user database as > repository for usernames/passwords/expiry-dates and it works fine for > me. There is now a patched version of AuthSYSTEM.pm available that can optionally use getspnam from the Shadowf/Shadows Perl module Cheers. -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
(RADIATOR) AuthBy RADIUS and PostAuthHook
We have the following Situation, in which we use Radiator as a radius proxy (AuthBy RADIUS) between the dial-in hardware and our customer radius servers: Client <-(radius)-> Radiator <-(radius)-> customer radius server If we want some of our customers to specify Framed-IP-addresses for their dial-in users, we need to have a mechanism to ensure that these addresses are within their IP range. My thought was, that I could establish this through a PostAuthHook, in which I would check the Framed-IP-Address, and accept it if it was a valid IP address, and reject it otherwise. However, in PostAuthHook, $_[1], does not seem to contain the reply attributes gotten from the customer radius server. ( $_[1]->count is 0. I am able to add attributes with $_[1]->add_attr though!) Is this the way to check the Framed-IP-Address? If yes, what is wrong with my approach? If not, what other mechanisms can I use to ensure correct issueing of IP addresses by customers? regards, Sander Asberg === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Module for shadow passwords
Hi Felix, Thanks for telling about this. We have updates AuthBy SYSTEM so it can use getspnam if it is available. From the reference manual: UseGetspnam On some operating systems (notably Solaris) AuthBy SYSTEM needs this parameter to enable it to get the encrypted password from /etc/shadow or NIS+ You also need the Shadows module from ftp://dagobert.eur.nl/pub/homebrew/Shadow-0.01.tar.gz or better. Use this if you are running on Solaris, or if Radiator reports "Bad Encrypted-Password" even if you are sure the password and ther shared secret are correct. # We are on Solaris, and have installed "Shadows" UseGetspnam The new version is available from http://www.open.com.au/radiator/downloads/patches-2.13.1/AuthSYSTEM.pm Thanks again. Cheers. On May 24, 5:19pm, Felix Izquierdo wrote: > Subject: (RADIATOR) Module for shadow passwords > > Hi! > > I have a found a Perl module for retrieving shadow passwords in > ftp://dagobert.eur.nl/pub/homebrew/Shadow-0.01.tar.gz . It adds the > Solaris ( and other OS's ) getspnam() function to Perl. > > Does anybody know other similar modules? Mike, will be posible an > AuthSYSTEM.pm version using any implementation of getspnam like this? I > think it can be a complete solution for all the shadow passwords > problems. Now with Radiator, it's posible to work with the /etc/shadow > file of a Solaris users database, but loosing the information in the > /etc/passwd file, and the primary GID is in this file. A posible > AuthSYSTEM.pm version with getspnam() support, will work with any > user/password database defined in nsswtich.conf. > > Felix > __ > DATAGRAMA SERVICIOS INTERNET > C/ Acer 30Tlf: +34 3 223 00 98 > 08038 BARCELONA ( Spain ) Fax: +34 3 223 12 66 > mailto:[EMAIL PROTECTED] http://www.datagrama.net > __ > > === > Archive at http://www.thesite.com.au/~radiator/ > To unsubscribe, email '[EMAIL PROTECTED]' with > 'unsubscribe radiator' in the body of the message. >-- End of excerpt from Felix Izquierdo -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
